
OSPFv3 and security policy rules

Publication Date:  2016-11-30 Views:  85 Downloads:  0
Issue Description

We are trying to establish an OSPFv3 adjacency across a USG6000 firewall, but the adjacency stops in the ExStart state.

topology:

Router1------- USG firewall-------- Router2

To configure the security policy we define the source and destination zones and permit the OSPFv3 service:

#
 rule name t
  source zone trust
  destination zone untrust
  service OSPFv3
  action permit
#
This is not enough, because the adjacency on the interface still stops in ExStart. Check the OSPFv3 status below:

Alarm Information

<usg>displ ospfv peer
18:46:03  2016/10/26

OSPFv3 Process (1)
OSPFv3 Area (0.0.0.0)
Neighbor ID     Pri   State            Dead Time   Interface  Instance ID
1.0.2.2           1   ExStart/Backup   00:00:36    Vlanif1000       0

Handling Process

Interestingly, when the OSPFv3 network type is changed from the default broadcast to P2P, the adjacency goes to the Full state.

How to explain this?

Root Cause

For the broadcast network type, the Database Description (DBD) packets are sent as unicast to the firewall, and the firewall filters them according to its security policies. In this situation the OSPFv3 process does not get beyond the ExStart stage, because the security policies of the firewall might not allow traffic between the local zone of the firewall and the zone to which the OSPFv3-enabled interface belongs.

For the P2P network type, OSPF hello packets are sent as multicast to the destination addresses ff02::5 and ff02::6. Multicast traffic is not checked against the source and destination IP addresses in the defined security policy, so the adjacency is established.

Going further, we can see that OSPFv3 routers send DBD packets using link-local IP addresses. Check the snippet of an OSPFv3 packet capture below.

Solution

We need to adjust the security policy to include the local zone and the link-local IP address range:

#
 rule name t
  source zone trust
  destination zone untrust
  source zone local
  source-address FE80:: 10
  destination-address FE80:: 10
  service OSPFv3
  action permit
#
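To make the root cause concrete, here is an added Python model of how zone- and address-based policy matching treats the two packet types described above. It is not code from the article or from Huawei; the zones, link-local addresses, top-down first-match evaluation and the multicast bypass are assumptions chosen to illustrate the explanation.

```python
"""Constructed model of USG zone-based policy matching for OSPFv3 packets."""
import ipaddress


class Rule:
    # One security policy rule: any listed source zone to any listed destination
    # zone; an omitted address filter means "any" (assumed semantics).
    def __init__(self, name, src_zones, dst_zones, service,
                 src_prefix=None, dst_prefix=None, action="permit"):
        self.name, self.service, self.action = name, service, action
        self.src_zones, self.dst_zones = set(src_zones), set(dst_zones)
        self.src_prefix = ipaddress.ip_network(src_prefix) if src_prefix else None
        self.dst_prefix = ipaddress.ip_network(dst_prefix) if dst_prefix else None

    def matches(self, pkt):
        src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
        return (pkt["src_zone"] in self.src_zones
                and pkt["dst_zone"] in self.dst_zones
                and pkt["service"] == self.service
                and (self.src_prefix is None or src in self.src_prefix)
                and (self.dst_prefix is None or dst in self.dst_prefix))


def policy_verdict(rules, pkt):
    """First matching rule decides; no match is the implicit deny.
    Multicast destinations skip the policy, as the root cause section explains."""
    if ipaddress.ip_address(pkt["dst"]).is_multicast:
        return "permit (multicast, policy not applied)"
    for rule in rules:
        if rule.matches(pkt):
            return f"{rule.action} by rule {rule.name}"
    return "deny (no matching rule)"


# Rule as first configured: trust -> untrust, service OSPFv3 only.
ORIGINAL = [Rule("t", ["trust"], ["untrust"], "OSPFv3")]
# Rule after the fix: local zone added, link-local prefixes on both sides.
FIXED = [Rule("t", ["trust", "local"], ["untrust"], "OSPFv3",
              src_prefix="fe80::/10", dst_prefix="fe80::/10")]

# Constructed packets: the firewall (local zone) talks to a neighbour in untrust.
HELLO = {"src_zone": "local", "dst_zone": "untrust", "src": "fe80::1",
         "dst": "ff02::5", "service": "OSPFv3"}
DBD = {"src_zone": "local", "dst_zone": "untrust", "src": "fe80::1",
       "dst": "fe80::2", "service": "OSPFv3"}

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        for name, pkt in (("hello", HELLO), ("dbd", DBD)):
            print(f"{label:8} {name}: {policy_verdict(rules, pkt)}")
```

The hello is permitted under both rule sets because it is multicast, while the unicast DBD is dropped by the original rule and permitted only once the local zone and the link-local range are included.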

Suggestions
none
