No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

S12700 V200R011C10 Configuration Guide - VPN

This document describes the VPN configuration procedures and provides configuration examples.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
IPSec Application in OSPFv3

IPSec Application in OSPFv3

Service Overview

Stable and reliable routes provide a solid basis for network communication. OSPFv3 is widely applied to ASs and therefore requires high levels of protection. OSPFv3 itself does not define any authentication mechanism; therefore, if no additional authentication mechanism is configured for OSPFv3, packets will be prone to be intercepted, modified, or faked. This can potentially affect OSPFv3 neighbor relationships and interrupt network communication.

RFC 4552 introduces IPSec for authenticating OSPFv3 packets. An AH or ESP header inserted into an OSPFv3 packet provides a basis for data origin authentication and data integrity authentication, protecting OSPFv3 neighbor relationships and network communication.

Networking Description

As shown in Figure 2-14, SwitchA and SwitchB run OSPFv3 and are reachable. To prevent packets along the route between SwitchA and SwitchB from being intercepted or faked, IPSec is configured between SwitchA and SwitchB.

Figure 2-14  Typical Networking of IPSec Application in OSPFv3

Feature Deployment

IPSec can be deployed in an OSPFv3 process or area or on an interface.

OSPFv3 allows multiple instances on each link, and each instance is identified by the instance-id field. The IPSec header, however, does not support the instance-id field. Therefore, all OSPFv3 instances on an interface use the same SA.

As shown in Figure 2-14, IPSec is configured on all interfaces so that OSPFv3 neighbor relationships are set up only when IPSec authentication succeeds. Packets that fail IPSec authentication or undergo different authentication modes on IPSec peers will be dropped.

Translation
Download
Updated: 2019-04-01

Document ID: EDOC1000178118

Views: 159194

Downloads: 159

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next