Configuration Guide - IP Routing 01

NE05E and NE08E V300R003C10SPC500

Configuring OSPFv3 Authentication

OSPFv3 authentication authenticates sent and received OSPFv3 packets, protecting devices against forged OSPFv3 packets.

Usage Scenario

OSPFv3 IPsec uses the full set of IPsec mechanisms to authenticate sent and received OSPFv3 packets, protecting devices against forged OSPFv3 packets.

However, on some special networks, such as a mobile ad hoc network (MANET), IPsec is difficult to deploy and maintain. To address this problem, the standards introduce the Authentication Trailer for OSPFv3, which gives OSPFv3 another way to implement authentication.

With the OSPFv3 Authentication Trailer, an authentication field is appended to each OSPFv3 packet. When a local device receives an OSPFv3 packet from a remote device, it discards the packet if the authentication information carried in the packet does not match the locally configured password, which protects the local device against forged packets. OSPFv3 authentication therefore improves network security.
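The accept-or-discard behaviour described above, shown as an added Python model that is not part of this guide and not Huawei's code. It is deliberately simplified: it is not the on-the-wire encoding of RFC 7166 (no Apad, no sequence-number handling), only the principle that a keyed HMAC-SHA256 digest is appended to each packet and the receiver recomputes it with its own key for the carried key ID. The key table, key ID, and packet bytes are constructed sample values.

```python
"""Simplified OSPFv3 authentication-trailer model (added example, not RFC-exact)."""
import hashlib
import hmac

# Hypothetical key table: key-id -> shared secret (constructed sample value).
KEY_TABLE = {1: b"constructed-shared-secret-key-1"}
KEY_ID_LEN = 2                                   # 2-byte key ID in the trailer
DIGEST_LEN = hashlib.sha256().digest_size         # 32 bytes for HMAC-SHA256


def build_authenticated_packet(ospfv3_packet: bytes, key_id: int, keys: dict) -> bytes:
    """Append a trailer of key ID + HMAC-SHA256 over packet and key ID."""
    key = keys[key_id]
    header = key_id.to_bytes(KEY_ID_LEN, "big")
    # The key ID is covered by the MAC, so it cannot be swapped unnoticed.
    digest = hmac.new(key, ospfv3_packet + header, hashlib.sha256).digest()
    return ospfv3_packet + header + digest


def verify_authenticated_packet(wire: bytes, keys: dict):
    """Return (accepted, reason, payload); the receiver's own key decides."""
    trailer_len = KEY_ID_LEN + DIGEST_LEN
    if len(wire) < trailer_len:
        return False, "truncated", b""
    payload = wire[:-trailer_len]
    header = wire[-trailer_len:-DIGEST_LEN]
    received = wire[-DIGEST_LEN:]
    key = keys.get(int.from_bytes(header, "big"))
    if key is None:
        return False, "unknown key-id", b""
    expected = hmac.new(key, payload + header, hashlib.sha256).digest()
    # Constant-time comparison: do not leak digest bytes through timing.
    if not hmac.compare_digest(expected, received):
        return False, "digest mismatch", b""
    return True, "ok", payload


if __name__ == "__main__":
    # Constructed stand-in for an OSPFv3 Hello packet.
    pkt = b"\x03\x01\x00\x24" + b"constructed OSPFv3 hello body"
    wire = build_authenticated_packet(pkt, 1, KEY_TABLE)
    print("genuine :", verify_authenticated_packet(wire, KEY_TABLE)[:2])
    tampered = bytearray(wire)
    tampered[5] ^= 0x01                          # flip one payload bit
    print("tampered:", verify_authenticated_packet(bytes(tampered), KEY_TABLE)[:2])
    print("bad key :", verify_authenticated_packet(wire, {1: b"different-key"})[:2])
```

Both a modified payload and a neighbour configured with a different password produce "digest mismatch", which is exactly the case in which the guide says the neighbour relationship cannot be established.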

Pre-configuration Tasks

Before configuring OSPFv3 authentication, complete the following tasks:

Configuration Procedures

Perform one or more of the following configurations as required.

Configuring OSPFv3 IPsec

OSPFv3 IPsec provides a set of IPsec mechanisms to authenticate sent and received OSPFv3 packets, protecting devices against invalid OSPFv3 packets.

Usage Scenario

OSPFv3 IPsec uses a set of IPsec mechanisms to authenticate sent and received OSPFv3 packets, protecting devices against invalid OSPFv3 packets.

Configuring an IPsec Proposal

An IPsec proposal defines the encryption and authentication algorithms used to authenticate OSPFv3 protocol packets.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ipsec proposal proposal-name

    A security proposal is created and the security proposal view is displayed.

  3. Run encapsulation-mode transport

    The protocol packet encapsulation mode is configured.

  4. (Optional) Run transform { ah | ah-esp | esp }

    A security protocol is configured.

  5. Configure an authentication algorithm and, for ESP, an encryption algorithm according to the selected security protocol.

    • When Authentication Header (AH) is configured, run the ah authentication-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 } command to configure a corresponding authentication algorithm.

      NOTE:

      To ensure high security, do not use the MD5/SHA1 algorithm as the AH authentication algorithm.

    • When ESP is configured, run the esp authentication-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 } command to configure a corresponding authentication algorithm.

      NOTE:

      To ensure high security, do not use the MD5/SHA1 algorithm as the ESP authentication algorithm.

    • When ESP is configured, run the esp encryption-algorithm { des | 3des | aes [ 128 | 192 | 256 ] } command to configure the ESP encryption algorithm.

      NOTE:

      To ensure high security, do not use the DES/3DES algorithm as the ESP encryption algorithm.

  6. Run commit

    The configuration is committed.

Configuring an IPsec SA

To create a manual IPsec tunnel, you need to configure the SPI and the keys (string-key, authentication-hex, or encryption-hex).

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ipsec sa sa-name

    An SA is created and the SA view is displayed.

  3. Run proposal proposal-name

    A security proposal is applied to the SA.

    NOTE:

    A security proposal must be configured before it can be associated with protocol packet flows.

    One SA can use only one security proposal. If a security proposal has been applied to an SA, the SA can use another security proposal only after the original one is deleted.

  4. Run sa spi { inbound | outbound } { ah | esp } spi-number

    The SPI is configured. It ranges from 256 to 4294967295.

    NOTE:

    The SPI uniquely identifies an SA. The inbound and outbound SPIs are configured, and the inbound SPI on the local end must be the same as the outbound SPI on the peer end.

  5. Either the sa authentication-hex or sa string-key command can be used to configure the authentication key.
    1. Run sa authentication-hex { inbound | outbound } { ah | esp } [ cipher ] key-cipher-key

      An authentication key in hexadecimal format or cipher text is configured.

    2. Run sa string-key { inbound | outbound } { ah | esp } [ cipher ] string-cipher-key

      An authentication key in string format is configured.

    NOTE:

    The authentication key for outgoing protocol packets on the local end must be identical with that for incoming protocol packets on the peer end.

    If multiple authentication keys are configured, the latest one takes effect.

    It is recommended to update keys periodically.

  6. (Optional) Run sa encryption-hex { inbound | outbound } esp [ cipher ] hex-cipher-key

    An encryption key is configured.

  7. Run commit

    The configuration is committed.
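The proposal and SA procedures above carry several conditions a practitioner will want to check before committing: the NOTEs against MD5/SHA1 and DES/3DES, the requirement that a proposal exist before an SA references it, the SPI range 256 to 4294967295, inbound and outbound SPIs both being configured, an authentication key being present, and the local inbound SPI equalling the peer's outbound SPI. The following Python audit is an added example, not Huawei's code or tooling; it parses a constructed configuration excerpt written in the command syntax of the steps above (the proposal names, SA names, SPIs and the cipher-text placeholder are all made up) and reports each of those conditions.

```python
"""Audit of manual IPsec proposals and SAs for OSPFv3 (added example)."""
import re

WEAK_AUTH = {"md5", "sha1"}           # NOTE: do not use as AH/ESP authentication algorithm
WEAK_ENC = {"des", "3des"}            # NOTE: do not use as ESP encryption algorithm
SPI_MIN, SPI_MAX = 256, 4294967295    # sa spi range from the procedure

# Constructed sample configuration; the %^%#...%^%# value is a placeholder, not a real cipher text.
SAMPLE_CONFIG = """\
ipsec proposal prop1
 encapsulation-mode transport
 transform esp
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes 256
#
ipsec proposal prop-legacy
 encapsulation-mode transport
 transform ah
 ah authentication-algorithm md5
#
ipsec sa sa1
 proposal prop1
 sa spi inbound esp 12345
 sa spi outbound esp 54321
 sa string-key inbound esp cipher %^%#CONSTRUCTED-PLACEHOLDER%^%#
 sa string-key outbound esp cipher %^%#CONSTRUCTED-PLACEHOLDER%^%#
#
ipsec sa sa2
 proposal prop-missing
 sa spi inbound ah 100
#
"""


def parse_ipsec_config(text):
    """Group the lines of each 'ipsec proposal' and 'ipsec sa' block by name."""
    proposals, sas = {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":          # '#' separates configuration blocks
            current = None
            continue
        m = re.match(r"ipsec (proposal|sa) (\S+)$", line)
        if m:
            kind, name = m.groups()
            current = (proposals if kind == "proposal" else sas).setdefault(name, [])
            continue
        if current is not None:
            current.append(line)
    return proposals, sas


def extract_spis(sa_lines):
    """Return {'inbound': spi, 'outbound': spi} for the SPIs present in an SA."""
    spis = {}
    for line in sa_lines:
        m = re.match(r"sa spi (inbound|outbound) (ah|esp) (\d+)$", line)
        if m:
            spis[m.group(1)] = int(m.group(3))
    return spis


def spi_pairing_ok(local_spis, peer_spis):
    """Local inbound SPI must equal the peer's outbound SPI, and vice versa."""
    return (local_spis.get("inbound") == peer_spis.get("outbound")
            and local_spis.get("outbound") == peer_spis.get("inbound"))


def audit(text):
    """Return a list of findings, one string per violated condition."""
    proposals, sas = parse_ipsec_config(text)
    findings = []
    for name, lines in proposals.items():
        for line in lines:
            m = re.match(r"(ah|esp) authentication-algorithm (\S+)$", line)
            if m and m.group(2) in WEAK_AUTH:
                findings.append(f"proposal {name}: weak authentication algorithm {m.group(2)}")
            m = re.match(r"esp encryption-algorithm (\S+)", line)
            if m and m.group(1) in WEAK_ENC:
                findings.append(f"proposal {name}: weak encryption algorithm {m.group(1)}")
    for name, lines in sas.items():
        prop = next((l.split()[1] for l in lines if l.startswith("proposal ")), None)
        if prop is None:
            findings.append(f"sa {name}: no proposal applied")
        elif prop not in proposals:
            findings.append(f"sa {name}: proposal {prop} is not configured")
        spis = extract_spis(lines)
        for direction, spi in spis.items():
            if not SPI_MIN <= spi <= SPI_MAX:
                findings.append(f"sa {name}: {direction} SPI {spi} outside {SPI_MIN}..{SPI_MAX}")
        for direction in ("inbound", "outbound"):
            if direction not in spis:
                findings.append(f"sa {name}: {direction} SPI not configured")
        if not any(re.match(r"sa (string-key|authentication-hex) ", l) for l in lines):
            findings.append(f"sa {name}: no authentication key configured")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Running it on the sample reports only prop-legacy and sa2; sa1 is clean. To check a link, feed each end's configuration to parse_ipsec_config, take the SPIs of the SA used on that link with extract_spis, and pass the two dictionaries to spi_pairing_ok.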

Enabling OSPFv3 IPsec

A Security Association (SA) configured in an OSPFv3 process or OSPFv3 area is used to authenticate packets of the process.

Context

Perform the following steps on the router that runs OSPFv3:

Procedure

  • Enable IPsec in an OSPFv3 process.
    1. Run system-view

      The system view is displayed.

    2. Run ospfv3 [ process-id ]

      The OSPFv3 view is displayed.

    3. Run ipsec sa sa-name

      An SA is configured in the OSPFv3 process.

      An OSPFv3 process can be associated with multiple OSPFv3 areas. An SA applied in the OSPFv3 process can be used in the associated areas.

    4. Run commit

      The configuration is committed.

  • Enable IPsec in an OSPFv3 area.
    1. Run system-view

      The system view is displayed.

    2. Run ospfv3 [ process-id ]

      The OSPFv3 view is displayed.

    3. Run area area-id

      The OSPFv3 area view is displayed.

    4. Run ipsec sa sa-name

      An SA is configured in the OSPFv3 area.

      NOTE:

      The SA configured on an OSPFv3 area takes precedence over that configured in an OSPFv3 process.

    5. Run commit

      The configuration is committed.

  • Enable IPsec on an OSPFv3 interface.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run ospfv3 ipsec sa sa-name

      An SA is configured in the interface view for OSPFv3.

      NOTE:
      • The SA configured in the interface view takes precedence over that configured in the OSPFv3 area view or the OSPFv3 process view.
      • The ospfv3 ipsec sa command can be used on all the OSPFv3 instances of an interface.

    4. Run commit

      The configuration is committed.
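The three procedures above let an SA be applied in the process view, the area view, or the interface view, with the NOTEs fixing the precedence: interface over area, area over process, and a process SA usable in all of the process's areas. The following Python resolver is an added example, not Huawei's code; it models that precedence for a constructed OSPFv3 process (the SA names, area IDs and interface names are sample values) and also lists interfaces that end up with no SA at any level, which is the default state the guide warns against.

```python
"""Effective IPsec SA per OSPFv3 interface, by configuration scope (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Ospfv3Process:
    """Constructed model of one OSPFv3 process and where SAs were applied."""
    process_id: int
    process_sa: Optional[str] = None                            # 'ipsec sa' in the OSPFv3 view
    area_sa: Dict[str, str] = field(default_factory=dict)       # area-id -> SA name (area view)
    interface_sa: Dict[str, str] = field(default_factory=dict)  # interface -> SA name (ospfv3 ipsec sa)
    interface_area: Dict[str, str] = field(default_factory=dict)  # interface -> area-id

    def effective_sa(self, interface: str) -> Tuple[Optional[str], str]:
        """Return (SA name, scope) using interface > area > process precedence."""
        if interface not in self.interface_area:
            raise KeyError(f"{interface} is not in process {self.process_id}")
        area = self.interface_area[interface]
        candidates = (
            ("interface", self.interface_sa.get(interface)),
            ("area", self.area_sa.get(area)),
            ("process", self.process_sa),  # process SA covers every associated area
        )
        for scope, sa in candidates:
            if sa is not None:
                return sa, scope
        return None, "none"

    def unprotected_interfaces(self):
        """Interfaces with no SA at any level: authentication is off by default."""
        return sorted(i for i in self.interface_area if self.effective_sa(i)[0] is None)


# Constructed sample: process SA sa1, area 0.0.0.1 overrides with sa2,
# and one interface in area 0.0.0.1 overrides again with sa3.
SAMPLE_PROCESS = Ospfv3Process(
    process_id=1,
    process_sa="sa1",
    area_sa={"0.0.0.1": "sa2"},
    interface_sa={"GE0/1/2": "sa3"},
    interface_area={"GE0/1/0": "0.0.0.0", "GE0/1/1": "0.0.0.1", "GE0/1/2": "0.0.0.1"},
)

# Same layout without a process-level SA: the backbone interface is left unprotected.
SAMPLE_PROCESS_NO_DEFAULT = Ospfv3Process(
    process_id=2,
    area_sa={"0.0.0.1": "sa2"},
    interface_area={"GE0/2/0": "0.0.0.0", "GE0/2/1": "0.0.0.1"},
)


if __name__ == "__main__":
    for ifname in SAMPLE_PROCESS.interface_area:
        print(ifname, "->", SAMPLE_PROCESS.effective_sa(ifname))
    print("unprotected in process 2:", SAMPLE_PROCESS_NO_DEFAULT.unprotected_interfaces())
```

The scope returned alongside the SA name tells an operator which view to edit when a neighbour fails to come up because the two ends resolved to SAs with different keys.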

Configuring OSPFv3 Authentication Trailer

Open Shortest Path First version 3 (OSPFv3) supports packet authentication, enabling OSPFv3 devices to receive only the OSPFv3 packets that are authenticated. If packets fail to be authenticated, OSPFv3 neighbor relationships cannot be established. This section describes how to configure an authentication mode.

Applicable Environment

OSPFv3 Authentication Trailer supports keychain and HMAC-SHA256 authentication.

Before you configure keychain authentication, run the keychain command to configure a keychain, the key-id command to configure a key ID, the key-string command to configure a password, and the algorithm command to configure an algorithm. If these commands are not run, OSPFv3 authentication fails.

NOTE:
By default, authentication is not configured for an OSPFv3 process, area, or interface. Configuring authentication is recommended to ensure system security.

When configuring an authentication password, select the cipher-text mode: if you select plain-text mode, the password is saved in plain text in the configuration file, which is a high risk. To ensure device security, change the password periodically.

Procedure

  • Configure OSPFv3 area authentication.
    1. Run system-view

      The system view is displayed.

    2. Run ospfv3 [ process-id ]

      The OSPFv3 process view is displayed.

    3. Run area area-id

      The OSPFv3 area view is displayed.

    4. Run authentication-mode { hmac-sha256 key-id key-id { plain plain-text | [ cipher ] cipher-text } } [ instance-id instance-id ]

      OSPFv3 area authentication is configured.

      NOTE:

      If you use OSPFv3 area authentication, the authentication and password configurations on all NEs in the same area must be the same.

    5. Run commit

      The configuration is committed.

  • Configure OSPFv3 process authentication.
    1. Run system-view

      The system view is displayed.

    2. Run ospfv3 [ process-id ]

      The OSPFv3 process view is displayed.

    3. Run authentication-mode { hmac-sha256 key-id key-id { plain plain-text | [ cipher ] cipher-text } } [ instance-id instance-id ]

      OSPFv3 process authentication is configured.

    4. Run commit

      The configuration is committed.

  • Configure OSPFv3 interface authentication.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run ospfv3 authentication-mode { hmac-sha256 key-id key-id { plain plain-text | [ cipher ] cipher-text } } [ instance instance-id ]

      OSPFv3 interface authentication is configured.

      NOTE:

      OSPFv3 interface authentication takes precedence over OSPFv3 area authentication. If you use HMAC-SHA256 authentication, the authentication and password configurations on all the interfaces on the same network segment must be the same.

    4. Run commit

      The configuration is committed.

Verifying the Configuration of OSPFv3 Authentication

After configuring OSPFv3 authentication, you can check the configurations.

Prerequisites

OSPFv3 authentication has been configured.

Procedure

  • Run the display ospfv3 [ process-id ] command to view the SA applied in a specified process.
  • Run the display ospfv3 [ process-id ] area [ area-id ] command to view the SA applied in a specified area.

Example

Run the display ospfv3 [ process-id ] command to view the SA configured in an OSPFv3 process.

<HUAWEI> display ospfv3
 Routing Process "OSPFv3 (1)" with ID 0.0.0.0
 Route Tag: 0
 Multi-VPN-Instance is not enabled
 SPF Intelligent Timer[millisecs] Max: 10000, Start: 500, Hold: 1000
 For router-LSA and network-LSA:
  LSA Originate Intelligent Timer[millisecs] Max: 5000, Start: 500, Hold: 1000
 For other LSAs:
  LSA Originate Interval 5 seconds
  LSA Arrival Intelligent Timer[millisecs] Max: 1000, Start: 500, Hold: 500
 Default ASE parameters: Metric: 1 Tag: 1 Type: 2
 Number of AS-External LSA 0. AS-External LSA's Checksum Sum 0x0
 Number of AS-Scoped Unknown LSA 0. AS-Scoped Unknown LSA's Checksum Sum 0x0
 Number of FULL neighbors 0
 Number of Exchange and Loading neighbors 0
 Maximum ASE LS ID 1 and Unused list Count 0
 Number of LSA originated 0
 Number of LSA received 0
 SPF Count          : 0
 Non Refresh LSA    : 0
 Non Full Nbr Count : 0
 Number of areas in this router is 1
 IP security association configured: sa1

Run the display ospfv3 [ process-id ] area [ area-id ] command to view the SA configured in an OSPFv3 area.

<HUAWEI> display ospfv3 area
OSPFv3 Process (1)
 Area BACKBONE(0) Status: down
       Number of interfaces in this area is 0
       SPF algorithm executed 0 times
       Number of LSA 0. Checksum Sum 0x0000
       Number of Unknown LSA 0
       Area Bdr Router count: 0
       Area ASBdr Router count: 0
       IP security association configured: sa1
 Area 0.0.0.1 Status: InActive
       Number of interfaces in this area is 1
       SPF algorithm executed 3 times
       Number of LSA 4. Checksum Sum 0x23AC8
       Number of Unknown LSA 0
       Area Bdr Router count: 0
       Area ASBdr Router count: 1
       IP security association configured: sa2
 Area 0.0.0.2 Status: down
       Number of interfaces in this area is 0
       SPF algorithm executed 0 times
       Number of LSA 0. Checksum Sum 0x0000
       Number of Unknown LSA 0
       Area Bdr Router count: 0
       Area ASBdr Router count: 0
       IP security association configured: sa3
Updated: 2019-01-14

Document ID: EDOC1100058916
