Authentication
The following example configures IPsec authentication for OSPFv3 (IPv6 OSPF) on the link between R2 and R3.
R2:
interface FastEthernet1/0
 no ip address
 speed auto
 duplex auto
 ipv6 address 2000:23::2/64
 ipv6 ospf authentication ipsec spi 256 sha1 0123456789012345678901234567890123456789
 ipv6 ospf 1 area 0
R3:
interface FastEthernet1/0
 no ip address
 speed auto
 duplex auto
 ipv6 address 2000:23::3/64
 ipv6 ospf authentication ipsec spi 256 sha1 0123456789012345678901234567890123456789
 ipv6 ospf 1 area 0
Note that the SPI (Security Parameter Index) must be identical on both routers, as must the key given on the same line.
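A small consistency check for the two interface configurations above, added here as an example and not part of the original post. It parses the `ipv6 ospf authentication ipsec ...` and `ipv6 ospf encryption ipsec ... esp aes-cbc ...` forms shown on this page (cleartext keys, optionally preceded by the key-encryption-type `0`), joins wrapped lines, and reports a differing SPI, key or algorithm between the two neighbours as well as a hex key whose length does not fit the algorithm (SHA1: 40 hex digits, MD5: 32, AES-CBC 128/192/256: 32/48/64). The sample configurations are constructed from the R2 and R3 snippets on the page; the SPI 257 variant is a constructed mismatch.

```python
"""Pre-deployment check that two OSPFv3 neighbours carry matching IPsec settings.
Added example (not the post's own tooling); handles only the CLI forms shown on the page."""
import re

# Required hex key length per algorithm: the CLI takes the key as hex digits,
# so a 20-byte SHA1 key is 40 digits and a 256-bit AES key is 64 digits.
AUTH_KEY_HEX_LEN = {"md5": 32, "sha1": 40}
ENC_KEY_HEX_LEN = {"128": 32, "192": 48, "256": 64}

AUTH_RE = re.compile(
    r"ipv6 ospf authentication ipsec spi (\d+) (md5|sha1) (?:0 )?([0-9a-fA-F]+)"
)
ENC_RE = re.compile(
    r"ipv6 ospf encryption ipsec spi (\d+) esp aes-cbc (128|192|256) (?:0 )?([0-9a-fA-F]+)"
    r" (md5|sha1) (?:0 )?([0-9a-fA-F]+)"
)


def parse_ospf_ipsec(config):
    """Return the OSPFv3 IPsec settings found in an interface config block, or None."""
    text = " ".join(line.strip() for line in config.splitlines())  # re-join wrapped key lines
    m = ENC_RE.search(text)
    if m:
        spi, bits, enc_key, auth_alg, auth_key = m.groups()
        return {"mode": "encryption", "spi": int(spi), "enc_bits": bits,
                "enc_key": enc_key.lower(), "auth_alg": auth_alg, "auth_key": auth_key.lower()}
    m = AUTH_RE.search(text)
    if m:
        spi, auth_alg, auth_key = m.groups()
        return {"mode": "authentication", "spi": int(spi), "enc_bits": None,
                "enc_key": None, "auth_alg": auth_alg, "auth_key": auth_key.lower()}
    return None


def _key_length_problems(name, cfg):
    problems = []
    want = AUTH_KEY_HEX_LEN[cfg["auth_alg"]]
    if len(cfg["auth_key"]) != want:
        problems.append(f"{name}: {cfg['auth_alg']} key has {len(cfg['auth_key'])} hex digits, expected {want}")
    if cfg["mode"] == "encryption":
        want = ENC_KEY_HEX_LEN[cfg["enc_bits"]]
        if len(cfg["enc_key"]) != want:
            problems.append(f"{name}: aes-cbc {cfg['enc_bits']} key has {len(cfg['enc_key'])} hex digits, expected {want}")
    return problems


def check_pair(cfg_a, cfg_b, name_a="A", name_b="B"):
    """List every mismatch between two neighbours' settings; an empty list means they agree."""
    a, b = parse_ospf_ipsec(cfg_a), parse_ospf_ipsec(cfg_b)
    problems = [f"{name}: no 'ipv6 ospf authentication/encryption ipsec' line found"
                for name, parsed in ((name_a, a), (name_b, b)) if parsed is None]
    if problems:
        return problems
    if a["mode"] != b["mode"]:
        problems.append(f"mode differs: {name_a}={a['mode']} {name_b}={b['mode']}")
    if a["spi"] != b["spi"]:
        problems.append(f"SPI differs: {name_a}={a['spi']} {name_b}={b['spi']}")
    if a["auth_alg"] != b["auth_alg"]:
        problems.append(f"authentication algorithm differs: {name_a}={a['auth_alg']} {name_b}={b['auth_alg']}")
    if a["auth_key"] != b["auth_key"]:
        problems.append("authentication key differs")
    if a["mode"] == b["mode"] == "encryption" and (a["enc_bits"] != b["enc_bits"] or a["enc_key"] != b["enc_key"]):
        problems.append("encryption algorithm or key differs")
    return problems + _key_length_problems(name_a, a) + _key_length_problems(name_b, b)


# Constructed sample input, copied from the R2/R3 snippets on the page.
R2_AUTH = """interface FastEthernet1/0
 ipv6 address 2000:23::2/64
 ipv6 ospf authentication ipsec spi 256 sha1 0123456789012345678901234567890123456789
 ipv6 ospf 1 area 0
"""
R3_AUTH = R2_AUTH.replace("2000:23::2/64", "2000:23::3/64")
R3_BAD_SPI = R3_AUTH.replace("spi 256", "spi 257")  # constructed mismatch
R2_ENC = """interface FastEthernet1/0
 ipv6 address 2000:23::2/64
 ipv6 ospf encryption ipsec spi 256 esp aes-cbc 256 0123456789012345678901234567890123456789012345678901234567890123 sha1 0123456789012345678901234567890123456789
 ipv6 ospf 1 area 0
"""
R3_ENC = R2_ENC.replace("2000:23::2/64", "2000:23::3/64")

if __name__ == "__main__":
    for label, a, b in (("auth", R2_AUTH, R3_AUTH), ("enc", R2_ENC, R3_ENC), ("bad spi", R2_AUTH, R3_BAD_SPI)):
        print(label, check_pair(a, b, "R2", "R3") or "OK")
```

Run it before pushing the configuration: a silent SPI or key typo on one side simply leaves the adjacency down, and this check finds it faster than reading `debug ipv6 ospf adj` output.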
The authentication is carried in an IPsec AH extension header of the IPv6 packet, and as you
can see it does not encrypt the packet; it only authenticates the exchange
between R2 and R3. So a MITM can still read the content of the OSPF packets that
R2 and R3 exchange.
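To make the "authenticated but not confidential" point concrete, here is an added example (not code from the original post) that models the AH protection with the standard library: an OSPFv3 Hello is built in the RFC 5340 layout, an HMAC-SHA1-96 integrity check value is computed with the 20-byte key from the `sha1` argument above, and the result is inspected from two viewpoints. `observer_view` reads the router ID and timers straight out of the protected frame without any key, while `verify` shows that a frame whose router ID was changed in flight, or one protected with a different key, is rejected. Simplifications are assumptions of this example: the ICV is appended to the OSPF packet instead of living in an AH header between the IPv6 header and the payload, the AH coverage of immutable IPv6 header fields is left out, and the OSPFv3 checksum field is left at zero.

```python
"""Model of OSPFv3 AH integrity protection (HMAC-SHA1-96).
Added example, not from the post; simplified framing, see the lead-in."""
import hashlib
import hmac
import struct

# Key from the post's 'sha1 0123...789' argument: 40 hex digits = 20 raw bytes.
SHA1_KEY = bytes.fromhex("0123456789012345678901234567890123456789")
ICV_LEN = 12  # HMAC-SHA1-96: HMAC-SHA1 output truncated to 96 bits


def dotted_to_int(s):
    return int.from_bytes(bytes(int(o) for o in s.split(".")), "big")


def int_to_dotted(n):
    return ".".join(str(b) for b in n.to_bytes(4, "big"))


def build_ospfv3_hello(router_id, area_id, hello_interval=10, dead_interval=40):
    """Constructed OSPFv3 Hello: 16-byte OSPFv3 header + 20-byte Hello body (no neighbours).
    The checksum field is left at zero; it plays no role in what this example shows."""
    body = struct.pack("!IB3sHHII",
                       1,                 # Interface ID
                       1,                 # Router Priority
                       b"\x00\x00\x13",   # Options: R, E and V6 bits
                       hello_interval, dead_interval,
                       0, 0)              # Designated / Backup Designated Router
    header = struct.pack("!BBHIIHBB",
                         3, 1, 16 + len(body),            # version 3, type 1 = Hello, length
                         dotted_to_int(router_id), area_id,
                         0, 0, 0)                         # checksum (zeroed), instance ID, reserved
    return header + body


def ah_icv(key, packet):
    """ICV as used by OSPFv3 AH: HMAC-SHA1 over the data, truncated to 96 bits."""
    return hmac.new(key, packet, hashlib.sha1).digest()[:ICV_LEN]


def protect(key, packet):
    """Sender side (simplified): OSPF packet followed by its ICV. Nothing is encrypted."""
    return packet + ah_icv(key, packet)


def verify(key, protected):
    """Receiver side: recompute the ICV with the shared key. Returns (authentic, ospf_packet)."""
    packet, icv = protected[:-ICV_LEN], protected[-ICV_LEN:]
    return hmac.compare_digest(ah_icv(key, packet), icv), packet


def observer_view(protected):
    """What anyone on the link sees without the key: header and Hello body are plaintext."""
    version, ptype, _len, rid, area, _cks, _inst, _res = struct.unpack("!BBHIIHBB", protected[:16])
    _ifid, _prio, _opts, hello, dead, _dr, _bdr = struct.unpack("!IB3sHHII", protected[16:36])
    return {"version": version, "type": ptype, "router_id": int_to_dotted(rid),
            "area_id": area, "hello_interval": hello, "dead_interval": dead}


def modify_router_id(protected, new_router_id):
    """Constructed in-flight change of the plaintext router ID, ICV left as is (to show detection)."""
    return protected[:4] + struct.pack("!I", dotted_to_int(new_router_id)) + protected[8:]


if __name__ == "__main__":
    frame = protect(SHA1_KEY, build_ospfv3_hello("2.2.2.2", 0))
    print("visible on the wire without the key:", observer_view(frame))
    print("R3 accepts genuine frame:", verify(SHA1_KEY, frame)[0])
    print("R3 accepts modified frame:", verify(SHA1_KEY, modify_router_id(frame, "9.9.9.9"))[0])
    print("R3 accepts frame under wrong key:", verify(bytes(20), frame)[0])
```

The first line of output is the whole point of the section: every field of the Hello is readable by a passive listener, and only the `esp` configuration in the next section changes that. The two rejections are what the AH configuration buys you, integrity and origin authentication, not secrecy.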
Encryption
R2:
interface FastEthernet1/0
 no ip address
 speed auto
 duplex auto
 ipv6 address 2000:23::2/64
 ipv6 ospf encryption ipsec spi 256 esp aes-cbc 256 0123456789012345678901234567890123456789012345678901234567890123 sha1 0123456789012345678901234567890123456789
 ipv6 ospf 1 area 0
R3:
interface FastEthernet1/0
 no ip address
 speed auto
 duplex auto
 ipv6 address 2000:23::3/64
 ipv6 ospf encryption ipsec spi 256 esp aes-cbc 256 0123456789012345678901234567890123456789012345678901234567890123 sha1 0123456789012345678901234567890123456789
 ipv6 ospf 1 area 0
Now the OSPF packets are fully encrypted with ESP and we can't see
anything, so no MITM here!