Dell EMC SmartFabric OS10 User Guide Release 10.5.0

Unlike OSPFv2, OSPFv3 does not have authentication fields in its protocol header to provide security. To provide authentication and confidentiality, OSPFv3 uses IP Security (IPsec) — a collection of security protocols for authenticating and encrypting data packets. OS10 OSPFv3 supports IPsec using the IPv6 authentication header (AH) or IPv6 encapsulating security payload (ESP).

• AH authentication verifies that data is not altered during transmission and ensures that users are communicating with the intended individual or organization. The authentication header is inserted after the IP header with a value of 51. MD5 and SHA1 authentication types are supported; encrypted and unencrypted keys are supported.
• ESP encryption encapsulates data, enabling data protection that follows in the datagram. The ESP extension header is inserted after the IP header and before the next layer protocol header. 3DES, DES, AES-CBC, and NULL encryption algorithms are supported; encrypted and unencrypted keys are supported.

You can only enable one authentication or encryption security protocol at a time on an interface or for an area. Enable IPsec AH using the ipv6 ospf authentication command; enable IPsec ESP with the ipv6 ospf encryption command.

• A security policy configured for an area is inherited on all interfaces in the area by default.
• A security policy configured on an interface overrides any area-level configured security for the area where the interface is assigned.
• The configured authentication or encryption policy applies to all OSPFv3 packets transmitted on the interface or in the area. The IPsec security associations are the same on inbound and outbound traffic on an OSPFv3 interface.
• There is no maximum AH or ESP header length because the headers have fields with variable lengths.