OSPFv3 Authentication

OSPFv3 IPsec Authentication

The rapid development of networks poses higher requirements for network security. Routing protocol packets that are transmitted on networks may be illegally obtained, changed, or forged, and packet attacks may cause network interruption. Therefore, packets need to be protected.

Standard protocols do not define any authentication mechanisms for OSPFv3. Therefore, OSPFv3 packets do not carry any authentication information.

Standard protocol defines the use of the IP Security (IPsec) mechanism to authenticate OSPFv3 packets.

The IPsec protocol family, which consists of a series of protocols defined by the Internet Engineering Task Force (IETF), provides high-quality, interoperable, and cryptology-based security for IP packets.

By encrypting data and authenticating the data source at the IP layer, communicating parties can ensure confidentiality, data integrity, data source authentication, and anti-replay for the data transmitted across the network.

  • Confidentiality: The data is encrypted and transmitted in cipher text.

  • Data integrity: Received packets are authenticated to check whether they have been modified.

  • Data authentication: The data source is authenticated to ensure that the data is sent from a real sender.

  • Anti-replay: The attacks from malicious users who repeatedly send obtained data packets are prevented. Specifically, the receiver rejects old or repeated data packets.

IPsec adopts two security protocols: Authentication Header (AH) security and Encapsulating Security Payload (ESP):

  • AH: A protocol that provides data origin authentication, data integrity check, and anti-replay protection. AH does not encrypt packets to be protected.

    AH data is carried in the following fields:

    • IP version
    • Header length
    • Packet length
    • Identification
    • Protocol
    • Source and destination addresses
    • Options
  • ESP: A protocol that provides IP packet encryption and authentication mechanisms besides the functions provided by AH. The encryption and authentication mechanisms can be used together or independently.

OSPFv3 Authentication Trailer

Prior to the OSPFv3 Authentication Trailer, OSPFv3 can use only IPsec for authentication. However, on some special networks, a mobile ad hoc network (MANET) for example, IPsec is difficult to deploy and maintain. To address this problem, standard protocol introduces Authentication Trailer for OSPFv3, which provides another approach for OSPFv3 to implement authentication.

In OSPFv3 authentication, an authentication field is added to each OSPFv3 packet for encryption. When a local device receives an OSPFv3 packet from a remote device, the local device discards the packet if the authentication password carried in the packet is different from the local one, which protects the local device against potential attacks. Therefore, OSPFv3 authentication improves network security.

Based on the applicable scope, OSPFv3 authentication is classified as follows:

  • Area authentication

    Area authentication is configured in the OSPFv3 area view and applies to packets received by all interfaces in an OSPF area.

  • Process authentication

    Process authentication is configured in the OSPFv3 view and applies to all packets in an OSPF process.

  • Interface authentication

    Interface authentication is configured in the interface view and applies to all packets received by the interface.

OSPFv3 uses HMAC-SHA256 to authenticate packets. In HMAC-SHA256 authentication, a password is encrypted using the HMAC-SHA256 algorithm before being added to a packet, which improves password security.

Each OSPFv3 packet carries an authentication type in the header and authentication information in the tail.

The authentication types are as follows:

  • 1: simple authentication

  • 2: ciphertext authentication

Networking Application of OSPFv3 Authentication Trailer

Figure 1 OSPFv3 authentication trailer on a broadcast network

The configuration requirements are as follows:

  • Interface authentication configurations must be the same on all devices of the same network so that OSPFv3 neighbor relationships can be established.

  • Area authentication configurations must be the same on all devices in the same area.

Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >