OSPF v3 security

The Host Network Accelerator OSPF v3 implementation supports an optional authentication trailer, similar to OSPF v2 cryptographic authentication and to the authentication used by most other IGPs (IS-IS, RIP, RIPng).

The OSPF v3 authentication trailer is described in RFC 7166.

OSPF v3 authentication configuration

By default, OSPF v3 authentication is disabled.

The OSPF v3 authentication parameters are defined at the interface level.

Configuring cryptographic authentication

OSPF v3 cryptographic authentication appends an authentication trailer at the end of messages, containing a key identifier (the SA ID), a sequence number and a message digest. The message digest is a one-way function of the OSPF v3 protocol packet and a secret key.

First define a key chain in the global / routing context, shared by all routing protocols in all VRFs:

vsr running config# / routing key-chain keychain2 key 3 cryptographic-algorithm hmac-sha256
vsr running config#! / routing key-chain keychain2 key 3 secret K{yp@ss3/&#*314
vsr running config# / routing key-chain keychain2 key 3 accept-lifetime start 2025-02-01@12:42:00
vsr running config# / routing key-chain keychain2 key 3 accept-lifetime end 2025-06-30@23:59:59
vsr running config# / routing key-chain keychain2 key 3 send-lifetime start 2025-02-02@00:00:00
vsr running config# / routing key-chain keychain2 key 3 send-lifetime end 2025-06-29@23:59:59
vsr running config# / routing key-chain keychain2 key 5 cryptographic-algorithm hmac-sha256
vsr running config#! / routing key-chain keychain2 key 5 secret K{yp@ss5/&#*<42>
vsr running config# / routing key-chain keychain2 key 5 accept-lifetime start 2025-02-01@00:00:00
vsr running config# / routing key-chain keychain2 key 5 send-lifetime start 2025-02-02@00:00:00

For each interface, reference the key chain:

vsr running config# / vrf main routing interface eth1 ipv6 ospf6 authentication-key-chain keychain2

Note

accept-lifetime and send-lifetime are optional.

OSPF v3 supports 16-bit key IDs ranging from 0 to 65535.
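
An offline check of the lifetimes in the key chain above, as an added example that is not part of the product documentation: it parses the accept-lifetime and send-lifetime lines, lists which key IDs are valid at a given time, and flags any key whose send window extends outside its accept window. It assumes naive timestamps, inclusive bounds, and that both peers carry the same key chain; the function names are hypothetical.

```python
import re
from datetime import datetime

# Lifetime lines copied from the key chain above (the secrets are not needed here).
CONFIG = """\
/ routing key-chain keychain2 key 3 accept-lifetime start 2025-02-01@12:42:00
/ routing key-chain keychain2 key 3 accept-lifetime end 2025-06-30@23:59:59
/ routing key-chain keychain2 key 3 send-lifetime start 2025-02-02@00:00:00
/ routing key-chain keychain2 key 3 send-lifetime end 2025-06-29@23:59:59
/ routing key-chain keychain2 key 5 accept-lifetime start 2025-02-01@00:00:00
/ routing key-chain keychain2 key 5 send-lifetime start 2025-02-02@00:00:00
"""

LINE = re.compile(r"key-chain (\S+) key (\d+) (accept|send)-lifetime (start|end) (\S+)")
FMT = "%Y-%m-%d@%H:%M:%S"

def parse(config):
    """Return {key_id: {"accept": [start, end], "send": [start, end]}}; None = unbounded."""
    keys = {}
    for m in LINE.finditer(config):
        _, key_id, direction, bound, stamp = m.groups()
        windows = keys.setdefault(int(key_id), {"accept": [None, None], "send": [None, None]})
        windows[direction][1 if bound == "end" else 0] = datetime.strptime(stamp, FMT)
    return keys

def valid_keys(keys, direction, when):
    """Key IDs whose window for `direction` contains `when` (inclusive bounds: assumption)."""
    out = []
    for key_id, windows in sorted(keys.items()):
        start, end = windows[direction]
        if (start is None or start <= when) and (end is None or when <= end):
            out.append(key_id)
    return out

def audit(keys):
    """Flag keys that could be sent at a time when a peer with the same chain rejects them."""
    findings = []
    for key_id, w in sorted(keys.items()):
        (a_start, a_end), (s_start, s_end) = w["accept"], w["send"]
        if a_start is not None and (s_start is None or s_start < a_start):
            findings.append((key_id, "send starts before accept"))
        if a_end is not None and (s_end is None or s_end > a_end):
            findings.append((key_id, "send ends after accept"))
    return findings

if __name__ == "__main__":
    chain = parse(CONFIG)
    print(valid_keys(chain, "send", datetime(2025, 6, 30, 12, 0)), audit(chain))
```

For the key chain shown here, key 5 is the only key valid for sending once key 3's send-lifetime ends, while key 3 is still accepted until the end of 2025-06-30, so the rollover has no gap.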

Disabling OSPF v3 authentication

Remove OSPF v3 authentication on the interface:

vsr running config# del / vrf main routing interface eth1 ipv6 ospf6 authentication-key-chain