Ipsec For Ipv6 Routing Protocols; Ipsec Rri; Protocols And Standards; Implementing Ipsec - HP 12500 Series Configuration Manual


IPsec for IPv6 routing protocols

You can use IPsec to protect routing information and defend against attacks for these IPv6 routing
protocols: OSPFv3, IPv6 BGP, and RIPng. IPsec enables these IPv6 routing protocols to encapsulate
outbound protocol packets and de-encapsulate inbound protocol packets with the AH or ESP protocol.
If an inbound protocol packet is not IPsec protected, or fails to be de-encapsulated, for example, due to
decryption or authentication failure, the routing protocol discards that packet.
You must manually configure the SA parameters in the IPsec policy for IPv6 routing protocols, because
the IKE key exchange mechanism applies only to one-to-one communications. IPsec cannot perform
automatic key exchange for one-to-many communications on a broadcast network, where all routers
must use the same SA parameters (SPI and key) to process packets for a routing protocol.

IPsec RRI

IPsec Reverse Route Inject (RRI) enables an IPsec tunnel gateway to automatically add static routes
destined for protected private networks or peer IPsec tunnel gateways to a routing table. In an MPLS
L3VPN network, IPsec RRI can add static routes to VPN instances' routing tables.
IPsec RRI is applicable to gateways that must provide many IPsec tunnels, for example, a headquarters
gateway. It frees you from the tedious work of manually configuring and maintaining static routes for
IPsec tunnels. For example, if you enable RRI on Device A in Figure 61, Device A can automatically
create a static route to branch network 192.168.2.0/24 for the IPsec protected traffic from the
headquarters to the branch. You do not have to manually add the route by configuring the
ip route-static 192.168.2.0 255.255.255.0 2.2.2.2 command.
Figure 61 An IPsec VPN
You can advertise the static routes created by IPsec RRI in the internal network. IPsec RRI can quickly
create new routes for forwarding IPsec VPN traffic when an active link fails in a load balanced or stateful
failover environment, or when IPsec VPN traffic cannot reach the peer gateway through the default local
gateway.
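As an added illustration (not code from the HP manual), the following Python model shows what RRI derives: from each IPsec policy entry's peer gateway and ACL destination networks it produces the same static routes you would otherwise enter by hand, and withdraws them when the tunnel is down. The data structures, the headquarters network 192.168.1.0/24 and the VPN-instance field are assumptions of the model, not manual content.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class StaticRoute:
    prefix: str                         # destination network, CIDR form
    next_hop: str                       # IPsec peer tunnel gateway
    vpn_instance: Optional[str] = None  # MPLS L3VPN instance; None = public table


@dataclass
class IpsecPolicyEntry:
    """Modeled policy entry (hypothetical structure): the remote gateway and the
    ACL permit rules (source, destination) that select the traffic to protect."""
    remote_address: str
    acl_rules: List[Tuple[str, str]]
    vpn_instance: Optional[str] = None
    tunnel_up: bool = True


def rri_routes(entry: IpsecPolicyEntry) -> Set[StaticRoute]:
    """Routes RRI injects for one entry: each protected destination network and
    the peer gateway itself, all via the peer. A failed tunnel injects nothing,
    so no stale route is left pointing at an unreachable peer."""
    if not entry.tunnel_up:
        return set()
    routes = {StaticRoute(str(ip_network(dst, strict=False)),
                          entry.remote_address, entry.vpn_instance)
              for _src, dst in entry.acl_rules}
    routes.add(StaticRoute(str(ip_network(entry.remote_address)),
                           entry.remote_address, entry.vpn_instance))
    return routes


def routing_table(entries: List[IpsecPolicyEntry]) -> Set[StaticRoute]:
    """Recompute all RRI-derived routes, as a gateway would after a tunnel
    comes up or an active link fails."""
    return set().union(*(rri_routes(e) for e in entries))


def as_cli(route: StaticRoute) -> str:
    """Equivalent manual command in the form of the manual's example
    (public routing table only)."""
    net = ip_network(route.prefix)
    return f"ip route-static {net.network_address} {net.netmask} {route.next_hop}"


# Constructed sample modeled on Figure 61: headquarters 192.168.1.0/24 (assumed)
# to branch 192.168.2.0/24 through peer gateway 2.2.2.2.
HQ_TO_BRANCH = IpsecPolicyEntry("2.2.2.2", [("192.168.1.0/24", "192.168.2.0/24")])

if __name__ == "__main__":
    for r in sorted(routing_table([HQ_TO_BRANCH]), key=lambda r: r.prefix):
        print(as_cli(r))
```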

Protocols and standards

RFC 2401, Security Architecture for the Internet Protocol
RFC 2402, IP Authentication Header
RFC 2406, IP Encapsulating Security Payload
RFC 4552, Authentication/Confidentiality for OSPFv3

Implementing IPsec

IPsec can be implemented based on ACLs or applications:
ACL-based IPsec uses ACLs to identify the data flows to be protected. To implement ACL-based IPsec,
configure IPsec policies, reference ACLs in the policies, and apply the policies to physical interfaces
