Brocade Communications Systems FastIron SX 800 Configuration Manual page 314

Configuring OSPFv3
Interface and area IPsec considerations
This section describes the precedence of interface and area IPsec configurations.
If you configure an interface IPsec by using the ipv6 ospf authentication command in the context of a specific interface, that interface's
IPsec configuration overrides the area configuration of IPsec.
If you configure IPsec for an area, all interfaces that utilize the area-wide IPsec (where interface-specific IPsec is not configured)
nevertheless receive an SPD entry (and SPDID number) that is unique for the interface.
The area-wide SPI that you specify is a constant for all interfaces in the area that use the area IPsec, but the use of different interfaces
results in an SPDID and an SA that are unique to each interface. The security policy database depends partly on the source IP address,
so a unique SPD for each interface results.
Considerations for IPsec on virtual links
The IPsec configuration for a virtual link is global, so only one security association database and one security policy database exist for
virtual links if you choose to configure IPsec for virtual links.
The virtual link IPsec SAs and policies are added to all interfaces of the transit area for the outbound direction. For the inbound direction,
IPsec SAs and policies for virtual links are added to the global database.
NOTE
The security association (SA), security protocol index (SPI), security protocol database (SPD), and key have mutual
dependencies, as the subsections that follow describe.
Specifying the key rollover timer
Configuration changes for authentication takes effect in a controlled manner through the key rollover procedure as specified in RFC
4552, Section 10.1. The key rollover timer controls the timing of the existing configuration changeover. The key rollover timer can be
configured in the IPv6 router OSPF context, as the following example illustrates.
device(config-ospf6-router)# key-rollover-interval 200
Syntax: key-rollover-interval time
The range for the key-rollover-interval is 0 through 14400 seconds. The default is 300 seconds.
Specifying the key add remove timer
The key-add-remove timer is used in an environment where interoperability with other vendors is required on a specific interface. This
parameter is used to determine the interval time when authentication addition and deletion will take effect.
The key-add-remove-interval timer can be used to set the required value globally, or on a specific interface as needed. Interface
configuration takes preference over system level configuration.
By default, the key-add-remove-interval is set to 300 seconds to smoothly interoperate with Brocade routers.
To set the key-add-remove-interval globally to 100 seconds, enter the following commands:
device(config-ospf6-router)# key-add-remove-interval 100
To set the key-add-remove-interval to 100 seconds on a specific interface, enter the following command:
device(config-if-e1000-1/1/10)#ipv6 ospf authentication ipsec key-add-remove-interval 100
Syntax: [no] ipv6 ospf authentication ipsec key-add-remove-interval range
314
FastIron Ethernet Switch Layer 3 Routing
53-1003627-04