IPsec for IPv6 routing protocols
You can use IPsec to protect routing information and defend against attacks for IPv6 routing protocols.
The S5500-EI switches support using IPsec for OSPFv3, IPv6 BGP, and RIPng; the S5500-SI switches only
support using IPsec for RIPng.
IPsec enables these IPv6 routing protocols to encapsulate outbound protocol packets and de-encapsulate
inbound protocol packets with the AH or ESP protocol. If an inbound protocol packet is not IPsec
protected, or fails to be de-encapsulated, for example, due to decryption or authentication failure, the
routing protocol discards that packet.
You must manually configure SA parameters in an IPsec policy for IPv6 routing protocols. The IKE key
exchange mechanism is applicable only to one-to-one communications. IPsec cannot implement
automatic key exchange for one-to-many communications on a broadcast network, where routers must
use the same SA parameters (SPI and key) to process packets for a routing protocol.
Protocols and standards
Protocols and standards relevant to IPsec are as follows:
RFC 2401, Security Architecture for the Internet Protocol
•
RFC 2402, IP Authentication Header
•
RFC 2406, IP Encapsulating Security Payload
•
RFC 4552, Authentication/Confidentiality for OSPFv3
•
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features,
commands, and parameters might differ in FIPS mode (see
Configuring IPsec
IPsec can be implemented based on ACLs or applications:
ACL-based IPsec uses ACLs to identify the data flows to be protected. To implement ACL-based IPsec,
•
configure IPsec policies, reference ACLs in the policies, and apply the policies to physical interfaces
(see
"Implementing ACL-based
implementing IPsec flexibly.
•
Application-based IPsec protects the packets of a service. This IPsec implementation method can be
used to protect IPv6 routing protocols. It does not require any ACL, nor does it depend on the
routing mechanism. To configure service-based IPsec, configure manual IPsec policies and bind the
policies to an IPv6 routing protocol. See
Implementing ACL-based IPsec
To ensure a successful ACL-based IPsec setup, read the feature restrictions and guidelines carefully before
you configure an ACP-based IPsec tunnel.
IPsec"). By using ACLs, you can customize IPsec policies as needed,
"Configuring IPsec for IPv6 routing
283
"Configuring
FIPS") and non-FIPS mode.
protocols."