273
IPsec for IPv6 routing protocols
You can use IPsec to protect routing information and defend against attacks for these IPv6 routing
protocols: OSPFv3, IPv6 BGP, and RIPng. IPsec enables these IPv6 routing protocols to encapsulate
outbound protocol packets and de-encapsulate inbound protocol packets with the AH or ESP protocol.
If an inbound protocol packet is not IPsec protected, or fails to be de-encapsulated, for example, due to
decryption or authentication failure, the routing protocol discards that packet.
You must manually configure SA parameters in an IPsec policy for IPv6 routing protocols. The IKE key
exchange mechanism is applicable only to one-to-one communications. IPsec cannot implement
automatic key exchange for one-to-many communications on a broadcast network, where routers must
use the same SA parameters (SPI and key) to process packets for a routing protocol.
Protocols and standards
Protocols and standards relevant to IPsec are as follows:
• RFC 2401, Security Architecture for the Internet Protocol
• RFC 2402, IP Authentication Header
• RFC 2406, IP Encapsulating Security Payload
• RFC 4552, Authentication/Confidentiality for OSPFv3
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features,
commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non
-FIPS mode.
Configuring IPsec
IPsec can be implemented based on ACLs or applications:
• ACL-based IPsec uses ACLs to identify the data flows to be protected. To implement ACL-based IPsec,
configure IPsec policies, reference ACLs in the policies, and apply the policies to physical interfaces
(see “Implementing ACL-based IPsec“)
. By using ACLs, you can customize IPsec policies as needed,
implementing IPsec flexibly.
• Application-based IPsec protects the packets of a service. This IPsec implementation method can be
used to protect IPv6 routing protocols. It does not require any ACL, nor does it depend on the
routing mechanism. To configure service-based IPsec, configure manual IPsec policies and bind the
policies to an IPv6 routing protocol. See “Configuring IPsec for IPv6 routing protocols.“
Implementing ACL-based IPsec
Feature restrictions and guidelines
ACL-based IPsec can protect only traffic that is generated by the device and traffic that is destined for the
device. You cannot use an ACL-based IPsec tunnel to protect user traffic. In the ACL that is used to identify
IPsec protected traffic, ACL rules that match traffic forwarded through the device do not take effect. For
To Next Page
Loading...
Need help?
General