
Securing OSPFv3 with GDOI

kasper123
Level 4

Hi,

I have a GDOI setup that encrypts IPv6 traffic between routers. I would also like to encrypt the OSPFv3 between those routers but wasn't able to get it working yet.

What access list entries do I need to use to encrypt the OSPFv3 traffic?

Thank you in advance.

8 Replies

@kasper123 you don't, you explicitly do not encrypt routing protocol traffic when using GETVPN.

@Rob Ingram why not? This traffic also needs to be encrypted but without OSPFv3 encryption.

As GDOI is already in place I have a requirement to use it also for this.

@kasper123 because you are relying on the routing protocol to route those encrypted packets.

@Rob Ingram no, the routers are in the same subnet and I don't rely on this routing protocol to route the encrypted packets.

So finally you decide to use GET to secure the OSPF.
Can you draw the topology and include the KS location?

You need an ACL with GET.

@MHM Cisco World routers are in different sites connected over xconnect. Effectively they are in the same L2 domain with IPv6 addresses in the same subnet.

KS server is independent and running over IPv4. I encrypt only IPv6 with GDOI.

The ACL used in the GM works like a filter, to filter which traffic will be secured and which will not.
The ACL will start with deny for control traffic; control traffic includes the routing protocol that makes the GM and KS reachable.
And after the deny for control traffic you can add only permit any any.
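
An added example, not part of the thread and not any poster's configuration: a small first-match model of the ACL ordering described in the last reply, showing what happens to OSPFv3 when the deny comes first and when the same entries are reversed. Treating protocol 89 (OSPF) as the control traffic, the rule format and the sample packets are assumptions of this sketch.

```python
"""First-match model of a GETVPN-style crypto ACL: deny = leave in clear, permit = encrypt."""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Optional

OSPF = 89   # IP protocol / IPv6 next-header number used by OSPFv3
TCP = 6
ANY = IPv6Network("::/0")

@dataclass(frozen=True)
class Rule:
    action: str                   # "deny" (bypass encryption) or "permit" (encrypt)
    proto: Optional[int] = None   # None matches any protocol
    src: IPv6Network = ANY
    dst: IPv6Network = ANY

    def matches(self, proto, src, dst):
        return ((self.proto is None or self.proto == proto)
                and IPv6Address(src) in self.src
                and IPv6Address(dst) in self.dst)

def classify(acl, proto, src, dst):
    """Return 'encrypt' or 'clear' for one packet; the first matching rule wins."""
    for rule in acl:
        if rule.matches(proto, src, dst):
            return "encrypt" if rule.action == "permit" else "clear"
    return "clear"   # this model treats unmatched traffic as not selected for encryption

# Order described in the thread: deny control traffic first, then permit any any.
# Treating protocol 89 as the control traffic is this example's assumption.
DENY_FIRST = [Rule("deny", OSPF), Rule("permit")]
# Same entries reversed: the broad permit shadows the deny.
PERMIT_FIRST = [Rule("permit"), Rule("deny", OSPF)]

# Constructed packets (2001:db8::/32 is the documentation prefix).
PACKETS = {
    "ospfv3-hello": (OSPF, "fe80::1", "ff02::5"),
    "ospfv3-unicast": (OSPF, "2001:db8:1::1", "2001:db8:1::2"),
    "tcp-data": (TCP, "2001:db8:1::1", "2001:db8:1::2"),
}

def evaluate(acl):
    """Classify every constructed packet against one ACL."""
    return {name: classify(acl, *pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, acl in (("deny first", DENY_FIRST), ("permit first", PERMIT_FIRST)):
        print(label, evaluate(acl))
```
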