Applying an IPsec profile
To protect routing information and prevent attacks, OSPFv3 can authenticate protocol packets by using an IPsec profile. For more information about IPsec profiles, see Security Configuration Guide.
Outbound OSPFv3 packets carry the Security Parameter Index (SPI) defined in the relevant IPsec profile. A device compares the SPI carried in a received packet against the SPI in its configured IPsec profile. If they match, the device accepts the packet. Otherwise, the device discards the packet and does not establish a neighbor relationship with the sending device.
You can configure an IPsec profile for an area, an interface, a virtual link, or a sham link.
To implement area-based IPsec protection, configure the same IPsec profile on the routers in the target area.
To implement interface-based IPsec protection, configure the same IPsec profile on the interfaces between two neighboring routers.
To implement virtual link-based IPsec protection, configure the same IPsec profile on the two routers connected over the virtual link.
To implement sham link-based IPsec protection, configure the same IPsec profile on the two routers connected over the sham link. For information about sham links, see MPLS Configuration Guide.
If an interface and its area each have an IPsec profile configured, the interface uses its own IPsec profile.
If a virtual link and area 0 each have an IPsec profile configured, the virtual link uses its own IPsec profile.
If a sham link and its area each have an IPsec profile configured, the sham link uses its own IPsec profile.
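The following Python audit is an added example, not vendor code: it resolves the effective IPsec profile on each end of a link using the precedence rules above and reports links that are unprotected or whose ends would discard each other's packets. The inventory layout, router and profile names, and SPI values are constructed, and each profile is simplified to a single SPI.

```python
# Added example (not vendor code). Inventory layout, names and SPI values are constructed.
ROUTERS = {
    "R1": {"spi": {"area1": 1001, "if-special": 1500},
           "areas": {"1": "area1"},
           "links": {"GE1/0/1": {"area": "1"},
                     "GE1/0/2": {"area": "1", "profile": "if-special"},
                     "GE1/0/3": {"area": "0"}}},
    "R2": {"spi": {"area1": 1001},
           "areas": {"1": "area1"},
           "links": {"GE1/0/1": {"area": "1"}, "GE1/0/2": {"area": "1"}}},
    "R3": {"spi": {}, "areas": {},
           "links": {"GE1/0/1": {"area": "0"}}},
}
ADJACENCIES = [
    (("R1", "GE1/0/1"), ("R2", "GE1/0/1")),
    (("R1", "GE1/0/2"), ("R2", "GE1/0/2")),
    (("R1", "GE1/0/3"), ("R3", "GE1/0/1")),
]

def effective_profile(router, link):
    """A profile set on the link itself (interface, virtual link, sham link)
    takes precedence over the profile set on the link's area."""
    cfg = router["links"][link]
    return cfg.get("profile") or router["areas"].get(cfg["area"])

def audit(routers, adjacencies):
    """Return (end_a, end_b, finding) for every adjacency that is unprotected
    or whose two ends would not accept each other's SPI."""
    findings = []
    for (ra, la), (rb, lb) in adjacencies:
        pa = effective_profile(routers[ra], la)
        pb = effective_profile(routers[rb], lb)
        spi_a = routers[ra]["spi"].get(pa)   # None if no profile or undefined name
        spi_b = routers[rb]["spi"].get(pb)
        if pa is None and pb is None:
            findings.append((f"{ra}:{la}", f"{rb}:{lb}", "unprotected"))
        elif spi_a is None or spi_b is None or spi_a != spi_b:
            findings.append((f"{ra}:{la}", f"{rb}:{lb}", "mismatch"))
    return findings

if __name__ == "__main__":
    for finding in audit(ROUTERS, ADJACENCIES):
        print(finding)
```

In the constructed data, the interface-level profile on R1 GE1/0/2 overrides the area profile on one end only, so that link is reported as a mismatch even though both routers share the area 1 profile.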
To apply an IPsec profile to an area:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter OSPFv3 view. | ospfv3 [ process-id \| vpn-instance vpn-instance-name ] * | N/A |
3. Enter OSPFv3 area view. | area area-id | N/A |
4. Apply an IPsec profile to the area. | enable ipsec-profile profile-name | By default, no IPsec profile is applied. |
To apply an IPsec profile to an interface:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Apply an IPsec profile to the interface. | ospfv3 ipsec-profile profile-name | By default, no IPsec profile is applied. |
To apply an IPsec profile to a virtual link:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter OSPFv3 view. | ospfv3 [ process-id \| vpn-instance vpn-instance-name ] * | N/A |
3. Enter OSPFv3 area view. | area area-id | N/A |
4. Apply an IPsec profile to a virtual link. | vlink-peer router-id [ dead seconds \| hello seconds \| instance instance-id \| retransmit seconds \| trans-delay seconds \| ipsec-profile profile-name ] * | By default, no IPsec profile is applied. |
To apply an IPsec profile to a sham link:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter OSPFv3 view. | ospfv3 [ process-id \| vpn-instance vpn-instance-name ] * | N/A |
3. Enter OSPFv3 area view. | area area-id | N/A |
4. Apply an IPsec profile to a sham link. | sham-link source-ipv6-address destination-ipv6-address [ cost cost \| dead dead-interval \| hello hello-interval \| instance instance-id \| ipsec-profile profile-name \| retransmit retrans-interval \| trans-delay delay ] * | By default, no IPsec profile is applied. |