Configure OSPFv3 IPsec on the interfaces of devices that are OSPFv3 neighbors in an OSPFv3 network, so that forged OSPFv3 protocol packets cannot be used to attack the devices.
Networking Requirements
As shown in Figure 1, RouterA and RouterB are connected across a public network and run OSPFv3 between them. If no authentication mechanism is defined, the routing protocol packets exchanged between RouterA and RouterB can be modified or forged by an attacker on the network, tearing down the adjacency between RouterA and RouterB or injecting incorrect routes.
To prevent this, an IPsec security tunnel is configured between RouterA and RouterB to protect the OSPFv3 packets they send and receive. The security protocol is ESP (Encapsulating Security Payload) and the authentication algorithm is SHA-1 (Secure Hash Algorithm-1).
Configuration Roadmap
The roadmap for configuring IPsec for OSPFv3 is as follows:
Configure basic OSPFv3 functions so that RouterA and RouterB can establish OSPFv3 routes.
Configure an IPsec proposal to determine the security protocol, authentication algorithm and other parameters to be used.
Configure the security association (SA) parameters.
Apply the SA to the OSPFv3 process so that IPsec protects the OSPFv3 routing protocol packets exchanged between RouterA and RouterB.
Data Preparation
To complete the configuration, you need the following data:
Device name | Router ID | Process ID | IPv6 address | Security parameter index (SPI) | String key |
RouterA | 1.1.1.1 | 1 | GE1/0/1: 2001:DB8:100::1/64 | 12345 | Huawei-123 |
RouterB | 2.2.2.2 | 1 | GE1/0/1: 2001:DB8:100::2/64 | 12345 | Huawei-123 |
Procedure
- Configure OSPFv3 on RouterA and RouterB.
# Configure RouterA.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] ospfv3 1
[RouterA-ospfv3-1] router-id 1.1.1.1
[RouterA-ospfv3-1] area 1
[RouterA-ospfv3-1-area-0.0.0.1] quit
[RouterA-ospfv3-1] quit
# Configure RouterB.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] ospfv3 1
[RouterB-ospfv3-1] router-id 2.2.2.2
[RouterB-ospfv3-1] area 1
[RouterB-ospfv3-1-area-0.0.0.1] quit
[RouterB-ospfv3-1] quit
- Configure IPv6 addresses on the interfaces and enable OSPFv3 on them.
# Configure RouterA.
[RouterA] ipv6
[RouterA] interface gigabitethernet1/0/1
[RouterA-GigabitEthernet1/0/1] ipv6 enable
[RouterA-GigabitEthernet1/0/1] ipv6 address 2001:DB8:100::1 64
[RouterA-GigabitEthernet1/0/1] ospfv3 1 area 1
[RouterA-GigabitEthernet1/0/1] quit
# Configure RouterB.
[RouterB] ipv6
[RouterB] interface gigabitethernet1/0/1
[RouterB-GigabitEthernet1/0/1] ipv6 enable
[RouterB-GigabitEthernet1/0/1] ipv6 address 2001:DB8:100::2 64
[RouterB-GigabitEthernet1/0/1] ospfv3 1 area 1
[RouterB-GigabitEthernet1/0/1] quit
- Create an IPsec proposal on RouterA and RouterB.
# Create an IPsec proposal on RouterA.
[RouterA] ipsec proposal proposal1
[RouterA-ipsec-proposal-proposal1] encapsulation-mode transport
[RouterA-ipsec-proposal-proposal1] transform esp
[RouterA-ipsec-proposal-proposal1] undo esp encryption-algorithm
[RouterA-ipsec-proposal-proposal1] esp authentication-algorithm sha1
[RouterA-ipsec-proposal-proposal1] quit
# Create an IPsec proposal on RouterB.
[RouterB] ipsec proposal proposal2
[RouterB-ipsec-proposal-proposal2] encapsulation-mode transport
[RouterB-ipsec-proposal-proposal2] transform esp
[RouterB-ipsec-proposal-proposal2] undo esp encryption-algorithm
[RouterB-ipsec-proposal-proposal2] esp authentication-algorithm sha1
[RouterB-ipsec-proposal-proposal2] quit
# Run the display ipsec proposal command on RouterA and RouterB to view the configuration. The output on RouterA is used as an example.
[RouterA] display ipsec proposal
Total IP security proposal number: 1
IP security proposal name: proposal1
encapsulation mode: transport
transform: esp-new
ESP protocol: authentication MD5-HMAC-96, not use encryption
- Configure an IPsec SA on RouterA and RouterB and apply the proposal to the SA.
# Configure an IPsec SA on RouterA and apply the proposal to it.
[RouterA] ipsec sa sa1
[RouterA-ipsec-sa-sa1] proposal proposal1
[RouterA-ipsec-sa-sa1] quit
# Configure an IPsec SA on RouterB and apply the proposal to it.
[RouterB] ipsec sa sa2
[RouterB-ipsec-sa-sa2] proposal proposal2
[RouterB-ipsec-sa-sa2] quit
- Configure the security parameter index (SPI) and string keys on RouterA and RouterB.
# Configure the SPI and string keys on RouterA.
[RouterA] ipsec sa sa1
[RouterA-ipsec-sa-sa1] sa spi inbound esp 12345
[RouterA-ipsec-sa-sa1] sa spi outbound esp 12345
[RouterA-ipsec-sa-sa1] sa string-key inbound esp Huawei-123
[RouterA-ipsec-sa-sa1] sa string-key outbound esp Huawei-123
[RouterA-ipsec-sa-sa1] quit
# Configure the SPI and string keys on RouterB.
[RouterB] ipsec sa sa2
[RouterB-ipsec-sa-sa2] sa spi outbound esp 12345
[RouterB-ipsec-sa-sa2] sa spi inbound esp 12345
[RouterB-ipsec-sa-sa2] sa string-key outbound esp Huawei-123
[RouterB-ipsec-sa-sa2] sa string-key inbound esp Huawei-123
[RouterB-ipsec-sa-sa2] quit
- Apply the SA to the OSPFv3 process.
# Apply the SA to the OSPFv3 process on RouterA.
[RouterA] ospfv3 1
[RouterA-ospfv3-1] ipsec sa sa1
[RouterA-ospfv3-1] quit
# Apply the SA to the OSPFv3 process on RouterB.
[RouterB] ospfv3 1
[RouterB-ospfv3-1] ipsec sa sa2
[RouterB-ospfv3-1] quit
- Verify the configuration.
# Run the display ipsec sa command on RouterA and RouterB to view the configuration. The output on RouterA is used as an example.
[RouterA] display ipsec sa
IP security association name: sa1
Number of references: 1
proposal name: proposal1
inbound AH setting:
AH spi:
AH string-key:
AH authentication hex key:
inbound ESP setting:
ESP spi: 12345 (0x3039)
ESP string-key: b{br9\zi%X+/Y@:Y>Lw(L\v#
ESP encryption hex key:
ESP authentication hex key:
outbound AH setting:
AH spi:
AH string-key:
AH authentication hex key:
outbound ESP setting:
ESP spi: 12345 (0x3039)
ESP string-key: D0>GQf"}w2@X,k6.E\Z,z\{#
ESP encryption hex key:
ESP authentication hex key:
# Run the display ipsec statistics command to view packet statistics, including the numbers of inbound and outbound security packets and of dropped packets. If inbound and outbound security packets have been counted, the configuration is successful. For example:
[RouterA] display ipsec statistics
IPv6 security packet statistics:
input/output security packets: 184/19
input/output security bytes: 13216/1312
input/output dropped security packets: 0/0
dropped security packet detail:
memory process problem: 0
can't find SA: 0
queue is full: 0
authentication is failed: 0
wrong length: 0
replay packet: 0
too long packet: 0
invalid SA: 0
policy deny: 0
the normal packet statistics:
input/output dropped normal packets: 0/0
IPv4 security packet statistics:
input/output security packets: 0/0
input/output security bytes: 0/0
input/output dropped security packets: 0/0
dropped security packet detail:
memory process problem: 0
can't find SA: 0
queue is full: 0
authentication is failed: 0
wrong length: 0
replay packet: 0
too long packet: 0
invalid SA: 0
policy deny: 0
the normal packet statistics:
input/output dropped normal packets: 0/0
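The check on the display ipsec statistics output described above can be automated. The following is an added example, not part of this page or of Huawei's software: it parses a constructed sample in the shape of that output, applies the page's success criterion (security packets counted in both directions), and flags the drop reasons that indicate the SA rejected packets (authentication failures, replays, unknown or invalid SA), which is where forged or replayed OSPFv3 traffic would show up.

```python
import re

# Constructed sample in the shape of this page's "display ipsec statistics" output, with the
# IPv6 drop counters altered to show what rejected forged and replayed packets look like.
SAMPLE_STATS = """\
IPv6 security packet statistics:
input/output security packets: 184/19
input/output security bytes: 13216/1312
input/output dropped security packets: 3/0
dropped security packet detail:
can't find SA: 0
queue is full: 0
authentication is failed: 2
replay packet: 1
invalid SA: 0
policy deny: 0
the normal packet statistics:
input/output dropped normal packets: 0/0
IPv4 security packet statistics:
input/output security packets: 0/0
"""

COUNTER = re.compile(r"^(.+?):\s*(\d+)(?:/(\d+))?$")  # "name: n" or "name: in/out"

def parse_ipsec_statistics(text):
    """Return {family: {counter: int | (in, out)}} from the display output."""
    stats, family = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("security packet statistics:"):   # "IPv6 ..." / "IPv4 ..."
            family = line.split()[0]
            stats[family] = {}
            continue
        m = COUNTER.match(line)
        if m and family is not None:                     # skip sub-headers without a value
            name, a, b = m.group(1), int(m.group(2)), m.group(3)
            stats[family][name] = (a, int(b)) if b is not None else a
    return stats

# Each of these drop reasons is a packet the SA refused; non-zero counts deserve a look.
SUSPICIOUS = ("authentication is failed", "replay packet", "can't find SA", "invalid SA")

def assess(stats, family="IPv6"):
    """Apply the page's success criterion (security packets counted in both directions)."""
    fam = stats.get(family, {})
    rx, tx = fam.get("input/output security packets", (0, 0))
    return {"protected": rx > 0 and tx > 0,
            "drops": {k: fam[k] for k in SUSPICIOUS if fam.get(k, 0)}}
```

A steadily rising "authentication is failed" or "replay packet" count with the adjacency still up means the SA is doing its job; a zero security packet count in either direction means OSPFv3 traffic is not being protected at all.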
Configuration Files
Configuration file of RouterA
#
sysname RouterA
#
ipsec proposal proposal1
encapsulation-mode transport
esp authentication-algorithm sha1
undo esp encryption-algorithm
#
ipsec sa sa1
proposal proposal1
sa spi inbound esp 12345
sa string-key inbound esp cipher %^%#b{br9\zi%X+/Y@:Y>Lw(L\v#%^%#
sa spi outbound esp 12345
sa string-key outbound esp cipher %^%#D0>GQf"}w2@X,k6.E\Z,z\{#%^%#
#
ospfv3 1
router-id 1.1.1.1
ipsec sa sa1
area 0.0.0.1
#
ipv6
#
interface GigabitEthernet1/0/1
undo shutdown
ipv6 enable
ipv6 address 2001:DB8:100::1/64
ospfv3 1 area 0.0.0.1
#
Configuration file of RouterB
#
sysname RouterB
#
ipsec proposal proposal2
encapsulation-mode transport
esp authentication-algorithm sha1
undo esp encryption-algorithm
#
ipsec sa sa2
proposal proposal2
sa spi inbound esp 12345
sa string-key inbound esp cipher %^%#VlrZ=1vTW":z9:%F`[a=o[t#%^%#
sa spi outbound esp 12345
sa string-key outbound esp cipher %^%#)YTP%@nFE7bL^B&WSBiQ1[p#%^%#
#
ospfv3 1
router-id 2.2.2.2
ipsec sa sa2
area 0.0.0.1
#
ipv6
#
interface GigabitEthernet1/0/1
undo shutdown
ipv6 enable
ipv6 address 2001:DB8:100::2/64
ospfv3 1 area 0.0.0.1
#
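With manually keyed SAs the usual mistake is a proposal or SPI that does not line up between the two peers, which only shows up as a silently failing adjacency. The following added example, which is not part of this page or of Huawei's software, parses the proposal, SA and OSPFv3 sections of the two configuration files above and checks them against each other; child lines are indented as in a real configuration file, and the string-key lines are omitted because the cipher text differs per device and cannot be compared.

```python
# Constructed sample: the proposal, SA and OSPFv3 sections of RouterA's configuration file on
# this page (key lines omitted); RouterB's copy is derived from it with the object names changed.
ROUTER_A = """\
ipsec proposal proposal1
 encapsulation-mode transport
 esp authentication-algorithm sha1
 undo esp encryption-algorithm
#
ipsec sa sa1
 proposal proposal1
 sa spi inbound esp 12345
 sa spi outbound esp 12345
#
ospfv3 1
 ipsec sa sa1
"""
ROUTER_B = ROUTER_A.replace("proposal1", "proposal2").replace("sa1", "sa2")

def parse_config(text):
    """Collect the ipsec proposal, ipsec sa and ospfv3 objects that IPsec for OSPFv3 relies on."""
    cfg, cur = {"proposal": {}, "sa": {}, "ospfv3": {}}, None
    for line in text.splitlines():
        w = line.split()
        if not line.startswith(" "):               # top level: object header, "#" separator or other
            cur = None
            if w[:2] == ["ipsec", "proposal"]: cur = cfg["proposal"].setdefault(w[2], {})
            elif w[:2] == ["ipsec", "sa"]:     cur = cfg["sa"].setdefault(w[2], {})
            elif w[:1] == ["ospfv3"]:          cur = cfg["ospfv3"].setdefault(w[1], {})
        elif cur is not None and w:                 # attribute line of the current object
            if w[0] == "encapsulation-mode":                   cur["mode"] = w[1]
            elif w[:2] == ["esp", "authentication-algorithm"]: cur["auth"] = w[2]
            elif w[0] == "proposal":                           cur["proposal"] = w[1]
            elif w[:2] == ["sa", "spi"]:                       cur["spi_" + w[2]] = int(w[4])
            elif w[:2] == ["ipsec", "sa"]:                     cur["sa"] = w[2]  # SA applied to the process
    return cfg

def check_peers(a, b, proc="1"):
    """Return findings; an empty list means both peers' settings for OSPFv3 process `proc` agree."""
    def resolve(cfg):  # ospfv3 process -> applied SA -> proposal (KeyError if a link is missing)
        sa = cfg["sa"][cfg["ospfv3"][proc]["sa"]]
        return sa, cfg["proposal"][sa["proposal"]]
    (sa_a, p_a), (sa_b, p_b) = resolve(a), resolve(b)
    findings = []
    if p_a != p_b:
        findings.append(f"proposal mismatch: {p_a} vs {p_b}")
    if not p_a.get("auth"):
        findings.append("ESP without an authentication algorithm cannot detect forged OSPFv3 packets")
    if (sa_a.get("spi_inbound"), sa_a.get("spi_outbound")) != (sa_b.get("spi_outbound"), sa_b.get("spi_inbound")):
        findings.append("SPI mismatch: each side's inbound SPI must equal the peer's outbound SPI")
    return findings
```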