Technical Documentation
New
Related Documentation
Understanding OSPFv3 Authentication
OSPFv3 does not have a built-in authentication method and relies on IPsec to provide this functionality. OSPFv3 uses the IP authentication header (AH) and the IP Encapsulating Security Payload (ESP) portions of the IPsec Protocol to authenticate routing information. You can secure specific OSPFv3 interfaces and protect OSPFv3 virtual links.
Use ESP with NULL encryption to provide authentication to the OSPFv3 protocol headers only. Use AH to provide authentication to the OSPFv3 protocol headers, portions of the IPv6 header, and portions of the extension headers. Use ESP with non-NULL encryption for full confidentiality. You configure the actual IPsec authentication separately.
The following restrictions apply to IPsec authentication for OSPFv3:
- Dynamic IKE SAs are not supported.
- Only IPsec transport mode is supported. Tunnel mode is not supported.
- Because only bidirectional manual SAs are supported, all OSPFv3 peers must be configured with the same IPsec SA. You configure a manual bidirectional SA at the [edit security ipsec] hierarchy level.
- You must configure the same IPsec SA for all virtual links with the same remote endpoint address.
