Ethernet Switches & Routers

Occasional Contributor
Posts: 12
Registered: ‎02-21-2013

OSPFv3 encryption between Brocade and Cisco possible?

I may be misunderstanding something, but I've not been able to get Brocade and Cisco equipment to talk OSPFv3 with authentication or encryption enabled.  I'm probably confused but I think my Brocade devices are setting up neighbors without authentication even when it's specified, on both FastIron SX and MLXe platforms.

Here's what I've run into. I'm adding SX800s and MLXes to a network that includes Cisco IOS and IOS-XE devices.

  • Brocade's manual for both platforms points out that the only supported authentication algorithm is SHA1.
  • The manuals also point out that the only authentication protocol is ESP.
  • The manuals make no mention of an encryption algorithm for the payload, nor do the relevant commands have an option for it, whether the options are really usable or just one value.
  • I believe, if you're using an "ipv6 ospf authentication" command on Brocade, that what you end up with is SHA1 auth with ESP. Since the manual makes no mention of this, I can't be sure, but it makes sense based on the behavior I see.
  • On the Cisco side they support MD5 or SHA1 for just doing authentication via AH (ipv6 ospf auth ipsec spi # key) if you choose to use the "ipv6 ospf authentication" command and don't need encryption of the payload.
  • Or, you can choose to do encryption, which uses ESP packets just like the Brocade, but uses a different command (ipv6 ospf encryption ipsec spi #).  However, at that point, your encryption options are 3des, aes-cbc, des and null.  If you specify null, you can then choose md5 or sha1 for your authentication followed by your key.

So quick summary, sounds like Brocade only offers you one option, sha1 authentication in esp packets with no encryption, or no auth and no encryption.  Cisco lets you do just authentication, using sha1 or md5, or encryption with sha1 or md5 authentication, and 3des, aes-cbc, des or null encryption.

The only working OSPFv3 setup I have come up with is to set "ipv6 ospf authentication null" on my Cisco interfaces that talk to Brocade, then also set "ipv6 ospf encryption ipsec SPI # esp null sha1 KEY". I have yet to confirm with Cisco what it means if you are specifying sha1 auth in the encryption option while simultaneously specifying auth null as your auth parameter. The 'show' output on the Cisco side suggests 'null encryption' and 'authentication null', which I'd take to mean none of either.

The weird part is that if I have that set on the Cisco side, and authentication set up on the Brocade side, the devices seem to accept these unauthenticated and unencrypted packets from the Cisco devices and set up the adjacency anyway.  On the plus side, they only seem to do it if the SPI number and key match.  So my questions end up being:

1) For true encryption, I believe Brocade would need to add support for that using a compatible protocol to match Cisco, such as AES?

2) I'm okay with just authentication for the time being, but is that what I'm really getting?  Cisco says I'm not, Brocade says I am if I look at "show ipv6 ospf int X" on each side.  I don't know enough about ESP to know if what is happening is effectively authentication.

Occasional Contributor
Posts: 12
Registered: ‎02-21-2013

Re: OSPFv3 encryption between Brocade and Cisco possible?

Okay, to answer my own question after many hours of digging around and the help of Cisco support, here's the relevant info:

  • Brocade's manual with regard to OSPFv3 and IPSec is quite poor.  A simple chart and one sentence of additional information would make it dramatically easier to configure:

-------------------------------------

Supported IPSec Protocols:  ESP (no AH support)

Supported ESP encryption algorithms:  NULL

Supported ESP authentication algorithms:  SHA1

Please note that in a multi-vendor network, you may need to enable encryption (with the algorithm set to null) in place of, or along with, authentication set to SHA1.

-------------------------------------

  • So the first issue here is that for reasons unknown, Brocade chose to only implement ESP but to also only do authentication.  This of course doesn't make a lot of sense because if you're only planning to do authentication, you're better off doing AH instead of ESP because it protects more of the packet.
  • Second issue is that in the Cisco world, the "ipv6 ospf authentication" command is what you use if you're only doing authentication, and since it provides better security, it only uses AH.  Brocade also uses the "ipv6 ospf authentication" command but their version only uses ESP, with the undocumented fact that the encryption in the ESP packets will be null.
  • Third issue that served to confuse me more; the Brocade manual, in a table named "Area configuration of IPSec" incorrectly states that "New (Inbound or Outbound) -- Shows new SPI (if changed), authentication algorithm (currently ESP only), encryption algorithm (currently SHA1 only), and the new key." That makes absolutely no sense; SHA1 is not an encryption algorithm, ESP is not an authentication algorithm or encryption algorithm, and no mention of the fact that there is actually no encryption supported.
  • Fourth issue was my not realizing that you have to use the "ipv6 ospf encryption" command on the Cisco side if you want ESP packets to make it compatible with the Brocade, but also needing to specify null for the encryption.
  • Fifth issue, the output of the Cisco "show ipv6 ospf interface X" command is misleading.  It has two lines related to authentication; one is the interface authentication and the second is the area authentication.  So in my case, since my area authentication is incompatible with Brocade's IPSec implementation, I have to disable area authentication from the interface while also enabling encryption at the interface.  So the Cisco output looks like this:

  NULL encryption SHA-1 auth SPI 1000, secure socket UP (errors: 0)

  authentication NULL

     What that really means is my interface actually is doing ESP with sha1 auth, but that the area auth has been disabled.

So there we have it, a five-minute config turned into a day; ugh.

Anyone running into this, the config you need on each side is:

Cisco:

ipv6 ospf authentication null

ipv6 ospf encryption ipsec spi #### esp null sha1 KEY

Brocade:

ipv6 ospf authentication ipsec spi #### esp sha1 KEY
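As an added example (not from the thread or either vendor), the Python below encodes the command-to-SA mapping the reply works out, so a Cisco and a Brocade interface config can be checked for the mismatches described (AH vs ESP, SPI, payload cipher, hash, key) before bringing up the adjacency. Only the command forms quoted in the thread are recognised; the parser and the `OspfIpsecSA` model are constructed for illustration, not vendor tooling.

```python
"""Constructed example: derive the IPsec SA each side's OSPFv3 interface
commands produce and list what would keep the two SAs from matching."""
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class OspfIpsecSA:
    protocol: str    # "AH" or "ESP"
    spi: int
    encryption: str  # ESP payload cipher ("null", "3des", ...); "n/a" for AH
    auth: str        # "sha1" or "md5"
    key: str

def parse_cisco(lines: List[str]) -> Optional[OspfIpsecSA]:
    """Cisco IOS: 'ipv6 ospf authentication ipsec ...' selects AH; 'ipv6 ospf
    encryption ipsec ... esp null <hash> <key>' selects ESP with no payload cipher.
    'ipv6 ospf authentication null' only disables the inherited area auth."""
    ah = esp = None
    for line in lines:
        line = line.strip()
        m = re.fullmatch(r"ipv6 ospf authentication ipsec spi (\d+) (md5|sha1) (\S+)", line)
        if m:
            ah = OspfIpsecSA("AH", int(m[1]), "n/a", m[2], m[3])
        m = re.fullmatch(r"ipv6 ospf encryption ipsec spi (\d+) esp null (md5|sha1) (\S+)", line)
        if m:
            esp = OspfIpsecSA("ESP", int(m[1]), "null", m[2], m[3])
    if ah and esp:
        raise ValueError("AH and ESP on the same interface is not modelled here")
    return esp or ah

def parse_brocade(lines: List[str]) -> Optional[OspfIpsecSA]:
    """Brocade FastIron/MLXe: the only form is ESP with SHA1 authentication,
    and (undocumented, per the thread) the ESP payload cipher is NULL."""
    for line in lines:
        m = re.fullmatch(r"ipv6 ospf authentication ipsec spi (\d+) esp sha1 (\S+)", line.strip())
        if m:
            return OspfIpsecSA("ESP", int(m[1]), "null", "sha1", m[2])
    return None

def interop_issues(a: Optional[OspfIpsecSA], b: Optional[OspfIpsecSA]) -> List[str]:
    """Every SA parameter the two sides disagree on; an empty list means they match."""
    if a is None or b is None:
        return ["one side has no IPsec protection configured"]
    return [f"{f}: {getattr(a, f)!r} vs {getattr(b, f)!r}"
            for f in ("protocol", "spi", "encryption", "auth", "key")
            if getattr(a, f) != getattr(b, f)]
```

Feeding it the two working configs above returns no issues, while the Cisco "ipv6 ospf authentication ipsec" form against the Brocade side reports the AH/ESP protocol mismatch that the original poster hit.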
