IPv4 OSPF authentication is implemented within the IPv4 OSPF protocol. However, IPv6 OSPF security (both authentication and encryption) is implemented by using IPSec. Because OSPF uses both multicast messages and unicast messages, it is not possible to use dynamic tunnels for OSPF traffic. Instead, manual tunnels must be used. The IBM® Configuration Assistant for z/OS® Communications Server automates the process of creating IPv6 OSPF tunnels. The following information describes the process of manually creating the IPv6 OSPF tunnel definitions.
The same manual tunnel is expected to be used for all link-local unicast and multicast OSPF traffic. Additional tunnels might be used for IPv6 OSPF virtual links.
Because multicast traffic is one-to-many, the manual tunnel must use the same Security Parameter Index (SPI) and keys for inbound and outbound traffic. Whatever SPI values and keys are used must be coordinated with all IPv6 OSPF peers on the LAN segment. Also, because this manual tunnel protects traffic with various source and destination addresses, you must specify any6 for both the local and the remote security endpoint address. The following example uses AH authentication with the HMAC_SHA1 algorithm and ESP encryption with the DES algorithm.
IpManVpnAction tunnel-ipv6ospf-internal
{
  LocalSecurityEndpointAddr any6
  RemoteSecurityEndpointAddr any6
  HowToAuth AH HMAC_SHA1
  AuthOutboundSa 2700 0xa66e1b72e58a367ebd39d62daef84d5d9222cfe1
  AuthInboundSa 2700 0xa66e1b72e58a367ebd39d62daef84d5d9222cfe1
  HowToEncrypt DES
  EncryptOutboundSa 2701 0x3e6dcf72459ef551
  EncryptInboundSa 2701 0x3e6dcf72459ef551
  HowToEncap transport
}
For the filter rules, you first need to create an IP service to describe the OSPF traffic. To distinguish the traffic, you specify the OSPF protocol, and the SECCLASS of the interfaces on which the traffic will flow. For the purpose of this example, assume that the interfaces for the LAN segment that is being protected are defined with SECCLASS 10.
IpService service-ipv6ospf-internal
{
  Protocol ospf
  Direction bidirectional
  Routing local
  SecurityClass 10
}
You now need to define three filter rules to match the OSPF traffic. The first filter rule matches all link-local unicast traffic on the LAN segment:
IpFilterRule ipv6ospf-unicast-internal
{
  IpSourceAddr fe80::/10
  IpDestAddr fe80::/10
  IpServiceRef service-ipv6ospf-internal
  IpGenericFilterActionRef ipsec-nolog
  IpManVpnActionRef tunnel-ipv6ospf-internal
}
The remaining two filter rules are for the OSPF link-local multicast traffic. The first rule matches outbound multicast traffic, which has a link-local unicast source address and a link-local multicast destination address. The second rule matches inbound multicast traffic, which has a remote (destination) address that is link-local unicast and a local (source) address that is link-local multicast. These rules are as follows:
IpFilterRule ipv6ospf-outbound-multicast-internal
{
  IpSourceAddr fe80::/10
  IpDestAddr ff02::/16
  IpServiceRef service-ipv6ospf-internal
  IpGenericFilterActionRef ipsec-nolog
  IpManVpnActionRef tunnel-ipv6ospf-internal
}
IpFilterRule ipv6ospf-inbound-multicast-internal
{
  IpSourceAddr ff02::/16
  IpDestAddr fe80::/10
  IpServiceRef service-ipv6ospf-internal
  IpGenericFilterActionRef ipsec-nolog
  IpManVpnActionRef tunnel-ipv6ospf-internal
}
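To see why three filter rules are needed and why the tunnel's inbound and outbound SAs must be identical (the requirement stated above for multicast traffic), the following added Python example parses the stanzas shown on this page and evaluates a few constructed OSPF packets against them. It is not IBM code and not a Policy Agent implementation; it is a deliberately simplified model that assumes rules are evaluated in policy order, that IpSourceAddr and IpDestAddr of a bidirectional rule are the local and remote addresses (so an inbound packet is compared with source and destination swapped), and that a rule applies only when the referenced IpService's Protocol and SecurityClass also match the packet. The packet records and the helper names are constructed for the example.

```python
"""Toy model of the IPv6 OSPF filter rules and manual tunnel from the page.

Added example, not IBM's code. The stanza grammar, rule-ordering and the
local/remote interpretation of IpSourceAddr/IpDestAddr are assumptions made
to illustrate the policy, not a description of z/OS Policy Agent internals.
"""
import ipaddress
import re

# Constructed policy text: the stanzas from the page, copied verbatim.
POLICY = """
IpManVpnAction tunnel-ipv6ospf-internal
{
  LocalSecurityEndpointAddr any6
  RemoteSecurityEndpointAddr any6
  HowToAuth AH HMAC_SHA1
  AuthOutboundSa 2700 0xa66e1b72e58a367ebd39d62daef84d5d9222cfe1
  AuthInboundSa 2700 0xa66e1b72e58a367ebd39d62daef84d5d9222cfe1
  HowToEncrypt DES
  EncryptOutboundSa 2701 0x3e6dcf72459ef551
  EncryptInboundSa 2701 0x3e6dcf72459ef551
  HowToEncap transport
}
IpService service-ipv6ospf-internal
{
  Protocol ospf
  Direction bidirectional
  Routing local
  SecurityClass 10
}
IpFilterRule ipv6ospf-unicast-internal
{
  IpSourceAddr fe80::/10
  IpDestAddr fe80::/10
  IpServiceRef service-ipv6ospf-internal
  IpGenericFilterActionRef ipsec-nolog
  IpManVpnActionRef tunnel-ipv6ospf-internal
}
IpFilterRule ipv6ospf-outbound-multicast-internal
{
  IpSourceAddr fe80::/10
  IpDestAddr ff02::/16
  IpServiceRef service-ipv6ospf-internal
  IpGenericFilterActionRef ipsec-nolog
  IpManVpnActionRef tunnel-ipv6ospf-internal
}
IpFilterRule ipv6ospf-inbound-multicast-internal
{
  IpSourceAddr ff02::/16
  IpDestAddr fe80::/10
  IpServiceRef service-ipv6ospf-internal
  IpGenericFilterActionRef ipsec-nolog
  IpManVpnActionRef tunnel-ipv6ospf-internal
}
"""


def parse_policy(text):
    """Return {(type, name): {key: [values]}} for every 'Type name { ... }' stanza."""
    stanzas = {}
    for m in re.finditer(r"(\w+)\s+(\S+)\s*\{([^}]*)\}", text):
        kind, name, body = m.groups()
        attrs = {}
        for line in body.splitlines():
            parts = line.split()
            if parts:                      # skip blank lines inside the stanza
                attrs[parts[0]] = parts[1:]
        stanzas[(kind, name)] = attrs
    return stanzas


def rule_matches(rule, service, pkt):
    """pkt keys: src, dst, proto, secclass, direction ('outbound' or 'inbound')."""
    if pkt["proto"].lower() != service["Protocol"][0].lower():
        return False                       # wrong protocol: not OSPF traffic
    if str(pkt["secclass"]) != service["SecurityClass"][0]:
        return False                       # interface not in the protected SECCLASS
    local_net = ipaddress.ip_network(rule["IpSourceAddr"][0])
    remote_net = ipaddress.ip_network(rule["IpDestAddr"][0])
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    if pkt["direction"] == "outbound":
        return src in local_net and dst in remote_net
    # Inbound: the packet's destination is the local side, its source the remote side.
    return dst in local_net and src in remote_net


def select_rule(stanzas, pkt):
    """Name of the first IpFilterRule (policy order) matching pkt, or None."""
    for (kind, name), rule in stanzas.items():
        if kind != "IpFilterRule":
            continue
        service = stanzas[("IpService", rule["IpServiceRef"][0])]
        if rule_matches(rule, service, pkt):
            return name
    return None


def tunnel_is_symmetric(action):
    """True when inbound and outbound SPIs and keys match, as multicast requires."""
    return (action["AuthOutboundSa"] == action["AuthInboundSa"]
            and action["EncryptOutboundSa"] == action["EncryptInboundSa"])


# Constructed sample packets on the SECCLASS 10 segment (ff02::5 is AllSPFRouters).
SAMPLES = {
    "hello out":   dict(src="fe80::1", dst="ff02::5", proto="ospf", secclass=10, direction="outbound"),
    "hello in":    dict(src="fe80::2", dst="ff02::5", proto="ospf", secclass=10, direction="inbound"),
    "dbd unicast": dict(src="fe80::2", dst="fe80::1", proto="ospf", secclass=10, direction="inbound"),
    "other iface": dict(src="fe80::1", dst="ff02::5", proto="ospf", secclass=20, direction="outbound"),
    "nd solicit":  dict(src="fe80::2", dst="ff02::1:ff00:1", proto="icmpv6", secclass=10, direction="inbound"),
}

if __name__ == "__main__":
    stanzas = parse_policy(POLICY)
    print("tunnel symmetric:", tunnel_is_symmetric(stanzas[("IpManVpnAction", "tunnel-ipv6ospf-internal")]))
    for label, pkt in SAMPLES.items():
        print(f"{label:12} -> {select_rule(stanzas, pkt)}")
```

Running it shows the outbound Hello landing on the outbound-multicast rule, the inbound Hello on the inbound-multicast rule, and unicast OSPF on the unicast rule, while OSPF on a SECCLASS 20 interface and non-OSPF multicast such as Neighbor Discovery match none of the three rules and so are not pulled into the tunnel.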