OSPFv3 between Arista and Brocade or Cisco

Similar to my article about Cisco and Brocade not wanting to interact with each other without a very specific configuration, you'll likely run into the same issue if you're trying to get Arista and Brocade devices to talk OSPFv3.  While nowhere near as inclusive as Cisco's OSPFv3 encryption offerings, Arista's is still better than Brocade's.

Brocade gives you exactly two ways to establish OSPFv3 adjacencies: no security whatsoever, or one single IPsec option, ESP with NULL (i.e. no) encryption and SHA1 authentication.

Arista offers you who knows what, since their manual, as of the 4.15.4F printing, doesn't even mention the IPsec-related OSPFv3 commands although the devices clearly support them.  After tinkering with the commands, my conclusion is that Arista's OSPFv3 implementation supports interface-level and/or area-level IPsec configuration, AH with either MD5 or SHA1 authentication (no encryption), and ESP with either MD5 or SHA1 authentication and only NULL encryption.

Arista differs from Brocade by adding AH/MD5, AH/SHA1 and ESP/MD5, as well as area-level configuration if you prefer that to configuring each interface.

Cisco, even in ancient code, still leads the pack: AH/MD5 and AH/SHA1 for authentication only, ESP without encryption (like the other two) with either type of authentication, and real ESP encryption with a choice of DES, 3DES or AES-CBC, again with either type of authentication.  Of those ciphers only AES-CBC is worth using today, DES and 3DES being obsolete, and of the two hash options SHA1 is the one RFC 4552 requires every implementation to support.

So anyway, here's what you'll need to put in place on each side to get your Arista talking to Brocade.  Don't use this for talking to Cisco if you can avoid it; that's further down with an explanation of why.  Two things have to line up exactly on both ends, because RFC 4552 uses manual keying: the SPI, and the authentication algorithm and key.  PASSPHRASE below stands in for the key; where the CLI takes the raw key it is a hex string, 40 hex digits for SHA1 (32 for MD5), and if one side derives a key from a passphrase while the other takes raw hex the two keys will not match.  Once they do match, `show ipv6 ospf neighbor` on either box should show the peer reaching FULL.

Arista Side (example uses VLAN 10, documentation IPv6 prefixes and SPI 256, change as needed):

interface Vlan10
 ipv6 address 2001:db8::1/64
 ipv6 ospf encryption ipsec spi 256 esp null sha1 PASSPHRASE
 ipv6 ospf 1 area 0.0.0.0

Brocade Side:

interface ve10
 ipv6 address 2001:db8::2/64
 ipv6 mtu 1500
 ipv6 ospf authentication ipsec spi 256 esp sha1 PASSPHRASE
 ipv6 ospf area 0

If you're doing Arista to Cisco OSPFv3, then my recommendation is to use AH/SHA1 instead of ESP.  AH's integrity check covers the IPv6 header (its immutable fields, addresses included) as well as the payload, whereas ESP's covers only what follows the header.  So if OSPFv3 packets ever did make it through a NAT or a hole in a firewall and into your routing, a packet whose addresses had been rewritten in transit would fail authentication under AH but could still verify under ESP/NULL.  An attacker who has discovered such a hole therefore can't inject OSPFv3 packets successfully unless they get further into the network (and, with either header, not without the key).  If you are deliberately running OSPF through a firewall between the routers, you may need to use ESP/NULL instead, since a middlebox that rewrites the header, or doesn't pass IP protocol 51, breaks AH:
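To make the AH-versus-ESP point concrete, here is an added Python model of what each integrity check covers.  It is not code from the original post and not a full RFC 4302/4303 implementation (no extension headers, no replay window, no key negotiation); the key, SPI, addresses and the OSPFv3 Hello bytes are constructed for the example.  It protects one Hello both ways, rewrites the IPv6 source address the way a NAT would, and shows that the AH check fails while the ESP/NULL check still passes; tampering with the Hello itself fails both.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed values for this model (not from the page or any device): a 20-byte
# HMAC-SHA1 key, the page's SPI, and the link-local/multicast addresses OSPFv3
# Hellos really use.
KEY = bytes.fromhex("abcef12345678901234fedcba098765432109876")
SPI, SEQ = 256, 1
SRC, DST = "fe80::1", "ff02::5"        # ff02::5 is AllSPFRouters
IPPROTO_ESP, IPPROTO_AH, IPPROTO_OSPF = 50, 51, 89

# AH fixed part: next header (OSPF), payload len 4 (24-byte AH in 32-bit words
# minus 2), reserved, SPI, sequence number.  The 12-byte ICV follows it.
AH_FIXED = struct.pack("!BBHII", IPPROTO_OSPF, 4, 0, SPI, SEQ)


def hmac_sha1_96(data: bytes) -> bytes:
    """HMAC-SHA1 truncated to 96 bits: the ICV RFC 4552 requires (HMAC-SHA1-96)."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]


def ipv6_header(src: str, dst: str, payload_len: int, next_header: int) -> bytes:
    """Fixed 40-byte IPv6 header: version 6, TC 0, flow label 0, hop limit 1."""
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, 1,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)


def ospfv3_hello() -> bytes:
    """A constructed 36-byte OSPFv3 Hello (RFC 5340 header + Hello body)."""
    header = struct.pack("!BBHIIHBB", 3, 1, 36, 0x01010101, 0, 0, 0, 0)
    body = struct.pack("!IB3sHHII", 10, 1, b"\x00\x00\x13", 10, 40, 0, 0)
    return header + body


def _ah_icv(ip_hdr: bytes, payload: bytes) -> bytes:
    """RFC 4302 ICV input: the IPv6 header with its mutable fields zeroed
    (traffic class, flow label, hop limit), the AH header with a zeroed ICV,
    then the payload.  The addresses are immutable and therefore covered."""
    hdr = bytearray(ip_hdr)
    hdr[0:4] = struct.pack("!I", 6 << 28)
    hdr[7] = 0
    return hmac_sha1_96(bytes(hdr) + AH_FIXED + bytes(12) + payload)


def ah_protect(ip_hdr: bytes, payload: bytes) -> bytes:
    return AH_FIXED + _ah_icv(ip_hdr, payload)


def ah_verify(ip_hdr: bytes, ah: bytes, payload: bytes) -> bool:
    return hmac.compare_digest(ah[12:], _ah_icv(ip_hdr, payload))


def esp_protect(payload: bytes) -> bytes:
    """RFC 4303 ESP with NULL encryption: header, payload, trailer, ICV.  The ICV
    covers only what follows the IPv6 header, so the header can change freely."""
    pad_len = (-(len(payload) + 2)) % 4
    body = (struct.pack("!II", SPI, SEQ) + payload
            + bytes(pad_len) + bytes([pad_len, IPPROTO_OSPF]))
    return body + hmac_sha1_96(body)


def esp_verify(esp: bytes) -> bool:
    return hmac.compare_digest(esp[-12:], hmac_sha1_96(esp[:-12]))


def rewrite_source(ip_hdr: bytes, new_src: str) -> bytes:
    """What a NAT does to the packet: swap the source address, touch nothing else."""
    return ip_hdr[:8] + ipaddress.IPv6Address(new_src).packed + ip_hdr[24:]


def survives_nat(new_src: str):
    """Protect one Hello with AH and with ESP/NULL, rewrite the source as a NAT
    would, and report (ah_still_verifies, esp_still_verifies)."""
    payload = ospfv3_hello()
    hdr = ipv6_header(SRC, DST, len(payload) + len(AH_FIXED) + 12, IPPROTO_AH)
    ah = ah_protect(hdr, payload)
    esp = esp_protect(payload)
    nat_hdr = rewrite_source(hdr, new_src)
    return ah_verify(nat_hdr, ah, payload), esp_verify(esp)


def tampered_payload_verifies():
    """Flip one bit of the Hello after protection; neither ICV should survive.
    An attacker injecting a Hello without the key is in the same position."""
    payload = ospfv3_hello()
    hdr = ipv6_header(SRC, DST, len(payload) + len(AH_FIXED) + 12, IPPROTO_AH)
    ah = ah_protect(hdr, payload)
    esp = bytearray(esp_protect(payload))
    bad = bytearray(payload)
    bad[14] ^= 0x01          # OSPFv3 instance ID byte
    esp[8 + 14] ^= 0x01      # same byte, sitting after the 8-byte ESP header
    return ah_verify(hdr, ah, bytes(bad)), esp_verify(bytes(esp))


if __name__ == "__main__":
    print("source rewritten by NAT  (AH ok, ESP ok):", survives_nat("fe80::dead"))
    print("payload tampered         (AH ok, ESP ok):", tampered_payload_verifies())
```

The two results are the whole argument: a rewritten header invalidates AH but leaves ESP/NULL happy, and no header choice helps an attacker who lacks the key.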

Arista Side (example uses VLAN 10, documentation IPv6 prefixes and SPI 256, change as needed):

interface Vlan10
 ipv6 address 2001:db8::1/64
 ipv6 ospf authentication ipsec spi 256 sha1 PASSPHRASE
 ipv6 ospf 1 area 0.0.0.0

Cisco Side:

interface Vlan10
 ipv6 address 2001:db8::2/64
 no ipv6 redirects
 no ipv6 unreachables
 ipv6 ospf authentication ipsec spi 256 sha1 PASSPHRASE
 ipv6 ospf 65535 area 0
 ipv6 ospf encryption null
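As an added pre-flight check for both of the pairings above (Arista/Brocade and Arista/Cisco), the following Python is example code written for this post, not from any vendor or from the original article.  It parses the interface-level `ipv6 ospf ... ipsec spi` lines in the shape they appear above and reports what would keep the adjacency from forming: a differing SPI, AH on one side against ESP on the other, different algorithms or keys, AH against a Brocade peer, and a key that is not in raw-hex form.  The vendor capability table is the post's own summary, the sample stanzas are constructed, and PASSPHRASE is kept as the placeholder so the key check has something to flag.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed interface stanzas in the shape of the examples above.  The page's
# PASSPHRASE placeholder is kept on purpose; a raw-key CLI would reject it.
ARISTA_ESP_CFG = """\
interface Vlan10
 ipv6 address 2001:db8::1/64
 ipv6 ospf encryption ipsec spi 256 esp null sha1 PASSPHRASE
 ipv6 ospf 1 area 0.0.0.0
"""
BROCADE_CFG = """\
interface ve10
 ipv6 address 2001:db8::2/64
 ipv6 mtu 1500
 ipv6 ospf authentication ipsec spi 256 esp sha1 PASSPHRASE
 ipv6 ospf area 0
"""
CISCO_AH_CFG = """\
interface Vlan10
 ipv6 address 2001:db8::2/64
 ipv6 ospf authentication ipsec spi 256 sha1 0123456789abcdef0123456789abcdef01234567
 ipv6 ospf 65535 area 0
 ipv6 ospf encryption null
"""

# Interface-level forms seen on this page.  An "esp" token means ESP with NULL
# encryption; a line without it configures AH.
LINE_RE = re.compile(
    r"^\s*ipv6 ospf (?:authentication|encryption) ipsec spi (?P<spi>\d+)"
    r"(?P<esp> esp)?(?: null)? (?P<alg>md5|sha1) (?P<key>\S+)\s*$",
    re.MULTILINE,
)

# Per-vendor support as summarised in the post (assumption: nothing newer).
SUPPORTED = {"arista": {"AH", "ESP"}, "brocade": {"ESP"}, "cisco": {"AH", "ESP"}}

# Raw-key CLIs take the HMAC key as hex: 20 bytes for SHA-1, 16 for MD5.
KEY_HEX_LEN = {"sha1": 40, "md5": 32}


@dataclass(frozen=True)
class OspfIpsec:
    vendor: str
    spi: int
    proto: str   # "AH" or "ESP" (NULL encryption)
    alg: str     # "sha1" or "md5"
    key: str


def parse_ospf_ipsec(vendor: str, config: str) -> Optional[OspfIpsec]:
    """Pull the OSPFv3 IPsec line out of one interface stanza."""
    m = LINE_RE.search(config)
    if m is None:
        return None
    proto = "ESP" if m["esp"] else "AH"
    return OspfIpsec(vendor, int(m["spi"]), proto, m["alg"], m["key"])


def check_side(p: OspfIpsec) -> List[str]:
    """Problems visible from one side alone."""
    issues = []
    if p.proto not in SUPPORTED[p.vendor]:
        issues.append(f"{p.vendor}: {p.proto} not supported, only "
                      + "/".join(sorted(SUPPORTED[p.vendor])))
    want = KEY_HEX_LEN[p.alg]
    if not re.fullmatch(rf"[0-9a-fA-F]{{{want}}}", p.key):
        issues.append(f"{p.vendor}: key is not {want} hex digits ({p.alg})")
    if p.alg == "md5":
        issues.append(f"{p.vendor}: HMAC-MD5 is legacy; RFC 4552 mandates HMAC-SHA1-96")
    return issues


def check_pair(a: OspfIpsec, b: OspfIpsec) -> List[str]:
    """Everything that would stop a and b forming an adjacency.  RFC 4552 uses
    manual keying, so SPI, protocol, algorithm and key must all match exactly."""
    issues = check_side(a) + check_side(b)
    for field in ("spi", "proto", "alg", "key"):
        va, vb = getattr(a, field), getattr(b, field)
        if va != vb:
            # never echo key material into a report
            shown = ("<differs>", "<differs>") if field == "key" else (va, vb)
            issues.append(f"{field} mismatch: {a.vendor}={shown[0]} {b.vendor}={shown[1]}")
    return issues


if __name__ == "__main__":
    arista = parse_ospf_ipsec("arista", ARISTA_ESP_CFG)
    brocade = parse_ospf_ipsec("brocade", BROCADE_CFG)
    cisco = parse_ospf_ipsec("cisco", CISCO_AH_CFG)
    for name, pair in (("arista<->brocade", (arista, brocade)),
                       ("arista(ESP)<->cisco(AH)", (arista, cisco))):
        print(name)
        for issue in check_pair(*pair) or ["ok"]:
            print("  " + issue)
```

Run as-is it flags the PASSPHRASE placeholders on the Arista/Brocade pair and, for the Arista-ESP against Cisco-AH pair, the protocol mismatch that would leave both neighbours stuck below FULL.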
