OSPFv3 for IPv4 (hooray address families!)

March 8, 2015 - By Jon Major

OSPFv3 is a pretty slick upgrade to OSPFv2. Most of us know as much, but in an IPv4 world we’re all just stuck… waiting. Well with recent updates to IOS (I noticed it available in 15.3 – which can run on a 7200 in GNS3 for all you labbers at home) OSPFv3 now supports multiple address families. So much like with EIGRP named mode, we’re seeing Cisco migrating routing protocols to follow the format of MP-BGP. The catch 22 with IPv4 routing with OSPFv3 you do have to have IPv6 unicast-routing enabled, AND all participating interfaces have to have IPv6 link-local addressing. The reason being, as we’ll see in Wireshark, is that even though we’re relaying information about IPv4 prefixes all communication with OSPFv3 is still done in IPv6. So let’s get into the configuration, and we’ll double back on packet level details.

Topology:

SP-METRO
!
conf t
!
ipv6 unicast-routing
!
router ospfv3 1
address-family ipv4 <– support for VRF here!
!
!
interface Ethernet0/0
no switchport
ip address 200.1.1.1 255.255.255.252
ipv6 enable
ospfv3 1 ipv4 area 0.0.0.0
!
!
interface Ethernet0/1
no switchport
ip address 200.1.2.1 255.255.255.252
ipv6 enable
ospfv3 1 ipv4 area 0.0.0.0
!
!
interface Ethernet0/2
no switchport
ip address 200.1.3.1 255.255.255.252
ipv6 enable
ospfv3 1 ipv4 area 0.0.0.0

R1
!
ipv6 unicast-routing
!
router ospfv3 1
address-family ipv4 unicast
!
!
interface Ethernet0/1
ip address 200.1.1.2 255.255.255.252
ipv6 enable
ospfv3 1 ipv4 area 0.0.0.0
!
!
interface Loopback0
description LAN NETWORK
ip address 192.168.1.1 255.255.255.0
ipv6 enable
ospfv3 1 ipv4 area 0.0.0.0

Also we have very similar configurations on R2 and R3. After a few seconds you should see a nice console prompt “%OSPFv3-5-ADJCHG: Process 1, IPv4, …” letting us know that we have an OSPFv3 peer within the IPv4 address family. Important take way from this is that if you do enable IPv6 address families, while it will run with the same routing process it does require a second neighbor adjacency. Another important note on that is if you’re running both IPv4 and IPv6 address families, you’ll have separate OSPF data bases for each addr family.

So show commands! Let’s see what we get, then we’ll take a look some wireshark info.

R1#show ip ospf neighbor
R1##CRAP
R1#show ip route ospf
R1##Double Crap!!

Wait?! What the hell’s going on here?! I can feel the tension building at home, put your pitch fork down. I didn’t lie to you. ‘show ip ospf’ explicitly refers to OSPFv2… and we don’t have any v2 neighbors. Same with ‘show ip route ospf’, we don’t have any v2 routes. Let’s try this again.

R1#show ospfv3 neighbor
OSPFv3 1 address-family ipv4 (router-id 192.168.1.1)
Neighbor ID Pri State Dead Time Interface ID Interface
200.1.3.1 1 FULL/DR 00:00:39 17 Ethernet0/1
R1#show ip route ospfv3 | b ^Gateway
Gateway of last resort is not set
200.1.2.0/30 is subnetted, 1 subnets
O 200.1.2.0 [110/20] via 200.1.1.1, 00:55:43, Ethernet0/1
200.1.3.0/30 is subnetted, 1 subnets
O 200.1.3.0 [110/20] via 200.1.1.1, 00:55:43, Ethernet0/1

Like a promised, here’s a quick wireshark off R1’s Eth 0/1 interface, again important take away is that even though we’re exchanging IPv4 prefixes, v3 send it’s hellos and LS information with IPv6 addresses. If you go back to the configuration above, that’s why “ipv6 enable” has to be enabled. Alternatively, you can also just assign IPv6 link local addresses manually… if you just like killing time.

Pop Quiz hot shot! FF02::5 is obviously an OSPF multicast address, but which one? Also what do you think the other OSPFv3 multicast address is? Answer here(select text after): FF02::5 is the ospfv3 all ospf routers group, like 224.0.0.5. FF02::6 is the ospfv3 DR group, again like 224.0.0.6.

The benefits of deploying OSPFv3 for your IPv4 networks are pretty sweet. The most obvious benefit, it lines you up perfectly for when you actually deploy IPv6 internally (in 1000 years). The next one, that I really like, you can start leveraging v3’s security. That’s right… IPsec. Lets take a look at that configuration real quick.

Now like ospfv2, authentication can be enabled per-link or globally for an entire area. I’ll the area-wide method here, and cover the per-link in a future post/video (it’s not vastly different).

SP-METRO
!
router ospfv3 1
area 0.0.0.0 authentication ipsec spi 912 sha1 0123456789012345678901234567890123456789
!
address-family ipv4 unicast
!

Notice on the area wide configuration you enable IPsec outside of any address-family. Again, making transitioning to IPv6 that much easier, you don’t have to reconfigure security. So let’s break this down. I think ‘area 0.0.0.0 authentication’ is pretty straight forward, so is the ‘ipsec’ portion of the command. Unless you didn’t know OSPFv3 secured its routing with IPsec… then that might have been a surprise. The next part “spi” or Security Parameter Index, is a fairly arbitrary number between 256 and 4294967295. When enabling ospfv3 authentication per-interface the SPI has to be unique for each interface on the local router, and spi’s have to match between neighbors. Area-wide, a single spi is just fine – since that’s the only option for area wide authentication lol. After we specify an spi value we can choose to either use an md5 or sha1 hash. For SHA1 the hash value has to be 40 characters long, so for demonstration purposes I copied ‘0123456789’ into notepad, copied and pasted three times. In the real world, obviously, you’ll want something a bit more secure.

So there you have it! I’ll have a video coming soon going into a bit more detail, but it’s been a while since I posted anything and I thought this would be a good topic to start covering.

Related Posts

First post in a long while, so I did a video on EIGRP OTP and GETVPN.

Cisco IOS & SNMP: A backdoor into devices you can’t access.

FlexVPN: Spoke-2-Spoke PSK

Leave a ReplyCancel reply

Discover more from HOP16