The IPv4 version of the OSPF routing protocol can use a shared secret to authenticate routers before forming an adjacency, in order to prevent rogue routers from affecting the routing table. Because the IPv6 specification mandates that IPsec be included in any implementation of an IPv6 network stack, the internal authentication feature of OSPF is no longer required, and has been removed from OSPFv3 (the IPv6 version of the protocol).
So if we want to authenticate neighbour routers in OSPFv3, IPsec AH needs to be set up. Cisco makes this fairly easy; it’s a little harder under Linux, because the routing daemon doesn’t handle the IPsec processing internally.
Let’s start with a working OSPFv3 configuration without any authentication. Here are two Linux machines with a few network interfaces set up. Eth1 is the interface connecting the two routers over which we’ll be talking OSPF, and eth2 is an interface with a global unicast IPv6 /64 behind it – this is the subnet for which we’ll be exchanging routes across OSPF:
root@router1:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 08:00:27:9a:df:25 brd ff:ff:ff:ff:ff:ff
inet 172.31.250.41/24 brd 172.31.250.255 scope global eth0
inet6 fe80::a00:27ff:fe9a:df25/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 08:00:27:7e:8d:0f brd ff:ff:ff:ff:ff:ff
inet 172.31.251.11/24 brd 172.31.251.255 scope global eth1
inet6 fe80::a00:27ff:fe7e:8d0f/64 scope link
valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 08:00:27:96:4d:f6 brd ff:ff:ff:ff:ff:ff
inet6 2002:f0f0:f0f0:1001::1/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe96:4df6/64 scope link
valid_lft forever preferred_lft forever
root@router1:~#
root@router2:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 08:00:27:6b:2f:c3 brd ff:ff:ff:ff:ff:ff
inet 172.31.250.61/24 brd 172.31.250.255 scope global eth0
inet6 fe80::a00:27ff:fe6b:2fc3/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 08:00:27:b4:ce:0d brd ff:ff:ff:ff:ff:ff
inet 172.31.251.12/24 brd 172.31.251.255 scope global eth1
inet6 fe80::a00:27ff:feb4:ce0d/64 scope link
valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 08:00:27:0e:99:57 brd ff:ff:ff:ff:ff:ff
inet6 2002:f0f0:f0f0:1002::1/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe0e:9957/64 scope link
valid_lft forever preferred_lft forever
root@router2:~#
root@router1:~# ip -6 route
2002:f0f0:f0f0:1001::/64 dev eth2 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth2 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
root@router1:~#
root@router2:~# ip -6 route
2002:f0f0:f0f0:1002::/64 dev eth2 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth2 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
root@router2:~#
I’m using quagga as the OSPF implementation in these examples, however BIRD or XORP would also work. Here’s the OSPF configuration for each of the routers:
root@router1:~# VTYSH_PAGER=cat vtysh
Hello, this is Quagga (version 0.99.13).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
router1# show run
Building configuration...
Current configuration:
!
end
!
debug ospf6 lsa unknown
!
interface eth0
 ipv6 nd suppress-ra
!
interface eth1
 ipv6 nd suppress-ra
 ipv6 ospf6 cost 1
 ipv6 ospf6 dead-interval 40
 ipv6 ospf6 hello-interval 10
 ipv6 ospf6 instance-id 0
 ipv6 ospf6 priority 1
 ipv6 ospf6 retransmit-interval 5
 ipv6 ospf6 transmit-delay 1
!
interface eth2
 ipv6 nd suppress-ra
!
interface lo
!
router ospf6
 router-id 172.31.250.41
 redistribute kernel
 redistribute connected
 redistribute static
 interface eth1 area 172.31.250.0
!
line vty
!
router1#
root@router2:~# VTYSH_PAGER=cat vtysh
Hello, this is Quagga (version 0.99.13).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
router2# show run
Building configuration...
Current configuration:
!
end
!
debug ospf6 lsa unknown
!
interface eth0
 ipv6 nd suppress-ra
!
interface eth1
 ipv6 nd suppress-ra
 ipv6 ospf6 cost 1
 ipv6 ospf6 dead-interval 40
 ipv6 ospf6 hello-interval 10
 ipv6 ospf6 instance-id 0
 ipv6 ospf6 priority 1
 ipv6 ospf6 retransmit-interval 5
 ipv6 ospf6 transmit-delay 1
!
interface eth2
 ipv6 nd suppress-ra
!
interface lo
!
router ospf6
 router-id 172.31.250.61
 redistribute kernel
 redistribute connected
 redistribute static
 interface eth1 area 172.31.250.0
!
line vty
!
router2#
After starting quagga on both sides, the vtysh command ‘show ipv6 ospf6 neighbor’ will list the other routers the OSPF process has discovered. After a minute or so, the ‘state’ column in the command’s output will change to ‘Full’, and the routers will begin exchanging routes:
root@router1:~# /etc/init.d/quagga start
Loading capability module if not yet done.
Starting Quagga daemons (prio:10): zebra ospf6d.
root@router1:~#
root@router2:~# /etc/init.d/quagga start
Loading capability module if not yet done.
Starting Quagga daemons (prio:10): zebra ospf6d.
root@router2:~#
root@router1:~# VTYSH_PAGER=cat vtysh
Hello, this is Quagga (version 0.99.13).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
router1# show ipv6 ospf6 neighbor
Neighbor ID     Pri    DeadTime  State/IfState         Duration I/F[State]
172.31.250.61     1    00:00:32   Init/DROther         00:00:08 eth1[Waiting]
router1# show ipv6 ospf6 neighbor
Neighbor ID     Pri    DeadTime  State/IfState         Duration I/F[State]
172.31.250.61     1    00:00:37   Full/DR              00:00:03 eth1[BDR]
router1# show ipv6 ospf6 route
*N E1 2002:f0f0:f0f0:1002::/64 fe80::a00:27ff:feb4:ce0d eth1 00:00:06
router1# exit
root@router1:~#
root@router2:~# VTYSH_PAGER=cat vtysh
Hello, this is Quagga (version 0.99.13).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
router2# show ipv6 ospf6 neighbor
Neighbor ID     Pri    DeadTime  State/IfState         Duration I/F[State]
172.31.250.41     1    00:00:32   Full/BDR             00:00:26 eth1[DR]
router2# show ipv6 ospf6 route
*N E1 2002:f0f0:f0f0:1001::/64 fe80::a00:27ff:fe7e:8d0f eth1 00:00:29
router2# exit
root@router2:~#
These routes can also be viewed in the kernel’s route table:
root@router1:~# ip -6 route
2002:f0f0:f0f0:1001::/64 dev eth2 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
2002:f0f0:f0f0:1002::/64 via fe80::a00:27ff:feb4:ce0d dev eth1 proto zebra metric 1 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth2 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
root@router1:~#
root@router2:~# ip -6 route
2002:f0f0:f0f0:1001::/64 via fe80::a00:27ff:fe7e:8d0f dev eth1 proto zebra metric 1 mtu 1500 advmss 1440 hoplimit 0
2002:f0f0:f0f0:1002::/64 dev eth2 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth2 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
root@router2:~#
The output of tcpdump while this process is happening looks like this:
root@router1:~# tcpdump -ni eth1 ip6 protochain ospf
Warning: Kernel filter failed: Invalid argument
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
11:11:19.802890 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: OSPFv3, Hello, length 36
11:11:20.971742 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: OSPFv3, Hello, length 36
11:11:29.803137 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: OSPFv3, Hello, length 40
11:11:30.969685 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: OSPFv3, Hello, length 40
11:11:39.812934 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: OSPFv3, Hello, length 40
11:11:40.969455 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: OSPFv3, Hello, length 40
11:11:49.824862 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: OSPFv3, Hello, length 40
11:11:50.974595 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: OSPFv3, Hello, length 40
11:11:59.813984 IP6 fe80::a00:27ff:fe7e:8d0f > fe80::a00:27ff:feb4:ce0d: OSPFv3, Database Description, length 28
11:11:59.829019 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: OSPFv3, Hello, length 40
11:12:00.972114 IP6 fe80::a00:27ff:feb4:ce0d > fe80::a00:27ff:fe7e:8d0f: OSPFv3, Database Description, length 28
11:12:00.972334 IP6 fe80::a00:27ff:fe7e:8d0f > fe80::a00:27ff:feb4:ce0d: OSPFv3, Database Description, length 68
11:12:00.972925 IP6 fe80::a00:27ff:feb4:ce0d > fe80::a00:27ff:fe7e:8d0f: OSPFv3, LS-Request, length 40
11:12:00.972937 IP6 fe80::a00:27ff:feb4:ce0d > fe80::a00:27ff:fe7e:8d0f: OSPFv3, Database Description, length 68
11:12:00.973037 IP6 fe80::a00:27ff:fe7e:8d0f > fe80::a00:27ff:feb4:ce0d: OSPFv3, LS-Update, length 100
11:12:00.973157 IP6 fe80::a00:27ff:fe7e:8d0f > fe80::a00:27ff:feb4:ce0d: OSPFv3, LS-Request, length 40
11:12:00.973263 IP6 fe80::a00:27ff:fe7e:8d0f > fe80::a00:27ff:feb4:ce0d: OSPFv3, Database Description, length 28
11:12:00.974227 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: OSPFv3, Hello, length 40
11:12:00.974241 IP6 fe80::a00:27ff:feb4:ce0d > fe80::a00:27ff:fe7e:8d0f: OSPFv3, LS-Update, length 100
11:12:00.974245 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: OSPFv3, LS-Update, length 92
11:12:00.975881 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: OSPFv3, LS-Update, length 60
11:12:03.978931 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: OSPFv3, LS-Ack, length 96
11:12:03.980485 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: OSPFv3, LS-Ack, length 76
11:12:09.833885 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: OSPFv3, Hello, length 40
^C
24 packets captured
36 packets received by filter
0 packets dropped by kernel
root@router1:~#
So that’s OSPF running – now we need to wrap some authentication around it. To keep the configuration simple, I’m setting up manually keyed AH using setkey, which is part of IPsec-Tools. Manual keying means the ISAKMP step can be skipped entirely, and because AH is used rather than ESP, the OSPF packets remain visible on the wire with the AH header attached.
The setkey script being run at each side is identical:
root@router1:~# cat linux-linux.setkey
#!/usr/sbin/setkey -f
# Router1 is fe80::a00:27ff:fe7e:8d0f
# Router2 is fe80::a00:27ff:feb4:ce0d
flush;
spdflush;
add -6 fe80::a00:27ff:fe7e:8d0f ff02::5 ah 0x10001 -A hmac-sha1 "ospfv3 shared secret";
add -6 fe80::a00:27ff:feb4:ce0d ff02::5 ah 0x10002 -A hmac-sha1 "ospfv3 shared secret";
add -6 fe80::a00:27ff:feb4:ce0d fe80::a00:27ff:fe7e:8d0f ah 0x20001 -A hmac-sha1 "ospfv3 shared secret";
add -6 fe80::a00:27ff:fe7e:8d0f fe80::a00:27ff:feb4:ce0d ah 0x20001 -A hmac-sha1 "ospfv3 shared secret";
spdadd ::/0 ::/0 ospf -P out ipsec ah/transport//require;
spdadd ::/0 ::/0 ospf -P in ipsec ah/transport//require;
root@router1:~#
root@router2:~# cat linux-linux.setkey
#!/usr/sbin/setkey -f
# Router1 is fe80::a00:27ff:fe7e:8d0f
# Router2 is fe80::a00:27ff:feb4:ce0d
flush;
spdflush;
add -6 fe80::a00:27ff:fe7e:8d0f ff02::5 ah 0x10001 -A hmac-sha1 "ospfv3 shared secret";
add -6 fe80::a00:27ff:feb4:ce0d ff02::5 ah 0x10002 -A hmac-sha1 "ospfv3 shared secret";
add -6 fe80::a00:27ff:feb4:ce0d fe80::a00:27ff:fe7e:8d0f ah 0x20001 -A hmac-sha1 "ospfv3 shared secret";
add -6 fe80::a00:27ff:fe7e:8d0f fe80::a00:27ff:feb4:ce0d ah 0x20001 -A hmac-sha1 "ospfv3 shared secret";
spdadd ::/0 ::/0 ospf -P out ipsec ah/transport//require;
spdadd ::/0 ::/0 ospf -P in ipsec ah/transport//require;
root@router2:~#
The four ‘add’ lines create the four security associations. The first two allow for packets sent from eth1’s link-local address on each router to ff02::5, which is the “All OSPFv3 Routers” link-local reserved multicast address. The second pair allow for AH-protected direct communication between the two routers. The ‘spdadd’ lines configure the network stack to require AH authentication for all inbound and outbound OSPF traffic.
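The SA layout described above, generalized to any number of routers on one link, as an added example that is not part of the original post. It assumes a random 160-bit key written in hex instead of a passphrase, its own SPI numbering, and extra SAs for ff02::6 (AllDRouters), which a link with more than two routers needs; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: print a setkey -f script for manually keyed AH between
# every OSPFv3 router on one link.
# Usage: gen_ospf6_ah KEYHEX LINK_LOCAL_ADDR...

ALL_SPF=ff02::5   # the "All OSPFv3 Routers" group used on the page
ALL_DR=ff02::6    # AllDRouters (assumption: needed once the link has DROthers)

new_key() {
    # 20 random bytes = 160 bits, printed as 40 hex digits
    head -c 20 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

gen_ospf6_ah() (
    key=$1
    shift
    # Accept only a full-length hex key, never a typed passphrase.
    case $key in
        ''|*[!0-9a-fA-F]*) echo "key must be hex digits" >&2; exit 1 ;;
    esac
    [ "${#key}" -eq 40 ] || { echo "key must be 40 hex digits" >&2; exit 1; }

    printf 'flush;\nspdflush;\n'
    n=0
    for src in "$@"; do
        n=$((n + 1))
        # One SA per sender and multicast group; the SPI identifies the sender.
        for grp in "$ALL_SPF" "$ALL_DR"; do
            printf 'add -6 %s %s ah 0x%x -A hmac-sha1 0x%s;\n' \
                "$src" "$grp" $((0x10000 + n)) "$key"
        done
        # One SA per ordered pair of routers for unicast packets.
        for dst in "$@"; do
            if [ "$src" != "$dst" ]; then
                printf 'add -6 %s %s ah 0x%x -A hmac-sha1 0x%s;\n' \
                    "$src" "$dst" $((0x20000 + n)) "$key"
            fi
        done
    done
    printf 'spdadd ::/0 ::/0 ospf -P out ipsec ah/transport//require;\n'
    printf 'spdadd ::/0 ::/0 ospf -P in ipsec ah/transport//require;\n'
)

# Example: sh gen.sh "$(new_key)" fe80::a00:27ff:fe7e:8d0f fe80::a00:27ff:feb4:ce0d
if [ "$#" -gt 0 ]; then gen_ospf6_ah "$@"; fi
```

Generate the key once and load the same output on every router; the number of SAs grows with the square of the router count.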
After loading the setkey script, the security association database can be viewed by running ‘setkey -D’:
root@router1:~# ./linux-linux.setkey
root@router1:~# setkey -D
fe80::a00:27ff:fe7e:8d0f fe80::a00:27ff:feb4:ce0d
ah mode=transport spi=131073(0x00020001) reqid=0(0x00000000)
A: hmac-sha1 6f737066 76332073 68617265 64207365 63726574
seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: Apr 16 11:04:56 2010 current: Apr 16 11:04:58 2010
diff: 2(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=2511 refcnt=0
fe80::a00:27ff:feb4:ce0d fe80::a00:27ff:fe7e:8d0f
ah mode=transport spi=131073(0x00020001) reqid=0(0x00000000)
A: hmac-sha1 6f737066 76332073 68617265 64207365 63726574
seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: Apr 16 11:04:56 2010 current: Apr 16 11:04:58 2010
diff: 2(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=2 pid=2511 refcnt=0
fe80::a00:27ff:feb4:ce0d ff02::5
ah mode=transport spi=65538(0x00010002) reqid=0(0x00000000)
A: hmac-sha1 6f737066 76332073 68617265 64207365 63726574
seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: Apr 16 11:04:56 2010 current: Apr 16 11:04:58 2010
diff: 2(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=3 pid=2511 refcnt=0
fe80::a00:27ff:fe7e:8d0f ff02::5
ah mode=transport spi=65537(0x00010001) reqid=0(0x00000000)
A: hmac-sha1 6f737066 76332073 68617265 64207365 63726574
seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: Apr 16 11:04:56 2010 current: Apr 16 11:04:58 2010
diff: 2(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=2511 refcnt=0
root@router1:~#
Restart Quagga (assuming it’s not already running), and the adjacency will appear in the list as before:
root@router1:~# /etc/init.d/quagga start
Loading capability module if not yet done.
Starting Quagga daemons (prio:10): zebra ospf6d.
root@router1:~#
root@router2:~# /etc/init.d/quagga start
Loading capability module if not yet done.
Starting Quagga daemons (prio:10): zebra ospf6d.
root@router2:~#
root@router1:~# VTYSH_PAGER=cat vtysh
Hello, this is Quagga (version 0.99.13).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
router1# show ipv6 ospf6 neighbor
Neighbor ID     Pri    DeadTime  State/IfState         Duration I/F[State]
172.31.250.61     1    00:00:30   Init/DROther         00:00:09 eth1[Waiting]
router1# show ipv6 ospf6 neighbor
Neighbor ID     Pri    DeadTime  State/IfState         Duration I/F[State]
172.31.250.61     1    00:00:36   Full/DR              00:00:04 eth1[BDR]
router1# exit
root@router1:~#
root@router1:~# ip -6 route
2002:f0f0:f0f0:1001::/64 dev eth2 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
2002:f0f0:f0f0:1002::/64 via fe80::a00:27ff:feb4:ce0d dev eth1 proto zebra metric 1 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth2 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
root@router1:~#
This time, however, tcpdump shows that the traffic between the routers has the AH header attached, with a cryptographic signature verifying the identity of the neighbour router:
root@router1:~# tcpdump -ni eth1 ip6 protochain ospf
Warning: Kernel filter failed: Invalid argument
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
11:15:02.997348 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: AH(spi=0x00010001,seq=0x1): OSPFv3, Hello, length 36
11:15:04.701022 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: AH(spi=0x00010002,seq=0x1): OSPFv3, Hello, length 36
11:15:13.001028 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: AH(spi=0x00010001,seq=0x2): OSPFv3, Hello, length 40
11:15:14.706083 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: AH(spi=0x00010002,seq=0x2): OSPFv3, Hello, length 40
11:15:23.011476 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: AH(spi=0x00010001,seq=0x3): OSPFv3, Hello, length 40
11:15:24.711929 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: AH(spi=0x00010002,seq=0x3): OSPFv3, Hello, length 40
11:15:33.021316 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: AH(spi=0x00010001,seq=0x4): OSPFv3, Hello, length 40
11:15:34.716145 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: AH(spi=0x00010002,seq=0x4): OSPFv3, Hello, length 40
11:15:43.012602 IP6 fe80::a00:27ff:fe7e:8d0f > fe80::a00:27ff:feb4:ce0d: AH(spi=0x00020001,seq=0x1): OSPFv3, Database Description, length 28
11:15:43.025608 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: AH(spi=0x00010001,seq=0x5): OSPFv3, Hello, length 40
11:15:44.704244 IP6 fe80::a00:27ff:feb4:ce0d > fe80::a00:27ff:fe7e:8d0f: AH(spi=0x00020001,seq=0x1): OSPFv3, Database Description, length 28
11:15:44.704499 IP6 fe80::a00:27ff:fe7e:8d0f > fe80::a00:27ff:feb4:ce0d: AH(spi=0x00020001,seq=0x2): OSPFv3, Database Description, length 68
11:15:44.705260 IP6 fe80::a00:27ff:feb4:ce0d > fe80::a00:27ff:fe7e:8d0f: AH(spi=0x00020001,seq=0x2): OSPFv3, LS-Request, length 40
11:15:44.705281 IP6 fe80::a00:27ff:feb4:ce0d > fe80::a00:27ff:fe7e:8d0f: AH(spi=0x00020001,seq=0x3): OSPFv3, Database Description, length 68
11:15:44.705406 IP6 fe80::a00:27ff:fe7e:8d0f > fe80::a00:27ff:feb4:ce0d: AH(spi=0x00020001,seq=0x3): OSPFv3, LS-Update, length 100
11:15:44.705472 IP6 fe80::a00:27ff:fe7e:8d0f > fe80::a00:27ff:feb4:ce0d: AH(spi=0x00020001,seq=0x4): OSPFv3, LS-Request, length 40
11:15:44.705510 IP6 fe80::a00:27ff:fe7e:8d0f > fe80::a00:27ff:feb4:ce0d: AH(spi=0x00020001,seq=0x5): OSPFv3, Database Description, length 28
11:15:44.706691 IP6 fe80::a00:27ff:feb4:ce0d > fe80::a00:27ff:fe7e:8d0f: AH(spi=0x00020001,seq=0x4): OSPFv3, LS-Update, length 100
11:15:44.706716 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: AH(spi=0x00010002,seq=0x5): OSPFv3, LS-Update, length 92
11:15:44.716271 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: AH(spi=0x00010002,seq=0x6): OSPFv3, Hello, length 40
11:15:47.712150 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: AH(spi=0x00010001,seq=0x6): OSPFv3, LS-Ack, length 96
11:15:47.712389 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: AH(spi=0x00010002,seq=0x7): OSPFv3, LS-Ack, length 56
11:15:49.711795 IP6 fe80::a00:27ff:fe7e:8d0f > fe80::a00:27ff:feb4:ce0d: AH(spi=0x00020001,seq=0x6): OSPFv3, LS-Update, length 60
11:15:52.716154 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: AH(spi=0x00010002,seq=0x8): OSPFv3, LS-Ack, length 36
11:15:53.025925 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: AH(spi=0x00010001,seq=0x7): OSPFv3, Hello, length 40
11:15:54.722931 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: AH(spi=0x00010002,seq=0x9): OSPFv3, Hello, length 40
11:16:03.032684 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: AH(spi=0x00010001,seq=0x8): OSPFv3, Hello, length 40
11:16:04.726516 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: AH(spi=0x00010002,seq=0xa): OSPFv3, Hello, length 40
11:16:13.041695 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: AH(spi=0x00010001,seq=0x9): OSPFv3, Hello, length 40
11:16:14.732027 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: AH(spi=0x00010002,seq=0xb): OSPFv3, Hello, length 40
^C
30 packets captured
42 packets received by filter
0 packets dropped by kernel
root@router1:~#
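A check over captures like the one above, as an added example that is not part of the original post: it flags OSPFv3 packets with no AH header, with an SPI outside the configured set, or with a sequence number that does not increase within an SA (the SA dump shows replay=0, so the kernel is not checking this itself). The function names are hypothetical and the last three sample lines are constructed.

```shell
#!/bin/sh
# Added example: audit "tcpdump -n" text output for OSPFv3 packets that are
# not covered by an expected AH security association.
# Usage: audit_ospf6_ah "SPI SPI ..." < capture.txt   (status 1 on findings)

audit_ospf6_ah() {
    awk -v allowed="$1" '
    # Portable hex-to-number conversion (strtonum is gawk-only).
    function hex(s,   i, v) {
        s = tolower(s); sub(/^0x/, "", s); v = 0
        for (i = 1; i <= length(s); i++)
            v = v * 16 + index("0123456789abcdef", substr(s, i, 1)) - 1
        return v
    }
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[hex(a[i])] = 1 }
    /OSPFv3/ {
        src = $3; dst = $5; sub(/:$/, "", dst)
        if (!match($0, /AH\(spi=0x[0-9a-f]+,seq=0x[0-9a-f]+\)/)) {
            print "NOAUTH " src " > " dst; bad++; next
        }
        # The text between "AH(spi=" and ")" looks like 0x00010001,seq=0x1
        split(substr($0, RSTART + 7, RLENGTH - 8), f, ",seq=")
        spi = hex(f[1]); seq = hex(f[2])
        sa = src " > " dst " " f[1]
        if (!(spi in ok)) { print "BADSPI " sa; bad++ }
        # Within one SA the sender increments seq for every packet.
        if ((sa in last) && seq <= last[sa]) {
            print "REPLAY " sa " seq=" f[2]; bad++
        }
        last[sa] = seq
    }
    END { exit (bad > 0) }'
}

# Sample input: the first two lines are from the capture above; the last three
# are constructed (no AH header, repeated sequence number, unknown SPI).
SAMPLE='11:15:02.997348 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: AH(spi=0x00010001,seq=0x1): OSPFv3, Hello, length 36
11:15:04.701022 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: AH(spi=0x00010002,seq=0x1): OSPFv3, Hello, length 36
11:15:06.000000 IP6 fe80::1234 > ff02::5: OSPFv3, Hello, length 36
11:15:13.001028 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: AH(spi=0x00010001,seq=0x1): OSPFv3, Hello, length 36
11:15:14.000000 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: AH(spi=0x00030001,seq=0x1): OSPFv3, Hello, length 36'

audit_sample() {
    printf '%s\n' "$SAMPLE" | audit_ospf6_ah "0x10001 0x10002 0x20001"
}

audit_sample || true
```

Reloading the setkey script resets the sender's sequence counter, so a REPLAY finding right after a reload is expected.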