OSPFv3 authentication requires IPv6 IPsec and supports the following:
IPsec transport mode
AH and ESP
manual keyed IPsec Security Association (SA)
authentication algorithms MD5 and SHA1
To pass OSPFv3 authentication, OSPFv3 peers must have matching inbound and outbound SAs configured using the same SA parameters (SPI, keys, and so on). The implementation must allow the use of one SA for both inbound and outbound directions.
This feature is supported on IES and VPRN interfaces as well as on virtual links.
The re-keying procedure defined in RFC 4552, Authentication/Confidentiality for OSPFv3, consists of the following steps.
For every router on the link, create an additional inbound SA for the interface being re-keyed using a new SPI and the new key.
For every router on the link, replace the original outbound SA with one using the new SPI and key values. The SA replacement operation should be atomic with respect to sending OSPFv3 packets on the link so that no OSPFv3 packets are sent without authentication or encryption.
For every router on the link, remove the original inbound SA.
The key rollover procedure automatically starts when the operator changes the configuration of the inbound static-sa or bidirectional static-sa under an interface or virtual link. Within the KeyRolloverInterval time period, OSPF3 accepts packets with both the previous inbound static-sa and the new inbound static-sa, and the previous outbound static-sa continues to be used. When the timer expires, OSPF3 accepts only packets with the new inbound static-sa, and outgoing OSPF3 packets use the new outbound static-sa instead.
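The SA matching rule, the three RFC 4552 rollover steps and the KeyRolloverInterval timer behaviour described above, modelled as an added Python example. This is not code from the page or from any router's implementation; the class and function names (StaticSA, Ospf3Interface, simulate_rollover) are hypothetical, a packet is reduced to an AH-style triple of SPI, payload and a 96-bit HMAC ICV, and, as the text describes, the outbound switch and the removal of the previous inbound SA happen together when the timer expires.

```python
import hmac

ICV_LEN = 12  # HMAC-MD5-96 / HMAC-SHA1-96 carry a 96-bit (12-byte) ICV in the AH header


class StaticSA:
    """A manually keyed SA: SPI plus key and authentication algorithm (md5 or sha1)."""

    def __init__(self, spi: int, key: bytes, algo: str = "sha1"):
        if algo not in ("md5", "sha1"):
            raise ValueError("only MD5 and SHA1 are listed for OSPFv3 authentication")
        self.spi, self.key, self.algo = spi, key, algo

    def icv(self, payload: bytes) -> bytes:
        return hmac.new(self.key, payload, self.algo).digest()[:ICV_LEN]


class Ospf3Interface:
    """Per-interface SA state: accepted inbound SAs (one, or two during rollover),
    the single outbound SA, and the KeyRolloverInterval timer (hypothetical model)."""

    def __init__(self, sa: StaticSA, rollover_interval: int):
        self.inbound = {sa.spi: sa}
        self.outbound = sa
        self.interval = rollover_interval
        self.pending = None  # (new SA, time at which the rollover timer expires)

    def configure_static_sa(self, new_sa: StaticSA, now: int) -> None:
        """Operator changes the static-sa: step 1, add the new SA as an additional
        inbound SA. Rollover needs a new SPI; reusing the SPI would leave no overlap."""
        if new_sa.spi in self.inbound:
            raise ValueError("re-keying requires a new SPI (RFC 4552 step 1)")
        self.inbound[new_sa.spi] = new_sa
        self.pending = (new_sa, now + self.interval)

    def tick(self, now: int) -> None:
        """Timer expiry: step 2 (switch outbound to the new SA) and step 3 (stop
        accepting the previous inbound SA) together, as the text describes."""
        if self.pending and now >= self.pending[1]:
            new_sa, _ = self.pending
            del self.inbound[self.outbound.spi]
            self.outbound = new_sa
            self.pending = None

    def send(self, payload: bytes, now: int) -> tuple:
        self.tick(now)
        return (self.outbound.spi, payload, self.outbound.icv(payload))

    def receive(self, packet: tuple, now: int) -> bool:
        """Look the inbound SA up by SPI and verify the ICV; False means dropped.
        A peer whose SPI or key differs therefore fails authentication."""
        self.tick(now)
        spi, payload, icv = packet
        sa = self.inbound.get(spi)
        return sa is not None and hmac.compare_digest(sa.icv(payload), icv)


def simulate_rollover(config_times, interval, old_sa, new_sa, horizon):
    """Routers on one link, each reconfigured at its own config_times entry, exchange
    one hello per tick in every direction. Returns (time, sender) for each drop."""
    routers = [Ospf3Interface(old_sa, interval) for _ in config_times]
    drops = []
    for now in range(horizon):
        for router, t_cfg in zip(routers, config_times):
            if now == t_cfg:
                router.configure_static_sa(new_sa, now)
        for i, sender in enumerate(routers):
            pkt = sender.send(b"OSPFv3 Hello from R%d" % i, now)  # constructed payload
            for j, receiver in enumerate(routers):
                if j != i and not receiver.receive(pkt, now):
                    drops.append((now, i))
    return drops


if __name__ == "__main__":
    old = StaticSA(256, b"constructed-old-key")
    new = StaticSA(257, b"constructed-new-key")
    print("same-time reconfig drops:", simulate_rollover([0, 0], 30, old, new, 60))
    print("5 s staggered reconfig drops:", simulate_rollover([0, 5], 30, old, new, 60))
```

Running the simulation shows the operational consequence of the model: when every router on the link is reconfigured at the same time nothing is dropped, but if one router is reconfigured later, the earlier router's timer expires first, it stops accepting the previous inbound SA, and the slower router's hellos (still sent with the previous outbound SA) are dropped until the slower router's own timer expires. The loss window equals the reconfiguration skew, so the operator should reconfigure all routers on a link as closely together as possible and keep that skew well below the OSPFv3 dead interval.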