IPv6 OSPFv3 ESP Packets and Decrypting With Wireshark

I am working on IPv6. While doing OSPFv3, I get to the encryption option, covered in the relatively easy to read and informative RFC 4552. So now it is configured and I think to myself, this is great – now my routing protocol is secure on the wire. But hey, what if I need to see what is going on on my network? What do I get to see now that it is encrypted?

Doing a capture with Wireshark, this is what I got to see:

Great – so now what? I have ESP packets in this capture. I see some are destined to FF02::5 (AllSPFRouters), and the others are between my R1 and R2 link-local addresses. This is a lab with only two routers running OSPFv3, so this has got to be OSPFv3. But I want to see the OSPFv3, and I do not want to turn off the encryption on my router interfaces.

I did a little searching and found out that Wireshark has a dissector built in to decrypt ESP if you have the keys. I also found this awesome write-up at the Cisco Learning Network about using Wireshark and finding the “keys” to use to decrypt the ESP tunnel. Wireshark covers this on their site as well. I found that other platforms have this capability to get the “keys” that are active so you can decode them as well, such as Linux ‘ip xfrm state’.

But what I am going to show with OSPFv3 is way easier, because we already have the “keys” to our kingdom. Why? We created them ourselves on the router when we configured the encryption: ‘ipv6 ospf encryption ipsec spi 256 esp 3des 24E692732D80FAC4F6DC2B9ABFB73678EF660BAB12345678 sha1 24E692732D80FAC4F6DC2B9ABFB73678EF660BAB’.

Let’s walk through a few steps to set up Wireshark to decode the ESP packets.

First, go to Edit > Preferences

Second, find ESP under +Protocols and add the SA information: Protocol (IPv6), source, destination, SPI, and the encryption and authentication algorithms and keys from R1 and R2

And finally, the result is decoded OSPFv3 packets to look at.

The configurations of R1 and R2:

hostname R1
interface FastEthernet0/0
mac-address 0011.1111.1111
ipv6 address 2001:DB8:1212::1/64
ipv6 ospf 1 area 0
ipv6 ospf encryption ipsec spi 256 esp 3des 24E692732D80FAC4F6DC2B9ABFB73678EF660BAB12345678 sha1 24E692732D80FAC4F6DC2B9ABFB73678EF660BAB

hostname R2
interface FastEthernet0/0
mac-address 0022.2222.2222
ipv6 address 2001:DB8:1212::2/64
ipv6 ospf 1 area 0
ipv6 ospf encryption ipsec spi 256 esp 3des 24E692732D80FAC4F6DC2B9ABFB73678EF660BAB12345678 sha1 24E692732D80FAC4F6DC2B9ABFB73678EF660BAB
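As an added example (not part of the original post), this Python script turns the ‘ipv6 ospf encryption ipsec’ lines from the R1 and R2 configs above into the ESP SA rows that step two enters by hand, one row per source/destination pair. It assumes the routers use IOS’s default EUI-64 link-local addresses (derived here from the configured MACs) and that the algorithm labels match the drop-downs in the installed Wireshark’s ESP preferences.

```python
"""Build Wireshark ESP SA rows (Protocols > ESP) from OSPFv3 IPsec commands."""
import ipaddress
import re

# Labels as shown in Wireshark's ESP preference drop-downs (assumed to match
# the installed version); the number is the key length in bytes it expects.
CIPHERS = {"3des": ("TripleDES-CBC [RFC2451]", 24)}
INTEGRITY = {"sha1": ("HMAC-SHA-1-96 [RFC2404]", 20), "md5": ("HMAC-MD5-96 [RFC2403]", 16)}
ALL_SPF_ROUTERS = "ff02::5"  # every OSPFv3 router listens here

CMD = re.compile(
    r"ipv6 ospf encryption ipsec spi (?P<spi>\d+) esp (?P<cipher>\S+) "
    r"(?P<enc_key>[0-9A-Fa-f]+) (?P<auth>\S+) (?P<auth_key>[0-9A-Fa-f]+)")


def parse_ospfv3_ipsec(line):
    """Parse the IOS command and refuse keys whose length does not fit the algorithm."""
    m = CMD.search(line)
    if not m or m["cipher"].lower() not in CIPHERS or m["auth"].lower() not in INTEGRITY:
        raise ValueError("not a supported 'ipv6 ospf encryption ipsec ... esp' command")
    cipher, enc_len = CIPHERS[m["cipher"].lower()]
    auth, auth_len = INTEGRITY[m["auth"].lower()]
    if len(m["enc_key"]) != enc_len * 2 or len(m["auth_key"]) != auth_len * 2:
        raise ValueError("key length does not match the chosen algorithm")
    return {"spi": int(m["spi"]), "cipher": cipher, "enc_key": m["enc_key"],
            "auth": auth, "auth_key": m["auth_key"]}


def eui64_link_local(cisco_mac):
    """fe80::/64 address IOS derives from the interface MAC (EUI-64, the default)."""
    raw = bytes.fromhex(cisco_mac.replace(".", ""))
    iid = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    iid[0] ^= 0x02  # flip the universal/local bit
    return str(ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + bytes(iid)))


def esp_sa_records(sa, src, peers):
    """One esp_sa row per (src, dst); Wireshark matches a packet on dst, src and SPI."""
    return [f'"IPv6","{src}","{dst}","0x{sa["spi"]:x}","{sa["cipher"]}",'
            f'"0x{sa["enc_key"]}","{sa["auth"]}","0x{sa["auth_key"]}"'
            for dst in peers]


if __name__ == "__main__":
    cmd = ("ipv6 ospf encryption ipsec spi 256 esp 3des "
           "24E692732D80FAC4F6DC2B9ABFB73678EF660BAB12345678 sha1 "
           "24E692732D80FAC4F6DC2B9ABFB73678EF660BAB")
    sa = parse_ospfv3_ipsec(cmd)
    r1, r2 = eui64_link_local("0011.1111.1111"), eui64_link_local("0022.2222.2222")
    rows = esp_sa_records(sa, r1, [ALL_SPF_ROUTERS, r2]) + esp_sa_records(sa, r2, [ALL_SPF_ROUTERS, r1])
    print("\n".join(rows))  # paste into the esp_sa file of a Wireshark profile
```

Because both routers share one SPI and key pair, the four rows differ only in their addresses; the same rows can also be fed to tshark with `-o uat:esp_sa:<row>` (assumed syntax) for scripted decoding.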

Packet Capture at Cloudshark

WRAP UP

So with IPv6 and the built-in IPsec support, this is going to be great for security. But with all the transport-mode IPsec that is going to be floating around on the wire, it’s going to be different than the days of IPv4, when most everything was in clear text on the wire to view at will with Wireshark. Something to get used to.

About Garry Baker

"Keep it simple. When in doubt during design, choose the simplest
solution." - RFC1958 On Twitter @networkdongle

  • http://twitter.com/cloudtoad Derick Winkworth

    This… is…. awesome!

  • Cjinfantino

    Great post, I had no idea you could do that with Wireshark. It looks like you need to input each key from each router, if that is true how does this scale? What if we wanted to look at a large network with dozens of routers? Just a thought, I may be missing something.

    • http://www.facebook.com/coded32 Shritam Bhowmick

      I already did this with debugging the coredumps in the DRAM and then calculating the probable density of the bytes in it and manipulating them with how many left shifts, the original bytecode appears and that way I find the IPsec headers and the authentication info.