Monday, 22 May 2017

CISCO – HOW TO CONFIGURE OSPF MESSAGE DIGEST 5 (MD5) AUTHENTICATION:

FIRST KNOW WHAT OSPF IS - OPEN SHORTEST PATH FIRST (OSPF) is an adaptive routing protocol for Internet Protocol (IP) networks. It uses a link state routing algorithm and falls into the group of interior routing protocols, operating within a single autonomous system (AS). It is defined as OSPF Version 2 in RFC 2328 (1998) for IPv4.[1] The updates for IPv6 are specified as OSPF Version 3 in RFC 5340 (2008).[2]

OSPF is perhaps the most widely-used interior gateway protocol (IGP) in large enterprise networks. IS-IS, another link-state routing protocol, is more common in large service provider networks. The most widely-used exterior gateway protocol is the Border Gateway Protocol (BGP), the principal routing protocol between autonomous systems on the Internet.

TO UNDERSTAND OSPF AUTHENTICATION:

Introduction:

This document shows sample configurations for Open Shortest Path First (OSPF) authentication which allows the flexibility to authenticate OSPF neighbors.

Authentication in OSPF allows for the configuration of a password for a specific area. Routers that want to become neighbors have to exchange the same password on a particular segment. It is possible to authenticate the OSPF packets such that routers can participate in routing domains based on predefined passwords.

By default, a router uses a Null authentication which means that routing exchanges over a network are not authenticated.


Routing protocols are used to exchange reachability information between routers. Routing information learned from peers is used to determine the next hop towards the destination. To route traffic correctly, it is necessary to prevent malicious or incorrect routing information from getting introduced into the routing table. This can be done by authenticating the routing updates exchanged between routers. Open Shortest Path First (OSPF) supports plain text authentication and Message Digest 5 (MD5) Authentication.

You can enable authentication in OSPF in order to exchange routing update information in a secure manner. OSPF authentication can either be none (or null), simple, or MD5.

The authentication method "none" means that no authentication is used for OSPF and it is the default method. With simple authentication, the password goes in clear-text over the network.

With MD5 authentication, the password does not pass over the network. MD5 is a message-digest algorithm specified in RFC 1321. MD5 is considered the most secure OSPF authentication mode.

SO WE COME TO SEE OSPF AUTHENTICATION:

Use OSPF authentication to improve network reliability and security. Let’s take the case where a corporate partner needs a connection into your network and due to a configuration error within your network, the interface connecting to that router is set to run OSPF. Matching only a couple of incidental parameters would allow that router to inject routing information into your network. Since many sites use private addresses internally, the chances of an overlap of some subnets is pretty high, potentially creating what looks like a routing black hole (the packets for your subnet are routed to the corporate partner’s router).

When you configure authentication, you must configure an entire area with the same type of authentication. Starting with Cisco IOS® Software Release 12.0(8),

TYPE OF OSPF AUTHENTICATION:

THESE ARE THE THREE DIFFERENT TYPES OF AUTHENTICATION SUPPORTED BY OSPF.
  • Null Authentication: also called Type 0; no authentication information is included in the packet header. It is the default.
  • Plain Text Authentication: also called Type 1; it uses simple clear-text passwords.
  • MD5 Authentication: also called Type 2; it uses MD5 cryptographic passwords.

SYNTAX DESCRIPTION:

·        key-id— Key used to identify the password. Range of values is 1 to 255. Both ends of a link must use the same key and password.
·        password— Password to be used for authentication in the selected area on the selected interface. The password is an alphanumeric string from 1 to 8 characters.
RESOLUTION OF AUTHENTICATION:

To configure OSPF plain text authentication, specify the plain text password to be used for authentication on an interface, and enable authentication for the OSPF area. To assign a password to be used by neighboring routers using the OSPF plain text password authentication, issue the ip ospf authentication-key command in interface configuration mode.

To enable authentication for an OSPF area, issue the area authentication command in router configuration mode.

Authentication does not need to be set. However, if it is set, all peer routers on the same segment must have the same password and authentication method. The examples in this document demonstrate configurations for both plain text and MD5 authentication.

To configure OSPF MD5 authentication, specify a password to be used for authentication on an interface, and enable MD5 authentication for the area. To enable OSPF MD5 authentication and to specify the password to be used by neighboring routers to authenticate to each other, issue the ip ospf message-digest-key command in interface configuration mode. To enable MD5 authentication for an OSPF area, issue the area authentication command with the message-digest keyword in router configuration mode.

NULL AUTHENTICATION:

NULL AUTHENTICATION, OR TYPE ZERO, is the default authentication condition for OSPF. When the traffic does not contain any special information, use this method. There is no authentication involved here, so the traffic is wide open.
In Cisco IOS Software Release 12.0 and later, if authentication is not required on an interface, NULL authentication can be employed to override the authentication that has been configured for the area.
EXAMPLE FOR NULL AUTHENTICATION:
Router A
interface Loopback0
ip address 1.1.1.1 255.255.255.255
interface Ethernet0/0
ip address 172.16.1.1 255.255.255.0
ip ospf authentication-key Prem
interface Serial0/1
ip address 10.1.1.1 255.255.255.252
ip ospf authentication null
clockrate 64000
 
router ospf 1
area 0 authentication
network 1.1.1.1 0.0.0.0 area 1
network 10.1.1.0 0.0.0.3 area 0
network 172.16.1.0 0.0.0.255 area 0
 _________________________________________________________________
Router B
interface Loopback0
ip address 2.2.2.2 255.255.255.255
interface Ethernet0
ip address 172.16.1.2 255.255.255.0
! the key must match the one on Router A's Ethernet0/0, or the FULL adjacency shown below will not form
ip ospf authentication-key Prem
interface Serial0
ip address 10.1.1.2 255.255.255.252
ip ospf authentication null
router ospf 1
area 0 authentication
network 2.2.2.2 0.0.0.0 area 2
network 10.1.1.0 0.0.0.3 area 0
network 172.16.1.0 0.0.0.255 area 0
VERIFICATION:
Verify that Routers A and B have formed full OSPF neighbor relationships over the Ethernet and serial networks.
rtrA#show ip ospf neighbor
 
Neighbor ID     Pri   State           Dead Time   Address         Interface
 
2.2.2.2           1   FULL/DR         00:00:31    172.16.1.2      Ethernet0/0
2.2.2.2           1   FULL/  -        00:00:35    10.1.1.2        Serial0/1
 
PLAIN TEXT AUTHENTICATION:

Plain text authentication is used when devices within an area cannot support the more secure MD5 authentication. Plain text authentication leaves the internetwork vulnerable to a "sniffer attack," in which packets are captured by a protocol analyzer and the passwords can be read.

However, it is useful when you perform OSPF reconfiguration, rather than for security. For example, separate passwords can be used on older and newer OSPF routers that share a common broadcast network to prevent them from talking to each other. Plain text authentication passwords do not have to be the same throughout an area, but they must be the same between neighbors.

SIMPLE PASSWORD AUTHENTICATION:

Simple password authentication allows a password (key) to be configured per area. Routers in the same area that want to participate in the routing domain will have to be configured with the same key. The drawback of this method is that it is vulnerable to passive attacks. Anybody with a link analyzer could easily get the password off the wire. To enable password authentication use the following commands:

·        ip ospf authentication-key key (this goes under the specific interface)
·        area area-id authentication (this goes under "router ospf <process-id>")

Assigns the password used for simple authentication on this interface.

Syntax: ip ospf authentication-key key
        no ip ospf authentication-key

key: character string of up to eight characters.


VERIFY PLAIN TEXT AUTHENTICATION:

Use the show ip ospf interface command to view the authentication type configured for an interface.
With simple password authentication, each router must first be configured with the passwords of each of its attached networks before it can participate in routing with those networks.

When simple authentication is configured, a 64-bit field is configured for each network. All packets sent on that network must have this value in the header of their OSPF packets. In addition, the contents of each OSPF packet are checksummed to detect corruption.

Use the ip ospf authentication-key key command to assign the authentication password for this interface.
Use the no ip ospf authentication-key command to delete the authentication key.
Factory default: no authentication key configured.

TROUBLESHOOT PLAIN TEXT AUTHENTICATION:

The debug ip ospf adj output for ROUTER shows when plain text authentication is successful.
ROUTER# debug ip ospf adj
Command mode: interface configuration:

IN THE FOLLOWING EXAMPLE:
  • The router ospf command enables OSPF and specifies an OSPF process number
  • The network area command enables OSPF on the specified network and assigns the network an OSPF area ID of 1
  • The area area-id authentication command enables authentication for area 1
  • The interface pos command specifies an interface and changes the command mode to Interface configuration
  • The ip ospf authentication-key key command enables simple authentication and sets the password for the specified interface:
Router(config)#router ospf 13
Router(config-router)#network 10.1.1.0 0.0.0.255 area 1
Router(config-router)#area 1 authentication
Router(config-router)#interface pos 1/1/1
Router(config-if)#ip ospf authentication-key Prem

 EXAMPLE:
interface Ethernet0
ip address 10.10.10.10 255.255.255.0
ip ospf authentication-key mypassword
 
router ospf 10
network 10.10.0.0 0.0.255.255 area 0
area 0 authentication

SIMPLE EXAMPLE FOR PASSWORD AUTHENTICATION:

 Router A
interface Loopback0
ip address 1.1.1.1 255.255.255.255
interface Ethernet0/0
ip address 172.16.1.1 255.255.255.0
interface Serial0/1
ip address 10.1.1.1 255.255.255.252
clockrate 64000
router ospf 1
network 10.1.1.0 0.0.0.3 area 0
network 172.16.1.0 0.0.0.255 area 0
network 1.1.1.1 0.0.0.0 area 1
________________________________________________________________
Router B
 
interface Loopback0
ip address 2.2.2.2 255.255.255.255
interface Ethernet0
ip address 172.16.1.2 255.255.255.0
interface Serial0
ip address 10.1.1.2 255.255.255.252
router ospf 1
network 10.1.1.0 0.0.0.3 area 0
network 172.16.1.0 0.0.0.255 area 0
network 2.2.2.2 0.0.0.0 area 2

Verify that Routers A and B have established a full OSPF neighbor relationship over the serial and Ethernet networks.
 
Router A#show ip ospf neighbor
 
Neighbor ID     Pri   State           Dead Time   Address         Interface
 
2.2.2.2           1   FULL/BDR        00:00:32    172.16.1.2      Ethernet0/0
2.2.2.2           1   FULL/  -        00:00:35    10.1.1.2        Serial0/1
Verify that authentication is not being used in Area 0.
Router A#show ip ospf
 
Routing Process "ospf 1" with ID 1.1.1.1
Supports only single TOS(TOS0) routes
It is an area border router
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 0. Checksum Sum 0x0
Number of DCbitless external LSA 0
Number of DoNotAge external LSA 0
 
Number of areas in this router is 2. 2 normal 0 stub 0 nssa
Area BACKBONE(0)
Number of interfaces in this area is 2
Area has no authentication
SPF algorithm executed 8 times
Area ranges are
Number of LSA 5. Checksum Sum 0x23C8C
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
 
Area 1
 
Number of interfaces in this area is 1
Area has no authentication
SPF algorithm executed 5 times
Area ranges are
Number of LSA 4. Checksum Sum 0x22672
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0

Modify the configurations on Routers A and B so that simple password authentication is used on the Ethernet network. Use the clear-text password Prem.
 
Router A
 
interface Ethernet0/0
ip address 172.16.1.1 255.255.255.0
ip ospf authentication
ip ospf authentication-key Prem
_________________________________________________________________
Router B
 
interface Ethernet0
ip address 172.16.1.2 255.255.255.0
ip ospf authentication
ip ospf authentication-key Prem
VERIFICATION:
Verify that Routers A and B have a full OSPF neighbor relationship over both the serial and Ethernet networks.
 
Router B#show ip ospf neighbor
 
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/BDR        00:00:36    172.16.1.1      Ethernet0
1.1.1.1           1   FULL/  -        00:00:30    10.1.1.1        Serial0

  

MESSAGE DIGEST AUTHENTICATION (MD5):

MD5 authentication provides higher security than plain text authentication. This method uses the MD5 algorithm to compute a hash value from the contents of the OSPF packet and a password (or key). This hash value is transmitted in the packet, along with a key ID and a non-decreasing sequence number. The receiver, which knows the same password, calculates its own hash value. If nothing in the message changes, the hash value of the receiver should match the hash value of the sender which is transmitted with the message.

MD5 is a type 2 OSPF authentication level. Network managers can create a high level of security for OSPF traffic using MD5. It is the most secure OSPF authentication method available today. It works by computing a hash value (a 128-bit number) over the contents of a message.

MD5 is a cryptographic authentication. A key (password) and key-id are configured on each router. The router uses an algorithm based on the OSPF packet, the key, and the key-id to generate a "message digest" that gets appended to the packet. Unlike the simple authentication, the key is not exchanged over the wire. A non-decreasing sequence number is also included in each OSPF packet to protect against replay attacks.

The key ID allows the routers to reference multiple passwords. This makes password migration easier and more secure. For example, to migrate from one password to another, configure a password under a different key ID and remove the first key. 

The sequence number prevents replay attacks, in which OSPF packets are captured, modified, and retransmitted to a router. As with plain text authentication, MD5 authentication passwords do not have to be the same throughout an area. However, they do need to be the same between neighbors.

Note: 

 Cisco recommends that you configure the service password-encryption command on all of the routers. This causes the router to encrypt the passwords in any display of the configuration file and guards against the password being learned by observing the text copy of the configuration of the router.

This method also allows for uninterrupted transitions between keys. This is helpful for administrators who wish to change the OSPF password without disrupting communication. If an interface is configured with a new key, the router will send multiple copies of the same packet, each authenticated by different keys.

The router will stop sending duplicate packets once it detects that all of its neighbors have adopted the new key. Following are the commands used for message digest authentication:

·        ip ospf message-digest-key keyid md5 key (used under the interface)
·        area area-id authentication message-digest (used under "router ospf <process-id>")
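The following is an added example, not code from the page or from Cisco, showing what the MD5 mechanism described above does on the wire: the sender appends MD5(packet || key padded to 16 bytes) to an OSPF Hello carrying the key ID and sequence number (RFC 2328 Appendix D), and the receiver looks the key up by ID, enforces the non-decreasing sequence number and recomputes the digest. The key IDs 1 and 2 with the passwords Prem and Cisco, router ID 1.1.1.1 and area 2 are taken from this page's examples; the Hello body values are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

# OSPFv2 header: version, type, length, router ID, area ID, checksum, AuType (16 bytes),
# followed by the 8-byte authentication field (RFC 2328 section A.3.1).
HEADER_FMT = "!BBHIIHH"
AUTH_FMT = "!HBBI"          # AuType 2 layout: reserved, key ID, auth data length, sequence number
OSPF_VERSION, HELLO, AU_CRYPT, DIGEST_LEN = 2, 1, 2, 16


def ip2int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def pad_key(key: str) -> bytes:
    """IOS keys are 1-16 characters; RFC 2328 D.3 pads shorter keys with zeros to 16 bytes."""
    raw = key.encode()
    if not 1 <= len(raw) <= 16:
        raise ValueError("MD5 key must be 1 to 16 characters")
    return raw.ljust(16, b"\x00")


def sign_packet(body: bytes, router_id: str, area_id: str, key_id: int, key: str, seq: int) -> bytes:
    """Build an OSPF Hello with AuType 2 and append MD5(packet || padded key).
    The key itself never goes on the wire; only the key ID, sequence number and digest do."""
    length = 24 + len(body)                        # packet length field excludes the digest
    auth = struct.pack(AUTH_FMT, 0, key_id, DIGEST_LEN, seq)
    header = struct.pack(HEADER_FMT, OSPF_VERSION, HELLO, length, ip2int(router_id),
                         ip2int(area_id), 0, AU_CRYPT)   # checksum field is 0 with AuType 2
    packet = header + auth + body
    return packet + hashlib.md5(packet + pad_key(key)).digest()


class Verifier:
    """Receiver side: one instance per interface, holding the configured key IDs."""

    def __init__(self, keys: dict):
        self.keys = keys            # key ID -> key, e.g. {1: "Prem", 2: "Cisco"} during a rollover
        self.last_seq = {}          # neighbor router ID -> last accepted sequence number

    def verify(self, packet: bytes):
        if len(packet) < 24 + DIGEST_LEN:
            return False, "truncated packet"
        version, _ptype, length, router_id, _area, _csum, autype = struct.unpack(HEADER_FMT, packet[:16])
        _, key_id, auth_len, seq = struct.unpack(AUTH_FMT, packet[16:24])
        if version != OSPF_VERSION or autype != AU_CRYPT or auth_len != DIGEST_LEN:
            return False, "authentication type mismatch"
        if len(packet) != length + DIGEST_LEN:
            return False, "length mismatch"
        key = self.keys.get(key_id)
        if key is None:
            return False, f"unknown key id {key_id}"             # neighbor uses a key we do not have
        if seq < self.last_seq.get(router_id, 0):
            return False, "replay: sequence number decreased"   # RFC 2328 D.4.3 non-decreasing check
        expected = hashlib.md5(packet[:length] + pad_key(key)).digest()
        if not hmac.compare_digest(expected, packet[length:]):
            return False, "digest mismatch: wrong key or modified packet"
        self.last_seq[router_id] = seq
        return True, f"authenticated with key id {key_id}"


# Constructed Hello body (RFC 2328 A.3.2): mask /30, Hello 10, options E, priority 1, Dead 40, DR/BDR 0.
HELLO_BODY = struct.pack("!IHBBIII", ip2int("255.255.255.252"), 10, 0x02, 1, 40, 0, 0)

if __name__ == "__main__":
    rx = Verifier({1: "Prem", 2: "Cisco"})
    print(rx.verify(sign_packet(HELLO_BODY, "1.1.1.1", "0.0.0.2", 2, "Cisco", 100)))   # accepted
    print(rx.verify(sign_packet(HELLO_BODY, "1.1.1.1", "0.0.0.2", 2, "Cisco", 99)))    # replay
    print(rx.verify(sign_packet(HELLO_BODY, "1.1.1.1", "0.0.0.2", 1, "laura", 101)))   # wrong key
    print(rx.verify(sign_packet(HELLO_BODY, "1.1.1.1", "0.0.0.2", 3, "Cisco", 101)))   # unknown id
```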

HERE IS AN EXAMPLE:
 
interface Ethernet0
ip address 10.10.10.10 255.255.255.0
ip ospf message-digest-key 10 md5 mypassword
 
router ospf 10
network 10.10.0.0 0.0.255.255 area 0
area 0 authentication message-digest

VERIFY MD5 AUTHENTICATION:

Use the show ip ospf interface command to view the authentication type configured for an interface.

TROUBLESHOOT MD5 AUTHENTICATION:

This is the debug ip ospf adj command output for ROUTER when MD5 authentication is successful.
ROUTER# debug ip ospf adj

EXAMPLE FOR MD5 AUTHENTICATION:

This example is for one interface on one router. The same key ID and key (the number 10 and the text password Prem on the ip ospf message-digest-key line) must exist on all interfaces of all routers.

To enable OSPF MD5 authentication, you need to define the encryption key, which is essentially just a password, on an interface. And you also must enable authentication for the entire area. For the first router, you could do this as follows:

Router1(config)#interface Serial0/1
Router1(config-if)#ip ospf message-digest-key 10 md5 Prem
Router1(config-if)#exit

Router1(config)#router ospf 10
Router1(config-router)#area 2 authentication message-digest
Router1(config-router)#exit
Router1(config)#end
Router1#

Similarly, you must enable OSPF authentication on other routers in the area, as well as making sure that the authentication keys match on all interfaces that share the same network segment:

THEN GO TO NEXT ROUTER 2:

Router2(config)#interface Serial0/0
Router2(config-if)#ip ospf message-digest-key 10 md5 Prem
Router2(config-if)#exit

Router2(config)#router ospf 11
Router2(config-router)#area 2 authentication message-digest
Router2(config-router)#exit
Router2(config)#end
Router2#

To verify that OSPF authentication is set on all router interfaces, you must check the configurations of each router.

FINALLY EXAMPLE FOR OSPF MD5 AUTHENTICATION:

To enable OSPF MD5 authentication, you need to define the encryption key, which is essentially just a password, on an interface. And you also must enable authentication for the entire area. For the first router, you could do this as follows:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#interface Serial0/1
Router1(config-if)#ip ospf message-digest-key 1 md5 Prem
Router1(config-if)#exit

Router1(config)#router ospf 50
Router1(config-router)#area 2 authentication message-digest
Router1(config-router)#exit
Router1(config)#end
Router1#

Similarly, you must enable OSPF authentication on other routers in the area, as well as making sure that the authentication keys match on all interfaces that share the same network segment:

Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#interface Serial0/0
Router2(config-if)#ip ospf message-digest-key 1 md5 Prem
Router2(config-if)#exit

Router2(config)#router ospf 100
Router2(config-router)#area 2 authentication message-digest
Router2(config-router)#exit
Router2(config)#end
Router2#

Uses the open standard MD5 (Message Digest 5) algorithm. MD5 is a one-way function, so recovering the password from the digest is not possible. Two devices exchange only the MD5 digests derived from the password; both devices know the same password. Each router is able to verify that the digest it receives is correct by running the same algorithm over the password that it already knows.

To make sure that nobody can just intercept and use the encrypted version of the password directly, a time value that the receiving router also knows is added to the password before encrypting. Anybody else listening on the network is only able to see the encrypted version of the password, but they cannot deduce the original password.

Unfortunately, the RFC is not completely clear on how this time value should be added to the original pass phrase, nor does it mandate MD5 encryption. So there is a good chance that cryptographic authentication will not work well between routers from different vendors.

If you use authentication in an OSPF area, you must configure all of the routers in the area to support authentication. Not every interface on a router has to be configured with authentication, but if you require authentication in any part of an area, you must include authentication support throughout the area. In the above example, this is done for area 2 with this command:

Router2(config-router)#area 2 authentication message-digest

The show ip ospf interface command shows that we have configured authentication on this interface:
Router2#show ip ospf interface Serial0/0

Serial0/0 is up, line protocol is up
Internet Address 10.1.1.1/30, Area 2
Process ID 100, Router ID 192.168.30.1, Network Type POINT_TO_POINT, Cost: 130
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:06
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 172.25.25.1
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
Router2#

Notice that this also says that we are using specifically "Message digest authentication," meaning MD5, and it also indicates that key number 1 is currently active.

You can use a different key on each of a router's interfaces, or a single password throughout the entire network. All that matters is that all of the routers on a single network segment use the same OSPF key for the interfaces that share this segment. The problem with using too many different keys is that it can become rather difficult to manage.

You can also configure several keys on a single interface. We recommend using this as a transition method while changing keys. The old keys should be removed quickly to prevent anybody from gaining access by using an old key:

Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#interface Serial0/0
Router2(config-if)#ip ospf message-digest-key 1 md5 Prem
Router2(config-if)#ip ospf message-digest-key 2 md5 Cisco

Router2(config-if)#exit
Router2(config)#end
Router2#

In this case, we have defined two keys, which have key numbers 1 and 2, respectively:
Router2#show ip ospf interface Serial0/0

Serial0/0 is up, line protocol is up
Internet Address 10.1.1.1/30, Area 2
Process ID 100, Router ID 192.168.30.1, Network Type POINT_TO_POINT, Cost: 130
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:03
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 172.25.25.1
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 2
Rollover in progress, 1 neighbor(s) using the old key(s):
key id 1
Router2#

This display indicates that key number 2 is the newest, and that one neighbor is still using the old key. This command is useful when you want to see if it is safe to remove the old key yet.
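As an added example (not part of the original page or of Cisco IOS), the check described above can be automated: the function below parses one show ip ospf interface block, records the authentication type, the youngest key ID and any old key IDs that neighbors are still using, and reports whether the old keys can be removed. The sample inputs are constructed from the outputs shown on this page.

```python
import re

# Constructed sample: the "Rollover in progress" output from this page, shortened to the relevant lines.
SAMPLE_ROLLOVER = """\
Serial0/0 is up, line protocol is up
Internet Address 10.1.1.1/30, Area 2
Process ID 100, Router ID 192.168.30.1, Network Type POINT_TO_POINT, Cost: 130
Neighbor Count is 1, Adjacent neighbor count is 1
Message digest authentication enabled
Youngest key id is 2
Rollover in progress, 1 neighbor(s) using the old key(s):
key id 1
"""

# Constructed sample: the clear-text variant from this page.
SAMPLE_SIMPLE = """\
Serial0/0 is up, line protocol is up
Internet Address 10.1.1.1/30, Area 2
Simple password authentication enabled
"""


def audit_ospf_interface(show_output: str) -> dict:
    """Parse one 'show ip ospf interface <if>' block and return its authentication state plus findings."""
    result = {"interface": None, "area": None, "auth": "none", "youngest_key": None,
              "rollover_neighbors": 0, "old_keys_in_use": [], "findings": []}
    in_rollover_list = False
    for raw in show_output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^(\S+) is (up|down|administratively down)", line)
        if m:
            result["interface"] = m.group(1)
        m = re.search(r"\bArea (\S+)$", line)
        if m:
            result["area"] = m.group(1)
        if line.startswith("Message digest authentication enabled"):
            result["auth"] = "md5"
        elif line.startswith("Simple password authentication enabled"):
            result["auth"] = "simple"
        m = re.match(r"Youngest key id is (\d+)", line)
        if m:
            result["youngest_key"] = int(m.group(1))
        m = re.match(r"Rollover in progress, (\d+) neighbor\(s\)", line)
        if m:
            result["rollover_neighbors"] = int(m.group(1))
            in_rollover_list = True          # the "key id N" lines that follow list the old keys
            continue
        m = re.match(r"key id (\d+)", line)
        if in_rollover_list and m:
            result["old_keys_in_use"].append(int(m.group(1)))

    iface = result["interface"] or "<unknown>"
    if result["auth"] == "none":
        result["findings"].append(f"{iface}: no OSPF authentication; any router matching the area "
                                  "parameters can form an adjacency and inject routes")
    elif result["auth"] == "simple":
        result["findings"].append(f"{iface}: clear-text password; readable by anyone capturing "
                                  "packets on the segment, prefer MD5 where neighbors support it")
    elif result["old_keys_in_use"]:
        result["findings"].append(f"{iface}: rollover in progress, key id(s) {result['old_keys_in_use']} "
                                  f"still used by {result['rollover_neighbors']} neighbor(s); do not remove them yet")
    else:
        result["findings"].append(f"{iface}: MD5 with youngest key id {result['youngest_key']}; no neighbor "
                                  "uses an old key, so older key ids still configured can be removed")
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_ROLLOVER, SAMPLE_SIMPLE):
        print(audit_ospf_interface(sample)["findings"][0])
```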

Looking at the router's configuration file, you can see that these keys are stored in plain text by default:

interface Serial0/0
ip address 10.1.1.1 255.255.255.252
ip ospf message-digest-key 1 md5 Prem
ip ospf message-digest-key 2 md5 Cisco

If you define the password encryption service on the router, it will store these keys using the weak Cisco Type 7 encryption method:

Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#service password-encryption
Router2(config)#end

However, this encryption method is easily broken if somebody gains access to the router. It is still useful, though, to prevent somebody from getting the passwords by looking over your shoulder.

If you want to use authentication, but the neighboring devices don't support MD5, then you need to use clear text authentication, which you can configure as follows:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#interface Serial0/1
Router1(config-if)#ip ospf authentication-key Prem
Router1(config-if)#exit

Router1(config)#router ospf 50
Router1(config-router)#area 2 authentication
Router1(config-router)#exit
Router1(config)#end
Router1#

As with MD5 authentication, if you configure clear text authentication on an interface, you must configure the same authentication method and the same key on all other routers that share this segment:

Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#interface Serial0/0
Router2(config-if)#ip ospf authentication-key Prem
Router2(config-if)#exit

Router2(config)#router ospf 100
Router2(config-router)#area 2 authentication
Router2(config-router)#exit
Router2(config)#end
Router2#

Now the output of the show ip ospf interface command indicates the alternative authentication method:
Router2#show ip ospf interface Serial0/0

Serial0/0 is up, line protocol is up
Internet Address 10.1.1.1/30, Area 2
Process ID 100, Router ID 192.168.30.1, Network Type POINT_TO_POINT, Cost: 130
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:07
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 172.25.25.1
Suppress hello for 0 neighbor(s)
Simple password authentication enabled
Router2#

Tip: if you need to exchange authenticated OSPF routes with non-Cisco routers, you may be forced to use the less secure simple password method.
