Saturday, September 7, 2013

OSPF MD5 Authentication

Configure OSPF MD5 authentication


OSPF runs the SPF (Dijkstra) algorithm over its link-state database (LSDB) to compute the shortest paths, floods LSAs to keep that database synchronized, and forms adjacencies with its neighbors (among many other functions). OSPF is a great IGP in many scenarios, but by default its packets are neither authenticated nor encrypted: anyone with access to the segment between the routers and firewalls can capture them, and can inject spoofed Hellos or LSAs to break adjacencies, poison the routing table or overload an OSPF-speaking router. MD5 authentication is an easy way to mitigate this: every OSPF packet carries a digest computed over the packet and a shared key, so a router drops any packet from a peer that does not hold the key.
I have configured two OSPF-speaking routers to use MD5 authentication in their backbone area.


The basic configs to bring up Area 0 connectivity follow:

R1
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.252
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0

R2
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.252
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0

Now let us configure MD5 authentication on the backbone area. Note that MD5 here provides authentication, not encryption: the packets still cross the wire in clear text, each one carrying an MD5 digest of the packet plus the shared key (and a sequence number that protects against replay). Once area 0 authentication is enabled, every router in the area must be configured for message-digest authentication with the same key ID and key on each shared link; otherwise it cannot form an adjacency and is effectively shut out of Area 0.

R1
R1(config)#router ospf 1
R1(config-router)#area 0 authentication message-digest
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip ospf message-digest-key 1 md5 cisco

R2
R2(config)#router ospf 1
R2(config-router)#area 0 authentication message-digest
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip ospf message-digest-key 1 md5 cisco


After both sides are configured the adjacency comes back up (while only one router had authentication enabled, its neighbor was lost once the dead timer expired). On R2:
%OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on FastEthernet0/0 from LOADING to FULL, Loading

The last thing left is to verify that the OSPF Hello and update packets are authenticated on the proper interfaces. This can be done on both routers:

R1#sh ip ospf interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
  Internet Address 192.168.1.1/30, Area 0
  Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 2.2.2.2, Interface address 192.168.1.2
  Backup Designated router (ID) 1.1.1.1, Interface address 192.168.1.1
  Flush timer for old DR LSA due in 00:01:02
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:05
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 2.2.2.2  (Designated Router)
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1

The last two lines show that message-digest authentication is enabled on the interface and that key ID 1 is the youngest (most recently configured) key in use. Nothing is exchanged: the key is configured on both sides, and only the digest travels in the packets. If the neighbors do not come back up, debug ip ospf adj shows why; it reports received packets whose authentication type or key does not match the local configuration, which is the usual cause when one side is misconfigured. A show ip ospf neighbor should then list the peer in FULL state. Two caveats: the key appears in clear text in the running config unless service password-encryption is enabled (and even then it is only obfuscated, not protected), and IOS releases that support ip ospf authentication key-chain can use HMAC-SHA instead of MD5, which is preferable where available.
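To make the "authentication, not encryption" point and the mismatch checks above concrete, here is an added example (not code from the original post) that builds an OSPF Hello for R1 on the 192.168.1.0/30 link, appends the MD5 digest as RFC 2328 Appendix D describes, and verifies received frames the way a router does: it rejects a wrong key, an unknown key ID, a frame without cryptographic authentication, a tampered byte and a replayed sequence number, while still letting anyone read the Hello fields without the key. It assumes the shared key is zero-padded to 16 bytes (as IOS does for keys shorter than 16 characters) and models only the OSPF layer, not IP. The sample frame and the sequence number are constructed for the example. Because the verifier takes a map of key IDs to keys, it also shows why a router holding both an old and a new key can accept either during a key rollover.

```python
"""OSPFv2 cryptographic (MD5) authentication as in RFC 2328 Appendix D.

Added example, not code from the original post. Assumption: the shared key is
zero-padded to 16 bytes (IOS behaviour for keys shorter than 16 characters).
"""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

OSPF_VERSION = 2
HELLO = 1
AUTH_NULL, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2
MD5_LEN = 16
HDR_LEN = 24  # 16-byte common header + 8-byte authentication field


def pad_key(key: str) -> bytes:
    """IOS keys are up to 16 ASCII characters; shorter keys are zero-padded (assumption)."""
    return key.encode()[:MD5_LEN].ljust(MD5_LEN, b"\x00")


def build_hello(mask, hello=10, dead=40, priority=1, dr="0.0.0.0", bdr="0.0.0.0", neighbors=()):
    """OSPF Hello body (RFC 2328 A.3.2). Options 0x02 sets the E-bit (external routing capable)."""
    body = struct.pack("!4sHBBI4s4s", IPv4Address(mask).packed, hello, 0x02, priority, dead,
                       IPv4Address(dr).packed, IPv4Address(bdr).packed)
    return body + b"".join(IPv4Address(n).packed for n in neighbors)


def ospf_md5_sign(ptype, router_id, area_id, body, key_id, key, seq):
    """Frame an OSPF packet with AuType 2 and append its MD5 digest.

    With cryptographic authentication the header checksum stays zero, the 64-bit
    auth field carries (0, key id, digest length, sequence number), and the digest
    is MD5(packet || padded key) appended after the packet. The Packet Length
    field does not count the digest.
    """
    length = HDR_LEN + len(body)
    header = struct.pack("!BBH4s4sHH", OSPF_VERSION, ptype, length,
                         IPv4Address(router_id).packed, IPv4Address(area_id).packed,
                         0, AUTH_CRYPTO)
    auth = struct.pack("!HBBI", 0, key_id, MD5_LEN, seq)
    packet = header + auth + body
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def ospf_md5_verify(frame, keys, last_seq=None):
    """Return (accepted, reason) for a received frame.

    `keys` maps key id -> key string, so a router holding both an old and a new
    key accepts either during a rollover. `last_seq` is the highest sequence
    number already accepted from this neighbour; RFC 2328 D.4.3 requires the
    new one to be >= it, so anything older is dropped as a replay.
    """
    if len(frame) < HDR_LEN:
        return False, "truncated header"
    version, _ptype, length, _rid, _area, _csum, autype = struct.unpack("!BBH4s4sHH", frame[:16])
    if version != OSPF_VERSION:
        return False, "bad version"
    if autype != AUTH_CRYPTO:
        return False, "mismatched authentication type"
    _zero, key_id, auth_len, seq = struct.unpack("!HBBI", frame[16:HDR_LEN])
    if auth_len != MD5_LEN or len(frame) != length + MD5_LEN:
        return False, "bad length"
    key = keys.get(key_id)
    if key is None:
        return False, f"unknown key id {key_id}"
    packet, digest = frame[:length], frame[length:]
    expected = hashlib.md5(packet + pad_key(key)).digest()
    if not hmac.compare_digest(expected, digest):  # constant-time comparison
        return False, "mismatched authentication key"
    if last_seq is not None and seq < last_seq:
        return False, "replayed sequence number"
    return True, "ok"


def parse_hello(frame):
    """Read the Hello fields straight out of the frame: MD5 authenticates, it does not encrypt."""
    mask, hello, _opt, prio, dead, dr, bdr = struct.unpack("!4sHBBI4s4s", frame[HDR_LEN:HDR_LEN + 20])
    return {"mask": str(IPv4Address(mask)), "hello": hello, "dead": dead, "priority": prio,
            "dr": str(IPv4Address(dr)), "bdr": str(IPv4Address(bdr))}


# Constructed sample: R1 (1.1.1.1) on 192.168.1.0/30, key 1 = "cisco" as in the lab above.
KEYS = {1: "cisco"}
R1_HELLO = ospf_md5_sign(HELLO, "1.1.1.1", "0.0.0.0",
                         build_hello("255.255.255.252", dr="192.168.1.2", bdr="192.168.1.1",
                                     neighbors=["2.2.2.2"]),
                         key_id=1, key="cisco", seq=1378540800)

if __name__ == "__main__":
    print(ospf_md5_verify(R1_HELLO, KEYS))          # accepted with the shared key
    print(parse_hello(R1_HELLO))                    # Hello fields readable without any key
    print(ospf_md5_verify(R1_HELLO, {1: "cisc0"}))  # rejected: mismatched authentication key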

Feel free to comment.
