We can also authenticate the routers that exchange routes over the network by using one of several authentication methods. In general, OSPF offers three authentication methods:
A – NULL: when we configured OSPF in the previous pages we did not use any authentication. If no authentication is configured, OSPF uses the default authentication type, NULL, and routes from any router on the network are accepted. This is called NULL authentication and it is insecure.
B – CLEAR TEXT | SIMPLE PASSWORD: the second method, which is somewhat more secure than the previous one, is plain-text password authentication. It uses a simple password of at most 8 characters to authenticate the routes exchanged among OSPF routers in a network. Although using a password (sent over the network in clear text) to authenticate the routes exchanged between routers is more secure than using no authentication at all, it still leaves the network vulnerable to passive attacks: an intruder with a link analyzer such as Wireshark can read the password straight off the wire. Plain-text authentication is normally used for router reconfiguration and not for secure authentication purposes.
Let's see how we can configure the network with plain-text authentication. Each area should be configured with a single authentication method and a single password. Since we only have one area, 0.0.0.0, we configure the authentication type on that area.
Before configuring the R1 interfaces with OSPF authentication, let's take a look at its routing table.
vyatta@r1:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route

O   10.10.10.0/24 [110/10] is directly connected, eth0, 00:41:28
C>* 10.10.10.0/24 is directly connected, eth0
O>* 20.20.20.0/24 [110/20] via 10.10.10.2, eth0, 00:41:28
  *                        via 10.10.10.3, eth0, 00:41:28
C>* 127.1.1.0/24 is directly connected, lo
O>* 127.2.2.2/32 [110/20] via 10.10.10.2, eth0, 00:41:28
O>* 127.3.3.3/32 [110/20] via 10.10.10.3, eth0, 00:41:28
O>* 127.4.4.4/32 [110/30] via 10.10.10.2, eth0, 00:22:22
  *                        via 10.10.10.3, eth0, 00:22:22
As you can see, all of the routes from the previous section are still in our routing table. Now let's configure our router with OSPF authentication. First of all we have to set the area to use a specific method of authentication.
vyatta@r1# set protocols ospf area 0.0.0.0 authentication plaintext-password
and the interfaces.
vyatta@r1# set interfaces loopback lo ip ospf authentication plaintext-password NEWPASS
vyatta@r1# set interfaces ethernet eth0 ip ospf authentication plaintext-password NEWPASS
Now let’s take a look at the routing table:
vyatta@r1:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route

O   10.10.10.0/24 [110/10] is directly connected, eth0, 00:12:21
C>* 10.10.10.0/24 is directly connected, eth0
C>* 127.1.1.0/24 is directly connected, lo
As you can see, the OSPF routes we used to have are no longer in our routing table. Since we have configured area 0.0.0.0 with plain-text password authentication, we only receive routes from neighbors that authenticate to us; at this point, running the “show ip ospf neighbor” command shows no results. Let's move a step further and configure the R2 interfaces with the authentication method we set for area 0.0.0.0.
vyatta@r2# set protocols ospf area 0.0.0.0 authentication plaintext-password
vyatta@r2# set interfaces loopback lo ip ospf authentication plaintext-password NEWPASS
vyatta@r2# set interfaces ethernet eth0 ip ospf authentication plaintext-password NEWPASS
vyatta@r2# set interfaces ethernet eth1 ip ospf authentication plaintext-password NEWPASS
Now let's take a look at the routing tables:
vyatta@r1:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route

O   10.10.10.0/24 [110/10] is directly connected, eth0, 03:13:56
C>* 10.10.10.0/24 is directly connected, eth0
O>* 20.20.20.0/24 [110/20] via 10.10.10.2, eth0, 03:01:51
C>* 127.1.1.0/24 is directly connected, lo
O>* 127.2.2.2/32 [110/20] via 10.10.10.2, eth0, 03:01:51

vyatta@r2:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route

O   10.10.10.0/24 [110/10] is directly connected, eth0, 03:13:30
C>* 10.10.10.0/24 is directly connected, eth0
O   20.20.20.0/24 [110/10] is directly connected, eth1, 03:13:30
C>* 20.20.20.0/24 is directly connected, eth1
O>* 127.1.1.1/32 [110/20] via 10.10.10.1, eth0, 03:01:41
C>* 127.2.2.0/24 is directly connected, lo
Now let's look at the neighbors on each router:
vyatta@r2:~$ show ip ospf neighbor
Neighbor ID  Pri  State        Dead Time  Address     Interface        RXmtL RqstL DBsmL
127.1.1.1      1  Full/DR      33.303s    10.10.10.1  eth0:10.10.10.2      0     0     0

vyatta@r1:~$ show ip ospf neighbor
Neighbor ID  Pri  State        Dead Time  Address     Interface        RXmtL RqstL DBsmL
127.2.2.2      1  Full/Backup  30.814s    10.10.10.2  eth0:10.10.10.1      0     0     0

vyatta@r3:~$ show ip ospf neighbor
Neighbor ID  Pri  State        Dead Time  Address     Interface        RXmtL RqstL DBsmL
127.4.4.4      1  Full/DR      35.984s    20.20.20.4  eth1:20.20.20.3      0     0     0

vyatta@r4:~$ show ip ospf neighbor
Neighbor ID  Pri  State        Dead Time  Address     Interface        RXmtL RqstL DBsmL
127.3.3.3      1  Full/Backup  30.365s    20.20.20.3  eth0:20.20.20.4      0     0     0
Let's configure R3 with OSPF authentication:
vyatta@r3# set protocols ospf area 0.0.0.0 authentication plaintext-password
vyatta@r3# set interfaces loopback lo ip ospf authentication plaintext-password NEWPASS
vyatta@r3# set interfaces ethernet eth0 ip ospf authentication plaintext-password NEWPASS
vyatta@r3# set interfaces ethernet eth1 ip ospf authentication plaintext-password NEWPASS
Let's take a look at the routing table on R1 and the neighbors on R3:
vyatta@r1:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route

O   10.10.10.0/24 [110/10] is directly connected, eth0, 03:35:49
C>* 10.10.10.0/24 is directly connected, eth0
O>* 20.20.20.0/24 [110/20] via 10.10.10.2, eth0, 00:05:33
  *                        via 10.10.10.3, eth0, 00:05:33
C>* 127.1.1.0/24 is directly connected, lo
O>* 127.2.2.2/32 [110/20] via 10.10.10.2, eth0, 00:06:05
O>* 127.3.3.3/32 [110/20] via 10.10.10.3, eth0, 00:06:05

vyatta@r3:~$ show ip ospf neighbor
Neighbor ID  Pri  State        Dead Time  Address     Interface        RXmtL RqstL DBsmL
127.1.1.1      1  Full/DROther 30.252s    10.10.10.1  eth0:10.10.10.3      0     0     0
127.2.2.2      1  Full/Backup  31.860s    10.10.10.2  eth0:10.10.10.3      0     0     0
127.2.2.2      1  Full/DR      33.191s    20.20.20.2  eth1:20.20.20.3      0     0     0
Finally, configuring R4 with OSPF authentication leads to the same results we had in the previous part, and we have an area authenticated by the plain-text password “NEWPASS”.
vyatta@r3:~$ show ip ospf
 OSPF Routing Process, Router ID: 127.3.3.3
 Supports only single TOS (TOS0) routes
 This implementation conforms to RFC2328
 RFC1583Compatibility flag is disabled
 OpaqueCapability flag is disabled
 Initial SPF scheduling delay 200 millisec(s)
 Minimum hold time between consecutive SPFs 1000 millisec(s)
 Maximum hold time between consecutive SPFs 10000 millisec(s)
 Hold time multiplier is currently 1
 SPF algorithm last executed 14m45s ago
 SPF timer is inactive
 Refresh timer 10 secs
 Number of external LSA 0. Checksum Sum 0x00000000
 Number of opaque AS LSA 0. Checksum Sum 0x00000000
 Number of areas attached to this router: 1
 Adjacency changes are logged

 Area ID: 0.0.0.0 (Backbone)
   Number of interfaces in this area: Total: 3, Active: 3
   Number of fully adjacent neighbors in this area: 3
   Area has simple password authentication
   SPF algorithm executed 17 times
   Number of LSA 7
   Number of router LSA 4. Checksum Sum 0x00014184
   Number of network LSA 3. Checksum Sum 0x0001db39
   Number of summary LSA 0. Checksum Sum 0x00000000
   Number of ASBR summary LSA 0. Checksum Sum 0x00000000
   Number of NSSA LSA 0. Checksum Sum 0x00000000
   Number of opaque link LSA 0. Checksum Sum 0x00000000
   Number of opaque area LSA 0. Checksum Sum 0x00000000
C – MD5 Authentication: MD5 (message digest) is one of the most widely used cryptographic hash functions. As described in RFC 1321, the algorithm takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. With OSPF MD5 authentication each packet carries a digest computed over the packet and the shared key, so the key itself is never sent over the network and a passive listener cannot simply read it. To configure MD5 authentication, proceed as follows:
vyatta@r1# set protocols ospf area 0.0.0.0 authentication md5
vyatta@r1# set interfaces loopback lo ip ospf authentication md5 key-id 1 md5-key NEWPASSMD5
vyatta@r1# set interfaces ethernet eth0 ip ospf authentication md5 key-id 1 md5-key NEWPASSMD5
Key-id: Key used to identify the password. The range of values is 1 to 255. All interfaces attached to a common network must use the same key and password.
Password: Password to be used for authentication on the interface. The password is an alphanumeric string from 1 to 16 characters.
vyatta@r1:~$ show ip ospf
 OSPF Routing Process, Router ID: 127.1.1.1
 Supports only single TOS (TOS0) routes
 This implementation conforms to RFC2328
 RFC1583Compatibility flag is disabled
 OpaqueCapability flag is disabled
 Initial SPF scheduling delay 200 millisec(s)
 Minimum hold time between consecutive SPFs 1000 millisec(s)
 Maximum hold time between consecutive SPFs 10000 millisec(s)
 Hold time multiplier is currently 1
 SPF algorithm last executed 2h24m31s ago
 SPF timer is inactive
 Refresh timer 10 secs
 Number of external LSA 0. Checksum Sum 0x00000000
 Number of opaque AS LSA 0. Checksum Sum 0x00000000
 Number of areas attached to this router: 1
 Adjacency changes are logged

 Area ID: 0.0.0.0 (Backbone)
   Number of interfaces in this area: Total: 2, Active: 2
   Number of fully adjacent neighbors in this area: 2
   Area has message digest authentication
   SPF algorithm executed 18 times
   Number of LSA 5
   Number of router LSA 3. Checksum Sum 0x0001f8b7
   Number of network LSA 2. Checksum Sum 0x0001375f
   Number of summary LSA 0. Checksum Sum 0x00000000
   Number of ASBR summary LSA 0. Checksum Sum 0x00000000
   Number of NSSA LSA 0. Checksum Sum 0x00000000
   Number of opaque link LSA 0. Checksum Sum 0x00000000
   Number of opaque area LSA 0. Checksum Sum 0x00000000
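To make the difference between the plain-text and MD5 methods concrete, here is an added example (not part of the original tutorial or of Vyatta's code) that builds minimal OSPFv2 packets for each AuType, shows what a passive capture can read from the authentication field in each case, and performs the receiver-side digest check of RFC 2328 Appendix D with the shared key. The router ID, area and passwords are the lab values from this page; the packet body is a constructed dummy and the header checksum is not computed.

```python
import hashlib
import hmac
import socket
import struct

# OSPFv2 AuType values (RFC 2328 Appendix D).
AUTYPE_NULL, AUTYPE_SIMPLE, AUTYPE_CRYPTO = 0, 1, 2

def md5_digest(pkt, key):
    # RFC 2328 D.4.3: MD5 over the packet followed by the key zero-padded
    # to 16 bytes. The key itself is never placed in the packet.
    return hashlib.md5(pkt + key.ljust(16, b"\x00")[:16]).digest()

def build_packet(autype, key=b"", key_id=1, seq=1, body=b"\x00" * 20):
    # Constructed OSPFv2 Hello-style packet: 24-byte header + dummy body.
    # Router ID and area are the lab's values; checksum is left 0 (it is
    # not computed for AuType 2, and skipped here for the others).
    router_id, area_id = socket.inet_aton("127.1.1.1"), socket.inet_aton("0.0.0.0")
    if autype == AUTYPE_SIMPLE:
        auth = key.ljust(8, b"\x00")[:8]       # up to 8 chars, sent in clear
    elif autype == AUTYPE_CRYPTO:
        auth = struct.pack("!HBBI", 0, key_id, 16, seq)  # key ID, len, seqno
    else:
        auth = bytes(8)
    pkt = struct.pack("!BBH4s4sHH8s", 2, 1, 24 + len(body),
                      router_id, area_id, 0, autype, auth) + body
    if autype == AUTYPE_CRYPTO:
        pkt += md5_digest(pkt, key)            # digest trails the packet
    return pkt

def inspect(pkt):
    # What a passive capture (e.g. Wireshark) reveals from the auth fields.
    autype, auth = struct.unpack("!H8s", pkt[14:24])
    if autype == AUTYPE_SIMPLE:
        return {"autype": "simple", "password": auth.rstrip(b"\x00").decode()}
    if autype == AUTYPE_CRYPTO:
        _, key_id, dlen, seq = struct.unpack("!HBBI", auth)
        return {"autype": "md5", "key_id": key_id, "seq": seq, "digest_len": dlen}
    return {"autype": "null"}

def verify_md5(pkt, key):
    # Receiver-side check: recompute the digest with the shared key and
    # compare it with the 16 bytes that follow the OSPF-length portion.
    length = struct.unpack("!H", pkt[2:4])[0]
    return hmac.compare_digest(md5_digest(pkt[:length], key), pkt[length:length + 16])

if __name__ == "__main__":
    print(inspect(build_packet(AUTYPE_SIMPLE, b"NEWPASS")))
    print(inspect(build_packet(AUTYPE_CRYPTO, b"NEWPASSMD5", seq=7)))
```

A real implementation also rejects a packet whose sequence number is lower than the last one accepted from that neighbor, which is what the seqno field exists for.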
CONTINUE TO PART 5 - OSPF AREAS & ABR's