Enabling OSPF Authentication

Problem

You want to ensure that all OSPF protocol traffic that your router accepts comes from devices known to you so that only trusted routers participate in determining the contents of the OSPF routing database.

Solution

You configure MD5 authentication for OSPF:

[edit protocols ospf area 0.0.0.0]
aviva@RouterG# set authentication-type md5
aviva@RouterG# set interface fe-0/0/1 authentication md5 1 key $1991poPPi
aviva@RouterG# set interface fe-1/0/1 authentication md5 1 key $1991poPPi
aviva@RouterG# show
authentication-type md5;
interface fe-0/0/1.0 {
    authentication {
        md5 1 key "$9$dEbgoZUjqP5GUApO1hcgoaJHq"; ## SECRET-DATA
    }
}
interface fe-1/0/1.0 {
    authentication {
        md5 1 key "$9$dEbgoZUjqP5GUApO1hcgoaJHq"; ## SECRET-DATA
    }
}

Discussion

It is a good security measure to authenticate OSPF protocol packet exchanges to ensure that only trusted routers participate in the OSPF network and in the exchange of Hello and LSA packets.

This recipe shows how to configure OSPF to use MD5 authentication. First, set MD5 as the authentication type for the entire area, then configure the key, or password, on each interface. Each key has an identifier; here, it is 1. The sending router computes an MD5 digest over the OSPF packet plus the secret key and appends the digest to every transmitted packet; the receiving router recomputes the digest with its own copy of the key and discards the packet if the two do not match. The key itself never appears on the wire. Note that this is a keyed integrity check, not encryption: the contents of the Hello and LSA packets remain readable to anyone sniffing the link, but they cannot be forged or altered without the key.

When you display the router's configuration after you have typed the password, you do not see the password itself, only its encoded ($9$) form. Someone casually glancing through the configuration would not see the actual password. Be aware, though, that the $9$ encoding is reversible obfuscation rather than strong encryption: anyone who can read the configuration, or a copy of it in a backup, a change-management system, or a pasted support case, can recover the key with freely available tools. Treat configuration files that contain OSPF keys as sensitive.

You can also configure a simple password for OSPF authentication, which places the plain-text password (at most eight characters) directly in the header of every transmitted OSPF packet. Anyone able to sniff traffic on the segment reads the password immediately, so a simple password offers no protection beyond guarding against accidental misconfiguration; never use it when your goal is network security.

For authentication to work, the routers on each link must agree on both the key identifier and the password; the simplest way to achieve this across the entire OSPF domain is to configure MD5 authentication with the same key ID and the same password on all OSPF interfaces, as shown in this recipe. Once you have the encoded version of the password, you can type it in the key statement instead of the password itself; JUNOS recognizes the $9$ prefix and stores the string as is. This is one way to minimize the number of people who see the actual password.

aviva@RouterG# set interface fe-1/0/1 authentication md5 1 key "$9$dEbgoZUjqP5GUApO1hcgoaJHq"

When you are looking at the configuration contents, pipe the output to hide the passwords:

[edit]
aviva@RouterG# show protocols ospf | except SECRET-DATA
area 0.0.0.0 {
    authentication-type md5;
    interface fe-0/0/1.0 {
        authentication {
        }
    }
    interface fe-1/0/1.0 {
        authentication {
        }
    }
}

You can do the same thing in operational mode:

aviva@RouterG> show configuration protocols ospf | except SECRET-DATA
area 0.0.0.0 {
    authentication-type md5;
    interface fe-0/0/1.0 {
        authentication {
        }
    }
    interface fe-1/0/1.0 {
        authentication {
        }
    }
}

As part of your security measures, you may, from time to time, want to transition from using one MD5 key to another. You can do this by configuring multiple MD5 keys, each with a unique key ID, and setting the date and time to switch to the new key. Here, the new keys take effect at 12:01 a.m. on the first day of the month for the next several months:

[edit protocols ospf area 0.0.0.0]
aviva@RouterG# set interface fe-0/0/1 authentication md5 1 key $1991poPPi
aviva@RouterG# set interface fe-0/0/1 authentication md5 2 key NeWpsswdFEB start-time 2006-02-01.00:01
aviva@RouterG# set interface fe-0/0/1 authentication md5 3 key NeWpsswdMAR start-time 2006-03-01.00:01
aviva@RouterG# set interface fe-0/0/1 authentication md5 4 key NeWpsswdAPR start-time 2006-04-01.00:01

The start time specifies when the router begins using that key for the packets it transmits. For received packets, the router accepts any configured key: as long as the key ID carried in the packet matches a key in the configuration, the packet is verified with that key, regardless of the key's start time. Two practical consequences follow. First, configure each new key on all neighbors before its start time arrives, because the first router to switch transmits a key ID its neighbors must already know. Second, a superseded key remains a valid way to inject OSPF packets until you delete it from the configuration, so a key rotation is not finished when the new key becomes active; it is finished when the old keys are removed.

Use the show ospf interface detail command to see which key is currently active:

aviva@RouterG# run show ospf interface detail
Interface        State    Area            DR ID           BDR ID          Nbrs
t1-0/2/1.0       PtToPt   0.0.0.0         0.0.0.0         0.0.0.0            0
  Type P2P, address 0.0.0.0, mask 0.0.0.0, MTU 1500, cost 2604
  adj count 0
  Hello 10, Dead 40, ReXmit 5, Not Stub
  Auth type MD5, Active key id 3, Start time 2002 Nov 19 10:00:00 PST
t1-0/2/1.0       PtToPt   0.0.0.0         0.0.0.0         0.0.0.0            0
  Type P2P, address 192.168.37.16, mask 255.255.255.255, MTU 1500, cost 2604
  adj count 0, Passive
  Hello 10, Dead 40, ReXmit 5, Not Stub
  Auth type MD5, Active key id 3, Start time 2006 Mar 1 00:01:00 PST
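To make concrete what the two authentication types in this recipe do on the wire, and how the receiver's key lookup by key ID behaves during a key rollover, here is an added Python model of OSPFv2 authentication following RFC 2328 Appendix D. It is not JUNOS code and not part of the original recipe; the router ID, passwords, sequence numbers and the zeroed Hello body are constructed for illustration. It shows the simple password sitting in the clear in the packet header, the keyed-MD5 digest appended after the packet, rejection of a tampered packet and of a replayed sequence number, acceptance of any key ID that is still configured regardless of start time, and rejection of the old key once it has been deleted from the keyring.

```python
"""Model of OSPFv2 authentication (RFC 2328 Appendix D). Constructed example,
not JUNOS code: router ID, passwords, sequence numbers and the (zeroed) Hello
body are made up; only the header matters for authentication."""
import hashlib
import hmac
import struct
from typing import Optional

AUTH_SIMPLE, AUTH_CRYPTO, HELLO = 1, 2, 1
# OSPFv2 header: version, type, length, router ID, area ID, checksum, AuType, auth(8)
HDR = struct.Struct("!BBH4s4sHH8s")
ROUTER_ID = bytes([192, 168, 37, 16])   # constructed
AREA_ID = bytes(4)                       # area 0.0.0.0
HELLO_BODY = bytes(20)                   # placeholder Hello contents


def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum used by OSPF (simple/null auth only)."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_simple(password: str, body: bytes = HELLO_BODY) -> bytes:
    """AuType 1: the password (up to 8 bytes) travels in the clear in the
    authentication field; the checksum is computed with that field zeroed."""
    length = HDR.size + len(body)
    cksum = inet_checksum(HDR.pack(2, HELLO, length, ROUTER_ID, AREA_ID, 0, AUTH_SIMPLE, bytes(8)) + body)
    auth = password.encode().ljust(8, b"\0")[:8]
    return HDR.pack(2, HELLO, length, ROUTER_ID, AREA_ID, cksum, AUTH_SIMPLE, auth) + body


def md5_digest(pkt: bytes, key: str) -> bytes:
    """RFC 2328 D.4.3: MD5 over the packet followed by the secret, zero-padded
    to 16 bytes. A keyed hash specified by the protocol, not an HMAC."""
    return hashlib.md5(pkt + key.encode().ljust(16, b"\0")[:16]).digest()


def build_md5(key_id: int, key: str, seq: int, body: bytes = HELLO_BODY) -> bytes:
    """AuType 2: auth field = 0x0000, key ID, digest length 16, sequence number.
    Checksum stays zero; the digest is appended after the packet and is not
    counted in the length field."""
    length = HDR.size + len(body)
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = HDR.pack(2, HELLO, length, ROUTER_ID, AREA_ID, 0, AUTH_CRYPTO, auth) + body
    return pkt + md5_digest(pkt, key)


def verify_md5(frame: bytes, keyring: dict, last_seq: Optional[dict] = None):
    """Receiver side. As in the recipe: any key ID still in the configuration
    is accepted regardless of its start time. Returns (accepted, reason)."""
    if len(frame) < HDR.size:
        return False, "truncated"
    _, _, length, rid, _, _, autype, auth = HDR.unpack_from(frame)
    if autype != AUTH_CRYPTO or len(frame) != length + 16:
        return False, "not a cryptographically authenticated packet"
    _, key_id, digest_len, seq = struct.unpack("!HBBI", auth)
    if digest_len != 16 or key_id not in keyring:
        return False, f"unknown key id {key_id}"
    if not hmac.compare_digest(md5_digest(frame[:length], keyring[key_id]), frame[length:]):
        return False, "digest mismatch"
    if last_seq is not None:   # anti-replay: sequence number must not go backwards
        if seq < last_seq.get(rid, 0):
            return False, f"replayed sequence {seq}"
        last_seq[rid] = seq
    return True, f"key id {key_id}, seq {seq}"


def demo() -> dict:
    # Simple password: a sniffer reads it straight out of header bytes 16..23.
    exposed = build_simple("Op3nDoor")[16:24].rstrip(b"\0").decode()
    # MD5 during a rollover: key IDs 1 (old) and 2 (new) both configured.
    keyring = {1: "$1991poPPi", 2: "NeWpsswdFEB"}
    seen = {}
    fresh = build_md5(2, keyring[2], seq=1000)
    accepted, _ = verify_md5(fresh, keyring, seen)
    old_key_ok, _ = verify_md5(build_md5(1, keyring[1], seq=1001), keyring, seen)
    tampered = bytearray(fresh)
    tampered[30] ^= 0x01                      # flip a bit in the Hello body
    tamper_ok, _ = verify_md5(bytes(tampered), keyring)
    replay_ok, _ = verify_md5(fresh, keyring, seen)   # seq 1000 after 1001 seen
    rotated = {2: keyring[2]}                 # rollover finished: key 1 deleted
    stale_ok, _ = verify_md5(build_md5(1, "$1991poPPi", seq=2000), rotated)
    return {"exposed_password": exposed, "new_key": accepted, "old_key_still_configured": old_key_ok,
            "tampered": tamper_ok, "replay": replay_ok, "old_key_deleted": stale_ok}


if __name__ == "__main__":
    print(demo())
```

Running the module prints the dictionary returned by demo(): the simple password is recovered verbatim from the header, the new-key and old-key packets are both accepted while both keys are configured, and the tampered packet, the replayed packet, and the old-key packet sent after key 1 has been deleted are all rejected. The receive-side behaviour (any configured key ID accepted, replay judged by sequence number) is the same policy the recipe describes for JUNOS, which is why deleting superseded keys is the step that actually completes a rotation.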
