We also could authenticate routers which attempt to exchange routes over the network by simply using several authentication methods.
In general we have 3 OSPF authentication methods:
A – NULL: as we performed the OSPF configuration in the latter pages we didn’t use any sort of authentication in case we don’t use authentication in order to exchange routes the OSPF protocol uses a default value of null for our authentication whereas routes from any router in the network are accepted this type of authentication is called NULL authentication and is insecure.
B – CLEAR TEXT | SIMPLE PASSWORD: the second authentication method which is further more secure than the previous one is called the plain-text password authentication method this model of authentication uses simple password with a maximum number of 8 characters to authenticate the routes exchanged among ospf routers in a network, although using a password (sent over the network in clear text) in order to authenticate exchanged routes between routers is more secure than not using any kind of authentication it still makes the network vulnerable to passive attacks where an intruder would be able to use a link analyzer such as wireshark and get his hands on the password, normally plain-text authentication is used for router reconfiguration and not for secure authentication purposes.
Let’s see how we can configure the network with plain-text authentication
Each area should be configured with a unique authentication method as well as a unique password since we only have one area which is the 0.0.0.0 area we would be configuring the type of authentication on this area.
Before configuring the R1 interfaces with OSPF authentication lets take a look at its routing table.
vyatta@r1:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
I - ISIS, B - BGP, > - selected route, * - FIB route
O 10.10.10.0/24 [110/10] is directly connected, eth0, 00:41:28
C>* 10.10.10.0/24 is directly connected, eth0
O>* 20.20.20.0/24 [110/20] via 10.10.10.2, eth0, 00:41:28
* via 10.10.10.3, eth0, 00:41:28
C>* 127.1.1.0/24 is directly connected, lo
O>* 127.2.2.2/32 [110/20] via 10.10.10.2, eth0, 00:41:28
O>* 127.3.3.3/32 [110/20] via 10.10.10.3, eth0, 00:41:28
O>* 127.4.4.4/32 [110/30] via 10.10.10.2, eth0, 00:22:22
* via 10.10.10.3, eth0, 00:22:22
Well as you see all of the routes from the previous section still remain in our routing table now let’s go ahead and configure our router with OSPF authentication
First of all we have to set the area to use a specific method of authentication .
vyatta@r1# set protocols ospf area 0.0.0.0 authentication plaintext-password
and the interfaces.
vyatta@r1# set interfaces loopback lo ip ospf authentication plaintext-password NEWPASS
vyatta@r1# set interfaces ethernet eth0 ip ospf authentication plaintext-password NEWPASS
Now let’s take a look at the routing table:
vyatta@r1:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
I - ISIS, B - BGP, > - selected route, * - FIB route
O 10.10.10.0/24 [110/10] is directly connected, eth0, 00:12:21
C>* 10.10.10.0/24 is directly connected, eth0
C>* 127.1.1.0/24 is directly connected, lo
As you see we no longer have the ospf routes we used to have in our routing table, since we have configured the area 0.0.0.0 with the plain-text password authentication we would only be receiving routes from neighbors which authenticate to us, at this point if you run the “show ip ospf neighbors” command no results would be shown.
Let’s move a step further and configure R2 interfaces with the authentication method we set for the area 0.0.0.0.
vyatta@r1# set protocols ospf area 0.0.0.0 authentication plaintext-password
vyatta@r1# set interfaces loopback lo ip ospf authentication plaintext-password NEWPASS
vyatta@r1# set interfaces ethernet eth0 ip ospf authentication plaintext-password NEWPASS
vyatta@r1# set interfaces ethernet eth1 ip ospf authentication plaintext-password NEWPASS
Now let's take a look at the routing tables:
vyatta@r1:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
I - ISIS, B - BGP, > - selected route, * - FIB route
O 10.10.10.0/24 [110/10] is directly connected, eth0, 03:13:56
C>* 10.10.10.0/24 is directly connected, eth0
O>* 20.20.20.0/24 [110/20] via 10.10.10.2, eth0, 03:01:51
C>* 127.1.1.0/24 is directly connected, lo
O>* 127.2.2.2/32 [110/20] via 10.10.10.2, eth0, 03:01:51
vyatta@r2:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
I - ISIS, B - BGP, > - selected route, * - FIB route
O 10.10.10.0/24 [110/10] is directly connected, eth0, 03:13:30
C>* 10.10.10.0/24 is directly connected, eth0
O 20.20.20.0/24 [110/10] is directly connected, eth1, 03:13:30
C>* 20.20.20.0/24 is directly connected, eth1
O>* 127.1.1.1/32 [110/20] via 10.10.10.1, eth0, 03:01:41
C>* 127.2.2.0/24 is directly connected, lo
Now lets look at the neighbors on each router:
vyatta@r2:~$ show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
127.1.1.1 1 Full/DR 33.303s 10.10.10.1 eth0:10.10.10.2 0 0 0
vyatta@r1:~$ show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
127.2.2.2 1 Full/Backup 30.814s 10.10.10.2 eth0:10.10.10.1 0 0 0
vyatta@r3:~$ show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
127.4.4.4 1 Full/DR 35.984s 20.20.20.4 eth1:20.20.20.3 0 0 0
vyatta@r4:~$ show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
127.3.3.3 1 Full/Backup 30.365s 20.20.20.3 eth0:20.20.20.4 0 0 0a
Let’s configure R3 with OSPF authentication
vyatta@r1# set protocols ospf area 0.0.0.0 authentication plaintext-password
vyatta@r3# set interfaces loopback lo ip ospf authentication plaintext-password NEWPASS
vyatta@r3# set interfaces ethernet eth0 ip ospf authentication plaintext-password NEWPASS
vyatta@r3# set interfaces ethernet eth1 ip ospf authentication plaintext-password NEWPASS
Lets take a look at routing table on R1 and neighbors on R3
vyatta@r1:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
I - ISIS, B - BGP, > - selected route, * - FIB route
O 10.10.10.0/24 [110/10] is directly connected, eth0, 03:35:49
C>* 10.10.10.0/24 is directly connected, eth0
O>* 20.20.20.0/24 [110/20] via 10.10.10.2, eth0, 00:05:33
* via 10.10.10.3, eth0, 00:05:33
C>* 127.1.1.0/24 is directly connected, lo
O>* 127.2.2.2/32 [110/20] via 10.10.10.2, eth0, 00:06:05
O>* 127.3.3.3/32 [110/20] via 10.10.10.3, eth0, 00:06:05
vyatta@r3:~$ show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
127.1.1.1 1 Full/DROther 30.252s 10.10.10.1 eth0:10.10.10.3 0 0 0
127.2.2.2 1 Full/Backup 31.860s 10.10.10.2 eth0:10.10.10.3 0 0 0
127.2.2.2 1 Full/DR 33.191s 20.20.20.2 eth1:20.20.20.3 0 0 0
And finally configuring R4 with the OSPF authentication would lead to the same results we had in the previous part and we would have an area authenticated by the Plain-text password “NEWPASS”.
vyatta@r3:~$ show ip ospf
OSPF Routing Process, Router ID: 127.3.3.3
Supports only single TOS (TOS0) routes
This implementation conforms to RFC2328
RFC1583Compatibility flag is disabled
OpaqueCapability flag is disabled
Initial SPF scheduling delay 200 millisec(s)
Minimum hold time between consecutive SPFs 1000 millisec(s)
Maximum hold time between consecutive SPFs 10000 millisec(s)
Hold time multiplier is currently 1
SPF algorithm last executed 14m45s ago
SPF timer is inactive
Refresh timer 10 secs
Number of external LSA 0. Checksum Sum 0x00000000
Number of opaque AS LSA 0. Checksum Sum 0x00000000
Number of areas attached to this router: 1
Adjacency changes are logged
Area ID: 0.0.0.0 (Backbone)
Number of interfaces in this area: Total: 3, Active: 3
Number of fully adjacent neighbors in this area: 3
Area has simple password authentication
SPF algorithm executed 17 times
Number of LSA 7
Number of router LSA 4. Checksum Sum 0x00014184
Number of network LSA 3. Checksum Sum 0x0001db39
Number of summary LSA 0. Checksum Sum 0x00000000
Number of ASBR summary LSA 0. Checksum Sum 0x00000000
Number of NSSA LSA 0. Checksum Sum 0x00000000
Number of opaque link LSA 0. Checksum Sum 0x00000000
Number of opaque area LSA 0. Checksum Sum 0x00000000
C – MD5 Authentication:
Message digest authentication is one of the most widely used cryptographic hash functions as described in RFC1321 the algorithm takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input.
In order to configure MD5 authentication follow as below
vyatta@r1# set protocols ospf area 0.0.0.0 authentication md5
vyatta@r1# set interfaces loopback lo ip ospf authentication md5 key-id 1 md5-key NEWPASSMD5
vyatta@r1# set interfaces ethernet eth0 ip ospf authentication md5 key-id 1 md5-key NEWPASSMD5
Key-id: Key used to identify the password. The range of values is 1 to 255. All interfaces attached to a common network must use the same key and password.
Password: Password to be used for authentication on the interface. The password is an alphanumeric string from 1 to 16 characters.
vyatta@r1:~$ show ip ospf
OSPF Routing Process, Router ID: 127.1.1.1
Supports only single TOS (TOS0) routes
This implementation conforms to RFC2328
RFC1583Compatibility flag is disabled
OpaqueCapability flag is disabled
Initial SPF scheduling delay 200 millisec(s)
Minimum hold time between consecutive SPFs 1000 millisec(s)
Maximum hold time between consecutive SPFs 10000 millisec(s)
Hold time multiplier is currently 1
SPF algorithm last executed 2h24m31s ago
SPF timer is inactive
Refresh timer 10 secs
Number of external LSA 0. Checksum Sum 0x00000000
Number of opaque AS LSA 0. Checksum Sum 0x00000000
Number of areas attached to this router: 1
Adjacency changes are logged
Area ID: 0.0.0.0 (Backbone)
Number of interfaces in this area: Total: 2, Active: 2
Number of fully adjacent neighbors in this area: 2
Area has message digest authentication
SPF algorithm executed 18 times
Number of LSA 5
Number of router LSA 3. Checksum Sum 0x0001f8b7
Number of network LSA 2. Checksum Sum 0x0001375f
Number of summary LSA 0. Checksum Sum 0x00000000
Number of ASBR summary LSA 0. Checksum Sum 0x00000000
Number of NSSA LSA 0. Checksum Sum 0x00000000
Number of opaque link LSA 0. Checksum Sum 0x00000000
Number of opaque area LSA 0. Checksum Sum 0x00000000
CONTINUE TO PART 5 - OSPF AREAS & ABR's |
|
