Monday 18 July 2011

Network Security Notes: Network Protocols: Configuring OSPF Authentication Protocol

My previous posts, Understanding OSPF Protocol and OSPF Protocol on Cisco Routing Protocols and Concepts, covered the OSPF protocol itself in some detail. In this post I would like to introduce configuring OSPF authentication.

Open Shortest Path First (OSPF) supports two forms of authentication: plain text and MD5. Plain text authentication should be used only when neighboring devices do not support the more secure MD5 authentication. To configure plain text authentication of OSPF packets, follow these steps:

1. In interface configuration mode, use the ip ospf authentication-key [key] command. The key specified is the plain text password used for authentication.

2. Enter OSPF configuration mode using the router ospf [process-id] command, then use the area [area-id] authentication command to enable plain text authentication of OSPF packets for that area.

Referring to the figure below, we will configure Router A and Router B for plain text authentication of OSPF packets. Listing A and Listing B display each router's configuration.

Figure: Router A and Router B topology (image not available in this copy of the post)

Listing A: Router A configured to authenticate OSPF packets using plain text authentication

interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.11.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.1 255.255.255.252
ip ospf authentication-key visaadmin
clockrate 64000
!
router ospf 60
area 0 authentication
network 10.10.10.0 0.0.0.255 area 10
network 10.10.11.0 0.0.0.255 area 11
network 192.168.10.0 0.0.0.255 area 0


Listing B: Router B configured to authenticate OSPF packets using plain text authentication

interface Loopback0
ip address 10.10.12.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.13.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.2 255.255.255.252
ip ospf authentication-key visaadmin
!
router ospf 50
area 0 authentication
network 10.10.12.0 0.0.0.255 area 12
network 10.10.13.0 0.0.0.255 area 13
network 192.168.10.0 0.0.0.255 area 0

In Listing A and Listing B, plain text authentication is configured to authenticate updates across area 0. By issuing the show ip ospf command, you can determine if plain text authentication is properly configured for each area. Here is an example of the output for the show ip ospf command:

Router-B#show ip ospf 50
Routing Process "ospf 50" with ID 10.10.13.1
......
Area BACKBONE(0)
Number of interfaces in this area is 1
Area has simple password authentication
SPF algorithm executed 7 times


Configure MD5 authentication of OSPF packets

To configure MD5 authentication of OSPF packets, follow the steps outlined here:

1. From interface configuration mode, enable MD5 authentication of OSPF packets with the following command:

ip ospf message-digest-key [key-id] md5 [key]

The key-id value allows passwords to be changed later without disabling authentication.

2. Enter OSPF configuration mode using the router ospf [process-id] command, then enable MD5 authentication of OSPF packets for an area with this command:

area [area-id] authentication message-digest


This time, Routers A and B will be configured to authenticate packets across the backbone using the MD5 version of authentication. Listing C shows the configuration for Router A, and Listing D shows Router B's configuration.

Listing C: Router A configured for MD5 authentication

interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.11.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.1 255.255.255.252
ip ospf message-digest-key 15 md5 visa
clockrate 64000
!
router ospf 60
area 0 authentication message-digest
network 10.10.10.0 0.0.0.255 area 10
network 10.10.11.0 0.0.0.255 area 11
network 192.168.10.0 0.0.0.255 area 0

Listing D: Router B configured for MD5 authentication

interface Loopback0
ip address 10.10.12.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.13.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.2 255.255.255.252
ip ospf message-digest-key 15 md5 visa
!
router ospf 50
area 0 authentication message-digest
network 10.10.12.0 0.0.0.255 area 12
network 10.10.13.0 0.0.0.255 area 13
network 192.168.10.0 0.0.0.255 area 0

When you use the ip ospf message-digest-key command, the key-id value is what allows the password to be changed without disabling authentication.

Note: For OSPF, authentication passwords do not have to be the same throughout the area, but the key ID and the password must match between neighbors.

Using the show ip ospf [process-id] command again, you can see that it now reports MD5 authentication across area 0:

Router-A#sh ip ospf 60
Routing Process "ospf 60" with ID 10.10.11.1
......
Area BACKBONE(0)
Number of interfaces in this area is 1
Area has message digest authentication
SPF algorithm executed 4 times

As noted earlier, the key ID and password must match between neighbors. If you change the key ID on Router A to a number other than 15, authentication will fail and OSPF will complain. Here is the changed configuration:

interface Serial0/0
ip address 192.168.10.1 255.255.255.252
ip ospf message-digest-key 30 md5 visa
clockrate 64000
!
router ospf 60
area 0 authentication message-digest
network 10.10.10.0 0.0.0.255 area 10
network 10.10.11.0 0.0.0.255 area 11
network 192.168.10.0 0.0.0.255 area 0

Notice that the key ID has been changed to 30. The following lines show what OSPF has to say about this:

Router-A#debug ip ospf events
OSPF events debugging is on
Router-A#
00:03:58: OSPF: Send with youngest Key 30
00:04:04: OSPF: Rcv pkt from 192.168.10.2, Ethernet0/0 :
Mismatch Authentication Key - No message digest key 15 on Interface


OSPF is obviously not happy. If you change the key value back, everything should again be all right.
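The key ID rule from the note above and the mismatch in the debug output can be modelled with the receive-side check a router performs for OSPFv2 cryptographic authentication (RFC 2328, Appendix D): look the key ID up in the interface's key table, reject a sequence number that goes backwards, then recompute MD5 over the packet followed by the zero-padded password. The following Python is an added example, not Cisco code or anything from the original post; Router B's key table, the 10.10.11.1 router ID and the packets are constructed from the listings, and the hello body is omitted for brevity.

```python
import hashlib
import hmac
import ipaddress
import struct

AUTH_MD5 = 2  # AuType 2 = cryptographic authentication
# OSPFv2 header: ver, type, length, router id, area id, checksum, AuType,
# then the 8-byte auth field as (zero, key id, auth data len, crypto sequence number)
HDR = struct.Struct("!BBHIIHHHBBI")

def pad_key(key):
    # RFC 2328 D.4.3: the password is padded (or truncated) to 16 bytes
    return key[:16].ljust(16, b"\x00")

def build_packet(router_id, area, key_id, key, seq, body=b""):
    """Sender side: header + body, then MD5(packet || padded key) appended."""
    length = HDR.size + len(body)            # length field excludes the digest
    hdr = HDR.pack(2, 1, length, router_id, area, 0, AUTH_MD5, 0, key_id, 16, seq)
    pkt = hdr + body
    return pkt + hashlib.md5(pkt + pad_key(key)).digest()

def verify(pkt, key_table, last_seq):
    """Receiver side. key_table: {key id: password} for the interface;
    last_seq: highest accepted sequence number per neighbor router id."""
    if len(pkt) < HDR.size:
        return False, "truncated header"
    _, _, length, rid, _, _, autype, _, key_id, alen, seq = HDR.unpack_from(pkt)
    if autype != AUTH_MD5:
        return False, "unexpected AuType %d" % autype
    if key_id not in key_table:                      # the failure the debug output shows
        return False, "Mismatch Authentication Key - No message digest key %d on Interface" % key_id
    if alen != 16 or len(pkt) != length + 16:
        return False, "bad digest length"
    if seq < last_seq.get(rid, 0):                   # sequence number must not go backwards
        return False, "sequence number rollback, possible replay"
    expected = hashlib.md5(pkt[:length] + pad_key(key_table[key_id])).digest()
    if not hmac.compare_digest(expected, pkt[length:]):
        return False, "digest mismatch: wrong password for key %d" % key_id
    last_seq[rid] = seq
    return True, "authenticated with key %d" % key_id

def demo():
    """Router B's Serial0/0 (key 15 = visa) receiving from Router A (ID 10.10.11.1)."""
    rtr_b_keys, state = {15: b"visa"}, {}
    rtr_a = int(ipaddress.IPv4Address("10.10.11.1"))
    return [
        verify(build_packet(rtr_a, 0, 30, b"visa", 1), rtr_b_keys, state),   # key id 30: rejected
        verify(build_packet(rtr_a, 0, 15, b"visa", 2), rtr_b_keys, state),   # matching key: accepted
        verify(build_packet(rtr_a, 0, 15, b"wrong", 3), rtr_b_keys, state),  # same id, other password
        verify(build_packet(rtr_a, 0, 15, b"visa", 1), rtr_b_keys, state),   # older sequence number
    ]
```

Running demo() gives one reject for the unknown key ID 30 (the same condition the debug line reports), one accept, then rejects for a wrong password and for a replayed older sequence number.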

As mentioned earlier, the key id value allows passwords to be changed without having to disable authentication. Listing E and Listing F display the configuration of Router A and Router B with multiple keys and passwords configured.

Listing E: Router A configured with multiple keys and passwords

interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.11.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.1 255.255.255.252
ip ospf message-digest-key 15 md5 visa
ip ospf message-digest-key 20 md5 littleboy
clockrate 64000
!
router ospf 60
area 0 authentication message-digest
network 10.10.10.0 0.0.0.255 area 10
network 10.10.11.0 0.0.0.255 area 11
network 192.168.10.0 0.0.0.255 area 0

Listing F: Router B configured with multiple keys and passwords

interface Loopback0
ip address 10.10.12.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.13.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.2 255.255.255.252
ip ospf message-digest-key 15 md5 visa
ip ospf message-digest-key 20 md5 littleboy
!
router ospf 50
area 0 authentication message-digest
network 10.10.12.0 0.0.0.255 area 12
network 10.10.13.0 0.0.0.255 area 13
network 192.168.10.0 0.0.0.255 area 0

With this configuration, Routers A and B send two copies of each OSPF packet out of their serial interfaces: one authenticated with key 15 and one with key 20. Once each router has received packets from its neighbor authenticated with key 20, it stops sending with key 15 and uses only key 20. At that point key 15 can be deleted, so the password has been changed without ever disabling authentication.
