An Engineer's Guide to Configuring OSPF Authentication
Decision making from the highest-level executive suite down to the business-grade router in your furthest branch location is important. Making strong decisions requires a full understanding of what needs to be accomplished, an analysis of past reports and future opportunities, and a view of overall effectiveness. Today we won't be discussing what it takes to make strong decisions in business meetings, but a routing protocol that runs on enterprise networks, builds routing tables, and makes routing decisions.
Protocol Basics
As a link-state protocol, Open Shortest Path First (OSPF) was developed as an open standard for routing IP across large multi-vendor networks. When an OSPF-enabled router starts, it sends hello packets to all directly connected OSPF routers. These packets carry information such as timers, router ID, and subnet mask; once the routers agree on these values, they become neighbors. As neighbors, they establish adjacencies by exchanging link-state databases.
A router also sends link-state advertisements to all connected neighbors in the same area to communicate route information. Routing information learned from peers is used to determine the next hop toward the destination. To route traffic correctly and efficiently, it is vital to prevent malicious or incorrect routing information from being introduced into the routing table. This is done by authenticating the routing updates exchanged between routers. OSPF supports Clear Text and Message Digest 5 (MD5) authentication, the two most common authentication options on business-grade routers.
Configuring OSPF Authentication
Today, we will dive into configuring these authentication types as well as the commands used to verify them. OSPF can be configured to authenticate every OSPF message. This is usually done to prevent a rogue router from injecting false routing information and thereby causing a Denial-of-Service (DoS) attack. Three types of OSPF authentication can be configured:
- Null Authentication: No authentication. This is the default on all Cisco routers.
- Clear Text Authentication: Passwords are exchanged in clear text on the network.
- MD5 Authentication: A cryptographic method using the open-standard Message Digest 5 (MD5) hash algorithm.
Before we get into the OSPF configurations, you may be wondering whether OSPF is the best option for your network. If you have a small to medium-sized network, a distance-vector protocol may be the right choice. Other configurations we've set up for you are: EIGRP, On-Demand Routing, and RIP.
Augment Your Team
Before we get started with the specific configurations, ask yourself a couple of questions:
- Do I have the time to handle configurations?
- Do I have the bandwidth to configure my devices?
If you answered "No" to these questions, consider PivIT's SmartHands through EXTEND. Hire an engineer to take on these basic configurations and more. Click below to learn more about SmartHands.
Clear Text Authentication Configurations
Clear Text Authentication is used when devices within an area cannot support MD5 Authentication. When Clear Text is configured, it leaves the internetwork vulnerable to a "sniffer attack", where packets are captured by a protocol analyzer and the passwords can be read directly from them. When security is your highest priority, you guessed it, this is NOT your go-to configuration. However, it is useful when you perform an OSPF reconfiguration. For example, separate passwords can be used on older and newer OSPF routers that share a common broadcast network to prevent them from talking to each other.
MD5 Authentication Configuration
MD5 authentication provides stronger security than plain text authentication. This method uses the MD5 algorithm to compute a hash value from the contents of the OSPF packet and a password (or key). The hash value is transmitted in the packet along with a key ID and a non-decreasing sequence number. The receiver, which knows the same password, calculates its own hash value. If nothing in the message has changed, the receiver's hash value will match the hash value transmitted by the sender.
The key ID allows the routers to reference multiple passwords. This makes password migration easier and more secure. For example, to migrate from one password to another, configure a password under a different key ID and remove the first key. The sequence number prevents replay attacks where OSPF packets are captured, modified, and retransmitted to a router. As with plain text authentication, MD5 authentication passwords do not have to be the same throughout an area. However, they do need to be the same between neighbors.
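To make the MD5 mechanism above concrete, here is an added Python example (not code from the original article or from any router vendor) that implements the cryptographic authentication trailer of RFC 2328 Appendix D: the sender appends MD5(packet || zero-padded key), and the receiver checks the key ID, the non-decreasing sequence number, and the digest before accepting the packet. The key table, router IDs, and hello body are constructed sample values; the two key IDs show the migration step described above.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Constructed key table (like "ip ospf message-digest-key <id> md5 <password>" entries): key ID -> password.
KEYS = {1: b"oldpass", 2: b"newpass"}
# OSPFv2 header: version, type, length, router ID, area ID, checksum, AuType, 0, key ID, auth len, seq
HDR = "!BBH4s4sHHHBBI"
HDR_LEN = struct.calcsize(HDR)  # 24 bytes

def padded_key(password: bytes) -> bytes:
    return password[:16].ljust(16, b"\x00")  # RFC 2328 App. D: key zero-padded/truncated to 16 bytes

def build_packet(router_id: str, area_id: str, key_id: int, seq: int, body: bytes) -> bytes:
    # AuType 2 = cryptographic; checksum stays 0. Length covers header + body, not the 16-byte digest.
    hdr = struct.pack(HDR, 2, 1, HDR_LEN + len(body), IPv4Address(router_id).packed,
                      IPv4Address(area_id).packed, 0, 2, 0, key_id, 16, seq)
    pkt = hdr + body
    return pkt + hashlib.md5(pkt + padded_key(KEYS[key_id])).digest()  # digest appended to packet

def verify_packet(pkt: bytes, neighbor_seq: dict) -> tuple:
    # Receiver-side checks in the order a router applies them; neighbor_seq holds the last
    # accepted sequence number per neighbor router ID so replayed packets are rejected.
    if len(pkt) < HDR_LEN + 16:
        return False, "too short"
    _, _, length, rid, _, _, autype, _, key_id, auth_len, seq = struct.unpack(HDR, pkt[:HDR_LEN])
    if autype != 2 or auth_len != 16 or len(pkt) != length + 16:
        return False, "bad auth header"
    if key_id not in KEYS:
        return False, "unknown key id"
    neighbor = str(IPv4Address(rid))
    if seq < neighbor_seq.get(neighbor, 0):
        return False, "replayed sequence number"  # sequence must be non-decreasing
    expected = hashlib.md5(pkt[:length] + padded_key(KEYS[key_id])).digest()
    if not hmac.compare_digest(expected, pkt[length:]):
        return False, "digest mismatch"  # wrong password or modified packet
    neighbor_seq[neighbor] = seq
    return True, "ok"

def demo() -> list:
    body = b"\xff\xff\xff\x00" + b"\x00" * 16  # constructed stand-in for a hello body
    state, out = {}, []
    good = build_packet("70.70.70.70", "0.0.0.0", 1, 100, body)
    out.append(verify_packet(good, state)[1])                                                  # ok
    out.append(verify_packet(build_packet("70.70.70.70", "0.0.0.0", 1, 99, body), state)[1])   # replay
    out.append(verify_packet(good[:HDR_LEN] + b"\x00" * 4 + good[HDR_LEN + 4:], state)[1])   # tampered
    out.append(verify_packet(build_packet("70.70.70.70", "0.0.0.0", 2, 101, body), state)[1])  # new key ID
    return out
```

Because the receiver selects the password by key ID, both keys can coexist during a migration, and the old key ID can be removed once every neighbor is sending with the new one.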
Verification Commands
To confirm your configurations work properly, use the show commands below. These commands are also supported by the Cisco Output Interpreter Tool, which displays an analysis of show command output.
Clear Text Verification
R1-2503# show ip ospf interface serial0
Serial0 is up, line protocol is up
Internet Address 192.16.64.1/24, Area 0
Process ID 10, Router ID 172.16.10.36, Network Type POINT_TO_POINT, Cost: 64
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:04
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 0, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
Simple password authentication enabled
MD5 Verification
R1-2503# show ip ospf interface serial0
Serial0 is up, line protocol is up
Internet Address 192.16.64.1/24, Area 0
Process ID 10, Router ID 172.16.10.36, Network Type POINT_TO_POINT, Cost: 64
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:05
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 70.70.70.70
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
Whether you are in the executive suite making decisions for the company or purchasing the next router for your network, an understanding of what needs to be accomplished, an analysis of past reports and future opportunities, and a view of overall strategy effectiveness are necessary. Let the OSPF protocol go to work for you to make effective routing decisions.