Enabling OSPF Authentication

Problem

You want to ensure that all OSPF protocol traffic that your router accepts comes from devices known to you so that only trusted routers participate in determining the contents of the OSPF routing database.

Solution

You configure MD5 authentication for OSPF:

	[edit protocols ospf area 0.0.0.0]
	aviva@RouterG# set authentication-type md5
	aviva@RouterG# set interface fe-0/0/1 authentication md5 1 key $1991poPPi
	aviva@RouterG# set interface fe-1/0/1 authentication md5 1 key $1991poPPi
	aviva@RouterG# show
	authentication-type md5;
	interface fe-0/0/1.0 {
	    authentication {
	        md5 1 key "$9$dEbgoZUjqP5GUApO1hcgoaJHq"; ## SECRET-DATA
	    }
	}
	interface fe-1/0/1.0 {
	    authentication {
	        md5 1 key "$9$dEbgoZUjqP5GUApO1hcgoaJHq"; ## SECRET-DATA
	    }
	}

Discussion

It is a good security measure to authenticate OSPF protocol packet exchanges to ensure that only trusted routers participate in the OSPF network and in the exchange of Hello and LSA packets.

This recipe shows how to configure OSPF to use MD5 authentication. First, configure MD5 authentication for the entire area, then set the key, or password, for each interface. Each key has an identifier; here, it is 1. MD5 computes a message digest over each outgoing OSPF packet together with the shared key, and the digest is appended to every transmitted OSPF packet. The receiving router recomputes the digest with its own copy of the key and accepts the packet only if the two match.

When you display the router's configuration after you have typed the password, you do not see the password itself, only the encrypted form of the password. Someone casually glancing through the configuration would not see the actual password. Keep in mind that the $9$ form is a reversible encoding rather than a one-way hash, so anyone who can read the configuration file can recover the key; restrict who can view and copy the configuration accordingly.

You can also configure a simple password for OSPF authentication, which includes a plain-text password in the transmitted OSPF packets. Plain-text passwords are easy to break by devices that sniff network traffic, so you should never use them when your goal is network security.

For authentication to work across the entire OSPF domain, you need to configure MD5 authentication with the same key identifier and the same password on all OSPF interfaces, as shown in this recipe. Once you have the encrypted version of the password, you can use it in the authentication-key statement instead of the password itself. This is one way to minimize the number of people who see the actual password.

	aviva@RouterG# set interface fe-1/0/1 authentication md5 1 key "$9$dEbgoZUjqP5GUApO1hcgoaJHq"

When you are looking at the configuration contents, pipe the output to hide the passwords:

	[edit]
	aviva@RouterG# show protocols ospf | except SECRET-DATA
	area 0.0.0.0 {
	    authentication-type md5;
	    interface fe-0/0/1.0 {
	        authentication {
	        }
	    }
	    interface fe-1/0/1.0 {
	        authentication {
	        }
	    }
	}

You can do the same thing in operational mode:

	aviva@RouterG> show configuration protocols ospf | except SECRET-DATA
	area 0.0.0.0 {
	    authentication-type md5;
	    interface fe-0/0/1.0 {
	        authentication {
	        }
	    }
	    interface fe-1/0/1.0 {
	        authentication {
	        }
	    }
	}

As part of your security measures, you may, from time to time, want to transition from using one MD5 key to another. You can do this by configuring multiple MD5 keys, each with a unique key ID, and setting the date and time to switch to the new key. Here, the new keys take effect at 12:01 a.m. on the first day of the month for the next several months:

	[edit protocols ospf area 0.0.0.0]
	aviva@RouterG# set interface fe-0/0/1 authentication md5 1 key $1991poPPi
	aviva@RouterG# set interface fe-0/0/1 authentication md5 2 key NeWpsswdFEB start-time 2006-02-01.00:01
	aviva@RouterG# set interface fe-0/0/1 authentication md5 3 key NeWpsswdMAR start-time 2006-03-01.00:01
	aviva@RouterG# set interface fe-0/0/1 authentication md5 4 key NeWpsswdAPR start-time 2006-04-01.00:01

The start time specifies the time at which the router starts using the MD5 key for transmission. When receiving packets, the router accepts packets authenticated with any configured MD5 key, as long as the key ID carried in the packet corresponds to a currently configured key, regardless of that key's start time. This is what lets neighbors roll over at slightly different moments without dropping adjacencies.
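To make concrete what the receiving router actually checks, and how the send and receive sides treat the key table differently, here is an added example (not from the book) that builds and verifies an OSPFv2 packet with the MD5 trailer from RFC 2328 Appendix D. The key table is constructed from the recipe's key IDs and start times; router and area IDs are placeholders.

```python
import hashlib
import hmac
import struct
from datetime import datetime

# Constructed key table mirroring the recipe's rollover configuration: key id -> (key, start time).
KEYS = {
    1: ("$1991poPPi", datetime(2006, 1, 1, 0, 0)),
    2: ("NeWpsswdFEB", datetime(2006, 2, 1, 0, 1)),
    3: ("NeWpsswdMAR", datetime(2006, 3, 1, 0, 1)),
    4: ("NeWpsswdAPR", datetime(2006, 4, 1, 0, 1)),
}
AU_CRYPT = 2  # OSPFv2 AuType value for cryptographic (MD5) authentication
HDR_LEN = 24  # OSPFv2 header length; the 16-byte MD5 trailer is not counted in the length field


def active_key_id(keys, now):
    """Transmit side: the key with the latest start time that is not in the future."""
    return max((start, kid) for kid, (_, start) in keys.items() if start <= now)[1]


def sign(router_id, area_id, body, key_id, key, seq):
    """Build an OSPFv2 Hello (type 1) carrying the RFC 2328 Appendix D MD5 trailer:
    digest = MD5(packet || key zero-padded to 16 bytes), appended after the packet."""
    hdr = struct.pack("!BBH4s4sHH", 2, 1, HDR_LEN + len(body), router_id, area_id, 0, AU_CRYPT)
    hdr += struct.pack("!HBBI", 0, key_id, 16, seq)  # reserved, key id, auth data len, crypt seq
    pkt = hdr + body
    return pkt + hashlib.md5(pkt + key.encode().ljust(16, b"\x00")).digest()


def verify(raw, keys, last_seq=-1):
    """Receive side: accept if the key id is configured (any start time, as the recipe
    notes), the sequence number has not gone backwards and the digest recomputes."""
    if len(raw) < HDR_LEN + 16:
        return False, "short packet"
    _, _, length, _, _, _, autype = struct.unpack("!BBH4s4sHH", raw[:16])
    if autype != AU_CRYPT:
        return False, "not MD5 authenticated"
    _, key_id, auth_len, seq = struct.unpack("!HBBI", raw[16:HDR_LEN])
    if key_id not in keys:
        return False, "unknown key id %d" % key_id
    if auth_len != 16:
        return False, "bad auth data length"
    if seq < last_seq:
        return False, "replayed sequence number"
    pkt, digest = raw[:length], raw[length:length + 16]
    expected = hashlib.md5(pkt + keys[key_id][0].encode().ljust(16, b"\x00")).digest()
    if not hmac.compare_digest(digest, expected):
        return False, "bad digest"
    return True, "ok"
```

Note that a packet signed with key 4 verifies before April even though the sender would not yet choose it, which is exactly the asymmetry the recipe describes.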

Use the show ospf interface detail command to see which key is currently active:

	aviva@RouterG# run show ospf interface detail
	Interface           State   Area            DR ID           BDR ID          Nbrs
	t1-0/2/1.0          PtToPt  0.0.0.0         0.0.0.0         0.0.0.0            0
	  Type P2P, address 0.0.0.0, mask 0.0.0.0, MTU 1500, cost 2604
	  adj count 0
	  Hello 10, Dead 40, ReXmit 5, Not Stub
	  Auth type MD5, Active key id 3, Start time 2002 Nov 19 10:00:00 PST
	t1-0/2/1.0          PtToPt  0.0.0.0         0.0.0.0         0.0.0.0            0
	  Type P2P, address 192.168.37.16, mask 255.255.255.255, MTU 1500, cost 2604
	  adj count 0, Passive
	  Hello 10, Dead 40, ReXmit 5, Not Stub
	  Auth type MD5, Active key id 3, Start time 2006 Mar 1 00:01:00 PST

JUNOS Cookbook (O'Reilly Cookbooks)
ISBN: 0596100140
Year: 2007
Pages: 290
Author: Aviva Garrett
