Securing Your OSPF Network

Previous Table of Contents Next

OSPF Neighbor Router Authentication

OSPF incorporates a minimal amount of security already within its design. That sounds contradictory, how can a protocol be designed with security, yet it be minimal? Simply put, when OSPF was designed, the necessary fields required for security were included in the design of OSPF’s packets. Nevertheless, the security included within OSPF only protects its LSAs, thus protecting and maintaining the integrity of your networks routing tables. OSPF security is minimal because it does not protect the data flowing across the network but only how OSPF routers know to route it. This security was designed to protect only the integrity of the OSPF routing domain. You can prevent any OSPF router from receiving fraudulent route updates by configuring this type of security known as neighbor router authentication.

This section describes neighbor router authentication as part of a total security plan and explains what neighbor router authentication is, how it works, and why you should use it to increase your overall network security. There are several topics that are of importance regarding this issue:

  Benefits of neighbor authentication
  Conditions for deploying OSPF neighbor authentication
  How neighbor authentication works

There are several different ways that you can deploy this type of security within your OSPF network. The first way is by assigning the same OSPF key network-wide. The second is to assign a different key for every link within the network.

This section refers to neighbor router authentication as “neighbor authentication.” Neighbor router authentication is also sometimes called “route authentication.”

Benefits of OSPF Neighbor Authentication

When configured, neighbor authentication occurs whenever routing updates are exchanged between neighboring OSPF routers. This authentication ensures that a router receives reliable routing information from a trusted source.

Without neighbor authentication, unauthorized or deliberately malicious routing updates could compromise the security of your network traffic. A security compromise could occur if an unfriendly party diverts or analyzes your network traffic.

For example, an unauthorized router could send a fictitious routing update to convince your router to send traffic to an incorrect destination. This diverted traffic could be analyzed to learn confidential information of your organization, or it could merely be used to disrupt your organization’s ability to effectively communicate using the network. Neighbor authentication prevents any such fraudulent route updates from being received by your router.

Conditions for Deploying OSPF Neighbor Authentication

You should configure any router for OSPF neighbor authentication if that router meets any or all of these conditions:

  It is conceivable that the router might receive a false route update.
  If the router were to receive a false route update, your network might be compromised.
  You deem it necessary as part of your network security plan.

Remember that if you configure a router for neighbor authentication, you also need to configure the neighbor router for neighbor authentication.

How Neighbor Authentication Works

When neighbor authentication has been configured on a router, the router authenticates the source of each routing update packet that it receives. This is accomplished by the exchange of an authenticating key (sometimes referred to as a password) that is known to both the sending and the receiving router.

There are two types of neighbor authentication used: plaintext authentication and Message Digest Algorithm Version 5 (MD5) authentication. Both forms work in the same way, with the exception being that MD5 sends a “message digest” instead of the authenticating key itself. The message digest is created using the key and a message, but the key itself is not sent, preventing it from being read while it is being transmitted. Plaintext authentication sends the authenticating key itself over the wire.

Note that plaintext authentication is not recommended for use as part of your security strategy. Its primary use is to avoid accidental changes to the routing infrastructure. Using MD5 authentication, however, is a recommended security practice.

As with all keys, passwords, and other security secrets, it is imperative that you closely guard the authenticating keys used in neighbor authentication. The security benefits of this feature are reliant upon your keeping all authenticating keys confident. Also, when performing router management tasks via Simple Network Management Protocol (SNMP), do not ignore the risk associated with sending keys using non-encrypted SNMP.

Plaintext Authentication

Each participating neighbor router must share an authenticating key. This key is specified at each router during configuration. Multiple keys can be specified with OSPF; each key must then be identified by a key number. For example, you can have a different key for each WAN interface on a router running OSPF. The caveat is that the neighbor router off each interface must have a matching key configured on the receiving interface as shown in Figure 10-1.

Figure 10-1  OSPF plaintext authentication.

In general, when a routing update is sent, the following authentication sequence occurs:

1.  A router sends a routing update with an authentication key within an LSA.
2.  The receiving (neighbor) router checks the received key against the same key stored in its own memory.
3.  If the two keys match, the receiving router accepts the routing update packet. If the two keys do not match, the routing update packet is rejected.

MD5 Authentication

MD5 authentication works similarly to plaintext authentication, except that the key is never sent over the wire. Instead, the router uses the MD5 algorithm to produce a “message digest” of the key (also called a “hash”). The message digest is then sent instead of the key itself. This ensures that nobody can eavesdrop on the line and learn keys during transmission.

Configuring Traffic Filters

This section describes how to use traffic filters (also known as access lists) at your router to control network access. This is an important feature found within many routers. Filters will enable you to deploy an added layer of network security within your network and gain the benefits of a layered secure network.

Previous Table of Contents Next

OSPF Network Design Solutions
OSPF Network Design Solutions
ISBN: 1578700469
EAN: 2147483647
Year: 1998
Pages: 200
Authors: Tom Thomas

Similar book on Amazon © 2008-2017.
If you may any questions please contact us: