OSPF Neighbor Router Authentication
OSPF incorporates a minimal amount of security already within its design. That sounds contradictory, how can a protocol be designed with security, yet it be minimal? Simply put, when OSPF was designed, the necessary fields required for security were included in the design of OSPFs packets. Nevertheless, the security included within OSPF only protects its LSAs, thus protecting and maintaining the integrity of your networks routing tables. OSPF security is minimal because it does not protect the data flowing across the network but only how OSPF routers know to route it. This security was designed to protect only the integrity of the OSPF routing domain. You can prevent any OSPF router from receiving fraudulent route updates by configuring this type of security known as neighbor router authentication.
This section describes neighbor router authentication as part of a total security plan and explains what neighbor router authentication is, how it works, and why you should use it to increase your overall network security. There are several topics that are of importance regarding this issue:
There are several different ways that you can deploy this type of security within your OSPF network. The first way is by assigning the same OSPF key network-wide. The second is to assign a different key for every link within the network.
Benefits of OSPF Neighbor Authentication
When configured, neighbor authentication occurs whenever routing updates are exchanged between neighboring OSPF routers. This authentication ensures that a router receives reliable routing information from a trusted source.
Without neighbor authentication, unauthorized or deliberately malicious routing updates could compromise the security of your network traffic. A security compromise could occur if an unfriendly party diverts or analyzes your network traffic.
For example, an unauthorized router could send a fictitious routing update to convince your router to send traffic to an incorrect destination. This diverted traffic could be analyzed to learn confidential information of your organization, or it could merely be used to disrupt your organizations ability to effectively communicate using the network. Neighbor authentication prevents any such fraudulent route updates from being received by your router.
Conditions for Deploying OSPF Neighbor Authentication
You should configure any router for OSPF neighbor authentication if that router meets any or all of these conditions:
Remember that if you configure a router for neighbor authentication, you also need to configure the neighbor router for neighbor authentication.
How Neighbor Authentication Works
When neighbor authentication has been configured on a router, the router authenticates the source of each routing update packet that it receives. This is accomplished by the exchange of an authenticating key (sometimes referred to as a password) that is known to both the sending and the receiving router.
There are two types of neighbor authentication used: plaintext authentication and Message Digest Algorithm Version 5 (MD5) authentication. Both forms work in the same way, with the exception being that MD5 sends a message digest instead of the authenticating key itself. The message digest is created using the key and a message, but the key itself is not sent, preventing it from being read while it is being transmitted. Plaintext authentication sends the authenticating key itself over the wire.
Each participating neighbor router must share an authenticating key. This key is specified at each router during configuration. Multiple keys can be specified with OSPF; each key must then be identified by a key number. For example, you can have a different key for each WAN interface on a router running OSPF. The caveat is that the neighbor router off each interface must have a matching key configured on the receiving interface as shown in Figure 10-1.
In general, when a routing update is sent, the following authentication sequence occurs:
MD5 authentication works similarly to plaintext authentication, except that the key is never sent over the wire. Instead, the router uses the MD5 algorithm to produce a message digest of the key (also called a hash). The message digest is then sent instead of the key itself. This ensures that nobody can eavesdrop on the line and learn keys during transmission.
Configuring Traffic Filters
This section describes how to use traffic filters (also known as access lists) at your router to control network access. This is an important feature found within many routers. Filters will enable you to deploy an added layer of network security within your network and gain the benefits of a layered secure network.