OSPF v2 security

Without authentication, any host attached to an OSPF-enabled link can inject falsified routing information. Routers that accept it may black-hole or redirect traffic, or be flooded with bogus LSAs, which amounts to a denial of service.

The 6WINDGate OSPF v2 implementation supports the two authentication types defined in RFC 2328, Appendix D: plain text authentication and the more secure MD5 (message-digest) authentication.

Note

Authentication is enabled per area: once it is turned on, every interface in the area must be configured with it, otherwise adjacencies will not form. Neighbors on a link must share the same password (plain text) or the same key identifier and key (MD5).

OSPF authentication configuration

Configuring plain text authentication

  1. For each interface, type the following command at the interface level:

vrf main
  routing interface eth0_0
    ip ospf authentication simple
    ip ospf authentication-key secret
    ..
    ..

The password is carried in clear text in the 64-bit Authentication field of the OSPF packet header (it is limited to 8 characters), so anyone able to capture traffic on the link can read it. Plain text authentication only prevents accidental adjacencies with misconfigured routers; it gives no protection against an attacker with access to the segment.

  2. Enable OSPF authentication in the corresponding area, in the router ospf context:

vrf main
  routing ospf
    area 0 authentication
    ..
    ..

  3. Remove the authentication password:

vrf main
  routing interface eth0_0
    del ip ospf authentication-key
    del ip ospf authentication
    ..
    ..
  routing ospf
    del area 0 authentication
    ..
    ..

Configuring MD5 authentication

  1. For each interface, type the following command at the interface level:

vrf main
  routing interface eth0_0
    ip ospf authentication message-digest
    ip ospf message-digest-key 1 md5 d215
    ..
    ..

With MD5 authentication the key itself is never transmitted. The Authentication field of the header carries the key identifier, the digest length (16) and a cryptographic sequence number that must not decrease between packets from the same neighbor, which gives replay protection; the 16-byte MD5 digest computed over the packet and the secret key is appended after the packet. The Area ID (the backbone, 0.0.0.0, by default) is part of every OSPF header whatever the authentication type. The key is at most 16 bytes; use a long random value rather than a short one such as the `d215` shown above.

  2. Enable message-digest authentication in the corresponding area, in the router ospf context:

vrf main
  routing ospf
    area 0 authentication message-digest true

  3. Remove the OSPF authentication and the MD5 key:

vrf main
  routing interface eth0_0
    del ip ospf authentication
    del ip ospf message-digest-key 1
    ..
    ..
  routing ospf
    del area 0 authentication
    ..
    ..
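The following Python script is an added example, not 6WIND code: it builds a constructed OSPFv2 Hello packet with each of the two authentication types described above (RFC 2328, Appendix D), shows what a passive sniffer on the segment can read in each case, and verifies an MD5-authenticated packet on the receiving side with key lookup, digest comparison and the sequence-number replay check. The router ID, area, key and the `d215` password are illustrative values, and the body of the Hello is constructed.

```python
"""Added example (not 6WIND code): OSPFv2 plain text vs MD5 authentication
(RFC 2328, Appendix D) on a constructed Hello packet."""
import hashlib
import hmac
import socket
import struct

OSPF_VERSION, HELLO = 2, 1
AUTH_SIMPLE, AUTH_MD5 = 1, 2
ROUTER_ID, AREA_ID = "1.1.1.1", "0.0.0.0"   # illustrative, as on the page


def ipv4(addr: str) -> bytes:
    return socket.inet_aton(addr)


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum (RFC 1071) used by OSPF with AuType 0/1."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def hello_body() -> bytes:
    """Constructed Hello: mask /24, hello 10 s, options E, priority 1,
    dead 40 s, no DR/BDR, one neighbor seen (2.2.2.2)."""
    return struct.pack("!4sHBBI4s4s4s", ipv4("255.255.255.0"), 10, 0x02, 1, 40,
                       ipv4("0.0.0.0"), ipv4("0.0.0.0"), ipv4("2.2.2.2"))


def _header(length: int, checksum: int, autype: int, auth: bytes) -> bytes:
    # 24-byte OSPF header; the last 8 bytes are the Authentication field.
    return struct.pack("!BBH4s4sHH8s", OSPF_VERSION, HELLO, length,
                       ipv4(ROUTER_ID), ipv4(AREA_ID), checksum, autype, auth)


def build_simple(body: bytes, password: str) -> bytes:
    """AuType 1: the password itself (max 8 bytes) travels in the header."""
    key = password.encode()
    if len(key) > 8:
        raise ValueError("simple password is limited to 8 bytes")
    length = 24 + len(body)
    hdr = _header(length, 0, AUTH_SIMPLE, key.ljust(8, b"\x00"))
    # The checksum covers the packet with the 64-bit Authentication field excluded.
    csum = ip_checksum(hdr[:16] + body)
    return hdr[:12] + struct.pack("!H", csum) + hdr[14:] + body


def _pad_key(key: bytes) -> bytes:
    # The MD5 key is 16 bytes: shorter keys are zero padded, longer ones truncated.
    return key.ljust(16, b"\x00")[:16]


def build_md5(body: bytes, key_id: int, key: bytes, seq: int) -> bytes:
    """AuType 2: header carries key ID, digest length and sequence number;
    the 16-byte MD5 over packet||key is appended. The key itself is never sent."""
    length = 24 + len(body)
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    # With cryptographic authentication the checksum field is left at zero.
    packet = _header(length, 0, AUTH_MD5, auth) + body
    return packet + hashlib.md5(packet + _pad_key(key)).digest()


def observer_view(wire: bytes):
    """What a passive sniffer on the link learns from one packet."""
    autype = struct.unpack("!H", wire[14:16])[0]
    if autype == AUTH_SIMPLE:
        return ("simple", wire[16:24].rstrip(b"\x00").decode())  # password in clear
    if autype == AUTH_MD5:
        key_id, _dlen, seq = struct.unpack("!xxBBI", wire[16:24])
        return ("md5", key_id, seq)  # key ID and sequence only; the key stays secret
    return ("none",)


def verify_md5(wire: bytes, keys: dict, last_seq: dict) -> bool:
    """Receiver side (RFC 2328 D.4.4). `keys` maps key ID -> key; `last_seq`
    records the highest sequence number accepted per neighbor router ID."""
    length = struct.unpack("!H", wire[2:4])[0]
    router_id = wire[4:8]
    autype = struct.unpack("!H", wire[14:16])[0]
    key_id, dlen, seq = struct.unpack("!xxBBI", wire[16:24])
    if autype != AUTH_MD5 or dlen != 16 or len(wire) != length + 16:
        return False
    key = keys.get(key_id)
    if key is None:
        return False                      # unknown key ID: drop
    expected = hashlib.md5(wire[:length] + _pad_key(key)).digest()
    if not hmac.compare_digest(expected, wire[length:]):
        return False                      # tampered packet or wrong key
    # Replay check: a sequence number lower than the last accepted one is
    # discarded. Equal is allowed by the RFC, so the newest packet can still
    # be replayed until the sender moves on.
    if seq < last_seq.get(router_id, 0):
        return False
    last_seq[router_id] = seq
    return True


def demo() -> dict:
    body = hello_body()
    keys = {1: b"d215"}                   # the short key from the page, for illustration
    good = build_md5(body, 1, keys[1], seq=100)
    tampered = good[:44] + bytes([good[44] ^ 0xFF]) + good[45:]  # flip a body byte
    state = {}
    return {
        "simple_seen": observer_view(build_simple(body, "secret")),
        "md5_seen": observer_view(good),
        "good": verify_md5(good, keys, state),
        "tampered": verify_md5(tampered, keys, state),
        "wrong_key": verify_md5(good, {1: b"other"}, {}),
        "replay": verify_md5(build_md5(body, 1, keys[1], seq=99), keys, state),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script shows the sniffer recovering `secret` verbatim from the plain text packet, while the MD5 packet only exposes key ID 1 and the sequence number; the tampered packet, the packet checked against the wrong key, and the replayed packet with a lower sequence number are all rejected.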

Filtering OSPF

As with BGP, filtering can be applied through a route-map. The example below uses a prefix-list: OSPF is configured to redistribute BGP entries, but only those the route-map permits. A prefix-list is evaluated in sequence order, the first matching entry decides, and a prefix that matches no entry is implicitly denied.

  1. Specify the prefix-list and route-map:

vrf main
  routing
    ipv4-prefix-list plist
      seq 1 address 10.100.0.0/24 policy permit
      seq 2 address 10.200.0.0/24 policy deny
      seq 3 address 10.150.0.0/24 policy permit
      ..
    route-map rmap seq 1 policy permit
    route-map rmap seq 1 match ip address prefix-list plist
    ..

  2. Configure a BGP instance that peers with a remote router located outside the OSPF area:

vrf main
  routing bgp
    as 55
    router-id 1.1.1.1
    neighbor 10.110.0.10 remote-as 55
    ..
    ..

Some BGP routing entries are then learnt from the remote peer:

rt1> show bgp ipv4 unicast
BGP table version is 9, local router ID is 1.1.1.1, vrf id 0
Status codes:  s suppressed, d damped, h history, * valid, > best, = multipath,
               i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes:  i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i10.100.0.0/24    10.110.0.10               0    100      0 i
*>i10.150.0.0/24    10.110.0.10               0    100      0 i
*>i10.200.0.0/24    10.110.0.10               0    100      0 i

Displayed  3 routes and 3 total paths

  3. Configure the route redistribution with the route-map filtering:

vrf main
   routing ospf
      redistribute bgp route-map rmap

rt1 has then imported only the BGP routes that the route-map permits: 10.100.0.0/24 and 10.150.0.0/24 appear as AS-external LSAs, while 10.200.0.0/24, denied by the prefix-list, is not redistributed.

rt1> show ospf database default

   OSPF Router with ID (1.1.1.1)

            Router Link States (Area 0.0.0.0)

 Link ID         ADV Router      Age  Seq#       CkSum  Link count
 1.1.1.1         1.1.1.1          127 0x80000004 0xbf9a 1

            AS External Link States

 Link ID         ADV Router      Age  Seq#       CkSum  Route
 10.100.0.0      1.1.1.1          630 0x80000001 0xc2ff E2 10.100.0.0/24 [0x0]
 10.150.0.0      1.1.1.1          621 0x80000001 0x6828 E2 10.150.0.0/24 [0x0]
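To make the filtering decision above reproducible offline, here is an added Python example (not 6WIND code) that applies the same first-match evaluation a router performs when `redistribute bgp route-map rmap` consults the prefix-list: the entries and the three BGP routes are taken from the page, and the result is the pair of prefixes seen in the LSDB. The optional `ge`/`le` prefix-length bounds are an assumed generalisation following the usual Cisco/FRR prefix-list semantics, not something the page configures.

```python
"""Added example (not 6WIND code): first-match evaluation of a prefix-list
and route-map, with implicit deny, as applied by `redistribute bgp route-map`."""
import ipaddress

# Entries from the page: (seq, prefix, policy, ge, le); ge/le None = exact match.
PLIST = [
    (1, "10.100.0.0/24", "permit", None, None),
    (2, "10.200.0.0/24", "deny", None, None),
    (3, "10.150.0.0/24", "permit", None, None),
]
RMAP = [(1, "permit", "plist")]          # (seq, policy, matched prefix-list)
BGP_ROUTES = ["10.100.0.0/24", "10.150.0.0/24", "10.200.0.0/24"]  # from show bgp


def prefix_list_match(entries, route: str) -> str:
    """Entries are tested in seq order; the first whose prefix contains the
    route and whose length bounds fit decides. No match is an implicit deny.
    Without ge/le the entry matches only the exact prefix and length."""
    r = ipaddress.ip_network(route)
    for _seq, prefix, policy, ge, le in sorted(entries):
        p = ipaddress.ip_network(prefix)
        lo = p.prefixlen if ge is None else ge
        if ge is None and le is None:
            hi = p.prefixlen
        else:
            hi = le if le is not None else r.max_prefixlen
        if r.subnet_of(p) and lo <= r.prefixlen <= hi:
            return policy
    return "deny"


def route_map_permits(rmap, plists: dict, route: str) -> bool:
    """Route-map sequences are also first-match: a sequence applies when its
    prefix-list permits the route; a denied route falls through to the next
    sequence, and falling off the end is deny."""
    for _seq, policy, plist_name in sorted(rmap):
        if prefix_list_match(plists[plist_name], route) == "permit":
            return policy == "permit"
    return False


def redistributed(routes=BGP_ROUTES, rmap=RMAP, plists=None) -> list:
    """Routes that would be redistributed into OSPF as AS-external LSAs."""
    plists = plists if plists is not None else {"plist": PLIST}
    return [r for r in routes if route_map_permits(rmap, plists, r)]


if __name__ == "__main__":
    print(redistributed())                        # the two prefixes in the LSDB
    # A more specific route is not covered by an exact-match entry...
    print(prefix_list_match(PLIST, "10.100.5.0/24"))
    # ...but is by a range entry (assumed ge/le semantics).
    print(prefix_list_match([(1, "10.100.0.0/16", "permit", None, 24)],
                            "10.100.5.0/24"))
```

The implicit deny is what removes 10.200.0.0/24 here even though seq 2 states it explicitly; any fourth BGP route not listed would be dropped the same way, which is the safe default when redistributing between protocols.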