12-13-2022 01:27 PM
Hey,
I'm doing a test lab where I'm messing around with authentication for different protocols like OSPF. But I can't seem to understand how it works. Authentication is verifying that the device you're talking to is actually the device you think you're talking to.
I wanted to test OSPF authentication by connecting a new router to my lab and configuring it with OSPF, but without authentication, to see if it could be a part of the existing OSPF instance, and it could. That's when I realized you have to configure authentication on a per-interface basis. So for it to work, you would have to do it on all interfaces to start with, I guess. Is that correct?
I understand you configure authentication on the interfaces that are used in OSPF, but you can't assume a hacker would use those interfaces. So what if he connects a router to an unused interface? Then there's no authentication configured on it, he can do a quick OSPF configuration and then he has all the routes. I made a very beautiful and realistic visual presentation of the situation:
Then I found out area authentication is also a thing. But I'm still baffled as to how that would work. If the same 3 routers are configured with OSPF and area authentication, then I would assume the authentication is automatically configured on the interfaces that are used by OSPF, which means the hacker can once again just connect to one of the unused (and unconfigured) interfaces and doesn't have to care about authentication.
I am sure I'm misunderstanding something, but I don't know what. Please enlighten me.
12-13-2022 01:53 PM - edited 12-13-2022 01:54 PM
There are many security tips you need to consider.
1. Physical security: if someone is able to get into a physical area and have access, he can do many things.
2. That is the reason it is suggested, in the OSPF config, to use passive-interface default. What that means is that until you manually add no passive-interface x/x, that interface will not participate in the OSPF process.
3. Authentication mechanism on top of it.
There are 2 types, as you mentioned: per interface or per area.
More can be found here:
https://community.cisco.com/t5/networking-knowledge-base/ospf-authentication/ta-p/3131640
4. Last but not least, device authentication using a central authentication mechanism, where only admins can access the device and make changes, and you have audit logs which can be reviewed to see who accessed the device and what they changed (if you are looking to get alerts).
12-14-2022 04:37 AM
Hello @balaji.bandi and thanks for your reply.
Your security tips are all very good and should be applied in every network, but I'm trying to understand only the OSPF authentication.
So, let's assume a hacker is next to one of the routers in my network. Let's also assume I have only configured OSPF process 1 area 0 with interface authentication on the routers' G0/0 and G0/1 interfaces and no other security measures, not even passive-interface.
The hacker connects to my router's G0/2 interface with a router and configures OSPF process 1 area 1 on it. Can we agree that the hacker will not be stopped by the OSPF authentication? And that the hacker will get all the routes?
Can we also agree that in this situation it is the same result, whether the authentication is per interface or per area? Because - and I assume here - only the interfaces that are an active part of OSPF will be configured with the authentication.
12-13-2022 02:06 PM
Hacker connects to an unused interface? In the case of broadcast, he can connect to the SW that connects the routers and hack the OSPF, so this needs auth, and here the area auth works.
But why is there area and link?
Assume the above topology: you have two routers, each one administered separately.
How can we auth both networks on both sides? If we use area auth then each admin will know the secret of the other admin, and that is not good.
So we go to interface auth: each admin shares the interface auth but can use its own area auth.
Keep in mind that interface auth overrides the area auth.
12-14-2022 04:40 AM
Hello @MHM Cisco World and thanks for the description and lab picture, that helps with understanding.
But I think we misunderstood each other. Please review my reply to @balaji.bandi's comment.
12-14-2022 04:54 AM - edited 12-14-2022 04:55 AM
Assume you have a SW and two routers connected to each other via the SW.
The router port connected to the SW must be configured for OSPF to establish OSPF neighborship with the other router.
w/o auth
the hacker can connect to the SW and make one or both routers establish OSPF with it,
w auth
the hacker needs to auth to both routers or one to make OSPF establish.
And yes, if the interface the hacker connects to is an INTERFACE not configured for OSPF, then the hacker, with or without auth, cannot establish OSPF with the victim router.
And for a passive interface it is the same: with and without auth the hacker cannot establish OSPF.
12-13-2022 02:26 PM - edited 12-13-2022 02:31 PM
I recall, for OSPF, authentication is an area parameter (a setting which must agree for all the OSPF devices in that area, like the area number).
Once area authentication is configured, you can then set passwords per interface, which, when set, must agree with OSPF neighbors on that interface to form an adjacency. I.e., you don't need to define a password, and if you don't, with area authentication active, the other OSPF neighbor, I believe, would also need to NOT define a password. (In other words, matching passwords also applies, I believe, to when passwords are null.)
"That's when I realized you have to configure authentication on a per-interface basis. So for it to work, you would have to do it on all interfaces to start with, I guess. Is that correct?"
I believe not. Again, it's enabled/set per area. Passwords, though, are per interface.
In your hacker example, for it to join the OSPF area, it first has to also have area authentication set, and second, its password must match with the OSPF device it's trying to form an adjacency with.
PS:
I was just looking at @balaji.bandi's reference. I'm unaware of what it describes as per-interface, but area authentication, I recall, operates as I described, above.
12-13-2022 02:49 PM
Just to give clarity on per-interface authentication.
When you do authentication between 2 devices you can configure it using interface commands:
per interface using the ip ospf authentication interface command (by default OSPF is configured with no authentication), and both sides should match: clear text or MD5.
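A Cisco IOS configuration that puts the points raised in this thread side by side: passive-interface default from @balaji.bandi's tip 2, area authentication, and the per-interface ip ospf authentication command described just above, which overrides the area setting as @MHM Cisco World noted. This is an added example, not configuration posted by anyone in the thread or taken from Cisco documentation; the router ID, interface names, prefixes, key ID and key strings are constructed placeholders.

```text
! Added example: OSPF restricted so only named interfaces speak OSPF,
! and every speaking interface requires MD5 authentication.
! Router ID, prefixes and key strings are constructed placeholders.
router ospf 1
 router-id 10.0.0.1
 ! Every interface is passive unless listed below: no hellos are sent
 ! or accepted, so a device plugged into an unused port gets no adjacency.
 passive-interface default
 no passive-interface GigabitEthernet0/0
 no passive-interface GigabitEthernet0/1
 ! Area-wide setting: OSPF interfaces in area 0 on this router expect
 ! MD5 (message-digest) authentication unless an interface overrides it.
 area 0 authentication message-digest
 network 10.0.12.0 0.0.0.255 area 0
 network 10.0.13.0 0.0.0.255 area 0
!
interface GigabitEthernet0/0
 ip address 10.0.12.1 255.255.255.0
 ! The key itself is always per interface and must match the neighbour
 ! on this link. Key ID 1 and the string are placeholders.
 ip ospf message-digest-key 1 md5 REPLACE-WITH-LINK-KEY
!
interface GigabitEthernet0/1
 ip address 10.0.13.1 255.255.255.0
 ! A per-interface authentication statement overrides the area setting.
 ! Here it selects the same type, written out to make the override explicit.
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 REPLACE-WITH-OTHER-LINK-KEY
!
interface GigabitEthernet0/2
 ! Unused port: covered by passive-interface default, so no OSPF hellos
 ! leave it and no adjacency can form on it even with a matching key.
 shutdown
```

To check the result, show ip ospf interface GigabitEthernet0/0 should report message digest authentication enabled with key ID 1, and show ip ospf neighbor should list adjacencies only on G0/0 and G0/1.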
12-14-2022 04:30 AM
Maybe it's also worth pointing out that authentication (per area or per interface) provides OSPF protocol integrity but not confidentiality. As @Emhmed shared, it's possible to connect to a broadcast segment and sniff the updates. Although it would not be possible to inject information into OSPF, having the LSDB from periodic flooding is enough to reconstruct the topology.
There is no native solution in OSPF for that. For IPv4 you could use manual IPsec tunnels on top of the links; with IPv6 this config is a bit more automated.