OSPFv3 SHA Authentication and Encryption in Production Environment?

AudieO
Level 1

Hello Cisco Experts,

Has anyone ever deployed OSPFv3 with SHA Authentication and IPSec Encryption for the Hello packets in a relatively large production environment? In Datacenter, DMVPN, GETVPN?

 

Any issue encountered such as stability and performance degradation?

 

In order to mitigate rogue route injection, both SHA authentication and encrypting/encapsulating the Hello packet in IPSec ESP must be enabled.

 

Thank You,

Audie

13 Replies

Use security for OSPF when it is sent via DMVPN? The OSPF is sent inside the DMVPN tunnel, and DMVPN is already secured by IPSec, so why do you seek additional security?

Of course inside an IPSec tunnel it is protected already, but inside a datacenter switch anyone can capture the Hello packets and then construct the overall OSPF network map. Please study OSPF route poisoning/injection.

 

To "fully secure" OSPF, the SHA Authentication and encryption (to encrypt the Hello packets) features must be used.

 

My question is what happens when both features are used in a Datacenter, DMVPN, or GETVPN? I think in the Datacenter it is OK since the core routers are not performing encryption for IPSec tunnels; however, in DMVPN/GETVPN the routers are performing "both" tunnel and OSPF Hello encryption. Would there be any degradation?

 

Thanks,

Audie

 

But inside a datacenter I don't think so; inside an SP core, sure, you need OSPFv3 IPSec encryption.

Hello,

definitely a good idea to implement this, as rogue route injection does not even have to be deliberate, but can happen accidentally. MD5 authentication for OSPF has been around for a very long time; what you want to implement is just another step up. That said, I don't really have practical experience other than a lab environment with a hub and a few spokes. It does not seem to cause any problems...what specifically are you looking for?

Thanks for replying Georg.

If you are concerned about state-sponsored threats, then one must enable all security features, but be sure the remedy is not worse than the disease. Thus, extensive testing must be done prior to deployment in the production environment.

 

A few to several years ago I enabled SHA authentication in a relatively large network (a dozen routers with multiple areas), but did not enable encryption since we could not find out whether others had deployed it.

 

I hope to hear experiences where both SHA Authentication and Hello packet encryption have been deployed for a minimum of several months.

 

Thank You!

Hello @AudieO ,

first of all, OSPF hello packets in a broadcast environment are sent to AllSPFRouters on the link, 224.0.0.5, which is a link-local, non-routable multicast address, and to the directly connected neighbor on p2p links.

To send a forged Hello an attacker would have to be on the same VLAN, and this alone does not qualify it as a neighbor.

As you know, there is a quite long per-neighbor state machine.

So in my opinion encryption of OSPF hello packets provides little advantage.

 

Secured exchange of LSAs and LSA updates is a different matter, but it happens only between already established adjacencies.

 

In OSPF two routers can be simple neighbors, adjacent, or nothing.

OSPFv3 has the advantage of carrying the instance ID inside the hello packets; this has been used to support multiple address family realms in OSPFv3.

So now we can use a single OSPFv3 process to route both IPv4 and IPv6 prefixes hosted in different address families, but OSPFv3 still relies on link-local IPv6 addresses, so you need to have IPv6 enabled on every link.

In DMVPN the hub(s) must be the DR or BDR, or we need to use OSPF network type point-to-multipoint or point-to-multipoint non-broadcast to avoid DR/BDR election.

Protecting OSPF messages that travel within a secure tunnel is an additional security level that would be useful only for LSA exchange, at the price of greater overhead, and remember that OSPF Database Description packets cannot be fragmented, at least in OSPFv2.

OSPFv3 uses the IPv6 extension headers AH and ESP to implement authentication and encryption, as if it were TCP or UDP.

 

Hope to help

Giuseppe

 

Thank you Giuseppe for your response!

 

"So in my opinion encryption of OSPF hello packets provides little advantage":

A sophisticated malware can capture the unencrypted Hello packets, send them to its Command-and-Control (C&C) host, and then construct the overall OSPF map. This will enable the attacker to expand the exploit to look for high-value targets. I can assure you that this can be done with relatively little difficulty. Thus, there is no need to form an OSPF adjacency to know the overall OSPF network.

 

Please activate SHA Authentication and encryption, and observe the OSPFv3 packets using Wireshark. It is self-assuring to know that the OSPF is "impossible" to crack.

 

 

Hello @AudieO ,

 

>> A sophisticated malware can capture the unencrypted Hello packets, send them to its Command-and-Control (C&C) host, and then construct the overall OSPF map. This will enable the attacker to expand the exploit to look for high-value targets. I can assure you that this can be done with relatively little difficulty. Thus, there is no need to form an OSPF adjacency to know the overall OSPF network.

 

OSPFv3 hello packets use link-local FE80::/64 IPv6 addresses on broadcast networks; where have you found the above sentence?

In any case it would be a form of reconnaissance attack, i.e. to discover the topology inside the network.

 

Hope to help

Giuseppe

 

 

Giuseppe,

Thanks for replying! It is very nice to know that someone is paying attention.

 

"OSPFv3 hello packets use link-local FE80::/64 IPv6 addresses on broadcast networks; where have you found the above sentence?" Just try to capture the multicast to ff02::5, and you will see the Hello and LSA updates are in the clear. Please see the attachment. Thus, with the regular 30-minute OSPF DB and change LSA updates, one can draw the complete OSPF network map...just like putting together a jigsaw puzzle.

 

Thank You
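The reconnaissance claimed in the two posts above (Hellos to ff02::5 readable in Wireshark, the topology pieced together from them), shown as an added example that is not part of the thread and is my own code, not Cisco's: a Python parser that reads OSPFv3 Hello packets out of raw IPv6 frames and rebuilds the router-to-router link list from the neighbor fields. All frames are constructed inside the script rather than captured, and the ESP case is a stand-in (fixed bytes after the SPI/sequence header, no real encryption) that only shows what a sniffer is left with once ESP is in use versus AH, which authenticates but leaves the Hello readable.

```python
"""Added example: parse OSPFv3 Hellos out of raw IPv6 frames sent to ff02::5
and rebuild the link list a passive sniffer could derive. All frames below
are constructed in this script, not taken from a capture."""
import ipaddress
import struct

IPV6_HDR_LEN = 40
NH_ESP, NH_AH, NH_OSPF = 50, 51, 89          # IPv6 next-header values
ALL_SPF_ROUTERS = ipaddress.IPv6Address("ff02::5")


def _rid(dotted):
    return int(ipaddress.IPv4Address(dotted))


def build_ospfv3_hello(router_id, area_id, iface_id, dr, bdr, neighbors):
    """OSPFv3 packet header (RFC 5340 A.3.1) + Hello body (A.3.2). Checksum left 0."""
    body = struct.pack("!IB3sHHII", iface_id, 1, b"\x00\x00\x13", 10, 40, _rid(dr), _rid(bdr))
    body += b"".join(struct.pack("!I", _rid(n)) for n in neighbors)
    hdr = struct.pack("!BBHIIHBB", 3, 1, 16 + len(body), _rid(router_id), area_id, 0, 0, 0)
    return hdr + body


def build_ipv6(src, dst, next_header, payload, hop_limit=1):
    """Minimal IPv6 header; OSPFv3 Hellos go out with hop limit 1 from a link-local source."""
    return (struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload)


def wrap_ah(spi, seq, inner_next_header, inner, icv=bytes(12)):
    """AH header (RFC 4302) in front of an unencrypted payload."""
    ah_len = (12 + len(icv)) // 4 - 2          # AH length in 32-bit words minus 2
    return struct.pack("!BBHII", inner_next_header, ah_len, 0, spi, seq) + icv + inner


def wrap_esp(spi, seq, opaque_ciphertext):
    """ESP header (SPI, sequence) followed by a stand-in for ciphertext.
    No real encryption is done here; the point is what a sniffer can and cannot read."""
    return struct.pack("!II", spi, seq) + opaque_ciphertext


def parse_ospfv3_hello(pkt):
    ver, ptype, plen, rid, area, _csum, inst, _rsv = struct.unpack("!BBHIIHBB", pkt[:16])
    if ver != 3 or ptype != 1:                  # only Hellos (type 1) handled here
        return None
    iface_id, prio, opts, hello, dead, dr, bdr = struct.unpack("!IB3sHHII", pkt[16:36])
    nbrs = [str(ipaddress.IPv4Address(n)) for (n,) in struct.iter_unpack("!I", pkt[36:plen])]
    return {"router_id": str(ipaddress.IPv4Address(rid)), "area": area, "instance": inst,
            "interface_id": iface_id, "priority": prio, "options": opts.hex(),
            "hello_interval": hello, "dead_interval": dead,
            "dr": str(ipaddress.IPv4Address(dr)), "bdr": str(ipaddress.IPv4Address(bdr)),
            "neighbors": nbrs}


def parse_frame(frame):
    """Everything a listener on the segment learns from one IPv6 frame."""
    if len(frame) < IPV6_HDR_LEN or frame[0] >> 4 != 6:
        raise ValueError("not an IPv6 frame")
    plen, nh = struct.unpack("!HB", frame[4:7])
    src, dst = ipaddress.IPv6Address(frame[8:24]), ipaddress.IPv6Address(frame[24:40])
    payload = frame[40:40 + plen]
    info = {"src": str(src), "to_allspfrouters": dst == ALL_SPF_ROUTERS,
            "protected": "none", "hello": None}
    if nh == NH_AH:                              # AH authenticates but does not hide the OSPF payload
        nh, ah_len = payload[0], payload[1]
        info["protected"] = "AH spi=%d" % struct.unpack("!I", payload[4:8])[0]
        payload = payload[(ah_len + 2) * 4:]
    if nh == NH_ESP:                             # ESP: only SPI and sequence number are visible
        spi, seq = struct.unpack("!II", payload[:8])
        info["protected"] = "ESP spi=%d seq=%d" % (spi, seq)
    elif nh == NH_OSPF:
        info["hello"] = parse_ospfv3_hello(payload)
    return info


def recon_summary(frames):
    """Aggregate cleartext Hellos into router-to-router links and the DR per area,
    and list the sources whose traffic was ESP-protected and yielded nothing."""
    links, dr_by_area, encrypted = set(), {}, []
    for frame in frames:
        r = parse_frame(frame)
        if r["hello"] is None:
            if r["protected"].startswith("ESP"):
                encrypted.append(r["src"])
            continue
        h = r["hello"]
        for n in h["neighbors"]:
            links.add(tuple(sorted((h["router_id"], n))))
        dr_by_area[h["area"]] = h["dr"]
    return {"links": sorted(links), "dr_by_area": dr_by_area, "encrypted_sources": encrypted}


# Constructed sample: two routers sending Hellos in the clear, one using ESP.
R1, R2, R3 = "1.1.1.1", "2.2.2.2", "3.3.3.3"
SAMPLE_FRAMES = [
    build_ipv6("fe80::1", "ff02::5", NH_OSPF, build_ospfv3_hello(R1, 0, 3, R1, R2, [R2, R3])),
    build_ipv6("fe80::2", "ff02::5", NH_OSPF, build_ospfv3_hello(R2, 0, 7, R1, R2, [R1, R3])),
    build_ipv6("fe80::3", "ff02::5", NH_ESP, wrap_esp(501, 12, bytes(range(64)))),
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(parse_frame(frame))
    print(recon_summary(SAMPLE_FRAMES))
```

Two cleartext Hellos are enough to recover all three links and the DR for area 0 without ever forming an adjacency; the ESP source contributes only an SPI and sequence number. Feeding the parser real frames (for example the raw bytes of each packet from a pcap filtered on `ipv6.dst == ff02::5`) instead of `SAMPLE_FRAMES` is the only change needed to run it against a capture.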

Hello ,

FF02::5 is a link-local multicast address that is not routable; you must be on the same segment to be able to capture it.

 

This is the key point: if you use point-to-point links and you are able to use passive interface for client-facing logical interfaces (routed ports, SVIs or BDIs), a PC connected to a client VLAN will not see anything.

So in my opinion, if supported, the passive interface concept is much more effective, because nowadays most inter-device links are point-to-point.

 

Hope to help

Giuseppe
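The passive-interface point above, as an added example that is my own script and not code from Cisco or from anyone in the thread: a Python audit over an IOS running-config excerpt that, for every interface running OSPFv3, works out whether it is passive (listed under `passive-interface`, or covered by `passive-interface default` and not excluded by `no passive-interface`), and whether it has IPsec authentication and/or ESP encryption from either the interface (`ipv6 ospf authentication ipsec ...`, `ipv6 ospf encryption ipsec ...`) or the area (`area N authentication ipsec ...`, `area N encryption ipsec ...` under `ipv6 router ospf`). Active interfaces whose Hellos would still be readable on the segment are flagged. The config text is constructed for the example and the hex keys in it are placeholders.

```python
"""Added example: audit an IOS running-config excerpt for OSPFv3 interfaces that are
neither passive nor IPsec-protected. The config below is constructed for this example;
the keys are placeholder hex, not real material."""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 description core p2p link, interface-level SHA1 auth + ESP
 ipv6 enable
 ipv6 ospf 1 area 0
 ipv6 ospf network point-to-point
 ipv6 ospf authentication ipsec spi 500 sha1 0123456789abcdef0123456789abcdef01234567
 ipv6 ospf encryption ipsec spi 501 esp aes-cbc 128 0123456789abcdef0123456789abcdef sha1 0123456789abcdef0123456789abcdef01234567
!
interface GigabitEthernet0/1
 description uplink, relies on area-level authentication only
 ipv6 enable
 ipv6 ospf 1 area 1
!
interface Vlan100
 description client VLAN, active OSPFv3, no protection
 ipv6 enable
 ipv6 ospf 1 area 0
!
interface Vlan200
 description client VLAN, made passive in the process
 ipv6 enable
 ipv6 ospf 1 area 0
!
ipv6 router ospf 1
 router-id 1.1.1.1
 area 1 authentication ipsec spi 600 sha1 89abcdef0123456789abcdef0123456789abcdef
 passive-interface Vlan200
!
"""

IFACE_RE = re.compile(r"^interface (\S+)")
PROC_RE = re.compile(r"^ipv6 router ospf (\d+)")
OSPF_IF_RE = re.compile(r"^ ipv6 ospf (\d+) area (\S+)")
AREA_PROT_RE = re.compile(r"^ area (\S+) (authentication|encryption) ipsec ")


def _new_proc():
    return {"passive_default": False, "passive": set(), "no_passive": set(),
            "area_authentication": set(), "area_encryption": set()}


def parse_config(text):
    """Collect per-interface OSPFv3 settings and per-process passive/area protection settings."""
    ifaces, procs = {}, defaultdict(_new_proc)
    cur_if = cur_proc = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur_if, cur_proc = m.group(1), None
            ifaces[cur_if] = {"process": None, "area": None, "auth": False, "enc": False}
            continue
        m = PROC_RE.match(line)
        if m:
            cur_proc, cur_if = m.group(1), None
            continue
        if not line.startswith(" "):             # "!" or any other top-level line ends the block
            cur_if = cur_proc = None
            continue
        if cur_if:
            m = OSPF_IF_RE.match(line)
            if m:
                ifaces[cur_if]["process"], ifaces[cur_if]["area"] = m.groups()
            elif line.startswith(" ipv6 ospf authentication ipsec "):
                ifaces[cur_if]["auth"] = True
            elif line.startswith(" ipv6 ospf encryption ipsec "):
                ifaces[cur_if]["enc"] = True
        elif cur_proc:
            p = procs[cur_proc]
            if line.strip() == "passive-interface default":
                p["passive_default"] = True
            elif line.startswith(" no passive-interface "):
                p["no_passive"].add(line.split()[-1])
            elif line.startswith(" passive-interface "):
                p["passive"].add(line.split()[-1])
            else:
                m = AREA_PROT_RE.match(line)
                if m:
                    p["area_" + m.group(2)].add(m.group(1))
    return ifaces, procs


def audit_config(text):
    """Classify each OSPFv3 interface by what a sniffer on its segment would see."""
    ifaces, procs = parse_config(text)
    report = {}
    for name, i in ifaces.items():
        if i["process"] is None:                 # interface not running OSPFv3
            continue
        p = procs[i["process"]]
        passive = name in p["passive"] or (p["passive_default"] and name not in p["no_passive"])
        enc = i["enc"] or i["area"] in p["area_encryption"]
        auth = i["auth"] or i["area"] in p["area_authentication"]
        if passive:
            report[name] = "ok-passive"            # no Hellos sent on this segment at all
        elif enc:
            report[name] = "ok-esp"                # Hellos and LSAs encrypted on the wire
        elif auth:
            report[name] = "hello-readable-auth-only"  # forgery blocked, topology still visible
        else:
            report[name] = "unprotected"
    return report


if __name__ == "__main__":
    for name, status in audit_config(SAMPLE_CONFIG).items():
        print(f"{name:22} {status}")
```

On the sample, Vlan100 comes out `unprotected` and GigabitEthernet0/1 `hello-readable-auth-only`: authentication alone stops forged packets from being accepted but does nothing for the reconnaissance discussed earlier in the thread, which is why the audit distinguishes it from `ok-esp` and `ok-passive`. Swapping `passive-interface Vlan200` for `passive-interface default` plus `no passive-interface` on the real transit links is the more robust way to reach `ok-passive` on every client-facing SVI.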

 

Giuseppe,

"FF02::5  is a link local multicast address that is not routable you must be on the same segment to be able to capture it."

Correct! So if an internal computer is compromised by sophisticated malware, then you are in trouble. It will perform reconnaissance, then "call home" to notify the home base to dial in via a covert channel.

 

One has to perform multi-layer security defense to stop state-sponsored exploits. I can elaborate if needed.

 

Thanks,

Audie

First, not only the Hello messages will be encrypted; even the update messages are encrypted.
I don't have an exact answer, but
let's assume that OSPFv3 is like any VPN traffic, meaning the traffic always passes between the peers, and it does not pass as clear text but as encrypted text.

In each peer the HW and license support a fixed number of VPN tunnels;
here we will enlarge the calculation of VPN tunnels to include OSPFv3.
i.e.
A peer has a max of 50 VPN tunnels. I have 40 VPN tunnels BUT also I have three OSPF peers; the result is
43, not 40, VPN tunnels, since the encrypt+decrypt consumes CPU and memory of the peer (also there is the license).

Thank you MHM Cisco World for the reply!

"First, not only the Hello messages will be encrypted; even the update messages are encrypted": You are correct, thanks for elaborating on it. If only the Hello packets are encrypted, then I can deduce the overall OSPF map from the LSA updates...good catch!

 

"In each peer the HW and license support a fixed number of VPN tunnels;
here we will enlarge the calculation of VPN tunnels to include OSPFv3": Wow, so each OSPFv3 encryption peering will consume a tunnel license?

 

To Everyone,

I am not here trying to sell or justify the need for OSPF encryption. If it is an overkill feature, so be it. What I am here for is as follows:

1. Any experience enabling the SHA authentication and encryption in production environment?

2. If so, are the routers supporting IPSec tunnels such as L2L, DMVPN, GETVPN?

3. What are the router model and IOS types (classic IOS, XE, XR)?

 

Thank You!

 
