Securing OSPFv2

glitchlist Blog Leave a Comment

OSPF is a king routing protocol that speaks on Multicast addresses 224.0.0.5 and 224.0.0.6. Once the neighborhood relationship is installed and LSAs are exchanged, the SPF algorithm starts running. If the new OSPF peer is a malicious router it can cause a lot of damage to your routing table such as:

  • Network congestions
  • Dos attacks
  • Loops
  • LSA flooding
  • and why not even divert traffic on it to sniff it!

The best way to secure this routing protocol is to add strong authentication between OSPF peers:

HMAC-SHA Cryptographic Authentication:

# Cisco
 
Cisc0L4b(config)#key chain 1
Cisc0L4b(config-keychain)#key 1
Cisc0L4b(config-keychain-key)#key-string *asswor*
Cisc0L4b(config-keychain-key)#cryptographic-algorithm hmac-sha-512
Cisc0L4b(config-keychain-key)#exit
Cisc0L4b(config-keychain)#exit
Cisc0L4b(config)#
Cisc0L4b(config)#router ospf 1
0
Cisc0L4b(config-router)#router-id 192.168.0.1
Cisc0L4b(config-router)#network 10.90.89.0 0.0.0.255 area 0
Cisc0L4b(config-router)#exit

Cisc0L4b(config)#int gi0/1
Cisc0L4b(config-if)#ip address 10.90.89.0 255.255.255.0
Cisc0L4b(config-if)#ip ospf authentication
Cisc0L4b(config-if)#ip ospf authentication key-chain 1
Cisc0L4b(config-router)#exit
Cisc0L4b(config)#

# Huawei

[HuaweiL4b]keychain 47 mode absolute
[HuaweiL4b-keychain-47]key-id 7 
[HuaweiL4b-keychain-47-keyid-7]algorithm hmac-sha-256
[HuaweiL4b-keychain-47-keyid-7]key-string *asswor*
[HuaweiL4b]ospf 10
[HuaweiL4b-ospf-10]area 0
[HuaweiL4b-ospf-10]area 0
[HuaweiL4b-ospf-10]area 0
[HuaweiL4b-ospf-10-area-0.0.0.0]authentication-mode keychain 47

Thanks Edsger for this awesome algorithm!

#CyberSecMonth

.glitchlist crew

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.