Thursday, May 1, 2014

OSPF Authentication

Lessons Learned:

OSPF supports 3 types of authentication
-0 = Null
-1 = Clear Text
-2 = MD5

Can be enabled
-On all links in the area
-On a per link basis

Key – is always applied at the link level
-Virtual-Links are Area0 interfaces

--------------------------------------------------- 

At the packet level there is no difference in the authentication types whether you enable authentication globally under the process or directly at the interface level.

The only difference is that when it's enabled under the process, it is automatically applied to every interface within that area.

Ex: “area 0 authentication” – every link in that area is going to have type 1 applied to it.
This is the same as going to each interface and configuring “ip ospf authentication”.

We can verify this by running “show ip ospf interface”, which shows what type of auth is configured on the link.

The password, regardless of the type, is always configured at the link level.

Note: A Virtual-Link is an area 0 interface.
If auth is enabled on all interfaces in Area 0, a virtual link will inherit the auth.
As long as the neighbors agree on what the authentication type is, you can actually use a null password.

As long as both ends match, authentication succeeds and you can form an ADJ.

Clear text Authentication:
--------------------------------

Note: this can be enabled either under the process or the interface.
First let’s look at the interface prior to configuring any auth.

R1#sh ip ospf interface fa0/0
FastEthernet0/0 is up, line protocol is up
  Internet Address 192.168.12.1/24, Area 0
  Process ID 10, Router ID 192.168.13.1, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 192.168.13.1, Interface address 192.168.12.1
  Backup Designated router (ID) 192.168.23.2, Interface address 192.168.12.2
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:07
  Supports Link-local Signaling (LLS)
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 192.168.23.2  (Backup Designated Router)
  Suppress hello for 0 neighbor(s)
R1#

Let’s turn on clear text under the process:

R1(config-router)#area 0 authentication

Now let’s debug the ADJ on the other end of the link. We will see that any new packet coming in from the neighbor is discarded because there’s a mismatch in the authentication type:

Output:
*Mar  1 00:17:22.567: OSPF: Rcv pkt from 192.168.12.1, FastEthernet0/0 : Mismatch Authentication type. Input packet specified type 1, we use type 0
This says locally I use type 0 – which is Null – and the neighbor uses type 1 auth, which is clear text. This is not a mismatch in the password. It’s a mismatch in the type of authentication.

Now at the link level of the local router we configure “ip ospf authentication”. This turns clear text authentication on for the link. Even though we don’t have a password configured, the neighbors are now doing clear text authentication with no key.

Output:
The ADJ now forms
R2#
*Mar  1 00:23:32.011: %OSPF-5-ADJCHG: Process 10, Nbr 192.168.13.1 on FastEthernet0/0 from LOADING to FULL, Loading Done
R2#

Also from a “sh ip ospf int fa0/0” we can now see that simple password auth is enabled.

R2#sh ip ospf interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
  Internet Address 192.168.12.2/24, Area 0
  Process ID 10, Router ID 192.168.23.2, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 192.168.23.2, Interface address 192.168.12.2
  Backup Designated router (ID) 192.168.13.1, Interface address 192.168.12.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:05
  Supports Link-local Signaling (LLS)
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 4 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 192.168.13.1  (Backup Designated Router)
  Suppress hello for 0 neighbor(s)
  Simple password authentication enabled

If we want to add a key value we can change the auth type on the link level of both neighbors.

EX: R2(config-if)#ip ospf authentication-key CISCO

Note: Be careful, because most Cisco IOS versions will treat white space (such as a trailing space) as part of the password.

For MD5 Authentication –
The config is essentially going to be the same –

Ex: under the link -
R1(config-if)#ip ospf authentication message-digest
R1(config-if)#ip ospf message-digest-key 10 md5 CISCO123

Note: Just like in EIGRP, the key # does have to match on both neighbors because it’s carried in the packet.

Interface verification

R2#sh ip ospf interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
  Internet Address 192.168.12.2/24, Area 0
  Process ID 10, Router ID 192.168.23.2, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 192.168.23.2, Interface address 192.168.12.2
  Backup Designated router (ID) 192.168.13.1, Interface address 192.168.12.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:01
  Supports Link-local Signaling (LLS)
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 4 msec, maximum is 4 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 192.168.13.1  (Backup Designated Router)
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 10
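The checks described in these notes (type 0/1/2 in the header, type compared before any key, key # carried in the packet for MD5), written out as an added Python example that is not from the original post and not Cisco IOS code. It builds constructed OSPFv2 Hello packets for each AuType and runs the receiver-side check in the same order the debug above reports it: type first, then the credential. Field layout and the MD5 procedure follow RFC 2328 Appendix D (digest over the packet followed by the secret key, which the example zero-pads to 16 bytes as IOS does with short keys). The addresses, key id 10 and the keys CISCO/CISCO123 come from the lab; the names hello_body, build_packet and check_packet and the wording of the reasons other than the type-mismatch line are chosen here.

```python
import hashlib
import ipaddress
import struct

AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2   # AuType values in the OSPF header
AUTH_NAMES = {AUTH_NULL: "Null", AUTH_SIMPLE: "Clear Text", AUTH_MD5: "MD5"}
HDR_LEN = 24                                  # OSPFv2 header length in bytes


def _ip(addr):
    return ipaddress.IPv4Address(addr).packed


def ones_complement_checksum(data):
    """16-bit one's complement checksum used by the OSPF header (types 0 and 1)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def hello_body():
    """Constructed Hello body for the lab link: /24 mask, hello 10, dead 40,
    DR 192.168.12.1, BDR 192.168.12.2, one neighbor 192.168.23.2."""
    return (_ip("255.255.255.0") + struct.pack("!HBBI", 10, 0x12, 1, 40)
            + _ip("192.168.12.1") + _ip("192.168.12.2") + _ip("192.168.23.2"))


def build_packet(router_id, area_id, body, autype, key=b"", key_id=0, seq=0):
    """Wrap `body` in an OSPFv2 Hello header using the given AuType."""
    length = HDR_LEN + len(body)
    head = struct.pack("!BBH", 2, 1, length) + _ip(router_id) + _ip(area_id)
    if autype == AUTH_MD5:
        # Type 2: checksum stays 0; auth field = 0, 0, Key ID, digest length, sequence
        auth = struct.pack("!BBBBI", 0, 0, key_id, 16, seq)
        pkt = head + struct.pack("!HH", 0, autype) + auth + body
        # Digest = MD5(packet || key zero-padded to 16 bytes), appended after the packet
        return pkt + hashlib.md5(pkt + key.ljust(16, b"\x00")[:16]).digest()
    # Types 0 and 1: checksum covers the whole packet except the 8-byte auth field
    csum = ones_complement_checksum(head + struct.pack("!HH", 0, autype) + body)
    auth = key.ljust(8, b"\x00")[:8] if autype == AUTH_SIMPLE else bytes(8)
    return head + struct.pack("!HH", csum, autype) + auth + body


def check_packet(pkt, local_autype, simple_key=b"", md5_keys=None):
    """Receiver-side check; returns (accepted, reason). The AuType is compared
    before any key is looked at, so a type mismatch is reported even when
    neither side has a password configured."""
    md5_keys = md5_keys or {}
    length = struct.unpack("!H", pkt[2:4])[0]
    csum, autype = struct.unpack("!HH", pkt[12:16])
    auth = pkt[16:24]
    if autype != local_autype:
        # Same wording as the IOS debug line quoted in the notes
        return False, ("Mismatch Authentication type. Input packet specified "
                       "type %d, we use type %d" % (autype, local_autype))
    if autype == AUTH_MD5:
        key_id, digest_len = auth[2], auth[3]     # key # travels in the packet
        key = md5_keys.get(key_id)
        if key is None:
            return False, "no message-digest-key %d configured locally" % key_id
        expected = hashlib.md5(pkt[:length] + key.ljust(16, b"\x00")[:16]).digest()
        if pkt[length:length + digest_len] != expected:
            return False, "MD5 digest mismatch for key id %d" % key_id
        return True, "MD5 digest verified with key id %d" % key_id
    # Types 0 and 1: recompute the checksum with the checksum and auth fields excluded
    covered = pkt[:12] + bytes(2) + pkt[14:16] + pkt[HDR_LEN:length]
    if ones_complement_checksum(covered) != csum:
        return False, "bad checksum"
    if autype == AUTH_SIMPLE and auth != simple_key.ljust(8, b"\x00")[:8]:
        return False, "clear text password mismatch"
    return True, "%s authentication accepted" % AUTH_NAMES[autype]


if __name__ == "__main__":
    body = hello_body()
    # Same situation as the debug above: R1 sends type 1, R2 is still at type 0
    pkt = build_packet("192.168.13.1", "0.0.0.0", body, AUTH_SIMPLE)
    print(check_packet(pkt, AUTH_NULL)[1])
    print(check_packet(pkt, AUTH_SIMPLE)[1])          # both type 1, null password
    pkt = build_packet("192.168.13.1", "0.0.0.0", body, AUTH_MD5,
                       b"CISCO123", key_id=10, seq=1)
    print(check_packet(pkt, AUTH_MD5, md5_keys={10: b"CISCO123"})[1])
    print(check_packet(pkt, AUTH_MD5, md5_keys={11: b"CISCO123"})[1])  # key # mismatch
```

Two things the code makes visible that the show output does not: a type 1 packet carries the password in the clear in bytes 16 to 23 of the header, so clear text auth only protects against accidental adjacencies, and a type 2 packet is rejected both when the key id is unknown and when any byte of the packet is altered, because the digest covers the whole packet. Trailing white space in a key shows up in the clear text check as a plain mismatch, which is the IOS gotcha noted above.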
