Friday, 22 March 2019

Routing Protocol Authentication (OSPF)



 Routing Protocol Authentication (OSPF)


A router authenticates the source of each routing update packet that it receives. Many routing protocols support authentication like OSPF, EIGRP, ISIS, BGP, and RIPv2.

Cisco routers support of different approaches to authentication route advertisements received from a neighboring router:

  •  Simple text authentication
  • Hashing authentication (using MD5)



 Simple password authentication:

Router sends packets and key (if a routing protocol doesn’t support multiple keys, the key number associated with a routing update is 0). Neighboring router check whether key matches its key. The outing update is rejected if the keys do not match. The only routing protocols the plan text authentication are RIPv2, OSPF, and ISIS.

MD5 authentication


Configure a key (password) and key ID, router generate a message digest or hash of the key, key ID and message. Message digest is send with packet key is not sent. The neighboring router receives the update and run a hashing algorithm on the routing update with local key, the results in a hash digest. If hash digit matches, the router accept the packet, if it not the update is rejected. This process is more secure than a plain text authentication. IS-IS, OSPF, RIPv2 and EIGRP use MD5.


OSPF Authentication


Types of authentication in OSPF

Type 0 – NULL
Type 1- simple password authentication
Type 2 – cryptographic (SHA/MD5) authentication
OSPF Authentication can be enabled  on OSPF process level (area) or Link level.


All OSPF packet will be authenticated when you enable any formation of authentication in OSPF.

Before we start  BGP configuration check out some important  of BGP CCIE exam topics.


Here are the lists of all OSPF labs and theories CCNA to CCIE.












Let’s see the configuration:



Topology:-



GOAL:
  • Configure the topology as per our diagram
  • configure OSPF in area 0 and advertise all the interfaces
  • configure router 1 and router 2 to exchange routes after establishing successful authentication by using clear text  




R1#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        10.1.1.1        YES manual up                    up
Serial3/0                   1.1.1.1         YES manual up                    down
Loopback0              11.0.0.1        YES manual up                    up
Loopback1              11.0.1.1        YES manual up                    up
Loopback2              11.0.2.1        YES manual up                    up
Loopback3              11.0.3.1        YES manual up                    up


R2#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        20.1.1.1        YES manual up                    up
Serial3/0                   1.1.1.2         YES manual up                    up
Loopback0              12.0.0.1        YES manual up                    up
Loopback1              12.0.1.1        YES manual up                    up
Loopback2              12.0.2.1        YES manual up                    up
Loopback3              12.0.3.1        YES manual up                    up



R1(config)#router ospf 10
R1(config-router)#router-id 11.11.11.11
R1(config-router)#network 1.0.0.0 0.255.255.255 area 0
R1(config-router)#network 10.0.0.0 0.255.255.255 area 0
R1(config-router)#network 11.0.0.0 0.0.0.255 area 0

R2(config)#router ospf 10
R2(config-router)#router-id 12.12.12.12
R2(config-router)#network 12.0.0.0 0.0.0.255 area 0
R2(config-router)#network 20.0.0.0 0.255.255.255 area 0

R2(config-router)#network 1.0.0.0 0.255.255.255 area 0


R1(config)#interface serial 3/0
R1(config-if)#ip ospf authentication
R1(config-if)#ip ospf authentication-key internet


*Dec  5 12:09:31.047: %OSPF-5-ADJCHG: Process 10, Nbr 12.12.12.12 on Serial3/0 from FULL to DOWN, Neighbor Down: Dead timer expired

R2(config)#interface serial 3/0
R2(config-if)#ip ospf authentication
R2(config-if)#ip ospf authentication-key internet


(ip ospf authentication command you can enable plaintext authentication on the
interface level.)



*Dec  5 12:16:37.095: %OSPF-5-ADJCHG: Process 10, Nbr 11.11.11.11 on Serial3/0 from LOADING to FULL, Loading Done

R1#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface

12.12.12.12       0   FULL/  -        00:00:39    1.1.1.2         Serial3/0

R2#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
11.11.11.11       0   FULL/  -        00:00:39    1.1.1.1         Serial3/0



(when we have  lots of interfaces do not want to enable OSPF authentication for
each  and every interfaces. we can also enable area-wide authentication by using  area
authentication command). 



lets see:-

R1(config)#router ospf 10
R1(config-router)#area 0 authentication
R1(config-router)#end


*Dec  5 12:27:32.931: OSPF-10 EVENT: Area config: 'area 0 authentication '

R2(config)#router ospf 10
R2(config-router)#area 0 authentication

R1#show ip ospf interface serial 3/0
Serial3/0 is up, line protocol is up
  Internet Address 1.1.1.1/8, Area 0, Attached via Network Statement
  Process ID 10, Router ID 11.11.11.11, Network Type POINT_TO_POINT, Cost: 64
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           64        no          no            Base
  Transmit Delay is 1 sec, State POINT_TO_POINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:00
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 12.12.12.12
  Suppress hello for 0 neighbor(s)
  Simple password authentication enabled





R2#show ip ospf interface serial 3/0
Serial3/0 is up, line protocol is up
  Internet Address 1.1.1.2/8, Area 0, Attached via Network Statement
  Process ID 10, Router ID 12.12.12.12, Network Type POINT_TO_POINT, Cost: 64
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           64        no          no            Base
  Transmit Delay is 1 sec, State POINT_TO_POINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:04
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 11.11.11.11
  Suppress hello for 0 neighbor(s)
  Simple password authentication enabled



MD5 in OSPF:-




MD5 authentication we need different commands. First of all we use ip ospf message-digest key
name md5 to specify the key num and the password. name and key number is not matter we can choose whatever name but it must be the same on both sites. To enable OSPF authentication we need
to type  ip ospf authentication message-digest.

 Topology:

 



GOAL:
  • we are continuing our previous topology
  • erase the simple authentication configuration
  • and configure MD5 





R1(config)#router ospf 11
R1(config-router)#router-id 11.11.11.11
R1(config-router)#network 10.0.0.0 0.255.255.255 area 0
R1(config-router)#network 1.0.0.0 0.255.255.255 area 0
R1(config-router)#network 11.0.0.0 0.0.0.255 area 0

R2(config)#router ospf 12
R2(config-router)#router-id 12.12.12.12
R2(config-router)#network 1.0.0.0 0.255.255.255 area 0
R2(config-router)#network 20.0.0.0 0.255.255.255 area 0
R2(config-router)#network 12.0.0.0 0.0.0.255 area 0




R1(config)# router ospf 11
R1(config-router)#  area 0 authentication message-digest
R1(config-router)#  exit


R1(config)#  interface serial 3/0
R1(config-if)#  ip ospf message-digest-key 1 md5 internet


R2(config)# router ospf 11
R2(config-router)#  area 0 authentication message-digest
R2(config-router)#  exit

R2(config)#  interface serial 3/0
R2(config-if)#  ip ospf message-digest-key 1 md5 internet



R1#show ip ospf interface serial 3/0
Serial3/0 is up, line protocol is up
  Internet Address 1.1.1.1/8, Area 0, Attached via Network Statement
  Process ID 11, Router ID 11.11.11.11, Network Type POINT_TO_POINT, Cost: 64
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           64        no          no            Base
  Transmit Delay is 1 sec, State POINT_TO_POINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:01
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 12.12.12.12
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1




R2#show ip ospf interface serial 3/0
Serial3/0 is up, line protocol is up
  Internet Address 1.1.1.2/8, Area 0, Attached via Network Statement
  Process ID 11, Router ID 12.12.12.12, Network Type POINT_TO_POINT, Cost: 64
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           64        no          no            Base
  Transmit Delay is 1 sec, State POINT_TO_POINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:04
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 4 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 11.11.11.11
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1





No comments:

PIM Sparse Mode

PIM Sparse Mode  ( PIM-SM )  PIM  Sparse Mode explicitly builds unidirectional shared trees rooted at a ( RP ) rendezvous point per...