OSPF Authentication Explained and Configuration on Nexus switches

We want to configure authentication on OSPFv2 messages to prevent unauthorized or invalid routing updates

For OSPF Authentication, we have mainly 2 options:

  • Simple password authentication
  • MD5 authentication digest (preferred)


Lab topology:


Simple password Authentication

uses a simple cleartext password that is sent as part of the OSPFv2 message. The receiving OSPFv2 router must be configured with the same cleartext password to accept the OSPFv2 message as a valid route update.

Configuration:

NX7k-01# 

interface Ethernet1/2
  no switchport
  ip address 192.168.20.1/30
  ip ospf authentication
  ip ospf authentication-key learndut
  ip router ospf 10 area 0.0.0.0
  no shutdown

router ospf 10
  router-id 1.1.1.1
version 9.3(9) Bios:version

NX7k-02# 

interface Ethernet1/2
  no switchport
  ip address 192.168.20.2/30
  ip ospf authentication
  ip ospf authentication-key learndut
  ip router ospf 10 area 0.0.0.0
  no shutdown

router ospf 10
  router-id 2.2.2.2


This option is not recommended from security perspective, because the password is in cleartext, anyone who can watch traffic on the network can learn the password.

This can easily illustrated from a Wireshark capture and you can see the password “learndut” in the OSPF header:



MD5 authentication digest

For more security, you should use MD5 authentication to authenticate OSPFv2 messages.

You configure a password that is shared at the local router and all remote OSPFv2 neighbors. For each OSPFv2 message, Cisco NX-OS creates an MD5 one-way message digest based on the message itself and the encrypted password:

1- The interface sends a digest with the OSPFv2 message (based on the OSPF message & the encrypted password)

2- The receiving OSPFv2 neighbor validates the digest using the same encrypted password: If the message has not changed, the digest calculation is identical and the OSPFv2 message is considered valid.


Configuration:

We need to create the key chain for this authentication configuration.

What is Key chain: A key chain is a list of keys. Each key consists of a key string, which is also called the password or passcode. A key-string is essential for a key to be operational. Each key is identified by a unique key ID. To authenticate the OSPFv2 packets, it is essential that the cryptographic authentication algorithm be configured with a key.

The authentication key on a key chain is valid for a specific time period called lifetime. An SA has the following configurable lifetimes:

  • Accept lifetime
  • Send lifetime

When key chain has more than one key, OSPF selects the key that has the maximum life time. Key having an infinite lifetime is preferred. If keys have the same lifetime, then key with the higher key ID is preferred.

NX7k-01# 

key chain learnduty
  key 1
    key-string cisco

interface Ethernet1/2
  no switchport
  ip address 192.168.20.1/30
  ip ospf authentication message-digest
  ip ospf authentication key-chain learnduty
  ip router ospf 10 area 0.0.0.0
  no shutdown

router ospf 10
  router-id 1.1.1.1
  area 0.0.0.0 authentication message-digest
NX7k-01# 

key chain learnduty
  key 1
    key-string cisco

interface Ethernet1/2
  no switchport
  ip address 192.168.20.2/30
  ip ospf authentication message-digest
  ip ospf authentication key-chain learnduty
  ip router ospf 10 area 0.0.0.0
  no shutdown

router ospf 10
  router-id 1.1.1.1
  area 0.0.0.0 authentication message-digest


Checking again the Wireshark capture for this authentication method:

We can see that Auth Type is Cryptographic along with a key ID and a non-decreasing sequence number:

  • MD5 authentication includes a sequence number with each OSPFv2 message to ensure that no message is replayed in the network (prevents replay attacks).
  • This method uses the MD5 algorithm to compute a hash value from the contents of the OSPF packet and a password (or key).
  • The receiver, which knows the same password, calculates its own hash value. If nothing in the message changes, the hash value of the receiver must match the hash value of the sender which is transmitted with the message.


Verification:


NX7K-02(config-if)# show ip ospf  neighbors
 OSPF Process ID 10 VRF default
 Total number of neighbors: 1
 Neighbor ID     Pri State            Up Time  Address         Interface
 1.1.1.1           1 FULL/DR          00:00:36 192.168.20.1    Eth1/2


Reference: Cisco.com

Bilel

Bilel

0 0 votes
Article Rating
Subscribe
Notify of
guest

0 Comments
Inline Feedbacks
View all comments
Learn Duty
0
Would love your thoughts, please comment.x
()
x