OSPF v2 security¶
Security problems could lead to DoS if falsified routing information are exchanged between routers.
Turbo CG-NAT OSPF v2 implementation supports two kinds of authentication, plain text authentication and more secure MD5 authentication.
Note
If this option is adopted, then it must be configured in the whole area. For plain text authentication, passwords must be the same between neighbors.
OSPF authentication configuration¶
Configuring plain text authentication¶
For each interface, type the following command at the interface level:
vrf main
routing interface eth0_0
ip ospf authentication simple
ip ospf authentication-key secret
..
..
The secret
password is being used in the OSPF header of OSPF messages, and is in
clear form.
Enable ospf authentication in the corresponding area, in the router ospf context.
vrf main
routing ospf
area 0 authentication
..
..
Remove the authentication password:
vrf main
routing interface eth0_0
del ip ospf authentication-key
del ip ospf authentication
..
..
routing ospf
del area 0 authentication
..
..
Configuring MD5 authentication¶
For each interface, type the following command at the interface level:
vrf main
routing interface eth0_0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 d215
..
..
A key identifier is carried in OSPF messages, along with authentication crypted data, and area identifier ( by default backbone).
Enable context authentication in the corresponding area, in the router
ospf
context.
vrf main
routing ospf
area 0 authentication message-digest true
Remove the OSPF authentication and MD5 authentication secret:
vrf main routing interface eth0_0 del ip ospf authentication del ip ospf message-digest-key 1 .. .. routing ospf del area 0 authentication .. ..
Filtering OSPF¶
Like for BGP protocol, it is possible to apply filtering thanks to route map. Below example illustrates what can be done by using Prefix List. OSPF will be configured to redistribute BGP entries, however some filtering will be applied.
Specify the prefix-list and route-map:
vrf main
routing
ipv4-prefix-list plist
seq 1 address 10.100.0.0/24 policy permit
seq 2 address 10.200.0.0/24 policy deny
seq 3 address 10.150.0.0/24 policy permit
..
route-map rmap seq 1 plicy permit
route-map rmap seq 1 match ip address prefix-list plist
..
Configuration of a BGP instance that peers with remote located outside of OSPF area.
vrf main
routing bgp
as 55
router-id 1.1.1.1
neighbor 10.110.0.10 remote-as 55
..
..
Subsequently, some BGP routing entries will be learnt from remote.
rt1> show bgp ipv4 unicast
BGP table version is 9, local router ID is 1.1.1.1, vrf id 0
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*>i10.100.0.0/24 10.110.0.10 0 100 0 i
*>i10.150.0.0/24 10.110.0.10 0 100 0 i
*>i10.200.0.0/24 10.110.0.10 0 100 0 i
Displayed 3 routes and 3 total paths
Configure the route redistribution with the route-map filtering:
vrf main
routing ospf
redistribute bgp route-map rmap
Subsequently, the rt1 device has imported filtered BGP route entries.
rt1> show ospf database default
OSPF Router with ID (1.1.1.1)
Router Link States (Area 0.0.0.0)
Link ID ADV Router Age Seq# CkSum Link count
1.1.1.1 1.1.1.1 127 0x80000004 0xbf9a 1
AS External Link States
Link ID ADV Router Age Seq# CkSum Route
10.100.0.0 1.1.1.1 630 0x80000001 0xc2ff E2 10.100.0.0/24 [0x0]
10.150.0.0 1.1.1.1 621 0x80000001 0x6828 E2 10.150.0.0/24 [0x0]