Assignment 08‐1 - LPouliot/Junior-Spring-NET-330-01-Network-Design GitHub Wiki
Assignment 8 - OSPF Authentication Assignment
How OSPF authentication works and the most common methods
OSPF supports plain text authentication and Message Digest 5 (MD5) authentication. Routers authenticate the routing updates they exchange, which keeps malicious or incorrect routing information out of the routing table. With authentication in place, the routing protocol can pass routing information on to its next destination without complications.
There are three types of authentication: null, clear text, and cryptographic. Null authentication means that there is no authentication at all, which is the configuration completed in Lab 8.1. The second type is plain text authentication, where passwords are transferred in clear text across the network. Lastly, cryptographic authentication uses the open-standard MD5 message digest.
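The clear-text and MD5 methods described above differ in what actually travels on the wire. The following added example (not part of the original wiki page) builds both kinds of OSPFv2 header per RFC 2328 Appendix D, using the two keys from the configuration commands on this page, and verifies the MD5 digest as a receiving router would. The function names, router ID and packet body are constructed for illustration.

```python
import hashlib
import hmac
import struct

AU_SIMPLE, AU_CRYPTO = 1, 2   # RFC 2328 AuType values (0 is null authentication)
BODY = b"constructed hello body"  # placeholder payload, not a real Hello body

def _header(au_type, auth_field, body):
    # Constructed OSPFv2 header: type 1 (Hello), router ID 10.0.0.1, area 0.
    # Checksum is left at 0 in this sample; RFC 2328 requires that only for AuType 2.
    fixed = struct.pack("!BBH4s4sHH", 2, 1, 24 + len(body),
                        bytes([10, 0, 0, 1]), bytes(4), 0, au_type)
    return fixed + auth_field

def build_simple(password, body=BODY):
    # AuType 1: the password itself fills the 8-byte authentication field.
    return _header(AU_SIMPLE, password.encode().ljust(8, b"\0"), body) + body

def read_simple_password(packet):
    # What any capture on the link shows for an AuType 1 packet.
    return packet[16:24].rstrip(b"\0").decode()

def build_md5(key, key_id, seq, body=BODY):
    # AuType 2: the field holds 0, key ID, digest length and a sequence number.
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    packet = _header(AU_CRYPTO, auth, body) + body
    # Digest = MD5(packet || key zero-padded to 16 bytes), appended after the
    # packet and not counted in the header's length field.
    return packet + hashlib.md5(packet + key.encode().ljust(16, b"\0")).digest()

def verify_md5(packet, keys, last_seq):
    # keys maps key ID -> secret; last_seq is the last sequence number accepted
    # from this neighbor, so older (replayed) packets are dropped.
    if len(packet) < 40:
        return False
    length, au_type = struct.unpack("!H", packet[2:4])[0], struct.unpack("!H", packet[14:16])[0]
    _, key_id, digest_len, seq = struct.unpack("!HBBI", packet[16:24])
    if au_type != AU_CRYPTO or key_id not in keys or digest_len != 16 or seq < last_seq:
        return False
    if length < 24 or len(packet) != length + 16:
        return False
    expected = hashlib.md5(packet[:length] + keys[key_id].encode().ljust(16, b"\0")).digest()
    return hmac.compare_digest(packet[length:], expected)

if __name__ == "__main__":
    print(read_simple_password(build_simple("secret")))   # key from the page
    good = build_md5("lily@123", 1, 100)                   # key from the page
    print(verify_md5(good, {1: "lily@123"}, last_seq=99))
```

With the clear-text packet the key is recoverable from a capture, while the MD5 packet carries only the digest and fails verification if it is altered, keyed with the wrong secret, or replayed with an older sequence number.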
Potential security issues related to OSPF if authentication is not used
OSPF is vulnerable to a few types of attacks, specifically LSA falsification. These attacks do not rely on implementation vulnerabilities; all OSPF routers are vulnerable to them, through false LSAs or non-persistent methods that don’t trigger the fight-back response. The attacks are known as self-LSA and other-LSA; a self-LSA attack happens when an attacker forces the victim router to send a false LSA on behalf of other routers within the same network. These attackers can evade the fight-back mechanism and spoof the routing table for the whole OSPF routing domain, which is known as fight-back evasion. Through this, the attacker can quietly change the view that other routers have of the AS topology and affect their routing tables.
One reason for an attacker to divert traffic away from the intended routers and toward the attacker’s goal is denial of service. Several strategies lead to a denial-of-service attack, overloading the network and ultimately causing connections to fail. The first is churn, where traffic routes change rapidly. The second is delivery failure, where a portion of the network mistakenly believes it is disconnected from the AS. The third is long routes, where traffic is sent over very long routes to waste network resources. Lastly, routing loops occur when traffic loops between two or more routers while consuming network resources.
Configuring OSPF authentication
The following commands show the configuration required to set up OSPF authentication on each router.
To enable OSPF MD5 authentication for routers:
#configure terminal
(config)#interface gigabitEthernet 0/0
(config-if)#ip ospf message-digest-key 1 md5 lily@123
(config-if)#exit
(config)#router ospf 1
(config-router)#area 0 authentication message-digest
(config-router)#exit
To enable clear text authentication for routers:
#configure terminal
(config)#interface gigabitEthernet 0/0
(config-if)#ip ospf authentication-key secret
(config-if)#ip ospf authentication
(config-if)#do show ip ospf interface gigabitEthernet 0/0