Implementing OSPF authentication helps mitigate security threats against the OSPF routing protocol. If OSPF packets are not protected by a correct implementation of authentication, an attacker can use crafted OSPF packets to gain unauthorized influence over a network's routing. The authentication fields are carried in the OSPF packet header, which is present in every OSPF packet type. Our primary focus is OSPFv2, while also covering how authentication changed in OSPFv3.
Agenda
- OSPF version 2 packet header and supported authentication methods.
- A strategy for securing OSPF version 2 routing information with authentication in environments using IPv4.
- OSPF version 3 packet header and supported authentication methods.
- A strategy for securing OSPF version 3 routing information with authentication in environments using IPv6.
1. OSPFv2 packet header & supported authentication methods.
OSPF v2 Packet Header
The OSPFv2 packet header is included with all OSPF packet types. Because OSPF version 2 supports several methods of authentication, the header carries an AuType field indicating the configured authentication type, and an Authentication field that carries the authentication data.
Null authentication
- The null authentication type (0) denotes routing exchanges that are not authenticated.
- The Authentication field is left empty (all zeros).
- Because the Authentication field is empty, a receiving router does not inspect it.
- The standard OSPF checksum, computed over the packet excluding the 64-bit Authentication field, is still used to detect data corruption.
Simple password authentication
- The simple password authentication type (1) is also known as plaintext authentication.
- It is a 64-bit password carried in the packet header in clear text.
- This type of authentication helps to mitigate the threat of routers unintentionally joining a routing domain.
- It requires each router to be configured with the password before it can participate.
- Simple password authentication is vulnerable to passive attacks such as sniffing: anyone with physical access to the network can learn the password, which undermines the security of the network.
Cryptographic Authentication
- With the cryptographic authentication type (2), a shared secret key is configured on all of the routers participating in OSPF on the interface or in the area.
- The key is used to generate and verify a message digest appended to each packet.
- The algorithm used to generate and verify the message digest (MD5) is specified implicitly by the configured secret key.
- Passive attacks are mitigated since the password is never sent over the network in clear form.
- Additionally, a non-decreasing sequence number is added to protect against replay attacks.
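To make the three AuType values concrete, the following added example (written for this page, not code from the presentation or from any router vendor) builds and verifies OSPFv2 packets the way a receiving router does: the Null and Simple types are checked with the header checksum that skips the 64-bit Authentication field, and the Cryptographic type checks the appended MD5 digest computed over the packet plus the secret key (RFC 2328 Appendix D) and rejects a decreasing cryptographic sequence number. Router IDs, the Hello body, passwords and keys are constructed values; zero-padding a short key to 16 bytes is the convention used by common implementations and is assumed here.

```python
import hashlib
import hmac
import struct

# OSPFv2 packet header (RFC 2328 A.3.1): version, type, length, router id,
# area id, checksum, AuType, 64-bit Authentication field.
OSPF_HDR = struct.Struct("!BBHIIHH8s")
AUTH_NULL, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2
HELLO = 1


def ip_checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _key16(key: bytes) -> bytes:
    # Cryptographic auth treats the key as 16 bytes; a shorter key is
    # zero-padded (assumed convention, matches common implementations).
    return key.ljust(16, b"\x00")[:16]


def build_packet(router_id, area_id, body, autype, *, password=b"", key_id=0, key=b"", seq=0):
    """Build a constructed OSPFv2 Hello with the requested authentication type."""
    length = OSPF_HDR.size + len(body)
    if autype == AUTH_CRYPTO:
        # Authentication field: reserved(2), Key ID(1), Auth Data Length(1), sequence(4).
        # The checksum field stays zero and a 16-byte MD5 digest follows the packet.
        auth = struct.pack("!HBBI", 0, key_id, 16, seq)
        hdr = OSPF_HDR.pack(2, HELLO, length, router_id, area_id, 0, autype, auth)
        digest = hashlib.md5(hdr + body + _key16(key)).digest()
        return hdr + body + digest
    auth = password.ljust(8, b"\x00")[:8] if autype == AUTH_SIMPLE else bytes(8)
    hdr = OSPF_HDR.pack(2, HELLO, length, router_id, area_id, 0, autype, auth)
    # The checksum covers the packet minus the 64-bit Authentication field.
    chk = ip_checksum(hdr[:16] + body)
    return OSPF_HDR.pack(2, HELLO, length, router_id, area_id, chk, autype, auth) + body


class Receiver:
    """Receive-side checks for one interface, with per-neighbour replay state."""

    def __init__(self, autype, password=b"", keys=None):
        self.autype = autype
        self.password = password.ljust(8, b"\x00")[:8]
        self.keys = keys or {}      # Key ID -> secret key
        self.last_seq = {}          # router id -> last accepted sequence number

    def verify(self, pkt: bytes):
        ver, _ptype, length, rid, _area, chk, autype, auth = OSPF_HDR.unpack_from(pkt)
        if ver != 2 or length > len(pkt):
            return False, "malformed header"
        if autype != self.autype:
            return False, "AuType mismatch"
        body = pkt[OSPF_HDR.size:length]
        if autype != AUTH_CRYPTO:
            if autype == AUTH_SIMPLE and not hmac.compare_digest(auth, self.password):
                return False, "bad password"
            # Recompute with the checksum field zeroed and the auth field excluded.
            if ip_checksum(pkt[:12] + b"\x00\x00" + pkt[14:16] + body) != chk:
                return False, "bad checksum"
            return True, "accepted"
        _res, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
        key = self.keys.get(key_id)
        if key is None or auth_len != 16:
            return False, "unknown key id or bad auth length"
        digest = pkt[length:length + 16]
        expected = hashlib.md5(pkt[:length] + _key16(key)).digest()
        if not hmac.compare_digest(expected, digest):
            return False, "bad digest"
        # Sequence numbers must be non-decreasing per neighbour (replay protection).
        if seq < self.last_seq.get(rid, 0):
            return False, "replay: sequence number decreased"
        self.last_seq[rid] = seq
        return True, "accepted"
```

Note that the sequence number is only non-decreasing, so a captured packet can be replayed until the sender's counter moves on; the digest check is what stops modification of the routing contents.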
2. A strategy for securing OSPFv2 routing information with authentication in environments using IPv4.
- OSPF authentication can be implemented as interface or area specific configuration.
- Our strategy uses area-specific configuration with the cryptographic authentication type on the routers forming part of area 0, and the simple authentication type towards the non-backbone areas.
- The simple authentication type is still more secure than null authentication, as it prevents routers from unintentionally taking part in OSPF routing for the area.
- Additionally, the routers not forming part of area 0 are configured with interface-specific authentication using the simple authentication type.
- Note: cryptographic authentication can be used in all areas if a stricter set of requirements and policies applies.
R1 Configuration
OSPF Process Configuration
Interface Configuration
Authentication Verification
R2 Configuration
OSPF Process Configuration
Interface Configuration
Authentication Verification
R3 Configuration
OSPF Process Configuration
Interface Configuration
Authentication Verification
3. OSPF version 3 packet header and supported authentication methods.
Changes within OSPFv3 packet header
OSPFv3 does not natively support authentication: it has been removed from the protocol itself, and both the Authentication type (AuType) and Authentication fields are gone from the packet header.
- OSPFv3 utilizes the IP Authentication Header and the IP Encapsulating Security Payload to ensure the confidentiality and integrity of routing exchanges are maintained.
- OSPFv3 neighbor authentication does not use Internet Key Exchange to form the IPsec security association values.
- Because of this, the IPsec SPI, hash algorithm and keys must be configured manually on each router.
OSPFv3 Wireshark Capture
Configured with Authentication Header
- We can see that the authentication header used for authentication is present in the packet.
- We can also see that the OSPF header has changed in OSPFv3 as the fields used for authentication by OSPFv2 have been completely removed.
Configured with ESP Header
- We can see that the ESP header used is present, providing authentication and encryption by encapsulating the routing information.
4. A strategy for securing OSPFv3 routing information with authentication in environments using IPv6.
- We use area specific configuration on R2 and R3 as they form part of the backbone area.
- Furthermore, we use interface-specific configuration on R1.
- We implemented OSPFv3 authentication with our configuration, making use of the IPv6 authentication header and the SHA-1 hashing algorithm.
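The Wireshark captures above show what an analyst looks for: an OSPFv3 header with no authentication fields, preceded either by an AH header or by an ESP header. The following added example (written for this page, not code from the presentation or from any vendor) walks an IPv6 header chain, reports whether an OSPFv3 packet is unprotected, AH-protected or ESP-protected, and, for AH with a manually configured SPI and SHA-1 key as in our strategy, verifies the HMAC-SHA1-96 integrity check value with the mutable IPv6 fields zeroed as RFC 4302 requires. The link-local addresses, SPI and key are constructed; the ESP payload is only recognised, not decrypted, because its contents (including the inner next-header byte) are encrypted.

```python
import hashlib
import hmac
import struct

IPV6_HDR = struct.Struct("!IHBB16s16s")   # ver/tc/flow, payload len, next hdr, hop limit, src, dst
OSPFV3_HDR = struct.Struct("!BBHIIHBB")   # ver, type, length, router id, area id, checksum, instance, reserved
PROTO_AH, PROTO_ESP, PROTO_OSPF = 51, 50, 89
EXT_GENERIC = {0, 43, 60}                 # hop-by-hop, routing, destination options
ICV_LEN = 12                              # HMAC-SHA1-96 truncated ICV (only this algorithm is handled)


def build_ipv6(src, dst, next_hdr, payload, hop_limit=1):
    """Constructed IPv6 packet: version 6, zero traffic class and flow label."""
    return IPV6_HDR.pack(6 << 28, len(payload), next_hdr, hop_limit, src, dst) + payload


def _ah_icv_input(pkt, ah_off, ah_len):
    """Packet with mutable fields zeroed, i.e. what the AH ICV is computed over."""
    b = bytearray(pkt)
    b[0] &= 0xF0               # traffic class (high nibble)
    b[1:4] = b"\x00\x00\x00"   # traffic class (low nibble) and flow label
    b[7] = 0                   # hop limit
    b[ah_off + 12:ah_off + ah_len] = bytes(ah_len - 12)   # the ICV field itself
    return bytes(b)


def build_ah_ospf(src, dst, spi, seq, key, ospf_payload):
    """Constructed OSPFv3 packet protected by AH with HMAC-SHA1-96."""
    ah_len = 12 + ICV_LEN
    # AH: next header, payload length (32-bit words minus 2), reserved, SPI, sequence, ICV
    ah = struct.pack("!BBHII", PROTO_OSPF, ah_len // 4 - 2, 0, spi, seq) + bytes(ICV_LEN)
    pkt = build_ipv6(src, dst, PROTO_AH, ah + ospf_payload)
    icv = hmac.new(key, _ah_icv_input(pkt, IPV6_HDR.size, ah_len), hashlib.sha1).digest()[:ICV_LEN]
    b = bytearray(pkt)
    b[IPV6_HDR.size + 12:IPV6_HDR.size + ah_len] = icv
    return bytes(b)


def inspect(pkt, ah_keys=None):
    """Walk the IPv6 header chain and report how (if at all) the OSPFv3 packet is protected."""
    _v, _plen, nh, _hl, _src, _dst = IPV6_HDR.unpack_from(pkt)
    off = IPV6_HDR.size
    result = {"protection": "none", "spi": None, "seq": None, "icv_ok": None, "ospf": None}
    while True:
        if nh in EXT_GENERIC:                       # length field counts 8-octet units after the first 8
            nh, ext_len = pkt[off], pkt[off + 1]
            off += (ext_len + 1) * 8
        elif nh == 44:                              # fragment header, fixed 8 bytes
            nh, off = pkt[off], off + 8
        elif nh == PROTO_ESP:
            spi, seq = struct.unpack_from("!II", pkt, off)
            result.update(protection="ESP", spi=spi, seq=seq)   # rest is ciphertext
            return result
        elif nh == PROTO_AH:
            nh, ah_plen, _r, spi, seq = struct.unpack_from("!BBHII", pkt, off)
            ah_len = (ah_plen + 2) * 4
            result.update(protection="AH", spi=spi, seq=seq)
            key = (ah_keys or {}).get(spi)          # SPI -> SHA-1 key, as manually configured
            if key is not None:
                expected = hmac.new(key, _ah_icv_input(pkt, off, ah_len), hashlib.sha1).digest()[:ICV_LEN]
                result["icv_ok"] = hmac.compare_digest(expected, pkt[off + 12:off + ah_len])
            off += ah_len
        elif nh == PROTO_OSPF:
            ver, ptype, _ln, rid, area, _chk, inst, _res = OSPFV3_HDR.unpack_from(pkt, off)
            # Note the 16-byte OSPFv3 header: no AuType, no Authentication field.
            result["ospf"] = {"version": ver, "type": ptype, "router_id": rid, "area": area, "instance": inst}
            return result
        else:
            result["unparsed_next_header"] = nh
            return result
```

Run over a capture, an `inspect()` result with `protection == "none"` on a link that should be secured is the misconfiguration to alert on, and `icv_ok is False` on an AH packet indicates either a key mismatch between neighbours or a modified packet.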
R1 Configuration
OSPF Process Configuration
Interface Configuration
R2 Configuration
OSPF Process Configuration
Interface Configuration
R3 Configuration
OSPF Process Configuration
Interface Configuration
Conclusion
- The implementation of OSPF authentication helps us to mitigate security threats related to the OSPF routing protocol.
- OSPFv2 authentication is configured using authentication data and authentication type fields found within the OSPFv2 packet header.
- OSPFv3 authentication takes place through the utilization of IP Encapsulating Security Payload and IP authentication header.
- Understanding the different types of authentication supported by OSPF is of great importance to maintain integrity and confidentiality within a business networking environment.
Team Members
- Ettienne Nell