Let’s continue on from yesterday’s lab, “Configuring Basic OSPF“. We’ve had a new requirement added to our original design: authenticated OSPF.
Our security team has decided that it is a security risk to run unauthenticated OSPF across our network backbone and has asked us to implement a secure method of sending OSPF updates. The risk is real: anyone who can put a host on one of our OSPF segments can bring up a rogue neighbor, inject LSAs and pull traffic through a box they control.
OSPFv2 defines three authentication types: null (type 0, what we have been running), plain-text (type 1) and MD5 (type 2). Plain-text authentication copies the password into the header of every OSPF packet, so anyone sniffing the segment reads the key straight off the wire; it only prevents accidental adjacencies. MD5 authentication never sends the key: each packet carries a key ID, a cryptographic sequence number and a 16-byte digest computed over the packet plus the secret key, so a receiver without the key can neither forge nor replay updates. Because a “secure method” was specified, we have to use MD5 authentication in our environment (plain-text is not “secure”). Newer IOS releases also support HMAC-SHA authentication through key chains, which is preferable where available, but MD5 is what this lab covers.
Using “pwgen” on an Ubuntu Linux box (“sudo apt-get install pwgen”), I came up with a random key of “xooph8MuBaeph5ee”. IOS limits a message-digest key to 16 characters, so “pwgen 16 1” (or “pwgen -s 16 1” for a fully random rather than pronounceable string) gives a key that uses the whole allowed length. This is the authentication key I’ll use for OSPF. You are, of course, free to use something else (and encouraged to do so!); just keep it to 16 characters.
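To make the difference between the two authentication types concrete, here is an added Python model of the OSPFv2 authentication rules from RFC 2328 Appendix D. It is illustration code written for this write-up, not code from the lab or from Cisco IOS. It builds a Hello packet for our segment with plain-text and with MD5 authentication, then plays receiver: it accepts the genuine packet and rejects a wrong key, a tampered byte, a replayed sequence number and an unauthenticated hello, which is exactly why adjacencies drop when only one side is configured. The plain-text password “cisco123”, the sequence numbers and the Hello field values are made-up sample data; the lab key is used as the MD5 secret.

```python
"""
Toy model of OSPFv2 authentication as specified in RFC 2328 Appendix D.
Shows what plain-text (type 1) and MD5 (type 2) authentication put on
the wire and how a receiver validates an MD5-authenticated packet.
Added illustration; not code from the lab or from Cisco IOS.
"""
import hashlib
import hmac
import socket
import struct

AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2
ip = socket.inet_aton  # dotted quad -> 4 network-order bytes


def hello_body():
    # Minimal Hello body: network mask, hello interval, options, priority,
    # dead interval, DR, BDR (no neighbor list). Values mirror the lab
    # segment: 10/40 second timers, ISP (10.10.10.1) is the DR.
    return struct.pack("!4sHBBI4s4s", ip("255.255.255.0"), 10, 0x02, 255,
                       40, ip("10.10.10.1"), ip("10.10.10.3"))


def ospf_packet(auth_type, auth_field, body, rid="10.10.10.1", area="0.0.0.0"):
    # 24-byte OSPFv2 header: version 2, type 1 (Hello), packet length,
    # router ID, area ID, checksum (0 for now), auth type, 8-byte auth field.
    hdr = struct.pack("!BBH4s4sHH8s", 2, 1, 24 + len(body), ip(rid),
                      ip(area), 0, auth_type, auth_field)
    return hdr + body


def ospf_checksum(packet):
    # Standard one's-complement checksum over the packet with the 8-byte
    # authentication field excluded. Used for auth types 0 and 1 only;
    # MD5-authenticated packets carry a zero checksum.
    data = packet[:16] + packet[24:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_simple(password, body):
    # Type 1: the password itself (at most 8 bytes) rides in the header.
    if len(password) > 8:
        raise ValueError("simple password is limited to 8 bytes")
    pkt = ospf_packet(AUTH_SIMPLE, password.ljust(8, b"\x00"), body)
    return pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]


def build_md5(key_id, key, seq, body):
    # Type 2: the header carries key ID, digest length (16) and a
    # cryptographic sequence number. The digest MD5(packet || key padded to
    # 16 bytes) is appended after the packet and is not counted in the
    # header's length field. The key itself never leaves the router.
    if len(key) > 16:
        raise ValueError("MD5 key is limited to 16 bytes")
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = ospf_packet(AUTH_MD5, auth, body)
    return pkt + hashlib.md5(pkt + key.ljust(16, b"\x00")).digest()


def verify_md5(frame, keys, last_seq):
    # Receiver side. keys maps key ID -> secret; last_seq tracks the highest
    # sequence number seen per neighbor router ID (anti-replay state).
    length = struct.unpack("!H", frame[2:4])[0]
    packet, digest = frame[:length], frame[length:length + 16]
    auth_type = struct.unpack("!H", packet[14:16])[0]
    if auth_type != AUTH_MD5 or len(digest) != 16:
        return "auth type mismatch"
    key_id, auth_len, seq = struct.unpack("!xxBBI", packet[16:24])
    if auth_len != 16 or key_id not in keys:
        return "unknown key id %d" % key_id
    expected = hashlib.md5(packet + keys[key_id].ljust(16, b"\x00")).digest()
    if not hmac.compare_digest(expected, digest):
        return "bad digest"
    rid = packet[4:8]
    if seq < last_seq.get(rid, 0):
        return "replayed sequence %d" % seq
    last_seq[rid] = seq
    return "ok"


def demo():
    key = b"xooph8MuBaeph5ee"      # the lab key: exactly the 16-byte maximum
    body = hello_body()
    clear = build_simple(b"cisco123", body)      # made-up plain-text password
    signed = build_md5(1, key, 0x5EC0A1, body)   # made-up sequence number
    tampered = signed[:31] + bytes([signed[31] ^ 0xFF]) + signed[32:]  # flip priority
    seen = {}
    return {
        "password visible in simple auth": b"cisco123" in clear,
        "key visible in md5 auth": key in signed,
        "good md5 accepted": verify_md5(signed, {1: key}, seen),
        "wrong key rejected": verify_md5(signed, {1: b"wrongkey"}, {}),
        "tampered packet rejected": verify_md5(tampered, {1: key}, {}),
        "replay rejected": verify_md5(build_md5(1, key, 0x5EC0A0, body), {1: key}, seen),
        "unauthenticated hello rejected": verify_md5(
            ospf_packet(AUTH_NULL, bytes(8), body), {1: key}, {}),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print("%-32s %s" % (check, result))
```

Run it and note two things: the plain-text password is present verbatim in the frame while the MD5 key never is, and the lab key is exactly 16 bytes, the maximum IOS accepts for “ip ospf message-digest-key”. The digest is MD5 over the packet with the key appended, not an HMAC, which is one reason newer deployments move to the key-chain based HMAC-SHA option. Real routers also fill in the Hello neighbor list; that detail is simplified here.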
Since we already have an environment up and running (see the “Configuring Basic OSPF” lab), we just need to add OSPF authentication to our configs and then verify proper operation. Let’s get started.
The actual configuration to enable OSPF authentication is pretty simple. It’s a two-part process: 1) define the authentication key on each OSPF interface and 2) tell OSPF to use message-digest authentication. Step 2 can be done once for the whole area under the OSPF process (“area 0 authentication message-digest”, which is what we’ll use here) or per interface with “ip ospf authentication message-digest”; either way, every router on a segment must agree on both the authentication type and the key. We’ll knock both steps out at once on each router:
ISP# configure terminal
ISP(config)# interface fastethernet 0/0
ISP(config-if)# ip ospf message-digest-key 1 md5 xooph8MuBaeph5ee
ISP(config-if)# router ospf 1
ISP(config-router)# area 0 authentication message-digest
ISP(config-router)# end
ISP#
Within the dead interval (40 seconds by default on Ethernet) of entering the above configuration, you should notice that both adjacencies (to Remote1 and Remote2) go from “FULL” to “DOWN”. The ISP router is now sending MD5-authenticated hellos, which the other two routers discard because the authentication type does not match theirs, and it discards their unauthenticated hellos for the same reason; once no valid hello has been seen for the dead interval, each side declares the neighbor down (the %OSPF-5-ADJCHG syslog message will give “Dead timer expired” as the reason). Let’s configure the Remote1 router:
REMOTE1# configure terminal
REMOTE1(config)# interface fastethernet 0/0
REMOTE1(config-if)# ip ospf message-digest-key 1 md5 xooph8MuBaeph5ee
REMOTE1(config-if)# router ospf 1
REMOTE1(config-router)# area 0 authentication message-digest
REMOTE1(config-router)# end
REMOTE1#
What we see on Remote1 is a bit different. After entering the configuration we should notice two things. First, the adjacency with Remote2 goes down, for the same reason as on the ISP router above. Second, the adjacency with the ISP router comes back up, because both routers are now sending (and expecting to receive) updates authenticated with the same key.
If we run “show ip ospf neighbor” on each router, we should see that ISP and Remote1 have an adjacency formed but that Remote2 does not have any adjacencies. Let’s verify this:
ISP# show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.10.3      254   FULL/BDR        00:00:36    10.10.10.3      FastEthernet0/0
ISP#

REMOTE1# show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.10.1      255   FULL/DR         00:00:32    10.10.10.1      FastEthernet0/0
REMOTE1#

REMOTE2# show ip ospf neighbor
REMOTE2#
All we need to do to get all of our adjacencies back up is to configure OSPF authentication on Remote2 just like we did the other two routers. We should then see our adjacencies form again:
REMOTE2# configure terminal
REMOTE2(config)# interface fastethernet 0/0
REMOTE2(config-if)# ip ospf message-digest-key 1 md5 xooph8MuBaeph5ee
REMOTE2(config-if)# router ospf 1
REMOTE2(config-router)# area 0 authentication message-digest
REMOTE2(config-router)# end
REMOTE2#
And, indeed, we’ll see the adjacencies form. Looking at the output of “show ip route” lets us verify convergence, but how can we know that authentication is actually being used? The quickest check is “show ip ospf interface fastethernet 0/0”, which reports whether message-digest authentication is enabled on the interface and which key ID is the youngest (the one used for sending). To watch it happen packet by packet, we can use a debug.
Let’s run “debug ip ospf adj” on the ISP router and take a look at the output:
ISP# debug ip ospf adj
OSPF adjacency events debugging is on
ISP#
*Mar 1 00:28:18.055: OSPF: Send with youngest Key 1
ISP#
*Mar 1 00:28:28.055: OSPF: Send with youngest Key 1
ISP#
*Mar 1 00:28:38.055: OSPF: Send with youngest Key 1
ISP#
*Mar 1 00:28:48.055: OSPF: Send with youngest Key 1
ISP# undebug all
All possible debugging has been turned off
ISP#
Success! Every hello (one every 10 seconds, matching the timestamps) is sent with key ID 1, the “youngest” key on the interface. IOS always sends with the most recently configured key, which is what makes a key rollover possible later: add a new key ID on every router first, and remove the old one only after all neighbors have it. One last caveat for the security team: the key sits in the running configuration in clear text, and “service password-encryption” only hides it behind the reversible type 7 encoding, so treat the configs and their backups as sensitive. We’ve now added authentication to our OSPF updates which will make our security team happy — and now they owe us a beer!