Monday, January 2, 2012

OSPF AUTHENTICATION

OSPF authentication is carried in the common 24-byte header shared by all five OSPFv2 packet types (Hello, DBD, LSR, LSU, LSAck): the 16-bit AuType field and the 64-bit Authentication field that follows it.

Today I looked at OSPF authentication. There are three authentication types, signalled in the AuType field of the header:

0 = Null
1 = Simple password (clear text)
2 = Cryptographic (MD5)

It can be enabled on all links in an area (globally, under the router ospf process)
or
on a per-link basis (at interface level).

Null = no authentication at all.
Clear text = the password is sent as-is in the Authentication field of every packet, so anyone sniffing the link reads it directly.
MD5 = the password is never sent; each packet carries a keyed MD5 digest computed over the packet plus the key, so a sniffer still sees the routing data but cannot forge or alter packets without knowing the key. The cryptographic sequence number carried in the same field also blocks simple replay. (MD5 is the strongest option on this IOS release; later releases add HMAC-SHA via key chains, per RFC 5709.)

The MD5 key ID is always set at interface level and must match between the neighbours on that link (the receiver looks up the key by the ID carried in the packet).
Virtual links belong to area 0, so area 0's authentication configuration is what applies to them.

To enable globally:
router ospf "process id"
area "area id" authentication [message-digest]

This enables OSPF authentication on every interface in that area (clear text without the message-digest keyword, MD5 with it). The keys themselves are still set per interface.


To enable on a per-link basis:
int "interface id"
ip ospf authentication [message-digest]
then for clear text
ip ospf authentication-key "password"
or for MD5
ip ospf message-digest-key "key id" md5 "password"
You can use
sh ip ospf int - it shows which authentication type is running on the interface
Whitespace is taken as part of the key, so a stray space before or after the password produces a different key.

The above enables OSPF authentication only on the specified link.

If both the global (area) command and the interface command are present, the interface command takes priority.

The OSPF password does not have to be the same throughout the entire area, but it does need to be the same between neighbours on a link.
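The three AuType values and the receiver-side checks described above, as an added example that is not from the original post: a small Python implementation of RFC 2328 Appendix D that builds an OSPFv2 Hello with null, clear-text or MD5 authentication and then verifies it the way the receiving router does, returning strings modelled on the IOS `debug ip ospf adj` messages. The Hello contents, router IDs, keys (including a `" CISCO"` key with a stray leading space) and the `verify` function's interface are constructed for the example; the wire format and the keyed-digest computation follow the RFC.

```python
"""OSPFv2 authentication (RFC 2328 Appendix D), added example.

Builds Hello packets for AuType 0/1/2 and runs the receiver-side checks
that produce the "Mismatch Authentication ..." debug messages on IOS.
"""
import hashlib
import struct

OSPF_VERSION = 2
HELLO = 1
AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2   # AuType values in the common header
HEADER_LEN = 24


def ipv4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum used with AuType 0 and 1; the caller leaves
    the 8-byte authentication field out of `data`, as the RFC requires."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def md5_digest(packet: bytes, key: bytes) -> bytes:
    """Keyed digest for AuType 2: MD5 over the packet followed by the key
    zero-padded to 16 bytes. The key never goes on the wire, and a key with
    a leading or trailing space is simply a different key."""
    if len(key) > 16:
        raise ValueError("OSPF MD5 key is at most 16 bytes")
    return hashlib.md5(packet + key.ljust(16, b"\x00")).digest()


def build_hello(router_id: str, area_id: str, auth_type: int,
                key: bytes = b"", key_id: int = 0, seq: int = 0) -> bytes:
    """Minimal Hello (no neighbours listed) with the chosen authentication."""
    body = struct.pack("!4sHBBI4s4s",
                       ipv4("255.255.255.0"),          # network mask (constructed)
                       10, 0x02, 1, 40,                # hello, options (E), prio, dead
                       ipv4(router_id), b"\x00" * 4)   # DR, BDR
    length = HEADER_LEN + len(body)
    head = struct.pack("!BBH4s4s", OSPF_VERSION, HELLO, length,
                       ipv4(router_id), ipv4(area_id))
    if auth_type == AUTH_MD5:
        # Checksum is zero; auth field = 0, key id, digest length, crypto seq no.
        auth_field = struct.pack("!HBBI", 0, key_id, 16, seq)
        packet = head + struct.pack("!HH", 0, AUTH_MD5) + auth_field + body
        return packet + md5_digest(packet, key)       # digest trails the packet
    if auth_type == AUTH_SIMPLE:
        if len(key) > 8:
            raise ValueError("simple password is at most 8 bytes")
        auth_field = key.ljust(8, b"\x00")            # password sent in the clear
    else:
        auth_field = b"\x00" * 8
    csum = ip_checksum(head + struct.pack("!HH", 0, auth_type) + body)
    return head + struct.pack("!HH", csum, auth_type) + auth_field + body


def sniffed_password(packet: bytes) -> bytes:
    """What a passive observer reads straight out of an AuType 1 packet."""
    return packet[16:24].rstrip(b"\x00")


def verify(packet: bytes, our_type: int, simple_key: bytes = b"", md5_keys=None) -> str:
    """Receiver checks in the order IOS reports them: AuType first, then the
    key. Returns 'ok' or a reason string modelled on the debug output."""
    md5_keys = md5_keys or {}                         # key id -> key bytes
    _, _, length, _, _, _, atype, auth = struct.unpack("!BBH4s4sHH8s", packet[:HEADER_LEN])
    if atype != our_type:
        return ("Mismatch Authentication type. Input packet specified "
                f"type {atype}, we use type {our_type}")
    if atype == AUTH_MD5:
        _, key_id, data_len, _seq = struct.unpack("!HBBI", auth)
        if key_id not in md5_keys:
            return f"Mismatch Authentication Key - No message digest key {key_id} on interface"
        if packet[length:length + data_len] != md5_digest(packet[:length], md5_keys[key_id]):
            return f"Mismatch Authentication Key - Message Digest Key {key_id}"
        return "ok"
    # AuType 0/1: checksum covers everything except the auth field and folds to 0
    if ip_checksum(packet[:16] + packet[24:length]) != 0:
        return "Bad checksum"
    if atype == AUTH_SIMPLE and auth != simple_key.ljust(8, b"\x00"):
        return "Mismatch Authentication Key - Clear Text"
    return "ok"


if __name__ == "__main__":
    clear = build_hello("22.22.22.22", "0.0.0.1", AUTH_SIMPLE, b"CISCO")
    print(sniffed_password(clear))                      # the clear-text key, readable on the wire
    print(verify(clear, AUTH_NULL))                     # type mismatch, as in the lab debug
    print(verify(clear, AUTH_SIMPLE, simple_key=b""))   # blank key vs CISCO: key mismatch
    md5 = build_hello("2.2.2.2", "0.0.0.1", AUTH_MD5, b"CISCO", key_id=2, seq=1)
    print(verify(md5, AUTH_MD5, md5_keys={2: b" CISCO"}))   # stray leading space: mismatch
    print(verify(md5, AUTH_MD5, md5_keys={2: b"CISCO"}))    # ok
```

Running it shows the three failure modes from the lab in order (type mismatch, clear-text key mismatch, MD5 key mismatch from a key that differs only by a space) and that the MD5 packet carries no copy of the key while the clear-text packet carries it verbatim.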

LAB
---
For the lab we will have bb2 - sw2 - r2, all in area 1.

S2
===

On s2 we have full adjacency with both bb2 (22.22.22.22) and r2 (222.222.222.222):
switch2#sh ip ospf neigh
00:11:44: %SYS-5-CONFIG_I: Configured from console by console
Neighbor ID     Pri   State           Dead Time   Address         Interface
22.22.22.22       1   FULL/DR         00:00:37    10.164.49.2     FastEthernet0/24
222.222.222.222   0   FULL/  -        00:00:37    172.25.13.1     FastEthernet0/2
s2 has no authentication set.

If you look at sh ip ospf int there is no mention of authentication:
switch2#sh ip ospf int fa0/24
FastEthernet0/24 is up, line protocol is up (connected)
  Internet Address 10.164.49.1/24, Area 1
  Process ID 1, Router ID 2.2.2.2, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 22.22.22.22, Interface address 10.164.49.2
  Backup Designated router (ID) 2.2.2.2, Interface address 10.164.49.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:04
  Supports Link-local Signaling (LLS)
  Index 3/3, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 22.22.22.22  (Designated Router)
  Suppress hello for 0 neighbor(s)

Ok, for the area we will switch on simple password authentication under the OSPF process:
switch2(config)#router ospf 1
switch2(config-router)#area 1 authentication
switch2(config-router)#exit
switch2#sh ip ospf int
00:19:15: %SYS-5-CONFIG_I: Configured from console by console
FastEthernet0/24 is up, line protocol is up (connected)
  Internet Address 10.164.49.1/24, Area 1
  Process ID 1, Router ID 2.2.2.2, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 22.22.22.22, Interface address 10.164.49.2
  Backup Designated router (ID) 2.2.2.2, Interface address 10.164.49.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:00
  Supports Link-local Signaling (LLS)
  Index 3/3, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 22.22.22.22  (Designated Router)
  Suppress hello for 0 neighbor(s)
  Simple password authentication enabled

We can see simple password authentication is enabled, and our neighbour relationships
have gone down:
switch2#sh ip ospf neigh
switch2#
switch2#debug ip ospf adj
OSPF adjacency events debugging is on
switch2#
00:21:59: OSPF: Rcv pkt from 172.25.13.1, FastEthernet0/2 : Mismatch Authentication
type. Input packet specified type 0, we use type 1
00:22:02: OSPF: Rcv pkt from 10.164.49.2, FastEthernet0/24 : Mismatch Authentication
type. Input packet specified type 0, we use type 1
00:22:09: OSPF: Rcv pkt from 172.25.13.1, FastEthernet0/2 : Mismatch Authentication
type. Input packet specified type 0, we use type 1
00:22:12: OSPF: Rcv pkt from 10.164.49.2, FastEthernet0/24 : Mismatch Authentication
type. Input packet specified type 0, we use type 1
We are receiving packets with AuType 0 (null, no authentication) while we are now using type 1 (simple password). Even though we never set a password, the area command turned on clear-text authentication with a blank key, and the type mismatch alone is enough for the hellos to be discarded, so the adjacencies drop once the dead timer expires.

If on bb2 I enable just simple password authentication on the interface, the neighbour relationship should come back up:

BB2
-----
bb2(config)#int ethernet 0
bb2(config-if)#ip ospf authentication
bb2(config-if)#exit
bb2(config)#exit
00:24:57: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Ethernet0 from LOADING to FULL,
Loading Done
bb2#

Both are now using simple password authentication with a blank password, so the adjacency comes up.

Now we will try setting a password on bb2:
bb2(config)#int ethernet 0
bb2(config-if)#ip ospf authen?
authentication  authentication-key
bb2(config-if)#ip ospf authentication-key ?
  <0-7>  Encryption type (0 for not yet encrypted, 7 for proprietary)
  LINE   The OSPF password (key)
bb2(config-if)#ip ospf authentication-key 0 ?
  LINE  The OSPF password (key)
bb2(config-if)#ip ospf authentication-key 0 CISCO
bb2(config-if)#exit
bb2(config)#exit
bb2#debug ip ospf adj
00:27:07: %SYS-5-CONFIG_I: Configured from console by console
OSPF adjacency events debugging is on
bb2#
00:27:13: OSPF: Rcv pkt from 10.164.49.1, Ethernet0 : Mismatch Authentication Key -
Clear Text
00:27:33: OSPF: Rcv pkt from 10.164.49.1, Ethernet0 : Mismatch Authentication Key -
Clear Text
00:27:43: OSPF: Rcv pkt from 10.164.49.1, Ethernet0 : Mismatch Authentication Key -
Clear Text
00:27:53: OSPF: Rcv pkt from 10.164.49.1, Ethernet0 : Mismatch Authentication Key -
Clear Text
00:28:03: OSPF: Rcv pkt from 10.164.49.1, Ethernet0 : Mismatch Authentication Key -
Clear Text
00:28:13: OSPF: Rcv pkt from 10.164.49.1, Ethernet0 : Mismatch Authentication Key -
Clear Text

So we are getting a mismatched authentication key and our neighbour relationship has gone down. Back on s2:
S2
---
switch2(config)#int fa0/24
switch2(config-if)#ip ospf authentication ?
  message-digest  Use message-digest authentication
  null            Use no authentication
  <cr>
switch2(config-if)#ip ospf authentication-key ?
  <0-7>  Encryption type (0 for not yet encrypted, 7 for proprietary)
  LINE   The OSPF password (key) (maximum 8 characters)
switch2(config-if)#ip ospf authentication-key 0 CISCO
switch2(config-if)#
00:29:23: %OSPF-5-ADJCHG: Process 1, Nbr 22.22.22.22 on FastEthernet0/24 from LOADING
to FULL, Loading Done
We can see that once the keys match the neighbour relationship comes back up.
Now on r2 we will set MD5 authentication on the interface:

r2
--
r2(config)#int fa0/0
r2(config-if)#ip ospf authentication message-digest
r2(config-if)#ip ospf message-digest-key 2 md5 0 CISCO
r2#debug ip ospf adj
OSPF adjacency events debugging is on
r2#
*Mar  1 03:28:02.759: OSPF: Send with youngest Key 2
*Mar  1 03:28:03.099: OSPF: Rcv pkt from 172.25.13.2, FastEthernet0/0 : Mismatch
Authentication type. Input packet specified type 1, we use type 2
We can see from the debug that r2 is using type 2 (MD5) while s2 is still using type 1 (clear text), because the area 1 authentication command we set globally on s2 under the router ospf process put clear-text authentication on every interface in area 1.
s2
---
We will set MD5 on the interface connecting to r2 and see whether the interface-level command overrides the global one.
switch2#sh ip ospf int fa0/2
FastEthernet0/2 is up, line protocol is up (connected)
  Internet Address 172.25.13.2/24, Area 1
  Process ID 1, Router ID 2.2.2.2, Network Type POINT_TO_POINT, Cost: 1
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:05
  Supports Link-local Signaling (LLS)
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0
  Suppress hello for 0 neighbor(s)
  Simple password authentication enabled
switch2#
We can see that at the moment simple password authentication is set on fa0/2 because of the area-wide command.

switch2(config)#int fa0/2
switch2(config-if)#ip ospf authentication message-digest
switch2(config-if)#ip ospf message-digest-key 2 md5 0  CISCO
switch2(config-if)#
It is still not coming up:
switch2#sh ip ospf int fa0/2
FastEthernet0/2 is up, line protocol is up (connected)
  Internet Address 172.25.13.2/24, Area 1
  Process ID 1, Router ID 2.2.2.2, Network Type POINT_TO_POINT, Cost: 1
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:03
  Supports Link-local Signaling (LLS)
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 2
even though MD5 is set:
switch2#debug ip ospf adj
OSPF adjacency events debugging is on
switch2#
00:43:59: OSPF: Rcv pkt from 172.25.13.1, FastEthernet0/2 : Mismatch Authentication
Key - Message Digest Key 2
00:43:59: OSPF: Send with youngest Key 2
switch2#
We have a key mismatch.

The problem is that in my command on s2 I had an extra space before the password CISCO (whitespace is taken as part of the key, so s2 was using a different key):
switch2(config-if)#no ip ospf message-digest-key 2 md5 0  CISCO
switch2(config-if)#ip ospf message-digest-key 2 md5 0 CISCO
switch2(config-if)#exit

Once corrected the adjacency comes up.
So if authentication is configured on the interface it overrides the global process setting. Let's configure MD5 area-wide on sw2:
switch2(config)#router ospf 1
switch2(config-router)#area 1 authentication message-digest
switch2(config-router)#

Ok, now on bb2:
bb2
----
bb2(config)#int ethernet 0
bb2(config-if)#ip ospf authentication message-digest
bb2(config-if)#ip ospf message-digest-key 2 md5 0 CISCO
bb2(config-if)#

bb2#debug ip ospf adj
OSPF adjacency events debugging is on
bb2#
00:52:04: OSPF: Rcv pkt from 10.164.49.1, Ethernet0 : Mismatch Authentication Key -
No message digest key 0 on interface
00:52:07: OSPF: Send with youngest Key 2
00:52:14: OSPF: Rcv pkt from 10.164.49.1, Ethernet0 : Mismatch Authentication Key -
No message digest key 0 on interface

We are receiving packets with key ID 0 but sending with key ID 2. We never configured a message-digest key on the fa0/24 interface of s2, so with MD5 now enabled area-wide it defaults to key ID 0 with a blank password. To fix this we could:
bb2(config)#int ethernet 0
bb2(config-if)#no ip ospf message-digest-key 2 md5 0 CISCO
bb2(config-if)#ip ospf authentication message-digest
00:53:37: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Ethernet0 from LOADING to FULL,
Loading Done
bb2(config-if)#

We take off our configured message-digest key but leave MD5 authentication on; this defaults bb2 to key ID 0 with no password, the same as s2, so they can now form the adjacency. That gets the lab up, but an MD5 digest over a blank key that anyone can compute authenticates nothing; in practice the right fix is to configure the matching message-digest-key on s2's fa0/24 rather than dropping the key on bb2.
bb2#sh ip ospf int
Loopback0 is up, line protocol is up
  Internet Address 22.22.22.22/32, Area 1
  Process ID 1, Router ID 22.22.22.22, Network Type LOOPBACK, Cost: 1
  Loopback interface is treated as a stub Host
Ethernet0 is up, line protocol is up
  Internet Address 10.164.49.2/24, Area 1
  Process ID 1, Router ID 22.22.22.22, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 22.22.22.22, Interface address 10.164.49.2
  Backup Designated router (ID) 2.2.2.2, Interface address 10.164.49.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:08
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 2
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 2.2.2.2  (Backup Designated Router)
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
      No key configured, using default key id 0
bb2#
