OSPF Authentication Enhancements

Today we will discuss the enhancements made to OSPF authentication.  As mentioned in a previous post, it is now possible to use HMAC-SHA authentication with OSPF, as described in RFC 5709 (SHA is a hash, not encryption: the packets stay readable, only their integrity and origin are protected).

There are two major enhancements described in the RFC:

  • OSPF SHA Cryptographic Authentication
  • OSPF Key Chain Based Authentication

Despite the improvements, the RFC does not define a new Authentication Type.  OSPF still uses the usual Type-0 (Null), Type-1 (Simple Password) and Type-2 (Cryptographic) authentication types.  It does, however, define new cryptographic algorithms for Type-2:

  • HMAC-SHA-1
  • HMAC-SHA-256
  • HMAC-SHA-384
  • HMAC-SHA-512

Using key chains adds several capabilities to the authentication, such as:

  • Multiple keys can be defined.
  • A single key chain can be used for multiple interfaces.
  • Allow automatic time-based key rotation.

I should also mention that key chains are backwards compatible with the interface-level Type 2 (MD5) authentication, and the rule that the key number and password must match between routers still applies (with key chains, the cryptographic algorithm of that key must match as well).

Only two steps are required to use the OSPF authentication enhancements described above:

  1. Configure the Key Chain.
  2. Associate the Key Chain to an interface.

Key Chain Configuration

To configure a key chain, the following steps must be followed:

  1. Define the key chain name to be used.

key chain {key chain-name}

  2. Configure a key identifier.  The command accepts 0-2147483647, but OSPF carries the key ID in an 8-bit header field, so for OSPF use key numbers between 1 and 255.

key {0-2147483647}

  3. Configure the password to be used.

key-string {password}

  4. Configure the cryptographic algorithm to be used (md5, hmac-sha-1, hmac-sha-256, hmac-sha-384 or hmac-sha-512).

cryptographic-algorithm {crypto-algorithm}

  5. (OPTIONAL) Lifetimes.  These are used for time-based key rotation; when they are omitted, the key is always valid for both receiving and sending.

accept-lifetime {start-time} {start-date} {end-time} {end-date | infinite}

send-lifetime {start-time} {start-date} {end-time} {end-date | infinite}

Key-chain configuration example:

!
key chain testkey1
key 1
key-string cisco123
cryptographic-algorithm hmac-sha-1
end
!

In this example the key chain testkey1 was configured on the router with a single key (1), with password cisco123, and the cryptographic algorithm selected was HMAC-SHA-1.   Because no lifetimes were set, the key is valid immediately and never expires.

Key-chain configuration example with time-based key rotation:

!
key chain testkey2
key 1
key-string cisco123
cryptographic-algorithm hmac-sha-1
accept-lifetime 00:00:00 Jan 1 2016 00:15:00 Jun 1 2016
send-lifetime 00:00:00 Jan 1 2016 00:00:00 Jun 1 2016
key 2
key-string cisco321
cryptographic-algorithm hmac-sha-1
accept-lifetime 23:45:00 May 31 2016 infinite
send-lifetime 00:00:00 Jun 1 2016 infinite
end
!

In this example, the router accepts key 1 (password cisco123) until 12:15 AM on June 1, 2016, and sends it until 12:00 AM on the same date.  It starts accepting key 2 (password cisco321) at 11:45 PM on May 31, 2016, and starts sending it at 12:00 AM on June 1.  The 15-minute accept overlap on each side of the changeover is what keeps the adjacency up if the two routers' clocks differ slightly.  It is worth mentioning that key rotation depends on accurate and synchronized time on all devices, so use NTP and check the clocks before the rollover date.
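To make the lifetime semantics concrete, here is an added example (my own code, not from the post or from IOS) that models accept-lifetime and send-lifetime for key chain testkey2 and computes how much clock skew between two peers the overlap tolerates.  It assumes that all times are in the router's local time, that lifetimes use the IOS "HH:MM:SS Mon D YYYY" form, and that when several keys are valid for sending the lowest key number wins (a tie-break chosen for this model; keep send-lifetimes non-overlapping, as in the post, and it never applies).

```python
from datetime import datetime

# Added example (not from the post or from IOS): models how accept-lifetime
# and send-lifetime decide which key a router sends and which keys it accepts.
# Assumptions: local time throughout, IOS "HH:MM:SS Mon D YYYY" lifetimes, and
# a lowest-key-number tie-break when more than one key is valid for sending.

INFINITE = datetime.max

# Key chain testkey2 from the post, expressed as data.
TESTKEY2 = {
    1: {"key-string": "cisco123", "cryptographic-algorithm": "hmac-sha-1",
        "accept-lifetime": ("00:00:00 Jan 1 2016", "00:15:00 Jun 1 2016"),
        "send-lifetime": ("00:00:00 Jan 1 2016", "00:00:00 Jun 1 2016")},
    2: {"key-string": "cisco321", "cryptographic-algorithm": "hmac-sha-1",
        "accept-lifetime": ("23:45:00 May 31 2016", "infinite"),
        "send-lifetime": ("00:00:00 Jun 1 2016", "infinite")},
}


def ios_time(text):
    """Parse the 'HH:MM:SS Mon D YYYY' form used by the lifetime commands."""
    if text == "infinite":
        return INFINITE
    return datetime.strptime(text, "%H:%M:%S %b %d %Y")


def window(key, which):
    """(start, end) of a key's accept- or send-lifetime; unset means always valid."""
    if which not in key:
        return datetime.min, INFINITE
    start, end = key[which]
    return ios_time(start), ios_time(end)


def active(key, which, now):
    start, end = window(key, which)
    return start <= now < end


def accepted_keys(chain, now_text):
    """Key IDs whose digest the router accepts at the given time."""
    now = ios_time(now_text)
    return sorted(k for k, key in chain.items() if active(key, "accept-lifetime", now))


def send_key(chain, now_text):
    """Key ID the router signs its own packets with, or None if no key is valid."""
    now = ios_time(now_text)
    valid = [k for k, key in chain.items() if active(key, "send-lifetime", now)]
    return min(valid) if valid else None


def rollover_margins(chain):
    """Minutes of clock skew between two peers that each key change tolerates.
    A peer whose clock runs fast starts sending the new key early; a slow peer
    keeps sending the old key late. Both must still fall inside our accept
    windows, so the margin is the smaller of the two overlaps. A margin of 0
    or less means one bad clock is enough to drop the adjacency."""
    margins = {}
    ids = sorted(chain)
    for old, new in zip(ids, ids[1:]):
        switch = window(chain[old], "send-lifetime")[1]             # old key stops being sent
        early = switch - window(chain[new], "accept-lifetime")[0]   # new key already accepted
        late = window(chain[old], "accept-lifetime")[1] - switch    # old key still accepted
        margins[(old, new)] = int(min(early, late).total_seconds() // 60)
    return margins


if __name__ == "__main__":
    for when in ("23:46:00 May 31 2016", "00:05:00 Jun 1 2016", "00:20:00 Jun 1 2016"):
        print(when, "send:", send_key(TESTKEY2, when), "accept:", accepted_keys(TESTKEY2, when))
    print("tolerated skew (minutes):", rollover_margins(TESTKEY2))
```

Run it and the three sample times show the sequence a router goes through: still sending key 1 but already accepting key 2, then sending key 2 while still accepting key 1, then key 2 only.  rollover_margins is the check to run before scheduling a rotation: if it returns 0 for a pair, the two lifetimes meet at a single instant and any clock difference between the peers will break the adjacency.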

To verify the key chain, use the show key chain {key chain-name} command.

OSPF-AUTH-KeyChain-Simple

OSPF-AUTH-KeyChain-Rotation

Key Chain Association

This is the final step of the configuration.  To associate the Key Chain to the interface, use the command ip ospf authentication key-chain {key chain-name}.   Remember, a single key chain can be used for multiple interfaces.

!
interface Ethernet0/0
ip ospf authentication key-chain mykey
!

OSPF Enhanced Authentication configuration Example:

For this example I will use the following scenario:

The network is currently using MD5 cryptographic authentication (Type 2) between R1 and R3, and Simple Password authentication (Type 1) on the shared segment between R1, R2 and R4.


A change was requested by the Information Security team to strengthen the authentication across the network as follows:

  1. For the segment between R1, R2 and R4 use SHA-1 with password cisco421
  2. For the segment between R1 and R3 use SHA-256 with password cisco31
  3. The due date to complete the change is Jun 1, 2016

So let’s do it!

First let’s take a quick look only to the relevant configuration:

R1:

!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Ethernet0/0
ip address 192.168.124.1 255.255.255.0
ip ospf authentication-key cisco124
!
interface Ethernet0/1
ip address 192.168.13.1 255.255.255.252
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco13
ip ospf network point-to-point
!
router ospf 1
router-id 0.0.0.1
area 0 authentication
network 1.1.1.1 0.0.0.0 area 0
network 192.168.13.1 0.0.0.0 area 0
network 192.168.124.0 0.0.0.255 area 0
!
ntp master 1
!

R2:

!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Ethernet0/0
ip address 192.168.124.2 255.255.255.0
ip ospf authentication
ip ospf authentication-key cisco124
!
interface Ethernet0/1
ip address 172.16.20.2 255.255.255.0
!
router ospf 1
router-id 0.0.0.2
network 2.2.2.2 0.0.0.0 area 0
network 172.16.20.0 0.0.0.255 area 0
network 192.168.0.0 0.0.255.255 area 0
!
ntp server 192.168.124.1
!

R3:

!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Ethernet0/0
ip address 192.168.13.2 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco13
ip ospf network point-to-point
!
interface Ethernet0/1
ip address 172.16.30.3 255.255.255.0
!
router ospf 1
router-id 0.0.0.3
network 3.3.3.3 0.0.0.0 area 0
network 172.16.30.0 0.0.0.255 area 0
network 192.168.13.2 0.0.0.0 area 0
!
ntp server 192.168.13.1
!

R4:

!
interface Loopback0
ip address 4.4.4.4 255.255.255.255
ip ospf 1 area 0
!
interface Ethernet0/0
ip address 192.168.124.4 255.255.255.0
ip ospf authentication
ip ospf authentication-key cisco124
ip ospf 1 area 0
!
interface Ethernet0/1
ip address 172.16.40.4 255.255.255.0
ip ospf 1 area 0
!
router ospf 1
router-id 0.0.0.4
!
ntp server 192.168.124.1
!

In the above output we can see that R1 has simple password authentication configured at the area level, while cryptographic authentication is applied directly on the interface that connects to R3.

The other routers have the authentication parameters configured directly on the interface.  Note also that R1 is acting as the NTP server for all routers in the network.

After checking the clock on all routers, we have determined that a possible solution is implementing the enhanced authentication with time-based key rotation for the segment between R3 and R1.   Using this solution, we can switch the cryptographic algorithm without losing connectivity.

Unfortunately we cannot use the same solution for routers 1, 2 and 4.  Key chains only apply to Type-2 (cryptographic) authentication, and the authentication type itself cannot be rotated: a router that moves from Type 1 to Type 2 stops accepting Type 1 packets immediately, so that change will be disruptive.

First let's configure the key chain to be used for the link between R3 and R1, with time-based key rotation.

!
key chain R3-TO-R1
key 1
key-string cisco13
cryptographic-algorithm md5
accept-lifetime 00:00:00 Jan 1 2016 00:15:00 Jun 1 2016
send-lifetime 00:00:00 Jan 1 2016 00:00:00 Jun 1 2016
key 2
key-string cisco31
cryptographic-algorithm hmac-sha-256
accept-lifetime 23:45:00 May 31 2016 infinite
send-lifetime 00:00:00 Jun 1 2016 infinite
end
!

The above key chain meets the requirements.  It maintains connectivity using the current MD5 algorithm until 15 minutes after midnight on June 1 (key 1), starts accepting HMAC-SHA-256 from May 31 at 23:45 (key 2), and starts sending key 2 at midnight on June 1.

We can use the same key chain on both routers, R3 and R1.   Lastly we have to assign the key chain to the interface connecting both routers.

R3:

!
interface Ethernet0/0
ip ospf authentication key-chain R3-TO-R1
!

R1:

!
interface Ethernet0/1
ip ospf authentication key-chain R3-TO-R1
!

Now let’s verify the results of this configuration:

OSPF-AUTH-1

OSPF-AUTH-2

As can be seen in the above output, the currently valid key is key 1, with the current (MD5) authentication.   The interface output shows the key chain (R3-TO-R1) association.

Now let’s configure the authentication settings for the segment between R1, R2 and R4.

!
key chain R1-R2-R4
key 1
key-string cisco421
cryptographic-algorithm hmac-sha-1
end
!

As can be seen in the above configuration, the key chain was created with key 1 for HMAC-SHA-1 with the password cisco421.   When the lifetimes are not set manually, the key chain treats both the accept and send lifetimes as always valid.

OSPF-AUTH-3

All three routers, R1, R2 and R4, are connected to the segment 192.168.124.0/24 using interface Ethernet0/0.   The final step is applying the same key chain on all three routers by enabling it on interface Ethernet0/0.   Remember that in this case, moving from Type 1 to enhanced Type 2 authentication, the change is disruptive: as soon as the first router changes, its neighbors start dropping its packets, and you have 40 seconds (the default OSPF dead interval on broadcast networks) to change the others before the routers declare each other down.

So finally let's associate the key chain to the interface on routers 1, 2 and 4:

!
interface Ethernet0/0
ip ospf authentication key-chain R1-R2-R4
!

Let's take a look at the output of show ip ospf interface Ethernet0/0 and Ethernet0/1 on R1:

OSPF-AUTH-4

OSPF-AUTH-5

R1, as shown above, is now authenticating with HMAC-SHA-1 on interface Ethernet0/0 as requested.  Interface Ethernet0/1, connecting to R3, is still authenticating with MD5.

Finally let's test the time-based key rotation.   For this purpose I'll manually set the clock to 23:46:00 May 31 2016 and check the interface status on R3 and R1.

OSPF-AUTH-6

OSPF-AUTH-7

As can be seen in the above output, interface Ethernet0/1 on R1 and interface Ethernet0/0 on R3 have changed to HMAC-SHA-256 authentication.   The change was automatic, driven by the key lifetimes.   Note how the lifetimes work together: at 23:46 on May 31 both routers already accept key 2 (its accept-lifetime started at 23:45), and at 00:00 on June 1 key 1 leaves its send-lifetime and key 2 enters its own, so each router switches the key it signs with at midnight while still accepting key 1 until 00:15.   That accept overlap is what keeps the adjacency up through the changeover even if the two clocks are a few minutes apart.

It is time to close this post. Thank you for visiting.

OSPF Null Authentication


In the previous post (OSPF Authentication), we learned how to configure and troubleshoot OSPF authentication.  However, we only covered authentication Types 1 and 2.

So you may be wondering: what about Type 0 or Null Authentication?   What is it for?

Well, this type of authentication is used on links where authentication is not required.  Let me explain.   If your organization is using OSPF authentication in an area (enabled at the area level) and you need to form an adjacency with a device on which authentication is not configured or not desired, this is where OSPF Null authentication comes into play: it overrides the area-level setting on that one interface.   Keep in mind that a Null-authenticated link accepts Hello packets from any device on that segment, so it should be a deliberate, documented exception and not a convenient default.

To configure OSPF Null Authentication use the interface level command:  ip ospf authentication null.

For example, let’s take a look to the following topology:

OSPF-NULL-A-Topology

In this scenario R1, R2 and R4 have OSPF cryptographic authentication (Type 2) configured.    R3 was recently added to the network; however, the adjacency with R1 is not established.

First, let's debug the OSPF adjacencies and find out what the problem is.

OSPF-Null-Debug-R1

OSPF-Null-Debug-R3

As you can see in the above output, the problem is mismatched authentication types between the peers:

R1 is using Type 2 (cryptographic) and R3 is using Type 0 (null).

Now let’s take a look at the configuration of R1 and R3:

OSPF-NULL-R1-TO-R3

R1:

!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Ethernet0/0
ip address 192.168.124.1 255.255.255.0
ip ospf message-digest-key 1 md5 cisco124
!
interface Ethernet0/1
ip address 192.168.13.1 255.255.255.252
ip ospf network point-to-point
!
router ospf 1
router-id 0.0.0.1
area 0 authentication message-digest
network 1.1.1.1 0.0.0.0 area 0
network 192.168.13.1 0.0.0.0 area 0
network 192.168.124.0 0.0.0.255 area 0
!

As shown in the configuration above, R1 was configured to authenticate all devices connected to area 0 with the command area 0 authentication message-digest.  This is equivalent to adding the command ip ospf authentication message-digest to every interface in Area 0; the area command sets only the authentication type, each interface still needs its own key.

A way to verify this is the command show ip ospf interface {interface-id}.

OSPF-NULL-show-ospf-if-e0-0

OSPF-NULL-show-ospf-if-e0-1

R3:

!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Ethernet0/0
ip address 192.168.13.2 255.255.255.0
ip ospf network point-to-point
!
interface Ethernet0/1
ip address 172.16.30.3 255.255.255.0
!
router ospf 1
router-id 0.0.0.3
passive-interface default
no passive-interface Ethernet0/0
network 3.3.3.3 0.0.0.0 area 0
network 172.16.30.0 0.0.0.255 area 0
network 192.168.13.2 0.0.0.0 area 0
!

As shown in the configuration above, R3 does not have OSPF authentication configured.

To solve this issue, configure OSPF null authentication on the interface of R1 connecting to R3.  (If R3 is under your control, the better fix is to configure the same MD5 key on R3 instead of lowering R1 to null on that link.)

!
interface ethernet0/1
ip ospf authentication null
end
!

After the above configuration is applied, R1 and R3 form the adjacency:

OSPF-NULL-Solution-Neighbors

Let’s take a look at the result of the configuration in the interface:

OSPF-NULL-Solution-e-0-1

It is time to close this post. Thank you for visiting.

OSPF Authentication

In the last post (OSPF Passive Interface), I mentioned that enabling routing everywhere may increase the chances of unauthorized devices being inserted.  What I mean by this is that when we enable OSPF on an interface, or with the network command in the OSPF process, we also allow automatic neighbor discovery and adjacency forming on certain network types, such as broadcast networks.   Using passive-interface in OSPF we make sure no Hello packets are sent on stub networks; thus, adjacencies won't form on those segments.   But what about the routers placed in transit networks? How can we protect them without disabling the Hello packets?

Well, in this case, what we can do is force the routers to authenticate in order to establish the adjacencies.

OSPF Authentication Types:

Three types of authentication are currently supported by OSPF:

  • Type 0 – Null – The default.  There is no authentication; typically used on links where authentication is not required.
  • Type 1 – Simple Password – The password is carried in every OSPF packet in plaintext, so anyone who can capture traffic on the segment can read it (very insecure).
  • Type 2 – Cryptographic – The password is never transmitted.  Each packet carries an MD5 digest computed over the packet and the shared key, together with a key ID and a sequence number.  (Newer IOS versions also support HMAC-SHA algorithms, as described in RFC 5709; this will be discussed in the following post.)

OSPF Authentication Configuration:

OSPF authentication is a two-step configuration; the first step is enabling the type of authentication to be used.  It can be enabled at the process level or at the link level.   The link-level authentication type overrides the process-level one.

To enable OSPF authentication at the process level, use the area {area-id} authentication command for Simple Password authentication; adding the keyword message-digest changes the authentication to Cryptographic type 2 (MD5).

To enable OSPF authentication at the interface level use the ip ospf authentication command for Simple Password authentication; adding the keyword message-digest changes the authentication to Cryptographic type 2 (MD5).

To configure OSPF null authentication on a link connecting to a neighbor, use the ip ospf authentication null command.  As mentioned before, null authentication is typically used where authentication is enabled at the area level but is not required on a particular link.  More details and examples in the next post.

The second step is to define the password to be used, either for Simple Password or for cryptographic authentication.  The authentication passwords are always configured on the link.

To configure the authentication passwords in plaintext use the interface command ip ospf authentication-key {0|7} {password}.

The option 0 or 7 inside the curly brackets means the user is entering the password in plain text (option 0), while option 7 means the user is entering an already obfuscated Cisco proprietary Type-7 password.   Type 7 is reversible obfuscation, not encryption: anyone who can read the configuration can recover the password, so protect configuration files and backups accordingly.   Option 0 is the default and does not need to be set.

To configure the authentication passwords as Type 2 (MD5) use the interface command ip ospf message-digest-key {key-number [1-255]} md5 {0|7} {password}.

Type 2 authentication supports up to 255 different keys (key IDs 1 to 255).  The key number and password must match between the routers.  Using different keys allows for quick password changes and for multiple passwords per area: while more than one key is configured on an interface, the router sends a copy of each packet authenticated with each key until its neighbors are all using the new one, which is what makes a manual key change non-disruptive.

OSPF Authentication Configuration for Virtual-Links:

A virtual link is an OSPF tunnel: a multi-hop point-to-point unicast adjacency that, in essence, extends Area 0 across another area (the transit area).  When configured, a logical point-to-point interface is created with state P2P and attached to Area 0.   Virtual-link authentication follows the same rules described before: the authentication type can be defined either for Area 0 or on the virtual-link definition, and the password is set on the virtual link itself.    Because the logical VL interface exists only in the OSPF process, its authentication parameters are configured within the virtual-link command in the process.  Use the following combinations to configure virtual-link authentication:

Simple password configuration:

area {area-id} virtual-link {router-id} authentication authentication-key {password}

Cryptographic configuration:

area {area-id} virtual-link {router-id} authentication message-digest message-digest-key {key-number [1-255]} md5 {0|7} {password}

OSPF Authentication Configuration Examples:

For this set of examples, we will use the topology we have been using so far.

Initial Configurations:

R1:

!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Ethernet0/0
ip address 192.168.124.1 255.255.255.0
!
interface Ethernet0/1
ip address 192.168.13.1 255.255.255.0
!
router ospf 1
router-id 0.0.0.1
network 1.1.1.1 0.0.0.0 area 0
network 192.168.0.0 0.0.255.255 area 0
passive-interface default
no passive-interface Ethernet0/0
no passive-interface Ethernet0/1
!

R2:

!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Ethernet0/0
ip address 192.168.124.2 255.255.255.0
!
interface Ethernet0/1
ip address 172.16.20.2 255.255.255.0
!
router ospf 1
router-id 0.0.0.2
network 2.2.2.2 0.0.0.0 area 0
network 172.16.20.0 0.0.0.255 area 0
network 192.168.0.0 0.0.255.255 area 0
passive-interface default
no passive-interface Ethernet0/0
!

R3:

!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Ethernet0/0
ip address 192.168.13.3 255.255.255.0
!
interface Ethernet0/1
ip address 172.16.30.3 255.255.255.0
!
router ospf 1
network 3.3.3.3 0.0.0.0 area 0
network 172.16.30.0 0.0.0.255 area 0
network 192.168.13.0 0.0.0.255 area 0
passive-interface default
no passive-interface Ethernet0/0
!

R4:

!
interface Loopback0
ip address 4.4.4.4 255.255.255.255
ip ospf 1 area 0
!
interface Ethernet0/0
ip address 192.168.124.4 255.255.255.0
ip ospf 1 area 0
!
interface Ethernet0/1
ip address 172.16.40.4 255.255.255.0
ip ospf 1 area 0
!
router ospf 1
router-id 0.0.0.4
passive-interface default
no passive-interface Ethernet0/0
!

The Switch interfaces where the routers are connected were configured as follows:

!
interface FastEthernet0/[1-4]
switchport trunk encapsulation dot1q
switchport mode trunk
!

Task 1:

Let's start by applying Simple Password Authentication (Type 1) to the segment between R1 and R3 with the password cisco123.  R1 must use interface-level authentication and R3 must use area authentication.

R1:

OSPF-Auth-Task-1-1

R3:

OSPF-Auth-Task-1-2

An interesting thing to mention is that all OSPF packet types are authenticated, not only the Hellos.

Let’s take a look to the different OSPF packets:

Hello Packet Header:

OSPF-Hello-Packet

Database Description (DBD) Header:

OSPF-LSDB-Packet

Link-State Request:

OSPF-LSR-Packet

Link-State Update:

OSPF-LSU-Packet

Link-State Acknowledge:

OSPF-LSA-Packet

As you can see in the above examples, the Authentication Type is Simple Password (1) and the password (cisco123) is shown in plain text.

OSPF authentication does not mean encryption: the content of the packet is perfectly readable.  The objective of OSPF authentication is only to protect the router control plane, preventing unauthorized devices from forming adjacencies and injecting routes.

Task 2:

For this task, let’s apply Cryptographic Password Authentication (Type 2) to the network segment between R1, R2, and R4 with the password cisco124.  R1 must use Area authentication while R2 and R4 must use interface level authentication.

R1:

OSPF-Auth-Task-2-1

R2:

OSPF-Auth-Task-2-2

R4:

OSPF-Auth-Task-2-3

Let’s take a look at the Hello packet of R1 in the interface E0/0:

OSPF-Hello-Packet-Task-2

As you can see in the output, the Authentication Type is now Cryptographic (2).  You will also find the Key ID used, the cryptographic sequence number and, in the Auth Crypt Data field, the MD5 digest computed over the packet and the shared key; the password itself is never transmitted.   The sequence number is the replay defense: a receiver drops a packet whose sequence number is lower than the last one accepted from that neighbor, so packets captured earlier cannot be re-injected later.

In this case, we use the same password because it is a shared segment; on other network types, such as point-to-point links, a different password can be used per link.
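To show exactly what the captures above contain, here is an added example (my own code, not from the post or from any router vendor) that builds an OSPFv2 Hello packet with Type 1 and Type 2 authentication and verifies it the way a receiving router would.  The MD5 trailer follows RFC 2328 Appendix D.4.3 and the HMAC-SHA variants follow RFC 5709, as introduced in the key chain post at the top of this page; the Hello contents, router IDs, keys and sequence numbers are constructed for the example.  It also reproduces two failures from this page: a Type 1 packet arriving on a Type 2 interface, and a key string with a trailing blank, the misconfiguration in the troubleshooting section below.

```python
import hashlib
import hmac
import struct

# Added example (not code from the post or from any vendor): builds an OSPFv2
# Hello with each authentication type and checks it as a receiver would.
# Layouts follow RFC 2328 (header, Appendix D) and RFC 5709 (HMAC-SHA);
# all packet contents and keys below are constructed for illustration.

OSPF_VERSION, OSPF_HELLO = 2, 1
AUTH_NULL, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2

# Algorithm name -> (hash constructor, digest length L in octets)
ALGORITHMS = {
    "md5": (hashlib.md5, 16),               # RFC 2328 Appendix D.4.3
    "hmac-sha-1": (hashlib.sha1, 20),       # RFC 5709
    "hmac-sha-256": (hashlib.sha256, 32),
    "hmac-sha-384": (hashlib.sha384, 48),
    "hmac-sha-512": (hashlib.sha512, 64),
}


def ipb(dotted):
    """Dotted-quad string -> 4 network-order bytes."""
    return bytes(int(octet) for octet in dotted.split("."))


def ip_checksum(data):
    """One's-complement checksum (RFC 1071) used in the OSPF header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def hello_body(mask, hello=10, dead=40, neighbors=()):
    """Hello body: mask, HelloInterval, Options, Priority, DeadInterval, DR, BDR, neighbors."""
    body = struct.pack("!4sHBBI4s4s", ipb(mask), hello, 0x02, 1, dead,
                       ipb("0.0.0.0"), ipb("0.0.0.0"))
    return body + b"".join(ipb(n) for n in neighbors)


def header(length, router_id, area_id, csum, autype, auth):
    """24-byte OSPFv2 header; the last 8 bytes are the authentication field."""
    return struct.pack("!BBH4s4sHH8s", OSPF_VERSION, OSPF_HELLO, length,
                       ipb(router_id), ipb(area_id), csum, autype, auth)


def build_simple(router_id, area_id, body, password):
    """Type 1: the password itself rides in the 64-bit authentication field."""
    auth = password.encode().ljust(8, b"\x00")[:8]
    length = 24 + len(body)
    # The checksum covers header and body but skips the 8-byte authentication field.
    csum = ip_checksum(header(length, router_id, area_id, 0, AUTH_SIMPLE, auth)[:16] + body)
    return header(length, router_id, area_id, csum, AUTH_SIMPLE, auth) + body


def digest(pkt, key, algorithm):
    """Authentication trailer for a packet whose checksum field is already 0."""
    h, L = ALGORITHMS[algorithm]
    if algorithm == "md5":
        # RFC 2328 D.4.3: MD5 over packet || key, key zero-padded to 16 octets.
        return h(pkt + key.ljust(16, b"\x00")).digest()
    # RFC 5709: Ko = H(K) when K is longer than L, else K (its zero-padding to
    # L octets is a no-op under HMAC); Apad occupies the place of the digest.
    ko = h(key).digest() if len(key) > L else key
    apad = bytes.fromhex("878FE1F3") * (L // 4)
    return hmac.new(ko, pkt + apad, h).digest()


def build_crypto(router_id, area_id, body, key_id, key, seq, algorithm="md5"):
    """Type 2: key ID, digest length and sequence number replace the password;
    the digest is appended after the packet and is not counted in Length."""
    L = ALGORITHMS[algorithm][1]
    auth = struct.pack("!HBBI", 0, key_id, L, seq)
    pkt = header(24 + len(body), router_id, area_id, 0, AUTH_CRYPTO, auth) + body
    return pkt + digest(pkt, key, algorithm)


def plaintext_password(pkt):
    """What a sniffer sees on a Type 1 link: the password, unencrypted."""
    autype = struct.unpack("!H", pkt[14:16])[0]
    return pkt[16:24].rstrip(b"\x00").decode() if autype == AUTH_SIMPLE else None


def verify(pkt, keychain, last_seq):
    """Receiver side of a Type 2 interface. keychain: {key_id: (key, algorithm)};
    last_seq: {router_id: last accepted sequence number}, updated on success.
    Returns (accepted, reason-or-algorithm)."""
    _, _, length, rid, _, _, autype, auth = struct.unpack("!BBH4s4sHH8s", pkt[:24])
    if autype != AUTH_CRYPTO:
        return False, "Mismatched Authentication type: packet %d, we use 2" % autype
    _, key_id, L, seq = struct.unpack("!HBBI", auth)
    if key_id not in keychain:
        return False, "Mismatched Authentication Key - ID %d" % key_id
    key, algorithm = keychain[key_id]
    if not hmac.compare_digest(digest(pkt[:length], key, algorithm), pkt[length:length + L]):
        return False, "Mismatched Authentication Key - ID %d" % key_id
    if seq < last_seq.get(rid, 0):
        return False, "Replayed packet: sequence %d below %d" % (seq, last_seq[rid])
    last_seq[rid] = seq
    return True, algorithm
```

Build a Type 1 Hello with build_simple and plaintext_password returns the password straight out of the header, which is the Task 1 capture in code.  Build the same Hello with build_crypto and verify it against a key chain: a wrong key ID, a key with a trailing blank, a modified body byte, or an old sequence number are each rejected with the same kind of message the debug output shows, while the password never appears in the packet.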

 

OSPF Authentication Verification and Troubleshooting:

In order to verify the authentication use the show ip ospf interface {interface-id} command.

show-ip-ospf-if

The above output displays the type of authentication used and the key ID used to authenticate on interface Ethernet0/0, for the segment 192.168.124.0/24 where R1, R2 and R4 reside.   The same output then displays the type of authentication used, in this case Simple Password, for the segment 192.168.13.0/24 where R1 and R3 connect.

Another way to verify whether the authentication succeeds is by checking the neighbor table with the show ip ospf neighbor command.   When the authentication fails, the neighbor disappears from the table once the dead interval expires (or never appears in the first place).

In order to demonstrate the troubleshooting process, I have made some changes (misconfigurations, I would say) to the routers previously configured.

The problem:

After OSPF Authentication was configured in the routers, the connectivity to the segments 172.16.30.0/24 and 172.16.40.0/24 has been lost.

OSPF-SAREA-NTOPOLOGY

debug-04

After confirming that the adjacencies to R3 and R4 were lost, we can troubleshoot them using the debug ip ospf adj command.   To turn off the debug use the command undebug all (on a busy production router, limit the debug to the interface or neighbor of interest, as adjacency debugs can be verbose).

debug-MSG

Aha!  It seems that we have found the problems.   The debug output shown above gives us details about the issue:

The first problem: the router received on interface Ethernet0/1 a packet with a mismatched authentication type.  The received packet uses Simple Password authentication (Type 1), but the local router is using Cryptographic authentication (Type 2).

This was an easy catch; the solution is enabling Simple Password (Type 1) authentication on interface Ethernet0/1 of R1 and removing the leftover MD5 key:

R1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface e0/1
R1(config-if)#ip ospf authentication
R1(config-if)#ip ospf authentication-key cisco123
R1(config-if)#no ip ospf message-digest-key 1 md5 cisco123
R1(config-if)#end
R1#

The other problem: the router received on interface Ethernet0/0 a packet with Mismatched Authentication Key – ID 1.  This debug message is self-explanatory: the key ID matches, but the digest computed with the local password does not match the one in the received packet, so the passwords differ.

Let's compare the configurations:

Wait a minute!  At first sight, the passwords look identical.  But are they actually identical?

Well, in this problem I have introduced a common mistake when configuring passwords: I added a blank space at the end of the password on R4.   Blank spaces also count as part of the password.

debug-03

The solution in this case is to remove MD5 key 1 on R4 and re-enter it.   You can also copy the line from R1 or R2 and paste it into the Ethernet0/0 interface configuration.   Since a trailing space is invisible in show running-config, retyping or pasting the key is more reliable than reading it back.

It is time to close this post.

Thank you for visiting.