Wednesday, December 30, 2015

Types & Flaws of OSPF Authentication (to Stop Route Injection & DOS Attacks)


OSPF authentication has 3 types.
Type 0 - Null (default)
Type 1 - Simple Password
Type 2 - Cryptographic (MD5/SHA)

Let's see how it can be cracked and how it can be implemented correctly. Authentication is the only protocol-level security we have to secure our OSPF network. In OSPFv2, authentication can only prevent a rogue router from exchanging LSAs, which stops route injection & DoS attacks. A man in the middle will still be able to see the payload of the LSAs, which he can use to compromise the network. Only in OSPFv3 will an IPsec tunnel prevent that from happening.

I'm doing it in a simple lab of 2 routers in area 0, and the wire is sniffed. Let's analyze the packets to see what's really happening at the network layer.
(I didn't upload the initial config files because this is a very simple lab with a few basic commands.)

Let the 2 routers form adjacency.
Type 0 or Null type is always on by default.
Without doing any authentication configuration, let's capture a Hello packet and analyze it.


You can see that the authentication type is Null (0) and the authentication data is empty.

It means you only need a router configured to match the Hello packet attributes (which you can see) and connect that router to the network to start injecting false routes & carry out a DoS attack.

Let's see about Type 2 now. It can be implemented by issuing the command
R1(config-if)#ip ospf authentication
at the interface level or
R1(config-router)#area 0 authentication
in router config mode. Either way, the interface-level command always overrides the router config mode command, and the authentication keys and authentication data can only be configured at the interface level.

So if you see something like below in a packet capture,

This is Type 2. Even though it is type 2 you can see authentication data is empty.

It means you only need a router configured for authentication type 2 that matches the Hello packet attributes (which you can see) and connect that router to the network to start injecting false routes & carry out a DoS attack.

Now let's see what happens if the authentication data is not empty (that is, if a password is configured for authentication).
It can only be done at the interface level, using the following command after setting the authentication type to 2 as above.
R1(config-if)#ip ospf authentication-key cisco468

The packet will be like this.

Now you can see there is a password and you can clearly see it.

It means you only need a router configured for authentication type 2 that matches the password & Hello packet attributes (which you can see) and connect that router to the network to start injecting false routes & carry out a DoS attack.
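
What the three captures above come down to, as an added example that is not part of the original post: a small parser for the 24-byte OSPFv2 header that reports which authentication type a packet carries and whether the key is readable on the wire. It uses the AuType values of RFC 2328 (0 null, 1 simple password, 2 cryptographic); the function names and the sample headers are constructed for illustration.

```python
import struct

# OSPFv2 common header, 24 bytes (RFC 2328 A.3.1): version, type, length,
# router ID, area ID, checksum, AuType, 8-byte Authentication field.
OSPF_HDR = struct.Struct("!BBH4s4sHH8s")
AUTYPE = {0: "null", 1: "simple password", 2: "cryptographic"}


def audit_ospf_header(pkt: bytes) -> dict:
    """Report what the authentication fields of one OSPFv2 packet expose."""
    if len(pkt) < OSPF_HDR.size:
        raise ValueError("truncated OSPF header")
    ver, _, _, _, _, _, autype, auth = OSPF_HDR.unpack_from(pkt)
    if ver != 2:
        raise ValueError("not an OSPFv2 packet")
    finding = {"autype": autype, "name": AUTYPE.get(autype, "unknown"),
               "weak": True, "exposed_key": None}
    if autype == 1:
        # The field is the configured key itself, NUL padded, in cleartext.
        finding["exposed_key"] = auth.rstrip(b"\x00").decode("ascii", "replace")
    elif autype == 2:
        # Only 0, Key ID, digest length and a sequence number; no key material.
        _, key_id, digest_len, seq = struct.unpack("!HBBI", auth)
        finding.update(weak=False, key_id=key_id, digest_len=digest_len, seq=seq)
    return finding


def sample_header(autype: int, auth: bytes) -> bytes:
    """Constructed Hello header from router 1.1.1.1 in area 0 (not a real capture)."""
    return OSPF_HDR.pack(2, 1, 44, bytes([1, 1, 1, 1]), bytes(4), 0, autype, auth)


SAMPLES = {
    "no authentication configured": sample_header(0, bytes(8)),
    "ip ospf authentication, no key": sample_header(1, bytes(8)),
    "ip ospf authentication-key cisco468": sample_header(1, b"cisco468"),
    "message-digest, key 1": sample_header(2, struct.pack("!HBBI", 0, 1, 16, 1451433600)),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:38} -> {audit_ospf_header(raw)}")
```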


So basically all of the above are useless against a hacker. The correct method is to use Type 3 with a hashing algorithm.

It can be implemented by issuing the command
R1(config-if)#ip ospf authentication message-digest
at the interface level or
R1(config-router)#area 0 authentication message-digest
in router config mode.

And the password can be given at the interface level by issuing
R1(config-if)#ip ospf message-digest-key 1 md5 cisco321

The capture will look like this.

Now the password is not stated in the packet; only the hash is there. So even if the packet is captured, it will be hard to crack. If your platform supports a SHA algorithm, it is better to use that than MD5, as MD5 is again vulnerable to rainbow tables.
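
How the hash in such a packet is produced and checked, as an added example that is not part of the original post: OSPFv2 keyed MD5 as specified in RFC 2328 Appendix D, with both the sending and the receiving side. The function names, the sequence number and the Hello body values are constructed for illustration; the key is the one configured above.

```python
import hashlib
import hmac
import struct


def md5_trailer(packet: bytes, key: bytes) -> bytes:
    """RFC 2328 D.4.3: MD5 over the packet followed by the key padded to 16 bytes."""
    if len(key) > 16:
        raise ValueError("OSPFv2 MD5 keys are at most 16 bytes")
    return hashlib.md5(packet + key.ljust(16, b"\x00")).digest()


def build_packet(key: bytes, key_id: int, seq: int, body: bytes) -> bytes:
    """Sender: AuType 2, checksum 0, digest appended after the OSPF packet."""
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    header = struct.pack("!BBH4s4sHH8s", 2, 1, 24 + len(body),
                         bytes([1, 1, 1, 1]), bytes(4), 0, 2, auth)
    packet = header + body
    return packet + md5_trailer(packet, key)


def verify_packet(wire: bytes, keys: dict, last_seq: int) -> bool:
    """Receiver: find the key by Key ID, drop old sequence numbers, compare digests."""
    if len(wire) < 24:
        return False
    (length,) = struct.unpack_from("!H", wire, 2)
    autype, _, key_id, digest_len, seq = struct.unpack_from("!HHBBI", wire, 14)
    if autype != 2 or digest_len != 16 or key_id not in keys or seq < last_seq:
        return False
    if length < 24 or len(wire) < length + digest_len:
        return False
    packet, digest = wire[:length], wire[length:length + digest_len]
    return hmac.compare_digest(digest, md5_trailer(packet, keys[key_id]))


# Constructed 20-byte Hello body: mask 255.255.255.0, HelloInterval 10,
# options 0x02, priority 1, RouterDeadInterval 40, no DR/BDR yet.
HELLO_BODY = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, 0x02, 1, 40,
                         bytes(4), bytes(4))
KEYS = {1: b"cisco321"}  # key 1 from the configuration above
WIRE = build_packet(KEYS[1], 1, 1000, HELLO_BODY)
```

The sequence number check in verify_packet is what makes a captured packet useless for replay: a packet whose sequence number is lower than the last one seen from that neighbor is dropped even though its digest is valid.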

Even though the hacker can see the payload of the packet, which he can use to build the link state graph and map the network, he will not be able to do any harm to the network.

So this is the only secure method for doing this. Anything other than this, including encrypting the password to level 7, will not defend against a hacker. It can easily be cracked too.

Thursday, December 17, 2015

Stop Originating Type 7 LSAs Only in ASBABRs

Let me explain the topic. In the diagram, you can clearly see that the R2 is the ABR. But in this lab it is also the ASBR.

ASBABR = ASBR + ABR

It is redistributing the connected subnet of its loopback 0 into both area 1 (the NSSA) and area 0. When you enter the redistribute command, it starts redistributing to both sides: as LSA type 7 into the NSSA and as LSA type 5 into area 0.

If you want only the backbone routers to learn the redistributed routes, and not the routers of the NSSA, here is the way to do it.

Configuration files can be downloaded from here.

Let's look at the databases of R3 & R1 first.

We can see the redistributed route is advertised to both areas. To stop it from going into the NSSA, just enter the following command in the OSPF configuration of R2, which does the redistribution.

R2(config)#router ospf 1
R2(config-router)#area 1 nssa no-redistribution

You can look at the databases again to see the effect. The type 7 LSA is no longer in the NSSA.

Limit a Summary / Redistributed Route to NSSA only (Stop 7/5 Translation)

A type 7 LSA is generated by an ASBR when it redistributes routes into an NSSA.
This LSA contains a "P" bit which tells the ABRs to translate the type 7 LSA into a type 5 LSA when the LSA enters area 0.

If the P bit is set to 1, translation is allowed; if the P bit is 0, it says do not translate this LSA, so it remains only in the NSSA. This is useful when there are multiple ABRs in the NSSA and you need to traffic engineer the network. By the way, when the ASBR is also the ABR, it automatically sets the P bit to 0 in the type 7 LSAs it originates, to stop routing loops.

Configuration files can be downloaded from here.

Quick review of the topology:
Area 1 is the NSSA, R2 is the ABR and R4 is the ASBR, which redistributes the connected subnet of its loopback 0 interface, 192.168.4.1/32.

First let's look at the databases of R4 & R1.

So now you can see that the type 7 LSA advertised by R4 (4.4.4.4) is translated to a type 5 LSA by R2 (2.2.2.2).

Let's look at the LSA in detail

It says "Type 7/5 translation", which means that the P bit is set to 1.
If you want to keep this route inside the NSSA only, just enter the following command in the OSPF configuration of R4, which originates it.

R4(config)#router ospf 1
R4(config-router)#summary-address 192.168.4.1 255.255.255.255 nssa-only

Now you can see the translation is off, so the route will not be learned by the backbone routers.
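
Where the P bit sits in the LSA itself, as an added example that is not part of the original post: a parser for the 20-byte LSA header that lists which type 7 LSAs in an NSSA database an ABR is allowed to translate into type 5. The function names, the Options values and the 192.168.2.1 entry are constructed for illustration; only the P bit is checked, as described above.

```python
import ipaddress
import struct

# LSA header, 20 bytes (RFC 2328 A.4.1): LS age, Options, LS type,
# Link State ID, Advertising Router, sequence number, checksum, length.
LSA_HDR = struct.Struct("!HBB4s4sIHH")
NP_BIT = 0x08  # Options bit that carries P in a type 7 LSA (RFC 3101)


def parse_lsa_header(raw: bytes) -> dict:
    """Decode the fields of one LSA header that matter for 7/5 translation."""
    if len(raw) < LSA_HDR.size:
        raise ValueError("truncated LSA header")
    _, options, ls_type, ls_id, adv, _, _, _ = LSA_HDR.unpack_from(raw)
    return {"type": ls_type,
            "id": str(ipaddress.IPv4Address(ls_id)),
            "adv_router": str(ipaddress.IPv4Address(adv)),
            "p_bit": bool(options & NP_BIT)}


def leaves_nssa(lsdb: list) -> list:
    """(Link State ID, advertising router) of type 7 LSAs with the P bit set."""
    parsed = (parse_lsa_header(raw) for raw in lsdb)
    return [(l["id"], l["adv_router"]) for l in parsed
            if l["type"] == 7 and l["p_bit"]]


def sample_lsa(ls_type: int, options: int, ls_id: str, adv: str) -> bytes:
    """Constructed header; age, sequence, checksum and length are placeholders."""
    return LSA_HDR.pack(1, options, ls_type,
                        ipaddress.IPv4Address(ls_id).packed,
                        ipaddress.IPv4Address(adv).packed, 0x80000001, 0, 36)


# Area 1 database before and after "summary-address ... nssa-only" on R4.
# 0x28 = DC + P set, 0x20 = DC only. The 192.168.2.1 entry is a made-up
# type 7 LSA originated by the ABR itself, which carries P = 0.
BEFORE = [sample_lsa(7, 0x28, "192.168.4.1", "4.4.4.4"),
          sample_lsa(7, 0x20, "192.168.2.1", "2.2.2.2"),
          sample_lsa(1, 0x22, "4.4.4.4", "4.4.4.4")]
AFTER = [sample_lsa(7, 0x20, "192.168.4.1", "4.4.4.4")] + BEFORE[1:]

if __name__ == "__main__":
    print("translated before:", leaves_nssa(BEFORE))
    print("translated after: ", leaves_nssa(AFTER))
```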