Securing OSPF

There are multiple ways to secure OSPF.  The essential one is authentication. By default there isn't any validation to assure legitimacy of an OSPF topology update. Basically an attacker or a bored employee could install a physical router and become a member of a routing system. Alternately a tool such as LOKI (http://www.ernw.de/content/e6/e180/index_eng.html) could be used. LOKI provides a GUI and is very simple to use, I however found it a bit buggy. More on that can be found in my Attacking OSPF - route injection post.

Other tools that could be used include:
  •  SCAPY http://www.secdev.org/projects/scapy/ - very advanced and fairly complicated packet generation tool, to craft OSPF packets it requires OSPF extension
  • TCPREPLAY -  http://tcpreplay.synfin.net/ - a legitimate OSPF adjacency set up and database exchange could be captured, modified and replayed (I had limited success with this technique)
On a Cisco router we can use the following to secure our OSPF routing:
  • authentication
  • passive interfaces
  • access control list
  • route filtering
OSPF authentication is part of the protocol standard and should be inter operable between vendors.  We will focus on Cisco specific implementation.

There are three types of authentication supported by OSPF:
  • none (Type 0)
  • clear text (Type 1)
  • MD5 (Type 2)
Sample OSPF hello packets with different types of authentication enabled.
  • none

  • clear text (the key is "testkey")

  • MD5 

Clearly, MD5 is the way to go. When MD5 authentication is enabled, each OSPF packet is hashed using MD5 and configured key (this is called a keyed hash). Neighboring router does the same operation on received packet and if the hash values match packet is accepted and processed. If it doesn't packet is discarded.  

Authentication is enabled on per area and per interface basis. We can have area 1 with authentication, and area 2 without, configured on the same router. What's important to note is that we can have different keys on different interfaces belonging to the same area. This is important in situation when we want to exchange routes with a routing system we don't control. 


In order to enable authentication we need to enable it in router ospf configuration context and on each interface.  

Sample router configuration - enables authentication for area 1:


!
router ospf 1
 network 30.0.0.0 0.0.0.255 area 1
 area 1 authentication
!



Sample interface configuration - enables MD5 authentication on F0/0:


!

interface FastEthernet0/0

 ip address 30.0.0.2 255.0.0.0

 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 testkey
!

On Cisco devices by default, once routing is enabled, routing information is propagated and accepted on all interfaces. In default configuration, Hello packets can be captured on access ports. This gives a potential attacker information about routing protocol in use. What's more important is that hello packets would also be accepted and processed on those ports. So let's suppose there is an OSPF Denial of Service vulnerability in Cisco IOS. At this point an attacker could crash our routers. I assume at this point we have already enabled authentication so our network would be immune to route injection attacks.

To help combat this problem, Cisco IOS implements "passive-interface" feature. Basically, routing information will not be sent out or accepted on an interface marked as passive.

There are two ways to implement this feature :

1. "passive-interface default" - marks all interfaces as passive, interfaces that should be part of routing system must be explicitly configured with "no passive-interface" command.

Sample configuration (sets all interface except f0/0 and f0/1 to passive mode):

!
router ospf 1
 passive-interface default
 no passive-interface f0/0
 no passive-interface f0/1
!

2. mark specific interfaces as passive:

!
router ospf 1
 passive-interface f0/0
 passive-interface f0/1
!

It is important to note that in both cases the configuration is performed in the OSPF process context and not interface context.

Access Control List (ACL) is another option to accomplish what passive interfaces would. (Though I find passive interface option much more manageable) We can apply ACLs blocking OSPF traffic on access ports or any ports as required. We need to apply them in both directions as we don't want OSPF traffic coming in or going out. 

Sample configuration:

!
access-list 101 deny ospf any any
!
!
interface f0/0
 ip access-group 101 in
 ip access-group 101 out
!


Route filtering should also be employed to protect routing systems. Filtering works best at topological edges such as WAN aggregation points. For example if we have 3 branch offices using network ranges of 10.1.64.0/24, 10.1.65.0/24 and 10.1.66.0/24 we can configure a filter  that will prevent any routing updates outside of 10.1.64.0/22 range. This can generally be done effectively only on Area Border Routers or Autonomous System Border Routers.  OSPF route filtering is a complex and complicated subject which I'll cover some other time. 

No comments:

Post a Comment