Skip to main content

Securing OSPF

There are multiple ways to secure OSPF.  The essential one is authentication. By default there isn't any validation to assure legitimacy of an OSPF topology update. Basically an attacker or a bored employee could install a physical router and become a member of a routing system. Alternately a tool such as LOKI ( could be used. LOKI provides a GUI and is very simple to use, I however found it a bit buggy. More on that can be found in my Attacking OSPF - route injection post.

Other tools that could be used include:
  •  SCAPY - very advanced and fairly complicated packet generation tool, to craft OSPF packets it requires OSPF extension
  • TCPREPLAY - - a legitimate OSPF adjacency set up and database exchange could be captured, modified and replayed (I had limited success with this technique)
On a Cisco router we can use the following to secure our OSPF routing:
  • authentication
  • passive interfaces
  • access control list
  • route filtering
OSPF authentication is part of the protocol standard and should be inter operable between vendors.  We will focus on Cisco specific implementation.

There are three types of authentication supported by OSPF:
  • none (Type 0)
  • clear text (Type 1)
  • MD5 (Type 2)
Sample OSPF hello packets with different types of authentication enabled.
  • none

  • clear text (the key is "testkey")

  • MD5 

Clearly, MD5 is the way to go. When MD5 authentication is enabled, each OSPF packet is hashed using MD5 and configured key (this is called a keyed hash). Neighboring router does the same operation on received packet and if the hash values match packet is accepted and processed. If it doesn't packet is discarded.  

Authentication is enabled on per area and per interface basis. We can have area 1 with authentication, and area 2 without, configured on the same router. What's important to note is that we can have different keys on different interfaces belonging to the same area. This is important in situation when we want to exchange routes with a routing system we don't control. 

In order to enable authentication we need to enable it in router ospf configuration context and on each interface.  

Sample router configuration - enables authentication for area 1:

router ospf 1
 network area 1
 area 1 authentication

Sample interface configuration - enables MD5 authentication on F0/0:


interface FastEthernet0/0

 ip address

 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 testkey

On Cisco devices by default, once routing is enabled, routing information is propagated and accepted on all interfaces. In default configuration, Hello packets can be captured on access ports. This gives a potential attacker information about routing protocol in use. What's more important is that hello packets would also be accepted and processed on those ports. So let's suppose there is an OSPF Denial of Service vulnerability in Cisco IOS. At this point an attacker could crash our routers. I assume at this point we have already enabled authentication so our network would be immune to route injection attacks.

To help combat this problem, Cisco IOS implements "passive-interface" feature. Basically, routing information will not be sent out or accepted on an interface marked as passive.

There are two ways to implement this feature :

1. "passive-interface default" - marks all interfaces as passive, interfaces that should be part of routing system must be explicitly configured with "no passive-interface" command.

Sample configuration (sets all interface except f0/0 and f0/1 to passive mode):

router ospf 1
 passive-interface default
 no passive-interface f0/0
 no passive-interface f0/1

2. mark specific interfaces as passive:

router ospf 1
 passive-interface f0/0
 passive-interface f0/1

It is important to note that in both cases the configuration is performed in the OSPF process context and not interface context.

Access Control List (ACL) is another option to accomplish what passive interfaces would. (Though I find passive interface option much more manageable) We can apply ACLs blocking OSPF traffic on access ports or any ports as required. We need to apply them in both directions as we don't want OSPF traffic coming in or going out. 

Sample configuration:

access-list 101 deny ospf any any
interface f0/0
 ip access-group 101 in
 ip access-group 101 out

Route filtering should also be employed to protect routing systems. Filtering works best at topological edges such as WAN aggregation points. For example if we have 3 branch offices using network ranges of, and we can configure a filter  that will prevent any routing updates outside of range. This can generally be done effectively only on Area Border Routers or Autonomous System Border Routers.  OSPF route filtering is a complex and complicated subject which I'll cover some other time. 


Popular posts from this blog

x.509 Certificates - Critical vs non-critical extensions

Extensions are used to associate additional information with the user or the key.  Each certificate extension has three attributes - extnID, critical, extnValue extnID - Extension ID - an OID that specifies the format and definitions of the extension critical - Critical flag - Boolean value extnValue - Extension value  Criticality flag specifies whether the information in an extension is important. If an application doesn't recognize the extension marked as critical, the certificate cannot be accepted. If an extension is not marked as critical (critical value False) it can be ignored by an application. In Windows, critical extensions are marked with a yellow exclamation mark,  View certificate extensions using OpenSSL: # openssl x509 -inform pem -in cert.pem -text -noout (output abbreviated)         X509v3 extensions:             X509v3 Key Usage: critical                 Digital Signature, Key Encipherment             X509v3 Subject Key Identifier

Count number of lines - 'findstr'

How do I count number of lines in a command output? findstr /r/n "^" | find /c ":" Above commands will display number of lines output by whatever command (well, nearly whatever) you specify in the front.  For example:  C:\>ping localhost | findstr /r/n "^" | find /c ":" FINDSTR: // ignored 12 This comes handy if you want to find out how many OUs you have in Active Directory: dsquery ou  -limit 0 | findstr /r/n "^" | find /c ":" How many user accounts there are: dsquery user -limit 0 | findstr /r/n "^" | find /c ":" Computers: dsquery computer -limit | findstr /r/n "^" | find /c ":"

Cisco ASA Certificate Revocation Checking

ASA supports status verification using CRLs and OCSP. CRL can be retrieved using HTTP, LDAP or SCEP. Revocation checking using CRL: Over HTTP: ciscoasa(config)# crypto ca trustpoint ASDM_TrustPoint2 ciscoasa(config-ca-trustpoint)# revocation-check crl ciscoasa(config-ca-crl)# protocol http By default ASA will use address listed in CDP extension of the certificate that is being validated.  To override default behaviour we need to add the following in the CRL configuration context. ciscoasa(config-ca-crl)# policy static ciscoasa(config-ca-crl)# url 1 Over LDAP: Certificate I'm using for this lab, doesn't have LDAP address in its CDP extension. Therefore I'm using "policy static"  to specify LDAP URL where CRL can be retrieved.  ciscoasa(config)# crypto ca trustpoint ASDM_TrustPoint2 ciscoasa(config-ca-trustpoint)# revocation-check crl ciscoasa(config-ca-trustpoint)# crl configure ciscoasa