Skip to main content

Securing OSPF

There are multiple ways to secure OSPF.  The essential one is authentication. By default there isn't any validation to assure legitimacy of an OSPF topology update. Basically an attacker or a bored employee could install a physical router and become a member of a routing system. Alternately a tool such as LOKI (http://www.ernw.de/content/e6/e180/index_eng.html) could be used. LOKI provides a GUI and is very simple to use, I however found it a bit buggy. More on that can be found in my Attacking OSPF - route injection post.

Other tools that could be used include:
  •  SCAPY http://www.secdev.org/projects/scapy/ - very advanced and fairly complicated packet generation tool, to craft OSPF packets it requires OSPF extension
  • TCPREPLAY -  http://tcpreplay.synfin.net/ - a legitimate OSPF adjacency set up and database exchange could be captured, modified and replayed (I had limited success with this technique)
On a Cisco router we can use the following to secure our OSPF routing:
  • authentication
  • passive interfaces
  • access control list
  • route filtering
OSPF authentication is part of the protocol standard and should be inter operable between vendors.  We will focus on Cisco specific implementation.

There are three types of authentication supported by OSPF:
  • none (Type 0)
  • clear text (Type 1)
  • MD5 (Type 2)
Sample OSPF hello packets with different types of authentication enabled.
  • none

  • clear text (the key is "testkey")

  • MD5 

Clearly, MD5 is the way to go. When MD5 authentication is enabled, each OSPF packet is hashed using MD5 and configured key (this is called a keyed hash). Neighboring router does the same operation on received packet and if the hash values match packet is accepted and processed. If it doesn't packet is discarded.  

Authentication is enabled on per area and per interface basis. We can have area 1 with authentication, and area 2 without, configured on the same router. What's important to note is that we can have different keys on different interfaces belonging to the same area. This is important in situation when we want to exchange routes with a routing system we don't control. 


In order to enable authentication we need to enable it in router ospf configuration context and on each interface.  

Sample router configuration - enables authentication for area 1:


!
router ospf 1
 network 30.0.0.0 0.0.0.255 area 1
 area 1 authentication
!



Sample interface configuration - enables MD5 authentication on F0/0:


!

interface FastEthernet0/0

 ip address 30.0.0.2 255.0.0.0

 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 testkey
!

On Cisco devices by default, once routing is enabled, routing information is propagated and accepted on all interfaces. In default configuration, Hello packets can be captured on access ports. This gives a potential attacker information about routing protocol in use. What's more important is that hello packets would also be accepted and processed on those ports. So let's suppose there is an OSPF Denial of Service vulnerability in Cisco IOS. At this point an attacker could crash our routers. I assume at this point we have already enabled authentication so our network would be immune to route injection attacks.

To help combat this problem, Cisco IOS implements "passive-interface" feature. Basically, routing information will not be sent out or accepted on an interface marked as passive.

There are two ways to implement this feature :

1. "passive-interface default" - marks all interfaces as passive, interfaces that should be part of routing system must be explicitly configured with "no passive-interface" command.

Sample configuration (sets all interface except f0/0 and f0/1 to passive mode):

!
router ospf 1
 passive-interface default
 no passive-interface f0/0
 no passive-interface f0/1
!

2. mark specific interfaces as passive:

!
router ospf 1
 passive-interface f0/0
 passive-interface f0/1
!

It is important to note that in both cases the configuration is performed in the OSPF process context and not interface context.

Access Control List (ACL) is another option to accomplish what passive interfaces would. (Though I find passive interface option much more manageable) We can apply ACLs blocking OSPF traffic on access ports or any ports as required. We need to apply them in both directions as we don't want OSPF traffic coming in or going out. 

Sample configuration:

!
access-list 101 deny ospf any any
!
!
interface f0/0
 ip access-group 101 in
 ip access-group 101 out
!


Route filtering should also be employed to protect routing systems. Filtering works best at topological edges such as WAN aggregation points. For example if we have 3 branch offices using network ranges of 10.1.64.0/24, 10.1.65.0/24 and 10.1.66.0/24 we can configure a filter  that will prevent any routing updates outside of 10.1.64.0/22 range. This can generally be done effectively only on Area Border Routers or Autonomous System Border Routers.  OSPF route filtering is a complex and complicated subject which I'll cover some other time. 

Comments

Popular posts from this blog

x.509 Certificates - Critical vs non-critical extensions

Extensions are used to associate additional information with the user or the key.  Each certificate extension has three attributes - extnID, critical, extnValue extnID - Extension ID - an OID that specifies the format and definitions of the extension critical - Critical flag - Boolean value extnValue - Extension value  Criticality flag specifies whether the information in an extension is important. If an application doesn't recognize the extension marked as critical, the certificate cannot be accepted. If an extension is not marked as critical (critical value False) it can be ignored by an application. In Windows, critical extensions are marked with a yellow exclamation mark,  View certificate extensions using OpenSSL: # openssl x509 -inform pem -in cert.pem -text -noout (output abbreviated)         X509v3 extensions:             X509v3 Key Usage: critical                 Digital Signature, Key Encipherment             X509v3 Subject Key Identifier

DNS response and error types

In this post we explore common DNS response codes. We will cover the following responses: NOERROR SERVFAIL NXDOMAIN NODATA REFUSED Throughout article we’ll refer to the following RFCs: RFC 1034 - DOMAIN NAMES - CONCEPTS AND FACILITIES RFC 2308 - Negative Caching of DNS Queries (DNS NCACHE) RFC 2136 - Dynamic Updates in the Domain Name System (DNS UPDATE) RFC 8914 - Extended DNS Errors Response Codes - RCODEs The DNS RCODES are best defined in RFC2316 .  They signify what type of response was sent by the server. “RCODE   Response code - this four bit field is undefined in requests and set in responses.”   The table below shows the summary of the currently defined RCODEs. Mnemonic Val Description NOERROR 0 No error condition.

DNS blocking in Indonesia

DNS based censorship and domain blocking in Indonesia is very inconsistent among ISPs. There’s a government mandated black list which the ISPs operating in the country should enforce. However, Indonesia lacks centralised internet infrastructure and has many separate ISPs. In addition, the Indonesian government granted ISPs the authority to block content at their own discretion. All of this leads to a very inconsistent DNS blocking in Indonesia. Official DNS domain blacklist in Indonesia The Government mandated DNS blacklist is published in a redacted form and can be downloaded here: https://trustpositif.kominfo.go.id/ . This is where the blocked domains get redirected to. We can search the database and check if a domain is blocked. In the screenshot below we can see that a popular cryptocurrency exchange is blocked (Ada) and that wikipedia.org is not (Tidak Ada) - thanks to Google Translate. Examples of blocked DNS queries dig binance.com @182.253.45.122 ;; global options: +cmd ;; Got