Thursday, December 24, 2015

OSPFv3 task #3. Authentication

Topology:



Use configuration from OSPFv3 task #2 as initial configuration for this task.

Requirements: 

1. Configure authentication for Area 0. Authentication should apply to all existing interfaces in Area 0, except the R2-R3 segment, and also to any interfaces that may be added to the area in the future.
2. Use the strongest possible authentication method.
3. OSPF packets in Area 0 (except on segment R2-R3) should have an IPv6 Next Header value of 51.
4. An attacker who can capture packets on segment R1-R8 should not be able to read the OSPF packets from the capture.

Solution:


This task requires understanding of the OSPFv3 authentication configuration options (area level vs. interface level) and of the two IPsec protection types, ESP vs. AH.

Requirement #1 - authentication should be configured at the area level, so that it covers every interface in the area, including interfaces added later. Configure null authentication on segment R2-R3 to exclude that segment from the area-level configuration.
Requirement #2 - SHA-1 is considered stronger than MD5, so use SHA-1.
Requirement #3 - Use "ospf authentication", which protects packets with the AH header; the IPv6 Next Header value for AH is 51.
Requirement #4 - Use "ospf encryption", which uses ESP (Next Header value 50) and provides both authentication and encryption of the OSPF packets.
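The difference between requirements #3 and #4 is visible directly in a capture: with AH the OSPF header sits in the clear behind a Next Header of 51, with ESP only the SPI and sequence number are readable. The script below is an added example, not part of the original post and not a Cisco tool. It builds three constructed IPv6 packets matching the task's segments (router IDs, SPIs and addresses taken from the post; the Hello body, ICV and ciphertext are zero/filler placeholders), walks the Next Header chain and reports what an observer on the wire can read. No cryptographic verification is attempted.

```python
"""Classify OSPFv3 packets by their IPv6 Next Header chain (added example).

Shows what an unkeyed observer can read for the three protection modes used in
the task: none (segment R2-R3), AH (rest of Area 0) and ESP (segment R1-R8).
All packets here are constructed test data, not real captures.
"""
import ipaddress
import struct

NH_ESP = 50    # RFC 4303
NH_AH = 51     # RFC 4302
NH_OSPF = 89   # OSPF over IPv6 (RFC 5340)
EXT_HEADERS = {0, 43, 60}   # hop-by-hop, routing, destination options: (nh, len) prefix


def ipv6(next_header, payload, src, dst):
    """Minimal 40-byte IPv6 header (RFC 8200); hop limit 1 as OSPF uses."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 1,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload


def ospf_hello(router_id, area_id):
    """OSPFv3 header (RFC 5340 A.3.1): version 3, type 1 (Hello), then a dummy body."""
    body = b"\x00" * 20                       # constructed placeholder Hello body
    return struct.pack("!BBH4s4sHBB", 3, 1, 16 + len(body),
                       ipaddress.IPv4Address(router_id).packed,
                       ipaddress.IPv4Address(area_id).packed, 0, 0, 0) + body


def ah(spi, seq, inner):
    """AH header in front of an OSPFv3 packet; the 12-byte HMAC-SHA1-96 ICV is zeroed."""
    icv = b"\x00" * 12
    payload_len = (12 + len(icv)) // 4 - 2    # AH length in 32-bit words minus 2 -> 4
    return struct.pack("!BBHII", NH_OSPF, payload_len, 0, spi, seq) + icv + inner


def esp(spi, seq, ciphertext):
    """ESP: SPI and sequence are in the clear; next header and payload are ciphertext."""
    return struct.pack("!II", spi, seq) + ciphertext


def classify(pkt):
    """Walk the header chain and return what is visible without any key."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], 40
    while nh in EXT_HEADERS:                  # skip generic extension headers
        nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    info = {"next_header": nh, "protection": "none", "spi": None, "ospf": None}
    if nh == NH_AH:
        inner_nh, plen, _res, spi, _seq = struct.unpack_from("!BBHII", pkt, off)
        info.update(protection="AH", spi=spi)
        nh, off = inner_nh, off + (plen + 2) * 4
    elif nh == NH_ESP:
        info.update(protection="ESP", spi=struct.unpack_from("!I", pkt, off)[0])
        return info                           # everything after SPI/seq is ciphertext
    if nh == NH_OSPF:
        ver, ptype, _len, rid, aid = struct.unpack_from("!BBH4s4s", pkt, off)
        info["ospf"] = {"version": ver, "type": ptype,
                        "router_id": str(ipaddress.IPv4Address(rid)),
                        "area_id": str(ipaddress.IPv4Address(aid))}
    return info


def verdict(info):
    """Map a classification onto requirements #3 (Next Header 51) and #4 (unreadable)."""
    if info["protection"] == "ESP":
        return "ESP: integrity + confidentiality, OSPF header not readable"
    if info["protection"] == "AH":
        return "AH: integrity only, OSPF header readable"
    return "no IPsec: OSPF readable and unauthenticated"


# Constructed samples, one per segment of the task; IDs/addresses/SPIs from the post.
SAMPLES = {
    "R2-R3 (null auth)": ipv6(NH_OSPF, ospf_hello("11.0.2.2", "0.0.0.0"),
                              "fe80::a8bb:ccff:fe00:300", "ff02::5"),
    "R2-R1 (area 0, AH)": ipv6(NH_AH, ah(400, 1, ospf_hello("11.0.2.2", "0.0.0.0")),
                               "fe80::a8bb:ccff:fe00:310", "ff02::5"),
    "R1-R8 (ESP)": ipv6(NH_ESP, esp(300, 1, b"\xa5" * 48),   # filler ciphertext
                        "2001:11:0:18::1", "ff02::5"),
}


def audit_capture(samples=SAMPLES):
    """Return {segment: (next_header, verdict)} for every packet."""
    out = {}
    for name, pkt in samples.items():
        info = classify(pkt)
        out[name] = (info["next_header"], verdict(info))
    return out


if __name__ == "__main__":
    for seg, (nh, text) in audit_capture().items():
        print(f"{seg:22s} next-header {nh:3d}  {text}")
```

Run stand-alone it prints one line per segment; only the R1-R8 packet yields no OSPF fields, which is exactly what requirement #4 asks for, while the area 0 packet still exposes router ID and area ID even though it is integrity-protected.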

R1:

!
ipv6 router ospf 1
 router-id 11.0.1.1
 auto-cost reference-bandwidth 40000
 area 0 authentication ipsec spi 400 sha1 7 025756085F535976141759485744465E5A53727274796166764651415B5806080A00005B554F4E0008
 distance ospf external 180
!
!
interface Ethernet1/0
 ipv6 address 2001:11:0:18::1/64
 ipv6 ospf encryption ipsec spi 300 esp aes-cbc 128 7 040A59555B741A1951405546405858517C7C7C7163647040534355560E00080206 sha1 7 12485744465E5A53727274796166764651415B5806080A00005B554F4E000806010101015D0C5E5E08
 ipv6 ospf 1 area 2
 ipv6 ospf network point-to-multipoint
!

R2:


!
ipv6 router ospf 1
 router-id 11.0.2.2
 auto-cost reference-bandwidth 40000
 area 3 virtual-link 11.0.4.4
 area 0 authentication ipsec spi 400 sha1 7 091D1C5A4D5041455355547B79777C6663754B5E465253050D0D0503565A48470B0B030604020C520B
 distance ospf external 180
!
! Segment R2-R3: null authentication on the interface overrides the area-level setting
interface Ethernet0/0
 ipv6 ospf authentication null
!

R3:


!
router ospfv3 CCIE
 router-id 11.0.3.3
 auto-cost reference-bandwidth 40000
 distance ospfv3 external 180
 area 0
  authentication ipsec spi 400 sha1 password 03550958525A771B1650495445415F59527D737D7862677147524054590F090901075A564E41010107
  interface Loopback0
   network point-to-point
  !
  interface GigabitEthernet0/0/0/0
  !
  interface GigabitEthernet0/0/0/1
   authentication disable
  !
 !
 area 3
  virtual-link 11.0.5.5
  !
  interface GigabitEthernet0/0/0/2
  !
 !
!

R8:


!
interface Ethernet0/0
 ipv6 address 2001:11:0:18::8/64
 ipv6 ospf encryption ipsec spi 300 esp aes-cbc 128 7 03550958525A771B1650495445415F59527D737D7862677147524054590F090901 sha1 7 025756085F535976141759485744465E5A53727274796166764651415B5806080A00005B554F4E0008
 ipv6 ospf 1 area 2
 ipv6 ospf network point-to-multipoint
!

Verification:

R8#show ipv6 ospf interface eth0/0
Ethernet0/0 is up, line protocol is up
  Link Local Address FE80::A8BB:CCFF:FE00:400, Interface ID 3
  Area 2, Process ID 1, Instance ID 0, Router ID 11.0.8.8
  Network Type POINT_TO_MULTIPOINT, Cost: 4000
  AES-CBC-128 encryption SHA-1 auth SPI 300, secure socket UP (errors: 0)
  Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
    Hello due in 00:00:02
  Graceful restart helper support enabled
  Index 1/2/2, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 5, maximum is 5
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 11.0.1.1
  Suppress hello for 0 neighbor(s)

R2#show ipv6 ospf interface ethernet 0/0
Ethernet0/0 is up, line protocol is up
  Link Local Address FE80::A8BB:CCFF:FE00:300, Interface ID 3
  Area 0, Process ID 1, Instance ID 0, Router ID 11.0.2.2
  Network Type BROADCAST, Cost: 4000
  authentication NULL
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 11.0.2.2, local address FE80::A8BB:CCFF:FE00:300
  Backup Designated router (ID) 11.0.3.3, local address FE80::250:56FF:FE3A:3264
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:04
  Graceful restart helper support enabled
  Index 1/1/1, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 2, maximum is 12
  Last flood scan time is 0 msec, maximum is 1 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 11.0.3.3  (Backup Designated Router)
  Suppress hello for 0 neighbor(s)


R2#show ipv6 ospf interface ethernet 0/1
Ethernet0/1 is up, line protocol is up
  Link Local Address FE80::A8BB:CCFF:FE00:310, Interface ID 4
  Area 0, Process ID 1, Instance ID 0, Router ID 11.0.2.2
  Network Type BROADCAST, Cost: 4000
  SHA-1 authentication (Area) SPI 400, secure socket UP (errors: 0)
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 11.0.2.2, local address FE80::A8BB:CCFF:FE00:310
  Backup Designated router (ID) 11.0.1.1, local address FE80::A8BB:CCFF:FE00:610
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:08
  Graceful restart helper support enabled
  Index 1/2/2, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 15
  Last flood scan time is 0 msec, maximum is 1 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 11.0.1.1  (Backup Designated Router)
  Suppress hello for 0 neighbor(s)
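The same checks can be run mechanically over "show ipv6 ospf interface" output, which is useful once the area has more interfaces than can be eyeballed. The script below is an added example, not from the original post or from Cisco: it parses each interface block and flags an Area 0 interface that is not protected by area-level AH (requirements #1 and #3), the R1-R8 segment if it is not encrypted (#4), any MD5 keying (#2) and any secure socket that is not UP with zero errors. SHOW_OUTPUT is condensed from the post's verification output plus one constructed interface (Ethernet1/1 with MD5) so that requirement #2 has something to catch; the MD5 line format and the exclusion/encryption interface lists are assumptions.

```python
"""Audit 'show ipv6 ospf interface' output against the task's requirements (added example).

Not from the original post or Cisco. SHOW_OUTPUT is condensed from the post's output
plus one constructed block (Ethernet1/1, MD5); the MD5 line format is an assumption.
"""
import re

SHOW_OUTPUT = """\
Ethernet0/0 is up, line protocol is up
  Area 0, Process ID 1, Instance ID 0, Router ID 11.0.2.2
  Network Type BROADCAST, Cost: 4000
  authentication NULL
Ethernet0/1 is up, line protocol is up
  Area 0, Process ID 1, Instance ID 0, Router ID 11.0.2.2
  Network Type BROADCAST, Cost: 4000
  SHA-1 authentication (Area) SPI 400, secure socket UP (errors: 0)
Ethernet1/0 is up, line protocol is up
  Area 2, Process ID 1, Instance ID 0, Router ID 11.0.1.1
  Network Type POINT_TO_MULTIPOINT, Cost: 4000
  AES-CBC-128 encryption SHA-1 auth SPI 300, secure socket UP (errors: 0)
Ethernet1/1 is up, line protocol is up
  Area 0, Process ID 1, Instance ID 0, Router ID 11.0.1.1
  Network Type BROADCAST, Cost: 4000
  MD5 authentication (Area) SPI 500, secure socket UP (errors: 0)
"""

# Assumed mapping of the task's segments onto interface names: R2-R3 is exempt from
# Area 0 authentication, R1-R8 must be encrypted.
EXCLUDED = frozenset({"Ethernet0/0"})
CONFIDENTIAL = frozenset({"Ethernet1/0"})

IFACE_RE = re.compile(r"^(\S+) is \S+, line protocol is \S+")
AREA_RE = re.compile(r"^\s+Area (\S+), Process ID")
NULL_RE = re.compile(r"^\s+authentication NULL\s*$")
AH_RE = re.compile(r"^\s+(SHA-1|MD5) authentication(?: \((\w+)\))? SPI (\d+),"
                   r" secure socket (\w+) \(errors: (\d+)\)")
ESP_RE = re.compile(r"^\s+(\S+) encryption (SHA-1|MD5) auth SPI (\d+),"
                    r" secure socket (\w+) \(errors: (\d+)\)")


def parse(text):
    """Return one dict per interface block: area, IPsec mode, scope, hash, SPI, socket."""
    ifaces, cur = [], None
    for line in text.splitlines():
        if (m := IFACE_RE.match(line)):
            cur = {"iface": m.group(1), "area": None, "mode": "none", "scope": None,
                   "hash": None, "spi": None, "socket": None, "errors": None}
            ifaces.append(cur)
        elif cur is None:
            continue
        elif (m := AREA_RE.match(line)):
            cur["area"] = m.group(1)
        elif NULL_RE.match(line):
            cur["mode"] = "none"
        elif (m := AH_RE.match(line)):
            cur.update(mode="AH", hash=m.group(1), scope=m.group(2), spi=int(m.group(3)),
                       socket=m.group(4), errors=int(m.group(5)))
        elif (m := ESP_RE.match(line)):
            cur.update(mode="ESP", hash=m.group(2), spi=int(m.group(3)),
                       socket=m.group(4), errors=int(m.group(5)))
    return ifaces


def audit(ifaces, excluded=EXCLUDED, confidential=CONFIDENTIAL):
    """Return a list of findings; an empty list means all four requirements hold."""
    findings = []
    for i in ifaces:
        name = i["iface"]
        if i["area"] == "0" and name not in excluded:
            if i["mode"] != "AH":                 # req #3: AH gives Next Header 51
                findings.append(f"{name}: area 0 interface without AH (mode {i['mode']})")
            elif i["scope"] != "Area":            # req #1: must come from area-level config
                findings.append(f"{name}: AH configured per interface, not at area level")
        if name in confidential and i["mode"] != "ESP":   # req #4
            findings.append(f"{name}: segment must be encrypted (ESP), mode is {i['mode']}")
        if i["mode"] != "none":
            if i["hash"] != "SHA-1":              # req #2: strongest available hash
                findings.append(f"{name}: {i['hash']} keying, SHA-1 required")
            if i["socket"] != "UP" or i["errors"]:
                findings.append(f"{name}: secure socket {i['socket']} with {i['errors']} errors")
    return findings


if __name__ == "__main__":
    for finding in audit(parse(SHOW_OUTPUT)) or ["no findings"]:
        print(finding)
```

On the sample text the only finding is the constructed MD5 interface; the three blocks taken from the post pass all checks. Swapping SHOW_OUTPUT for the real command output of each router (one run per router, with EXCLUDED and CONFIDENTIAL adjusted to that router's interface names) gives a repeatable post-change check.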

