Router Security Configuration Guide, Version 1.0g (UNCLASSIFIED), page 88
the network segment. When a sending router builds an OSPF packet, it "signs" the packet by placing the key as plaintext in the OSPF header. The receiving router then compares the received key against the key in memory. If the keys match, the router accepts the packet; otherwise, it rejects the packet. This method provides little security because the key travels in plaintext in every packet: anyone running a network sniffer on the right LAN segment can read the secret key. Once an attacker captures the key, they can pose as a trusted router.

The second, and more secure, method is message digest authentication. The figure below shows the example network from Figure 4-1 with its routing protocols.
Figure 4-3: A Simple OSPF Routing Architecture
In this example, routers North, East, and Central all share the same secret key, r0utes-4-all, with a Key ID of 1. Each of these routers authenticates to the others using the MD5 message digest authentication method, whose cryptographic authentication type is denoted by a value of 2. Figure 4-4 shows how East authenticates to North. East first builds an OSPF packet, both header and body. It
Figure 4-3 diagram labels: OSPF Area 0 with routers Central, East, North, and South; Internet; Facility Network 14.1.0.0/16; Second Floor 14.2.9.0/24 and 14.2.10.0/24; 14.2.6.0/24; RIP; Autonomous System Border Router (ASBR); interface addresses 14.2.10.250/24, 14.2.9.64/24, 14.2.9.250/24, 14.1.15.250/16, 14.1.1.250/16, 14.2.6.250/24, 14.1.1.20/16.
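The contrast between the two authentication methods above, as an added Python example that is not part of the guide: it builds an OSPFv2 Hello header with AuType 1 (plaintext password) and with AuType 2 (MD5 digest per RFC 2328 Appendix D), and shows the receiver-side digest check. The Router ID, Hello body, and zero-padding of keys shorter than 16 bytes are assumptions made for the example; the key r0utes-4-all and Key ID 1 follow the scenario in the text.

```python
import hashlib
import hmac
import struct

# Constructed values following the guide's Figure 4-3 scenario: shared secret
# r0utes-4-all, Key ID 1, AuType 2 (cryptographic). The Router ID and the
# Hello body are illustrative, not taken from any real device.
KEY = b"r0utes-4-all"
KEY_ID = 1
AUTYPE_SIMPLE, AUTYPE_CRYPTO = 1, 2

def ospf_header(autype, auth_field, length, router_id=b"\x0e\x01\x01\xfa"):
    # OSPFv2 header (RFC 2328 A.3.1): version 2, type 1 (Hello), packet length,
    # Router ID, Area ID 0.0.0.0, checksum 0, AuType, 8-byte Authentication field.
    return (struct.pack("!BBH", 2, 1, length) + router_id + b"\0\0\0\0"
            + struct.pack("!HH", 0, autype) + auth_field)

def hello_body():
    # Minimal 20-byte Hello: mask, HelloInterval, Options, Priority, DeadInterval, DR, BDR.
    return struct.pack("!4sHBBI4s4s", b"\xff\xff\xff\0", 10, 0x02, 1, 40, b"\0" * 4, b"\0" * 4)

def simple_auth_packet(password, body):
    # AuType 1: the 64-bit password sits in cleartext in the Authentication field.
    return ospf_header(AUTYPE_SIMPLE, password[:8].ljust(8, b"\0"), 24 + len(body)) + body

def md5_auth_packet(key, key_id, seq, body):
    # AuType 2 (RFC 2328 D.4.3): Authentication field = 0, Key ID, auth data
    # length 16, cryptographic sequence number. The digest is MD5 over the packet
    # followed by the 16-byte key (shorter keys zero-padded here, an assumption)
    # and is appended after the packet; the OSPF length field excludes the digest.
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = ospf_header(AUTYPE_CRYPTO, auth, 24 + len(body)) + body
    return pkt + hashlib.md5(pkt + key.ljust(16, b"\0")).digest()

def verify_md5_auth(packet, keys):
    # Receiver side: select the key by Key ID, recompute the digest over the
    # packet minus its trailing 16 bytes, and compare in constant time.
    length = struct.unpack("!H", packet[2:4])[0]
    autype = struct.unpack("!H", packet[14:16])[0]
    key_id, auth_len = packet[18], packet[19]
    if autype != AUTYPE_CRYPTO or auth_len != 16 or len(packet) != length + 16 or key_id not in keys:
        return False
    expected = hashlib.md5(packet[:length] + keys[key_id].ljust(16, b"\0")).digest()
    return hmac.compare_digest(expected, packet[length:])

def key_visible_on_wire(packet, key):
    # What a sniffer on the segment sees: True if the secret appears verbatim.
    return key[:8] in packet
```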