OSPF/OSPFv3

Security Policy

OSPF/OSPFv3 packet authentication

OSPF/OSPFv3 supports packet authentication. Only authenticated packets are accepted; a packet that fails authentication is discarded, so a neighbor relationship cannot be established with a router that uses a different authentication mode or key. When area authentication is used, all routers in an area must be configured with the same area authentication mode and password. Interface authentication is implemented by setting an authentication mode and password between neighboring routers on a link. If both are configured, interface authentication takes precedence over area authentication.

OSPFv3 IPsec

RFC 4552 (Authentication/Confidentiality for OSPFv3) defines the use of the IP Security (IPsec) protocols AH and ESP to authenticate, and optionally encrypt, OSPFv3 packets. The OSPFv3 packet header carries no authentication field of its own; integrity is provided either by IPsec, as described here, or by the HMAC-SHA256/HMAC-SM3 authentication modes described in the configuration section.

  • Confidentiality: ESP is used to encrypt OSPFv3 packets. When confidentiality is enabled, a device discards OSPFv3 packets that are not protected by ESP and packets that fail ESP processing.

  • Data authentication: When OSPFv3 IPsec authentication is enabled, a device discards OSPFv3 packets that are not protected by AH or ESP and packets whose integrity check value (ICV) fails verification.

An SA is bound to a link, not to an OSPFv3 instance: all OSPFv3 instances running over the same interface use the same SA, and the routers on that link must therefore share the SPI and key.

Once IPsec is enabled, OSPFv3 sends its packets with IPsec protection and instructs the lower layers to verify received packets against the SA. The lower layers check every received OSPFv3 packet and silently discard any packet that fails verification; no error is returned to the sender.

Attack Methods

OSPF

OSPF is attacked mainly with forged packets. Configuring authentication lets a router identify and discard them.

An attacker may use the following methods to initiate attacks:

  • Set the age of an LSA to MaxAge (premature aging) so that all routers flush it from their link-state databases.

  • Advertise forged LSAs carrying the maximum sequence number, or packets that closely resemble valid LSAs, so that they are treated as newer than the legitimate ones.

  • Manipulate the cryptographic sequence number while it is reset during a neighbor router restart, so that replayed or forged packets are accepted.

  • Alter the neighbor list in a Hello packet so that a neighbor relationship is not established or is torn down.
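The packet authentication that defends against the forged-packet and replay methods above, worked as code. This is an added example, not code from the original page or from the vendor: a minimal OSPFv2 Hello is signed with the MD5 trailer of RFC 2328 Appendix D or the HMAC-SHA-256 trailer of RFC 5709, and a modelled receiving router rejects unauthenticated packets, modified packets, packets signed with a wrong key, and replays of an older packet, using the cryptographic sequence number. The router IDs, keys and the Receiver class are assumptions made for the illustration; the HMAC path uses Python's hmac module, whose key handling matches RFC 5709 for keys of at most 32 octets.

```python
"""OSPFv2 cryptographic authentication trailer: sign, verify and replay check.

Added example, not code from the original page. It builds a minimal OSPFv2
Hello, appends the cryptographic authentication trailer (MD5 per RFC 2328
Appendix D, or HMAC-SHA-256 per RFC 5709) and models the receiving router,
which drops unauthenticated packets, packets with a bad digest and packets
whose cryptographic sequence number went backwards (replayed packets).
"""
import hashlib
import hmac
import struct

# 24-byte OSPFv2 header; with AuType 2 the 8-byte Authentication field carries
# (reserved, key id, auth data length, cryptographic sequence number).
OSPF_HDR = struct.Struct("!BBHIIHH")   # version, type, length, router id, area id, checksum, autype
AUTH_FIELD = struct.Struct("!HBBI")
AU_CRYPT = 2
APAD_SHA256 = bytes.fromhex("878FE1F3") * 8   # RFC 5709 Apad, L = 32 octets for SHA-256


def md5_digest(packet, key):
    """RFC 2328 Appendix D: MD5 over the packet followed by the key zero-padded to 16 octets."""
    return hashlib.md5(packet + key.ljust(16, b"\x00")[:16]).digest()


def hmac_sha256_digest(packet, key):
    """RFC 5709: the trailer is filled with Apad and HMAC-SHA-256 is computed over packet || Apad.
    Python's hmac zero-pads the key, which equals the RFC 5709 key preparation for keys <= 32 octets."""
    return hmac.new(key, packet + APAD_SHA256, hashlib.sha256).digest()


ALGORITHMS = {"md5": (md5_digest, 16), "hmac-sha256": (hmac_sha256_digest, 32)}


def build_hello(router_id, area_id, key_id, seq, alg):
    """Minimal Hello body (mask, hello interval, options, priority, dead interval, DR, BDR, no neighbors)."""
    body = struct.pack("!IHBBIII", 0xFFFFFF00, 10, 0x02, 1, 40, 0, 0)
    length = OSPF_HDR.size + AUTH_FIELD.size + len(body)   # the digest is not counted in the length
    header = OSPF_HDR.pack(2, 1, length, router_id, area_id, 0, AU_CRYPT)   # checksum is 0 for AuType 2
    return header + AUTH_FIELD.pack(0, key_id, ALGORITHMS[alg][1], seq) + body


def sign(packet, alg, key):
    """What the sender transmits: the packet followed by its message digest."""
    return packet + ALGORITHMS[alg][0](packet, key)


class Receiver:
    """Receive-side state of one router: its key table and the last sequence number per neighbor."""

    def __init__(self, keys):
        self.keys = keys        # key id -> (algorithm, key); must match the neighbor's configuration
        self.last_seq = {}      # neighbor router id -> last accepted cryptographic sequence number

    def receive(self, datagram):
        """Return 'accept' or a 'reject: ...' reason, following the checks of RFC 2328 D.4.3."""
        _, _, length, router_id, _, _, autype = OSPF_HDR.unpack_from(datagram)
        if autype != AU_CRYPT:
            return "reject: packet is not cryptographically authenticated"
        _, key_id, auth_len, seq = AUTH_FIELD.unpack_from(datagram, OSPF_HDR.size)
        if key_id not in self.keys:
            return "reject: unknown key id"
        alg, key = self.keys[key_id]
        digest_fn, digest_len = ALGORITHMS[alg]
        if auth_len != digest_len or len(datagram) != length + auth_len:
            return "reject: malformed authentication trailer"
        packet, digest = datagram[:length], datagram[length:]
        if not hmac.compare_digest(digest, digest_fn(packet, key)):
            return "reject: digest mismatch (forged, modified or wrong-key packet)"
        # The sequence number must not decrease; replaying an older captured packet fails here.
        if seq < self.last_seq.get(router_id, 0):
            return "reject: cryptographic sequence number went backwards (replay)"
        self.last_seq[router_id] = seq
        return "accept"


def demo():
    """Constructed scenario (assumed values): R1 10.0.0.1 sends to R2 with key id 1, HMAC-SHA-256."""
    key, alg = b"s3cret-ospf-key", "hmac-sha256"
    r2 = Receiver({1: (alg, key)})
    p5 = sign(build_hello(0x0A000001, 0, 1, 5, alg), alg, key)
    p6 = sign(build_hello(0x0A000001, 0, 1, 6, alg), alg, key)
    tampered = p6[:28] + struct.pack("!H", 1) + p6[30:]             # hello interval changed in flight
    wrong_key = sign(build_hello(0x0A000001, 0, 1, 7, alg), alg, b"guess")
    unauthenticated = p6[:14] + b"\x00\x00" + p6[16:]                # AuType rewritten to 0 (null)
    return [r2.receive(p) for p in (p5, p6, p5, tampered, wrong_key, unauthenticated)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The receiver follows RFC 2328 in accepting a sequence number equal to the last one seen, so a repeat of the most recent packet is tolerated; only older packets are rejected as replays. Note that the digest check alone does not stop replay: the third packet in the scenario has a valid digest and is rejected purely on its sequence number, which is why the "sequence number reset during restart" attack above matters.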

OSPFv3

  • DoS attacks

    During a DoS attack, the router receives a flood of OSPFv3 protocol packets from remote sources. The packets are processed by an I/O board and punted to the main control board, where OSPFv3 eventually drops them. This wastes bandwidth and CPU resources and reduces system performance.

  • Injection of incorrect routing information

    Without authentication, OSPFv3 accepts any packet that appears to come from a valid source. A device can therefore be attacked with OSPFv3 packets carrying invalid or incorrect routing information, which corrupts the link-state database and causes network failures. OSPFv3 IPsec authentication prevents this problem. When IPsec is configured on both communicating neighbors, OSPFv3 processes only packets that pass authentication, so incorrect routing data from unauthenticated neighbors is never accepted.

Configuration and Maintenance Methods

  • Configure OSPF area authentication.

    1. Run system-view

      The system view is displayed.

    2. Run ospf [ process-id ]

      The OSPF view is displayed.

    3. Run area area-id

      The OSPF area view is displayed.

    4. Run any of the following commands:
      • To configure simple authentication for the OSPF area, run the authentication-mode simple [ [ plain ] plain-text | [ cipher ] cipher-text ] command. Simple authentication carries the password in cleartext in every OSPF packet, so it protects only against misconfiguration, not against an attacker on the link.

      • To configure ciphertext authentication for the OSPF area, run the authentication-mode { md5 | hmac-md5 | hmac-sha256 } [ key-id { plain plain-text | [ cipher ] cipher-text } ] command.

      • To configure keychain authentication for the OSPF area, run the authentication-mode keychain keychain-name command.

        Before using keychain authentication, you need to run the keychain command to create a keychain, and then run the key-id, key-string, and algorithm commands to configure a key ID, a password, and an authentication algorithm, respectively, for this keychain. Otherwise, OSPF authentication will fail.

        For security reasons, HMAC-SHA256 is recommended over MD5 and HMAC-MD5.

    5. Run commit

      The configuration is committed.

  • Configure OSPF interface authentication.

    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The OSPF interface view is displayed.

    3. Run any of the following commands:
      • To configure simple authentication for the OSPF interface, run the ospf authentication-mode simple [ [ plain ] plain-text | [ cipher ] cipher-text ] command. Simple authentication carries the password in cleartext in every OSPF packet, so it protects only against misconfiguration, not against an attacker on the link.

      • To configure ciphertext authentication for the OSPF interface, run the ospf authentication-mode { md5 | hmac-md5 | hmac-sha256 } [ key-id { plain plain-text | [ cipher ] cipher-text } ] command.

      • To configure keychain authentication for the OSPF interface, run the ospf authentication-mode keychain keychain-name command.

        Before using keychain authentication, you need to run the keychain command to create a keychain, and then run the key-id, key-string, and algorithm commands to configure a key ID, a password, and an authentication algorithm, respectively, for this keychain. Otherwise, OSPF authentication will fail.

        For security reasons, HMAC-SHA256 is recommended over MD5 and HMAC-MD5.

      • Run ospf authentication-mode null

        The OSPF interface does not perform authentication. Because interface authentication takes precedence over area authentication, any forged packet is then accepted on this interface even if area authentication is configured.

    4. Run commit

      The configuration is committed.

  • Configure OSPFv3 area authentication.

    1. Run system-view

      The system view is displayed.

    2. Run ospfv3 [ process-id ]

      The OSPFv3 view is displayed.

    3. Run area area-id

      The OSPFv3 area view is displayed.

    4. Configure an authentication mode for the OSPFv3 area as required.
      • To configure the HMAC-SHA256 or HMAC-SM3 authentication mode for the OSPFv3 area, run the authentication-mode { hmac-sha256 | hmac-sm3 } key-id KeyId { plain PlainText | [ cipher ] CipherText } command.

        If you choose plain, the password is saved in cleartext in the configuration file, which is a high security risk. To improve system security, choose cipher so that the password is stored in ciphertext, and change the password periodically.

    5. Run commit

      The configuration is committed.

  • Configure OSPFv3 process authentication.

    1. Run system-view

      The system view is displayed.

    2. Run ospfv3 [ process-id ]

      The OSPFv3 view is displayed.

    3. Configure an authentication mode for the OSPFv3 process as required.
      • To configure the HMAC-SHA256 or HMAC-SM3 authentication mode for the OSPFv3 process, run the authentication-mode { hmac-sha256 | hmac-sm3 } key-id KeyId { plain PlainText | [ cipher ] CipherText } command.

        If you choose plain, the password is saved in cleartext in the configuration file, which is a high security risk. To improve system security, choose cipher so that the password is stored in ciphertext, and change the password periodically.

    4. Run commit

      The configuration is committed.

  • Configure OSPFv3 interface authentication.

    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Configure an authentication mode for the OSPFv3 interface as required.
      • To configure the HMAC-SHA256 or HMAC-SM3 authentication mode for the OSPFv3 interface, run the ospfv3 authentication-mode { hmac-sha256 | hmac-sm3 } key-id KeyId { plain PlainText | [ cipher ] CipherText } [ instance instanceId ] command.

        If you choose plain, the password is saved in cleartext in the configuration file, which is a high security risk. To improve system security, choose cipher so that the password is stored in ciphertext, and change the password periodically.

    4. Run commit

      The configuration is committed.
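The OSPF and OSPFv3 authentication procedures above each end with a choice that is either sound (hmac-sha256, hmac-sm3, a keychain, a cipher password) or weak (simple, null, md5, hmac-md5, a plain password). The following audit script is an added example, not code from the original page or from the vendor: it scans the authentication-mode, ospf authentication-mode and ospfv3 authentication-mode commands, exactly as documented in the procedures, in a constructed configuration extract and reports every weak choice, plus areas that carry no process or area authentication at all. The sample configuration, its interface names and its placeholder cipher strings are constructed for the example.

```python
"""Audit a VRP configuration extract for weak or missing OSPF/OSPFv3 authentication.

Added example, not code from the original page. It scans the commands listed in
the procedures above (authentication-mode, ospf authentication-mode,
ospfv3 authentication-mode) in a constructed 'display current-configuration'
extract and reports simple and null authentication, MD5/HMAC-MD5 digests,
passwords stored with 'plain', and areas that carry no authentication at all.
"""
import re

# Constructed sample configuration; the cipher text is a placeholder, not a real VRP cipher string.
SAMPLE_CONFIG = """\
#
ospf 1
 area 0.0.0.0
  authentication-mode md5 1 cipher %^%#PlaceholderCipherText%^%#
 area 0.0.0.1
  authentication-mode keychain kc-ospf
 area 0.0.0.2
#
ospfv3 1
 authentication-mode hmac-sha256 key-id 1 cipher %^%#PlaceholderCipherText%^%#
 area 0.0.0.0
#
interface GigabitEthernet0/0/1
 ospf authentication-mode simple plain hello123
#
interface GigabitEthernet0/0/2
 ospf authentication-mode null
#
interface GigabitEthernet0/0/3
 ospf authentication-mode hmac-sha256 1 cipher %^%#PlaceholderCipherText%^%#
 ospfv3 authentication-mode hmac-sm3 key-id 2 plain Huawei@123 instance 0
#
"""

AUTH_RE = re.compile(r"^(?:(?:ospf|ospfv3)\s+)?authentication-mode\s+(\S+)(.*)$")
PROCESS_RE = re.compile(r"^(?:ospf|ospfv3)\s+\d+$")
WEAK_MODES = {
    "simple": "HIGH: simple authentication sends the password in cleartext in every packet",
    "null": "HIGH: authentication disabled on this interface",
    "md5": "MEDIUM: MD5 digest; migrate to hmac-sha256 (directly or via a keychain)",
    "hmac-md5": "MEDIUM: HMAC-MD5 digest; migrate to hmac-sha256 (directly or via a keychain)",
}
PLAIN_FINDING = "HIGH: password stored in cleartext ('plain') in the configuration file"
NO_AUTH_FINDING = "INFO: no process or area authentication; relies on interface authentication, if any"


def audit(config_text):
    """Return (scope, finding) tuples in configuration order; scope is the process, area or interface."""
    findings = []
    scope = process = None
    areas = {}              # area scope -> owning process scope
    authenticated = set()   # process, area and interface scopes that carry an authentication-mode command
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":                      # VRP section separator: leave the current view
            scope = process = None
        elif PROCESS_RE.match(line):
            process = scope = line
        elif line.startswith("interface "):
            scope = line
        elif line.startswith("area ") and process:
            scope = f"{process} {line}"
            areas[scope] = process
        else:
            m = AUTH_RE.match(line)
            if not m or scope is None:
                continue
            mode, rest = m.group(1), m.group(2)
            authenticated.add(scope)
            if mode in WEAK_MODES:
                findings.append((scope, WEAK_MODES[mode]))
            if re.search(r"\bplain\b", rest):
                findings.append((scope, PLAIN_FINDING))
    for area_scope, proc in areas.items():
        if area_scope not in authenticated and proc not in authenticated:
            findings.append((area_scope, NO_AUTH_FINDING))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```

Area 0.0.0.0 of process ospfv3 1 produces no finding because the process-level authentication-mode covers it, while area 0.0.0.2 of process ospf 1 is reported: it has neither process nor area authentication, and whether its interfaces are protected depends on interface-level commands the script reports separately.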

  • OSPFv3 IPsec authentication

    1. Configure an IPsec proposal.
      1. Run system-view

        The system view is displayed.

      2. Run ipsec proposal proposal-name

        An IPsec proposal is created, and the IPsec proposal view is displayed.

      3. (Optional) Run transform { ah | esp | ah-esp }

        A security protocol is configured.

      4. Run esp authentication-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 }

        An authentication algorithm used for ESP is configured.

        To ensure high security, do not use the MD5 algorithm as the ESP authentication algorithm; prefer sha2-256 or stronger.

        You can configure an authentication algorithm for a security protocol only after the security protocol is selected using the transform command.

      5. Run esp encryption-algorithm { 3des | des | aes [ 128 | 192 | 256 ] }

        An encryption algorithm used for ESP is configured.

        DES and 3DES offer low security and may bring security risks. Where the peer supports it, use a more secure encryption algorithm such as AES.

      6. Run encapsulation-mode transport

        The packet encapsulation mode is configured. OSPFv3 IPsec uses transport mode: the AH or ESP header is inserted between the IPv6 header and the OSPFv3 packet, and no outer IP header is added.

      7. Run commit

        The configuration is committed.

    2. Configure an IPsec SA.
      1. Run system-view

        The system view is displayed.

      2. Run ipsec sa sa-name

        An SA is created, and the IP security association view is displayed.

      3. Run proposal proposal-name

        A proposal is applied to the SA.

      4. Run sa spi { inbound | outbound } { ah | esp } spi-number

        Security parameter indexes (SPIs) are configured.

        The SPI, together with the security protocol, identifies the SA. The sender places it in the AH or ESP header of every outgoing packet, and the receiver uses it to look up the SA with which incoming packets are verified. The inbound SPI on one router must match the outbound SPI on its neighbor, and vice versa.

      5. Run either of the following commands:
        • To configure an authentication key in the format of hexadecimal numerals, run the sa authentication-hex { inbound | outbound } { ah | esp } [ cipher ] hex-cipher-key command.

        • To configure an authentication key in the format of a character string, run the sa string-key { inbound | outbound } { ah | esp } [ cipher ] string-cipher-key command.

        The inbound key on one router must match the outbound key on its neighbor. A mismatch is not reported by OSPFv3: packets are silently discarded and the neighbor relationship does not come up.

      6. Run commit

        The configuration is committed.

    3. Enable OSPFv3 IPsec.
      • Enable IPsec in the OSPFv3 process.
        1. Run system-view

          The system view is displayed.

        2. Run ospfv3 [ process-id ]

          The OSPFv3 view is displayed.

        3. Run ipsec sa sa-name

          The SA is enabled in the OSPFv3 process.

          An OSPFv3 process can be associated with multiple OSPFv3 areas. An SA applied in the OSPFv3 process is used in all associated areas that do not specify an SA of their own.

        4. Run commit

          The configuration is committed.

      • Enable IPsec in an OSPFv3 area.
        1. Run system-view

          The system view is displayed.

        2. Run ospfv3 [ process-id ]

          The OSPFv3 view is displayed.

        3. Run area area-id

          The OSPFv3 area view is displayed.

        4. Run ipsec sa sa-name

          The SA is enabled in the OSPFv3 area.

          The SA configured on an OSPFv3 area takes precedence over that configured in an OSPFv3 process.

        5. Run commit

          The configuration is committed.
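The OSPFv3 IPsec mechanism described in the Security Policy section and configured by the procedure above (a manually keyed SA with an SPI and a string key, AH in transport mode), modelled on the wire. This is an added example, not code from the original page or from the vendor: each OSPFv3 packet is sent as IPv6 / AH / OSPFv3, the AH header carries the SPI of the outbound SA, the ICV is an HMAC-SHA-256-128 over the IPv6 header with its mutable fields zeroed, the AH header with the ICV zeroed, and the OSPFv3 packet, and the receiver looks the SPI up in its inbound SA table and silently discards unprotected packets, unknown SPIs and packets whose ICV does not verify. The addresses, SPIs, keys and the Ospfv3Receiver class are assumptions for the illustration; the OSPFv3 checksum is left at zero because the example is about the IPsec layer, and ESP (confidentiality) is not modelled.

```python
"""OSPFv3 carried over a manually keyed IPsec AH security association (transport mode).

Added example, not code from the original page. It models the wire format RFC 4552
relies on: IPv6 / AH / OSPFv3, with the AH header carrying the SPI of the outbound
SA and an HMAC-SHA-256-128 ICV over the IPv6 header (mutable fields zeroed), the AH
header (ICV zeroed) and the OSPFv3 packet. The receiver looks the SPI up in its
inbound SA table and silently drops unprotected packets, unknown SPIs and bad ICVs.
"""
import hashlib
import hmac
import ipaddress
import struct

AH = 51                        # IPv6 next-header value of the Authentication Header
OSPF = 89                      # IPv6 next-header value of OSPF (carried inside AH)
ICV_LEN = 16                   # HMAC-SHA-256-128: ICV truncated to 128 bits (RFC 4868)
AH_LEN = 12 + ICV_LEN + 4      # fixed part + ICV + 4 padding octets: IPv6 needs a multiple of 8
AH_FIXED = struct.Struct("!BBHII")   # next header, payload len, reserved, SPI, sequence number


def ipv6_header(src, dst, next_header, payload_len, hop_limit=1):
    """Fixed 40-byte IPv6 header; OSPFv3 uses link-local sources and a hop limit of 1."""
    return (struct.pack("!IHBB", 0x60000000, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


def ospfv3_hello(router_id, area_id, instance_id=0):
    """Minimal OSPFv3 Hello. The OSPFv3 checksum is left 0: this example is about AH, not OSPFv3."""
    body = struct.pack("!IB3sHHII", 1, 1, b"\x00\x00\x13", 10, 40, 0, 0)   # if id, prio, options, timers, DR, BDR
    header = struct.pack("!BBHIIHBB", 3, 1, 16 + len(body), router_id, area_id, 0, instance_id, 0)
    return header + body


def icv_input(ip_hdr, ah_fixed, payload):
    """Octets covered by the ICV (RFC 4302 3.3.3.1): IPv6 header with DSCP/ECN/flow label and
    hop limit zeroed, AH with the ICV and padding zeroed, then the upper-layer packet."""
    immutable_ip = struct.pack("!I", 0x60000000) + ip_hdr[4:7] + b"\x00" + ip_hdr[8:]
    return immutable_ip + ah_fixed + bytes(ICV_LEN + 4) + payload


def protect(outbound_sa, src, dst, ospf_pkt, seq):
    """Sender: emit IPv6/AH/OSPFv3 using (spi, key) of the outbound SA; padding is sent as zeros."""
    spi, key = outbound_sa
    ip_hdr = ipv6_header(src, dst, AH, AH_LEN + len(ospf_pkt))
    ah_fixed = AH_FIXED.pack(OSPF, AH_LEN // 4 - 2, 0, spi, seq)
    icv = hmac.new(key, icv_input(ip_hdr, ah_fixed, ospf_pkt), hashlib.sha256).digest()[:ICV_LEN]
    return ip_hdr + ah_fixed + icv + bytes(4) + ospf_pkt


class Ospfv3Receiver:
    """Inbound side: SAs keyed by SPI; anything that does not verify is discarded without a reply."""

    def __init__(self, inbound_sas):
        self.sas = inbound_sas     # spi -> key; must equal the neighbor's outbound SPI/key

    def receive(self, datagram):
        """Return the OSPFv3 packet if the datagram is authentic, otherwise None (silent discard)."""
        ip_hdr, rest = datagram[:40], datagram[40:]
        if len(ip_hdr) < 40 or ip_hdr[6] != AH or len(rest) < AH_LEN:
            return None                                    # OSPFv3 not protected by AH: discard
        next_header, plen, _, spi, _seq = AH_FIXED.unpack_from(rest)
        ah_total = (plen + 2) * 4
        if next_header != OSPF or ah_total != AH_LEN or spi not in self.sas:
            return None                                    # wrong payload, wrong ICV size or unknown SA
        icv, payload = rest[12:12 + ICV_LEN], rest[ah_total:]
        expected = hmac.new(self.sas[spi], icv_input(ip_hdr, rest[:12], payload), hashlib.sha256).digest()[:ICV_LEN]
        return payload if hmac.compare_digest(icv, expected) else None


def demo():
    """Constructed scenario (assumed values): R1 -> R2; R1's outbound SPI 0x1000 is R2's inbound SPI."""
    key, src, dst = b"ospfv3-link-key", "fe80::1", "ff02::5"
    r2 = Ospfv3Receiver({0x1000: key})
    hello = ospfv3_hello(0x0A000001, 0)
    good = protect((0x1000, key), src, dst, hello, seq=1)
    forwarded = good[:7] + b"\x40" + good[8:]              # hop limit rewritten in transit: still valid
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])          # last OSPFv3 octet flipped: ICV fails
    wrong_key = protect((0x1000, b"attacker-key"), src, dst, hello, seq=1)   # right SPI, wrong key
    unknown_spi = protect((0x2000, key), src, dst, hello, seq=1)             # SA R2 does not have
    bare = ipv6_header(src, dst, OSPF, len(hello)) + hello                   # unprotected OSPFv3
    return [r2.receive(p) == hello for p in (good, forwarded, tampered, wrong_key, unknown_spi, bare)]


if __name__ == "__main__":
    print(demo())
```

The second case shows why the IPv6 mutable fields are excluded from the ICV: a hop limit rewritten in transit does not invalidate the packet. The last three cases are the behaviour the procedure configures: a packet under an SPI the receiver does not have, a packet under the right SPI but a different key, and an OSPFv3 packet with no AH at all are all dropped silently, which is also why a mismatched sa spi or string-key on one side shows up only as a neighbor relationship that never comes up.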

Copyright © Huawei Technologies Co., Ltd.