Cisco Press. Date: Jul 13, Article Description: One of the ways that a network can be exploited is by an attacker gaining access to a directly connected network line and directly influencing the route that traffic takes to reach a destination.
For example, a route for traffic could be changed so that it passes through a device that is able to capture the traffic and resend it, leaving few footprints of the attack. One of the methods that can be used to prevent these types of attack is routing protocol authentication. Step 1: Enter privileged mode. To configure MD5 authentication, use the message-digest keyword.
Unfortunately, OSPFv2 does not have a procedure for dealing with sequence numbers reaching the maximum value.
It may be possible to define a set of rules sufficient to prevent damage from packet replays while minimizing the use of the sequence number space. As mentioned previously, when an adjacency is dropped, replay state is lost. So, after rebooting or when all adjacencies are lost, a router may allow its sequence number to decrease.
An attacker can cause significant damage by replaying a packet captured before the sequence number decrease at a time after the sequence number decrease. If this happens, then the replayed packet will be accepted and the sequence number will be updated. However, the legitimate sender will be using a lower sequence number, so legitimate packets will be rejected.
A similar attack is possible in cases where OSPF identifies a neighbor based on source address. An attacker can change the source address of a captured packet and replay it. If the attacker causes a replay from a neighbor with a high sequence number to appear to be from a neighbor with a low sequence number, then connectivity with that neighbor will be disrupted until the adjacency fails.
As such, OSPFv3 has no defense against denial-of-service attacks that exploit replay.

Gap Analysis and Specific Requirements

The design guide requires each design team to enumerate a set of requirements for the routing protocol. The only concerns identified with OSPF are areas in which it fails to meet the general requirements outlined in the threats and requirements document.
This section explains how some of these general requirements map specifically onto the OSPF protocol and enumerates the specific gaps that need to be addressed.
There is a general requirement for inter-connection replay protection. In the context of OSPF, this means that if an adjacency goes down between two neighbors and later is re-established, replaying packets from before the adjacency went down cannot disrupt the adjacency.
In terms of meeting the requirements for intra-connection and inter-connection replay protection, a significant gap exists between the optimal state and where OSPF is today. Reliable neighbor identification is another gap that needs to be addressed: because the replay protection will depend on neighbor identification, replay protection cannot be adequately addressed without handling this issue as well.
In order to encourage deployment of OSPFv3 security, an authentication option is required that does not have the deployment challenges of IPsec. In order to support the requirement for simple pre-shared keys, OSPF needs to make sure that when the same key is used for two different purposes, no problems result.
In order to support packet prioritization, it is desirable for the information needed to prioritize OSPF packets (the packet type) to be at a constant location in the packet. This solution would have the following improvements over the existing OSPFv2 option:
- Address most inter-connection replay attacks by splitting the sequence number and requiring preservation of state so that the sequence number increases on every packet.
- Add a form of simple key derivation so that if the same pre-shared key is used for OSPF and other purposes, cross-protocol attacks do not result.
- Specify processing rules sufficient to permit replay detection and packet prioritization.
- Emphasize requirements already present in the OSPF specification sufficient to permit key migration without disrupting adjacencies.
- Specify the proper use of the key table for OSPF.
- Require that sequence numbers be incremented on each packet.
Work on the key components of this solution is already underway. In analyzing proposed improvements to OSPF per-packet security, it is desirable to consider how these improvements interact with potential improvements in overall routing security.
For example, the impact of replay attacks currently depends on the LSA sequence number mechanism. If cryptographic protections against insider attackers are considered by future work, then that work will need to provide a solution that meets the needs of the per-packet replay defense as well as protects routing data from insider attack.
It may be beneficial to consider how improvements to the per-packet protections would interact with such a mechanism to future-proof these mechanisms. Implementations have a number of options in minimizing the potential denial-of-service impact of OSPF cryptographic authentication.
Using this mechanism requires support of the sender; new OSPF cryptographic authentication could specify this behavior if desired. Alternatively, implementations can limit the source addresses from which they accept packets. Non-Hello packets need only be accepted from existing neighbors. If a system is under attack, Hello packets from existing neighbors could be prioritized over Hello packets from new neighbors.
These mechanisms can be considered to limit the potential impact of denial-of-service attacks on the cryptographic authentication mechanism itself.

Acknowledgements

Funding for Sam Hartman's work on this memo was provided by Huawei.
Two of the most common authentications when working with business-grade routers. Today, we will dive into configuring these authentication methods as well as looking at verification commands. This is usually done to prevent a rogue router from injecting false routing information and therefore causing a "Denial-of-Service" attack. Three types of OSPF authentication can be configured. If you have a small to medium sized network, a distance-vector protocol may be the right protocol.
In a virtual environment, we have built four labs targeted specifically to various tests, networks, and skills before you put anything in place in your network. When Clear Text is configured, it leaves the internetwork vulnerable to a "sniffer attack" — where packets are captured by a protocol analyzer and the passwords can be identified. When security is your highest priority, you guessed it, this is NOT your go-to configuration. However, it is useful when you perform OSPF reconfiguration.
For example, separate passwords can be used on older and newer OSPF routers that share a common broadcast network to prevent them from talking to each other. MD5 authentication provides higher security than plain text authentication.
This method uses the MD5 algorithm to compute a hash value from the contents of the OSPF packet and a password or key. The hash value is transmitted in the packet, along with a key ID and a non-decreasing sequence number. The receiver, which knows the same password, calculates its own hash value.
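The following is an added example, not code from the original page or from any OSPF implementation. It models the keyed MD5 check just described (key ID, sequence number, digest) together with the replay scenario from the gap analysis above: a receiver that loses its replay state when the adjacency drops, and a sender that either restarts at a low sequence number (OSPFv2 behaviour) or preserves its state so the number keeps increasing. The key table, packet layout and neighbor names are constructed for illustration; the digest input is a simplified model, not the exact RFC 2328 Appendix D field layout.

```python
import hashlib
import hmac
import struct
# Constructed sample key table (key ID -> shared key); not a real key.
KEY_TABLE = {1: b"constructed-sample-key"}

def auth_digest(payload: bytes, key_id: int, seq: int) -> bytes:
    # MD5 over packet contents, key ID and sequence number with the shared key
    # appended (zero-padded to 16 bytes); simplified model, not the RFC layout.
    key = KEY_TABLE[key_id].ljust(16, b"\x00")[:16]
    return hashlib.md5(payload + struct.pack("!BI", key_id, seq) + key).digest()

def build_packet(payload: bytes, key_id: int, seq: int) -> dict:
    return {"payload": payload, "key_id": key_id, "seq": seq,
            "digest": auth_digest(payload, key_id, seq)}

class Receiver:
    # Per-neighbor replay state. strict=True rejects a repeated sequence
    # number; OSPFv2 only requires the number to be non-decreasing.
    def __init__(self, strict: bool):
        self.strict = strict
        self.last_seq = {}

    def adjacency_down(self, neighbor: str) -> None:
        self.last_seq.pop(neighbor, None)  # replay state is lost with the adjacency

    def accept(self, neighbor: str, pkt: dict) -> bool:
        if pkt["key_id"] not in KEY_TABLE:
            return False  # unknown key ID
        expected = auth_digest(pkt["payload"], pkt["key_id"], pkt["seq"])
        if not hmac.compare_digest(expected, pkt["digest"]):
            return False  # forged or modified packet
        last = self.last_seq.get(neighbor)
        if last is not None and (pkt["seq"] < last or (self.strict and pkt["seq"] == last)):
            return False  # replayed or out-of-order packet
        self.last_seq[neighbor] = pkt["seq"]
        return True

def replay_scenario(sender_preserves_state: bool, strict: bool) -> tuple:
    # Returns (replay_accepted, legitimate_accepted) after an adjacency drop.
    rx = Receiver(strict)
    legit = [build_packet(b"hello from R2", 1, s) for s in (100, 101)]
    assert all(rx.accept("R2", p) for p in legit)
    captured = legit[1]            # recorded earlier by an on-path observer
    rx.adjacency_down("R2")        # reboot or adjacency loss on the receiver
    restart_seq = 102 if sender_preserves_state else 1  # sender keeps counting or restarts
    replay_accepted = rx.accept("R2", captured)
    legit_accepted = rx.accept("R2", build_packet(b"hello from R2", 1, restart_seq))
    return replay_accepted, legit_accepted
```

With OSPFv2 behaviour, replay_scenario(False, False) returns (True, False): the stale packet is accepted and the restarted neighbor's real packets are rejected until the adjacency fails. When the sender preserves its sequence state, replay_scenario(True, True) returns (True, True): the replayed packet carries no new information and the neighbor's next packet is still accepted.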