12-07-2017 10:26 AM - edited 03-05-2019 09:36 AM
Hello,
I am studying for my CCNA Security and just came across a video talking about OSPF authentication, but it didn't really explain why it would be used.
I know the purpose behind it is to send the routing updates securely, but why would you need this, if all other aspects of your network are secured?
12-07-2017 11:28 AM - edited 12-07-2017 01:56 PM
Hi
A good best practice is to use specific /32 networks in the routing protocols to create adjacencies, but imagine some network administrator has the following config:
interface g0/0
 description TO-HQ
 ip address 10.0.10.2 255.255.255.0
 no shutdown
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
or
 network 0.0.0.0 255.255.255.255 area 0
The whole network could receive routing information from, or create an adjacency with, rogue devices (unauthorized devices) over some 10.x.x.x network. From my point of view, good practices are:
- Configure LAN interfaces as passive
- Set up the specific IP address to create the adjacency, for example: 10.0.10.2 0.0.0.0
- Authentication creates a protection layer to avoid any misconfiguration, so not all devices will be able to participate in the routing domain without a password.
Hope it is useful
:-)
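As an added illustration (not part of the reply above and not Cisco tooling), this Python script audits an IOS-style config for the practices the reply lists: host-specific network statements, passive LAN interfaces, and authentication on interfaces that do form adjacencies. The function name `audit_ospf`, both sample configs, the second interface `g0/1` and the key `EXAMPLE-KEY` are constructed for the example, and it assumes interface names are spelled the same way in `interface` and `passive-interface` lines.

```python
import ipaddress
import re

# Constructed input: the OSPF-relevant lines of the config quoted in the post.
POSTED = """interface g0/0
 ip address 10.0.10.2 255.255.255.0
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
"""
# Constructed input: the same router with the post's three practices applied.
HARDENED = """interface g0/0
 ip address 10.0.10.2 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 EXAMPLE-KEY
interface g0/1
 ip address 10.0.20.1 255.255.255.0
router ospf 1
 passive-interface default
 no passive-interface g0/0
 network 10.0.10.2 0.0.0.0 area 0
 network 10.0.20.1 0.0.0.0 area 0
"""

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def audit_ospf(config):
    """Flag non-host network statements and active OSPF interfaces without authentication."""
    addrs, nets, iface = {}, [], None
    authed, area_auth, passive, active = set(), set(), set(), set()
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"(interface|router) (\S+)", line):
            iface = m.group(2) if m.group(1) == "interface" else None
        elif iface and (m := re.match(r"ip address (\S+)", line)):
            addrs[iface] = to_int(m.group(1))
        elif iface and line.startswith("ip ospf authentication"):
            authed.add(iface)
        elif m := re.match(r"network (\S+) (\S+) area (\S+)", line):
            nets.append((to_int(m.group(1)), to_int(m.group(2)), m.group(3), line))
        elif m := re.match(r"area (\S+) authentication", line):
            area_auth.add(m.group(1))
        elif m := re.match(r"(no )?passive-interface (\S+)", line):
            (active if m.group(1) else passive).add(m.group(2))
    findings = [f"broad network statement: {l}" for _, w, _, l in nets if w != 0]
    for name, ip in addrs.items():
        # Wildcard bits set to 1 are ignored when matching the interface address.
        area = next((a for n, w, a, _ in nets if (ip & ~w) == (n & ~w)), None)
        is_passive = name in passive or ("default" in passive and name not in active)
        if area is not None and not is_passive and name not in authed and area not in area_auth:
            findings.append(f"{name}: forms adjacencies without authentication")
    return findings
```

Calling `audit_ospf(POSTED)` returns two findings (the broad statement and the unauthenticated `g0/0`), while `audit_ospf(HARDENED)` returns an empty list.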
12-07-2017 11:24 AM
Essentially, authentication is used to recognize which routers can participate in exchanging OSPF messages. For instance, a company has 4 routers and, for security reasons, they are going to use OSPF authentication. Every router will have the same password and key ID, so they are going to form an OSPF neighborhood. Let's say a fifth router is connected to the network with no good intention (it is connected to inject fake routes to fake sites). If that router does not have the same password and same key ID, it will never participate in the OSPF messages and, obviously, it will never modify the routes.
12-08-2017 06:13 AM
12-07-2017 01:02 PM
Hello
@rdanieldrew1 wrote:
Hello,
I am studying for my CCNA Security and just came across a video talking about OSPF authentication, but it didn't really explain why it would be used.
I know the purpose behind it is to send the routing updates securely, but why would you need this, if all other aspects of your network are secured?
Basically, to protect unwarranted OSPF adjacencies from forming within your OSPF processes/domain and also protect these rtrs from exchanging routing updates with unwarranted OSPF peers.
res
Paul
12-07-2017 01:05 PM