Diniz Martins

Jan 30 · 2 min

Securing IOS-XE Routing Protocols

Securing the routing information prevents an attacker from introducing false routing information into the network, which could be used as part of a Denial of Service (DoS) or Man-in-the-Middle (MiTM) attack. This can be mitigated in part by using password authentication with routing protocols between routers.

This post covers configuring OSPF and BGP authentication on Cisco IOS-XE routers/switches.

OSPF

Cisco IOS-XE routers support both plaintext and cryptographic (MD5 or SHA) authentication for OSPF.

Plaintext Authentication

Plaintext authentication can be enabled per interface or globally in the OSPF process.

On one router, the OSPF authentication key is configured on the interface and OSPF authentication is enabled globally within the OSPF process.

On the other router, the OSPF key and OSPF authentication are both explicitly enabled on the interface.

MD5 Cryptographic Authentication

MD5 authentication can be configured in two ways; the example below demonstrates both. Either method can be used, and the two interoperate with each other: the only setting that must match on both routers is the password. In the first method, message-digest authentication and the message-digest key are explicitly configured under the interface, as per the example below.

Instead of enabling MD5 authentication under the interface with ip ospf authentication message-digest, you can also enable message-digest authentication under the area within the OSPF process.

The second method uses a key chain, configured globally, that defines the key lifetime, key-string and cryptographic algorithm. Authentication is then enabled under the interface by referencing the MD5 key chain.

To confirm the OSPF authentication configuration, run the command show ip ospf interface <ifname>.

SHA Cryptographic Authentication

SHA cryptographic authentication uses a key chain that is enabled on the OSPF interface. The key chain contains a list of keys, each with a key string (password), a lifetime and the required cryptographic algorithm: SHA1, SHA256, SHA384 or SHA512.

The key chain is configured globally, defining the lifetime, key-string and algorithm.

Cryptographic authentication is enabled under the interface, referencing the configured key-chain.

To confirm the OSPF authentication configuration, run the command show ip ospf interface <ifname>.


BGP

MD5 authentication is configured between BGP peers using the command neighbor <peer ip address> password <password>; SHA is not supported for BGP.

With external BGP peering to an ISP, the device is exposed to attacks from the internet. An attacker could send a large number of TCP SYN packets to a BGP router to overwhelm the BGP process and CPU. To protect BGP from CPU exhaustion attacks you can use the TTL Security feature, which limits the number of hops a BGP packet may have travelled, using the command neighbor <peer address> ttl-security hops <maximum hop count>.
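As an added example (not from the original post), the following Python audit parses a constructed IOS-XE running-config excerpt and reports, for each OSPF-enabled interface and each BGP neighbour, which of the authentication methods described above is present. It checks interface-level OSPF configuration only (area- or process-level enablement, covered above, is not evaluated), and the key-chain name, interface names, AS numbers and peer addresses are made up.

```python
# Constructed IOS-XE running-config excerpt to audit (not from the original post).
SAMPLE_CONFIG = """\
key chain OSPF-KEYS
 key 1
  key-string 7 <redacted>
  cryptographic-algorithm hmac-sha-256
interface GigabitEthernet1
 ip ospf 1 area 0
 ip ospf authentication key-chain OSPF-KEYS
interface GigabitEthernet2
 ip ospf 1 area 0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 7 <redacted>
interface GigabitEthernet3
 ip ospf 1 area 0
router bgp 65001
 neighbor 203.0.113.2 remote-as 65002
 neighbor 203.0.113.2 password 7 <redacted>
 neighbor 203.0.113.2 ttl-security hops 1
 neighbor 198.51.100.2 remote-as 65003
"""

def blocks(config):
    """Split an IOS-style config into (header, [indented child lines]) blocks."""
    out = []
    for line in config.splitlines():
        if line.startswith(" "):
            out[-1][1].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            out.append((line, []))
    return out

def audit(config):
    """Map each OSPF-enabled interface and BGP neighbour to the authentication it carries."""
    cfg = blocks(config)
    chains = {h.split()[2]: next((l.split()[-1] for l in b if l.startswith("cryptographic-algorithm")), "unspecified")
              for h, b in cfg if h.startswith("key chain ")}
    result = {}
    for header, body in cfg:
        if header.startswith("interface ") and any(l.startswith("ip ospf ") and " area " in l for l in body):
            kc = [l.split()[-1] for l in body if l.startswith("ip ospf authentication key-chain ")]
            md5 = "ip ospf authentication message-digest" in body  # interface-level MD5 method
            result[f"ospf {header.split()[1]}"] = chains.get(kc[0], "missing key chain") if kc else "md5" if md5 else "none"
        elif header.startswith("router bgp "):
            for peer in {l.split()[1] for l in body if l.startswith("neighbor ")}:
                pw = any(l.startswith(f"neighbor {peer} password ") for l in body)
                ttl = any(l.startswith(f"neighbor {peer} ttl-security hops ") for l in body)
                result[f"bgp {peer}"] = ("md5" if pw else "none") + ("+ttl-security" if ttl else "")
    return result
```

Interfaces reported as "none" and peers without "md5" are the ones an attacker-injected neighbour or spoofed session would reach unchallenged, so they are the first to fix.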
