top of page
Writer's pictureDiniz Martins

Securing IOS-XE Routing Protocols

Securing the routing information prevents an attacker from introducing false routing information into the network, which could be used as part of a Denial of Service (DoS) or Man-in-the-Middle (MiTM) attack. This can be mitigated in part by using password authentication with routing protocols between routers.


This post covers configuring OSPF and BGP authentication on Cisco IOS-XE routers/switches.


OSPF

Cisco IOS-XE routers supports both plaintext and cryptographic authentication using MD5 or SHA.


Plaintext Authentication

Plaintext authentication can be enabled per interface or globally in the OSPF process.


On one router OSPF authentication key is configured on the interface and OSPF authentication is enabled globally within the OSPF process.

interface GigabitEthernet0/0

 ip address 192.168.251.2 255.255.255.252

 ip ospf authentication-key Cisco1234

 ip ospf network point-to-point

 ip ospf 1 area 0

 !

 router ospf 1

 area 0 authentication

On the other router the OSPF key and OSPF authentication is explicitly enabled on the interface.

interface GigabitEthernet0/1

 ip address 192.168.251.1 255.255.255.252

 ip ospf authentication

 ip ospf authentication-key Cisco1234

 ip ospf network point-to-point

 ip ospf 1 area 0


MD5 Cryptographic Authentication

MD5 authentication can be configured two-ways, the example below demonstrates both ways to use MD5 authentication. You can use either MD5 authentication method, they work together, the only setting that must match is the password. Message-digest authentication and the message-digest key are explictly configured under the interface, as per the example below.

interface GigabitEthernet0/0

 ip address 192.168.251.2 255.255.255.252

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 Cisco1234

 ip ospf network point-to-point

 ip ospf 1 area 0

Instead of enabling MD5 authentication under the interface using ip ospf authentication message-digest you can also enable message-digest under the area.

router ospf 1

 area 0 authentication message-digest

The second method uses a key chain which is configured globally, this defines the lifetime, key-string and crypto algorithm. Authentication is then enabled under the interface referencing the MD5 key chain.

key chain OSPF-MD5

 key 1

 key-string Cisco1234

 send-lifetime 00:00:00 Jan 1 2023 infinite

 cryptographic-algorithm md5

!

interface GigabitEthernet0/1

 ip address 192.168.251.1 255.255.255.252

 ip ospf authentication key-chain OSPF-MD5

 ip ospf network point-to-point

 ip ospf 1 area 0

You can confirm OSPF authentication configuration, run the command show ip ospf interface <ifname>.


SHA Cryptographic Authentication

SHA Cryptographic authentication uses a key chain enabled on the OSPF interface. The key chain contains a list of keys, a key string (password), lifetime and the required cryptographic algorithm including SHA1, SHA256, SHA384 and SHA512.


The key chain is configured globally, defining the lifetime, key-string and algorithm.

key chain OSPF

key 1

key-string Cisco1234

send-lifetime 00:00:00 Jan 1 2023 infinite

 cryptographic-algorithm hmac-sha-256

Cryptographic authentication is enabled under the interface, referencing the configured key-chain.

interface GigabitEthernet0/0

ip address 192.168.251.2 255.255.255.252

 ip ospf authentication key-chain OSPF

ip ospf network point-to-point

ip ospf 1 area 0


You can confirm OSPF authentication configuration, run the command show ip ospf interface <ifname>.


 

BGP

MD5 authentication using the command neighbor <peer ip address> password <Password> is configured between BGP peers, SHA is not supported.

router bgp 65000

bgp log-neighbor-changes

neighbor 192.168.250.2 remote-as 65001

 neighbor 192.168.250.2 password Cisco1234

With external BGP peering to an ISP the device is open to attacks from the internet. An attacker could send a large number of TCP SYN packets to a BGP router to overwhelm the BGP process and CPU. To secure BGP from CPU exhaustion attacks you can use the TTL Security feature, this limits the number of hops for a BGP packet using the command neighbor <peer address> ttl-security hops <maximum hop count>

router bgp 65001

neighbor 192.168.250.1 remote-as 65000

neighbor 192.168.250.1 password Cisco1234

 neighbor 192.168.250.1 ttl-security hops 2



73 views0 comments

Recent Posts

See All

Understanding CIMC for Cisco ISE

Cisco Integrated Management Controller (CIMC) is a crucial component for managing and monitoring Cisco UCS servers, including those used...

Cisco Duo Log Sync (DLS)

Duologsync (DLS) is a utility written by Duo Security that supports fetching logs from Duo endpoints and ingesting them to different...

Comments


bottom of page