26 March 2010

Router Neighbor Authentication

The primary purpose of router neighbor authentication is to protect the integrity of a routing domain. In this case, authentication occurs when two neighboring routers exchange routing information. Authentication ensures that the receiving router incorporates into its tables only the route information that the trusted sending router really intended to send. It prevents a legitimate router from accepting and then employing unauthorized, malicious, or corrupted routing updates that would compromise the security or availability of a network. Such a compromise might lead to re-routing of traffic, a denial of service, or simply giving access to certain packets of data to an unauthorized person.

OSPF Authentication

Router neighbor authentication is a mechanism that, when applied correctly, can prevent many routing attacks. Each router accomplishes authentication by the possession of an authentication key. That is, routers connected to the same network segment all use a shared secret key. Each sending router then uses this key to ‘sign’ each route table update message. The receiving router checks the shared secret to determine whether the message should be accepted. This sub-section describes the implementation of router neighbor authentication in OSPF, because it is a good illustration of the basic principle; authentication in RIP version 2 and EIGRP work in a similar fashion.

OSPF uses two types of neighbor authentication: plaintext and message digest (MD5). Plaintext authentication uses a shared secret key known to all the routers on the network segment. When a sending router builds an OSPF packet, it signs the packet by placing the key as plaintext in the OSPF header. The receiving router then compares the received key against the key in memory. If the keys match, then the router accepts the packet. Otherwise, the router rejects the packet. This method does not provide much security because the key is in plaintext in the packet. Using this method reveals the secret key to any attacker using a network sniffer on the right LAN segments. Once an attacker captures the key, they can pose as a trusted router.

The second, and more secure method, is message digest authentication. Figure 4-3 shows our example network with its routing protocols.

[Figure 4-3: the example network with its routing protocols; image not reproduced]
In this example, routers North, East, and Central all share the same secret key, r0utes-4-all, with a Key ID of 1. Each of these routers authenticates to the others using the MD5 message digest authentication method, whose cryptographic authentication type is denoted by a value of 2.
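To make the message-digest method concrete, the following Python model is an added example, not code from the original page or from any router vendor. It follows the OSPFv2 cryptographic authentication scheme (AuType 2) from RFC 2328 Appendix D: the 64-bit authentication field carries the Key ID, the digest length and a cryptographic sequence number, the checksum is left zero, and the digest is MD5 over the packet with the shared key appended. Zero-padding the key to 16 bytes, the router ID value and the packet body are assumptions made for the example; the receiver's key table and last-sequence table stand in for the router's configuration and neighbor state.

```python
"""Added example: a minimal model of OSPFv2 message-digest (AuType 2)
authentication per RFC 2328 Appendix D. Not the page's or a vendor's code."""
import hashlib
import hmac
import struct

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTYPE_CRYPTOGRAPHIC = 2   # authentication type value for message-digest (MD5)
DIGEST_LEN = 16            # MD5 digest appended after the OSPF packet
HEADER_LEN = 24            # OSPFv2 header including the 8-byte authentication field


def pad_key(key: str) -> bytes:
    """Assumption: the configured secret is zero-padded to the 16-byte key OSPF MD5 uses."""
    raw = key.encode()
    if len(raw) > 16:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return raw.ljust(16, b"\x00")


def build_packet(router_id: int, body: bytes, key_id: int, seq: int) -> bytes:
    """OSPFv2 header + body with the AuType 2 authentication field filled in.

    With cryptographic authentication the checksum field stays zero and the
    length field covers header + body but not the trailing digest.
    """
    length = HEADER_LEN + len(body)
    # Authentication field: 16 zero bits, Key ID, Auth Data Length, crypto sequence number
    auth_field = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    header = struct.pack("!BBHIIHH", OSPF_VERSION, OSPF_HELLO, length,
                         router_id, 0, 0, AUTYPE_CRYPTOGRAPHIC)
    return header + auth_field + body


def sign(packet: bytes, key: str) -> bytes:
    """Sender side: append MD5(packet || key) as the message digest."""
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def verify(frame: bytes, keys: dict, last_seq: dict) -> bool:
    """Receiver side. `keys` maps Key ID -> shared secret; `last_seq` maps
    neighbor router ID -> highest sequence number accepted (replay protection)."""
    if len(frame) < HEADER_LEN + DIGEST_LEN:
        return False
    _ver, _type, length, router_id, _area, _csum, autype = struct.unpack("!BBHIIHH", frame[:16])
    _zero, key_id, auth_len, seq = struct.unpack("!HBBI", frame[16:24])
    if autype != AUTYPE_CRYPTOGRAPHIC or auth_len != DIGEST_LEN or length + DIGEST_LEN != len(frame):
        return False
    key = keys.get(key_id)
    if key is None:
        return False                          # unknown Key ID: nothing to check against
    if seq < last_seq.get(router_id, 0):
        return False                          # replayed or stale packet
    packet, received = frame[:length], frame[length:]
    expected = hashlib.md5(packet + pad_key(key)).digest()
    if not hmac.compare_digest(expected, received):
        return False                          # wrong key or altered contents
    last_seq[router_id] = seq
    return True


if __name__ == "__main__":
    # Constructed sample: router North (ID 14.1.0.1) sends a hello to a neighbor holding Key ID 1.
    neighbor_keys = {1: "r0utes-4-all"}
    seen = {}
    frame = sign(build_packet(0x0E010001, b"hello-body", 1, 11), "r0utes-4-all")
    print("genuine accepted:", verify(frame, neighbor_keys, seen))
    forged = sign(build_packet(0x0E010001, b"hello-body", 1, 12), "guessed-key")
    print("forged accepted:", verify(forged, neighbor_keys, seen))
```

The receiving router never sees the secret on the wire, only the digest, so a sniffer on the segment learns nothing it can reuse; an altered body, a different key or a sequence number lower than the last one accepted all fail the check.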

OSPF Plaintext Authentication

This method is not recommended, because the key travels in plaintext; use the superior MD5 method instead.

OSPF MD5 Authentication

The example below shows how to set up MD5 for OSPF router neighbor authentication. The transcripts show routers North and East receiving the key r0utes-4-all. In practice, all the routers participating in a given network should be configured in the same way, using the same key. In the example network shown in Figure 4-1, router Central would also have to be configured with MD5 authentication and the same shared key.

North# config t
Enter configuration commands, one per line. End with CNTL/Z.
North(config)# router ospf 1
North(config-router)# network 14.1.0.0 0.0.255.255 area 0
North(config-router)# area 0 authentication message-digest
North(config-router)# exit
North(config)# int eth0/1
North(config-if)# ip ospf message-digest-key 1 md5 r0utes-4-all
North(config-if)# end
North#

East# config t
Enter configuration commands, one per line. End with CNTL/Z.
East(config)# router ospf 1
East(config-router)# area 0 authentication message-digest
East(config-router)# network 14.1.0.0 0.0.255.255 area 0
East(config-router)# network 14.2.6.0 0.0.0.255 area 0
East(config-router)# exit
East(config)# int eth0
East(config-if)# ip ospf message-digest-key 1 md5 r0utes-4-all
East(config-if)# end
East#

RIP Authentication

The RIP routing protocol also supports authentication to prevent routing attacks. RIP’s method of authentication is very similar to that of OSPF, although the IOS commands are somewhat different. The neighboring RIP routers use shared secret keys. Each sending router uses these keys to generate the cryptographic hash incorporated into each RIP update message. The receiving router then uses the shared secret to check the hash and determine whether the message should be accepted.

RIP Plaintext Authentication

This method is not recommended, because the key travels in plaintext; use the superior MD5 method, below.

RIP MD5 Authentication

The example below shows how to set up MD5 for RIP router neighbor authentication. The transcripts show routers from Figure 4-3, Central and South, receiving the key my-supersecret-key, contained in their respective key chains. In practice, all the routers connected to a given network must be configured in the same way. That is, all of them must possess the same shared key(s).

Prior to enabling RIP MD5 authentication, each neighboring router must have a shared secret key. RIP manages authentication keys by the use of key chains. A key chain is a container that holds multiple keys with the associated key IDs and key lifetimes. Multiple keys with different lifetimes can exist. However, only one authentication packet is sent. The router examines the key numbers in order from lowest to highest, and uses the first valid key that is encountered. In the example below, Central and South have key chains named CENTRAL-KC and SOUTH-KC. Both key chains share the keys my-supersecret-key and my-othersecret-key. However, both routers will only use the first valid key. The other key is usually used when migrating to different keys.

Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# key chain CENTRAL-KC
Central(config-keychain)# key 1
Central(config-keychain-key)# key-string my-supersecret-key
Central(config-keychain-key)# exit
Central(config-keychain)# key 2
Central(config-keychain-key)# key-string my-othersecret-key
Central(config-keychain-key)# end
Central#

South# config t
Enter configuration commands, one per line. End with CNTL/Z.
South(config)# key chain SOUTH-KC
South(config-keychain)# key 1
South(config-keychain-key)# key-string my-supersecret-key
South(config-keychain-key)# exit
South(config-keychain)# key 2
South(config-keychain-key)# key-string my-othersecret-key
South(config-keychain-key)# end
South#

RIP version 1 does not support authentication; this feature was added in RIP version 2. Each RIP router must first be configured to use version 2 before authentication of routing updates can be enabled. The example below shows how to enable RIP version 2.

Central# config t
Enter configuration commands, one per line.
Central(config)# router rip
Central(config-router)# version 2
Central(config-router)# network 14.0.0.0
Central(config-router)# end
Central#

South# config t
Enter configuration commands, one per line. End with CNTL/Z.
South(config)# router rip
South(config-router)# version 2
South(config-router)# network 14.0.0.0
South(config-router)# end
South#

Finally, the example below shows how to enable authentication for RIP. Authentication for RIP is enabled on the interfaces. In the example below, Central will be using the key chain CENTRAL-KC that was created earlier and the MD5 method of authentication.

Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# int ethernet0/1
Central(config-if)# ip rip authentication key-chain CENTRAL-KC
Central(config-if)# ip rip authentication mode md5
Central(config-if)# end
Central#

South# config t
Enter configuration commands, one per line. End with CNTL/Z.
South(config)# int ethernet0/0
South(config-if)# ip rip authentication key-chain SOUTH-KC
South(config-if)# ip rip authentication mode md5
South(config-if)# end
South#

EIGRP Authentication

EIGRP route authentication is provided through the use of a keyed Message Digest 5 (MD5) hash. This ensures the integrity of routing messages accepted from neighboring routers. To configure EIGRP authentication:

1. Select the MD5 authentication mode.

2. Enable authentication for EIGRP messages.

3. Specify the key chain, key number, and key string to be used.

4. Configure key management (optional).

The example below details the steps necessary to configure MD5 authentication on two EIGRP peers, North and East. Initially, EIGRP is configured on both routers for the 14.1.0.0/16 network. Proceeding into interface configuration mode, MD5 authentication is enabled within autonomous system 100 and linked to a particular key chain. Router North's key chain is named NORTH-KC and router East's key chain is named EAST-KC. The key chain name is locally significant, and neighboring routers do not have to be configured with the same name. Finally, the key chain is defined within key chain configuration mode, consisting of a key chain name, key number, and key string. In this example, Router North has associated key number 1 with the key-string 'my-secret-key'. Key management is optionally configured with the accept-lifetime and send-lifetime commands. In this case, the routers will send updates authenticated with the key 'my-secret-key' from October 1, 2003 until January 1, 2004; they will accept updates with that key until January 7, 2004. The examples below show how to configure EIGRP authentication and keys.

North# config t
Enter configuration commands, one per line. End with CNTL/Z.
North(config)# router eigrp 100
North(config-router)# network 14.1.0.0 255.255.0.0
North(config-router)# exit
North(config)# interface eth 0/1
North(config-if)# ip authentication mode eigrp 100 md5
North(config-if)# ip authentication key-chain eigrp 100 NORTH-KC
North(config-if)# exit
North(config)# key chain NORTH-KC
North(config-keychain)# key 1
North(config-keychain-key)# key-string my-secret-key
North(config-keychain-key)# send-lifetime 00:00:00 Oct 1 2003 00:00:00 Jan 1 2004
North(config-keychain-key)# accept-lifetime 00:00:00 Oct 1 2003 00:00:00 Jan 7 2004
North(config-keychain-key)# end
North#

East# config t
Enter configuration commands, one per line. End with CNTL/Z.
East(config)# router eigrp 100
East(config-router)# network 14.1.0.0 255.255.0.0
East(config-router)# network 14.2.6.0 255.255.255.0
East(config-router)# passive-interface eth1
East(config-router)# exit
East(config)# interface eth 0
East(config-if)# ip authentication mode eigrp 100 md5
East(config-if)# ip authentication key-chain eigrp 100 EAST-KC
East(config-if)# exit
East(config)# key chain EAST-KC
East(config-keychain)# key 1
East(config-keychain-key)# key-string my-secret-key
East(config-keychain-key)# send-lifetime 00:00:00 Oct 1 2003 00:00:00 Jan 1 2004
East(config-keychain-key)# accept-lifetime 00:00:00 Oct 1 2003 00:00:00 Jan 7 2004
East(config-keychain-key)# end
East#

It is important to note that each key string is associated with a specific key number. In the example above, the key-string "my-secret-key" is associated with key number 1. Multiple keys and key-strings can be configured on a router, but only one authentication packet is sent. The router chooses the first valid key while examining the key numbers from lowest to highest.
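The key-chain rules stated in the RIP section (lowest key number first, first valid key wins, a second key kept for migration) and the send-lifetime and accept-lifetime commands of the EIGRP section above describe one selection procedure. The following Python model is an added example, not code from the page or a vendor, that implements that procedure for the lifetimes on this page: key 1 (my-secret-key) sendable from Oct 1 2003 to Jan 1 2004 and acceptable until Jan 7 2004. The successor key 2, its key string my-next-key, the UTC interpretation of the timestamps, and the behaviour when no key is sendable (the update cannot be authenticated) are assumptions of the example. It also shows the migration case the text alludes to: a router whose chain still holds only key 1 will reject updates once its neighbors start sending with key 2.

```python
"""Added example: IOS-style key chain selection with send/accept lifetimes,
as used by RIP and EIGRP MD5 authentication. Not the page's or a vendor's code."""
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


def ts(text: str) -> datetime:
    """Parse the lifetime format used on the page, e.g. '00:00:00 Oct 1 2003' (assumed UTC)."""
    return datetime.strptime(text, "%H:%M:%S %b %d %Y").replace(tzinfo=timezone.utc)


@dataclass
class Key:
    number: int
    key_string: str
    send_start: Optional[datetime] = None    # None = no lifetime configured (always valid)
    send_end: Optional[datetime] = None
    accept_start: Optional[datetime] = None
    accept_end: Optional[datetime] = None

    @staticmethod
    def _within(start, end, now) -> bool:
        return (start is None or start <= now) and (end is None or now < end)

    def can_send(self, now) -> bool:
        return self._within(self.send_start, self.send_end, now)

    def can_accept(self, now) -> bool:
        return self._within(self.accept_start, self.accept_end, now)


class KeyChain:
    def __init__(self, name: str, keys: List[Key]):
        self.name = name                      # locally significant; neighbors may differ
        self.keys = sorted(keys, key=lambda k: k.number)   # examined lowest number first

    def send_key(self, now) -> Optional[Key]:
        """First key whose send-lifetime is valid now; only that one signs the update."""
        for k in self.keys:
            if k.can_send(now):
                return k
        return None

    def accept_key(self, number: int, now) -> Optional[Key]:
        """Receiver looks up the key number carried in the update and checks accept-lifetime."""
        for k in self.keys:
            if k.number == number and k.can_accept(now):
                return k
        return None


def exchange(sender: KeyChain, receiver: KeyChain, now) -> bool:
    """Model one authenticated update: accepted only if the receiver holds the same
    key number with a valid accept-lifetime and an identical key string (the MD5
    over the update would not match otherwise)."""
    k = sender.send_key(now)
    if k is None:
        return False                          # assumption: nothing sendable, update not authenticated
    r = receiver.accept_key(k.number, now)
    return r is not None and hmac.compare_digest(r.key_string.encode(), k.key_string.encode())


def rollover_chain(name: str) -> KeyChain:
    """Chain with the page's key 1 lifetimes plus a constructed successor key 2."""
    key1 = Key(1, "my-secret-key",
               ts("00:00:00 Oct 1 2003"), ts("00:00:00 Jan 1 2004"),
               ts("00:00:00 Oct 1 2003"), ts("00:00:00 Jan 7 2004"))
    key2 = Key(2, "my-next-key",            # constructed: takes over when key 1 stops sending
               ts("00:00:00 Jan 1 2004"), None,
               ts("00:00:00 Jan 1 2004"), None)
    return KeyChain(name, [key1, key2])


def legacy_chain(name: str) -> KeyChain:
    """Chain on a router that was never given the successor key."""
    return KeyChain(name, [rollover_chain(name).keys[0]])


if __name__ == "__main__":
    north, east = rollover_chain("NORTH-KC"), rollover_chain("EAST-KC")
    for when in ("00:00:00 Nov 1 2003", "00:00:00 Jan 3 2004", "00:00:00 Jan 8 2004"):
        now = ts(when)
        k = north.send_key(now)
        print(when, "sends with key", k.number if k else None,
              "accepted by EAST-KC:", exchange(north, east, now),
              "accepted by legacy chain:", exchange(north, legacy_chain("OLD-KC"), now))
```

The six-day overlap between key 1's send-lifetime end and its accept-lifetime end is what lets the network migrate: a router that has rolled to key 2 still accepts a slower neighbor's key 1 updates until Jan 7, but a router that never received key 2 starts rejecting its upgraded neighbors on Jan 1, so install the new key on every router before the old send-lifetime expires.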



biOos