Ensure OSPF authentication is set to MD5

Details

OSPF Neighbors should be authenticated.

Rationale:

Where it is deployed, OSPF routing is vital for normal operation of an organization's network infrastructure. Correct route information is required for routers to direct traffic through the network correctly. An attacker posing as one of the target router's OSPF neighbors may inject incorrect information into the route table, resulting in a denial of service attack or loss of confidential data through a man-in-the-middle attack.

On Juniper routers (as well as routers from other manufacturers such as Cisco or Brocade) it is possible to authenticate neighbors using an MD5 digest of elements in the update, combined with a sequence number to protect against replay attacks.

Authentication is configured on a per-interface basis when an interface is assigned to an OSPF area.

Solution

To configure MD5 based authentication, first configure the authentication type at the [edit protocols ospf area ] hierarchy (this step is not required on all versions of JUNOS):

[edit protocols ospf area ]
user@host# set authentication-type md5

The key must then be configured for any interfaces in the area:

[edit protocols ospf area ]
user@host# set interface authentication md5

The parameter needs to be the same across all routers in the area and is there to provide a method for transitioning from old to new keys.
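To verify the control on an existing device, the following audit script is an added example (it is not part of this article or of any Juniper tooling). It parses the set-style output of `show configuration protocols ospf | display set`, which a practitioner would export from the router beforehand, and reports every non-passive OSPF interface that lacks MD5 authentication, distinguishing unauthenticated interfaces from those using the weaker simple-password method. It also reports which areas carry the optional area-level authentication-type statement. The sample configuration, interface names and key values embedded below are constructed placeholders, not taken from a real device.

```python
import re
from collections import defaultdict

# Constructed sample of `show configuration protocols ospf | display set` output.
# Interface names, area ids and key strings are placeholders, not real values.
SAMPLE_CONFIG = """\
set protocols ospf area 0.0.0.0 authentication-type md5
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 authentication md5 1 key "PLACEHOLDER-KEY-1"
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 authentication md5 1 key "PLACEHOLDER-KEY-1"
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.1 interface ge-0/0/2.0
set protocols ospf area 0.0.0.1 interface ge-0/0/3.0 authentication simple-password "PLACEHOLDER-PW"
"""

# One set statement under an area's interface: capture area, interface, and the rest.
AREA_IFACE_RE = re.compile(r"^set protocols ospf area (\S+) interface (\S+)(?:\s+(.*))?$")
# Area-level authentication-type statement (older JUNOS releases).
AREA_AUTH_TYPE_RE = re.compile(r"^set protocols ospf area (\S+) authentication-type (\S+)$")


def parse_ospf_interfaces(config_text):
    """Return {area: {interface: {"auth": set(), "key_ids": set(), "passive": bool}}}."""
    areas = defaultdict(dict)
    for raw in config_text.splitlines():
        m = AREA_IFACE_RE.match(raw.strip())
        if not m:
            continue
        area, iface, rest = m.group(1), m.group(2), m.group(3) or ""
        entry = areas[area].setdefault(
            iface, {"auth": set(), "key_ids": set(), "passive": False}
        )
        tokens = rest.split()
        if tokens[:1] == ["passive"]:
            # Passive interfaces advertise the subnet but form no adjacencies,
            # so there is no neighbor to authenticate.
            entry["passive"] = True
        elif tokens[:2] == ["authentication", "md5"] and len(tokens) >= 3:
            entry["auth"].add("md5")
            entry["key_ids"].add(tokens[2])  # the key-id following "md5"
        elif tokens[:2] == ["authentication", "simple-password"]:
            entry["auth"].add("simple-password")
    return areas


def area_auth_types(config_text):
    """Return {area: authentication-type} for areas that set it explicitly."""
    result = {}
    for raw in config_text.splitlines():
        m = AREA_AUTH_TYPE_RE.match(raw.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def audit_ospf_md5(config_text):
    """Return a sorted list of (area, interface, reason) for interfaces failing the control."""
    findings = []
    for area, ifaces in sorted(parse_ospf_interfaces(config_text).items()):
        for iface, entry in sorted(ifaces.items()):
            if entry["passive"]:
                continue
            if "md5" in entry["auth"]:
                continue
            if "simple-password" in entry["auth"]:
                findings.append((area, iface, "simple-password configured instead of md5"))
            else:
                findings.append((area, iface, "no authentication configured"))
    return findings


if __name__ == "__main__":
    print("Area-level authentication-type:", area_auth_types(SAMPLE_CONFIG))
    for area, iface, reason in audit_ospf_md5(SAMPLE_CONFIG):
        print(f"FAIL area {area} interface {iface}: {reason}")
```

Run it against a saved copy of the device's set-style configuration instead of the embedded sample to produce the list of interfaces that still need the key configured; an empty result means every active OSPF interface on that router has MD5 authentication. Note that the script checks a single router and cannot confirm that the key-id matches on the neighboring routers, which must be verified on each peer in the area.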

Default Value:

No OSPF routing is configured by default.

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication. This control applies to the following type of system: Juniper.

References

Source

Updated on July 16, 2022