Wednesday, November 21, 2012

IPv6 OSPFv3 authentication ISR routers ( AH proto 51 )

We are going to look at IPv6 OSPFv3 authentication per interface. To enable OSPFv3 authentication we need to realize that OSPFv3 carries no authentication field of its own; it relies on the IPv6 Authentication Header (AH, protocol 51), so what we are really configuring is the router's IPv6 IPsec/AH capabilities.

Overall it's quite simple to configure. First we need to enable IPv6 on the interface(s) on which we expect OSPFv3 authentication (in my lab this was already done earlier, so I'm skipping the OSPFv3 routing setup).

Next, we need to choose an SPI index number, select the hash method (md5/sha), and finally supply the hex data string. The latter is comparable to the key-strings in Cisco IOS key chains. These three items must match on every router and interface that is to be OSPFv3-authentication enabled.



interface FastEthernet0/1
 description VRF custA to 3560#1 port gi 0/1
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 ipv6 address 2002:100::2/64
 ipv6 enable
 ipv6 ospf cost 1000
 ipv6 ospf 10 area 0
 ipv6 ospf authentication ipsec spi 256 md5 AABBCCDDEEFFAABBCCDDEEFFAABBCCDD

 
Once we enable AH on our interfaces we can monitor it with packet captures, and since this is IPsec, we can also use the show crypto ipsec commands.


And here's a dump of the AH header via tshark and tcpdump. Notice the SPI and AH ICV fields.


    Authentication Header
        Next Header: OSPF IGP (0x59)
        Length: 24
        AH SPI: 0x00000100
        AH Sequence: 43
        AH ICV: 01394B4859CB743CF6252970
Open Shortest Path First
    OSPF Header
        OSPF Version: 3
        Message Type: Hello Packet (1)
        Packet Length: 40
        Source OSPF Router: 2.2.2.2 (2.2.2.2)
        Area ID: 0.0.0.0 (Backbone)
        Packet Checksum: 0x1140 [correct]
        Instance ID: 0
        Reserved: 0
    OSPF Hello Packet
        Interface ID: 4
        Router Priority: 1
        Options: 0x000013 (R, E, V6)
            .... .... .... .... ..0. .... = DC: DC is NOT set
            .... .... .... .... ...1 .... = R: R is SET
            .... .... .... .... .... 0... = N: N is NOT set
            .... .... .... .... .... .0.. = MC: MC is NOT set
            .... .... .... .... .... ..1. = E: E is SET
            .... .... .... .... .... ...1 = V6: V6 is SET
        Hello Interval: 10 seconds
        Router Dead Interval: 40 seconds
        Designated Router: 2.2.2.2
        Backup Designated Router: 172.16.1.254
        Active Neighbor: 172.16.1.254
    Source: fe80::214:6aff:fec4:28ad (fe80::214:6aff:fec4:28ad)
    Destination: ff02::5 (ff02::5)
    Authentication Header
        Next Header: OSPF IGP (0x59)
        Length: 24
        AH SPI: 0x00000100
        AH Sequence: 44
        AH ICV: 80FA486B184EC2721FEDA05E
Open Shortest Path First
    OSPF Header
        OSPF Version: 3
        Message Type: Hello Packet (1)
        Packet Length: 40
        Source OSPF Router: 172.16.1.254 (172.16.1.254)
        Area ID: 0.0.0.0 (Backbone)
        Packet Checksum: 0x04d9 [correct]
        Instance ID: 0
        Reserved: 0
    OSPF Hello Packet
        Interface ID: 4
        Router Priority: 1
        Options: 0x000013 (R, E, V6)
            .... .... .... .... ..0. .... = DC: DC is NOT set
            .... .... .... .... ...1 .... = R: R is SET
            .... .... .... .... .... 0... = N: N is NOT set
            .... .... .... .... .... .0.. = MC: MC is NOT set
            .... .... .... .... .... ..1. = E: E is SET
            .... .... .... .... .... ...1 = V6: V6 is SET
        Hello Interval: 10 seconds
        Router Dead Interval: 40 seconds
        Designated Router: 2.2.2.2
        Backup Designated Router: 172.16.1.254
        Active Neighbor: 2.2.2.2


tcpdump 

18:10:20.552021 IP6 (flowlabel 0x0000e, hlim 1, next-header OSPF (89) payload length: 36) fe80::21f:caff:fef3:2111 > ff02::5: OSPFv3, Hello, length 36

        Router-ID 192.168.110.254, Backbone Area
        Options [V6, External, Router]
          Hello Timer 10s, Dead Timer 40s, Interface-ID 0.0.0.14, Priority 1
          Designated Router 192.168.110.254
          Neighbor List:

18:10:22.084776 IP6 (class 0xe0, hlim 1, next-header AH (51) payload length: 64) fe80::219:55ff:fe78:318d > ff02::5: AH(spi=0x00000100,sumlen=16,seq=0x20): OSPFv3, Hello, length 40

        Router-ID 2.2.2.2, Backbone Area
        Options [V6, External, Router]
          Hello Timer 10s, Dead Timer 40s, Interface-ID 0.0.0.4, Priority 1
          Designated Router 2.2.2.2, Backup Designated Router 172.16.1.254
          Neighbor List:
            172.16.1.254


As you can see from the two dumps, the details of the neighbors, timers, area, etc. are all in the clear. AH provides no confidentiality and does not reduce the exposure of the OSPF data; it only ensures the integrity of the packets and authenticates the OSPFv3 speakers.

Next, let's explore the show crypto ipsec sa command.

ccie01#show crypto ipsec sa ipv6 int fas 0/1

interface: FastEthernet0/1

    Crypto map tag: (none), local addr FE80::214:6AFF:FEC4:28AD
   IPsecv6 policy name: OSPFv3-10-256
   IPsecv6-created ACL name: FastEthernet0/1-ipsecv6-ACL
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (FE80::/10/89/0)
   remote ident (addr/mask/prot/port): (::/0/89/0)
   current_peer :: port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 97, #pkts encrypt: 0, #pkts digest: 97
    #pkts decaps: 90, #pkts decrypt: 0, #pkts verify: 90
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: FE80::214:6AFF:FEC4:28AD, remote crypto endpt.: ::
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x100(256)
         
     inbound esp sas:
         
     inbound ah sas:
      spi: 0x100(256)
        transform: ah-md5-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: SW:1, crypto map: (none)
        no sa timing
        replay detection support: N
        Status: ACTIVE
         
     inbound pcp sas:
         
     outbound esp sas:
         
     outbound ah sas:
      spi: 0x100(256)
        transform: ah-md5-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: SW:2, crypto map: (none)
        no sa timing
        replay detection support: N
        Status: ACTIVE
         
     outbound pcp sas:


Looks familiar to the regular show crypto ipsec sa commands that we use for VPNs :)

Things to watch out for:

  • the SPI number must match
  • the hash type must match
  • the hex data string must match
  • and finally, just like in IPv4, the timers must match
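The two points above, that AH only authenticates the packet while the Hello stays readable, and that SPI, hash and key have to match on both sides, as an added example that is not from the original post: a small Python model of the AH transport-mode wrapping of an OSPFv3 Hello. It uses the SPI and hex key from the interface config and the router IDs and addresses from the capture; the packet itself is constructed here and the OSPFv3 checksum is left at zero.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed sample: SPI/key are the ones from the interface config above, router IDs from the capture.
SPI, KEY = 256, bytes.fromhex("AABBCCDDEEFFAABBCCDDEEFFAABBCCDD")
ICV_LEN, IP6_LEN, AH_LEN = 12, 40, 24   # HMAC-MD5-96 ICV, IPv6 header, AH header with that ICV

def ospfv3_hello(router_id, dr, bdr, neighbors):
    """OSPFv3 header + Hello body (options R,E,V6, hello 10s, dead 40s; checksum left at 0)."""
    body = struct.pack("!IB3sHHII", 4, 1, b"\x00\x00\x13", 10, 40, dr, bdr)
    body += b"".join(struct.pack("!I", n) for n in neighbors)
    return struct.pack("!BBHIIHBB", 3, 1, 16 + len(body), router_id, 0, 0, 0, 0) + body

def ah_icv(pkt, key):
    """HMAC-MD5-96 over the packet with mutable fields zeroed (RFC 4302 sect. 3.3.3.1.2)."""
    ip6 = struct.pack("!I", 6 << 28) + pkt[4:7] + b"\x00" + pkt[8:IP6_LEN]  # tclass/flow/hlim zeroed
    ah = pkt[IP6_LEN:IP6_LEN + 12] + bytes(ICV_LEN)                           # ICV field zeroed
    return hmac.new(key, ip6 + ah + pkt[IP6_LEN + AH_LEN:], hashlib.md5).digest()[:ICV_LEN]

def ipv6_ah_packet(src, dst, spi, seq, payload, key):
    """IPv6 (next-header 51) + AH in transport mode (next-header 89) + OSPFv3 payload."""
    ip6 = struct.pack("!IHBB16s16s", 6 << 28, AH_LEN + len(payload), 51, 1, src, dst)
    ah = struct.pack("!BBHII", 89, AH_LEN // 4 - 2, 0, spi, seq) + bytes(ICV_LEN)
    return ip6 + ah[:12] + ah_icv(ip6 + ah + payload, key) + payload

def parse_ah(pkt):
    """The AH fields tshark shows above: next header, SPI, sequence number, ICV."""
    nh, plen, _, spi, seq = struct.unpack("!BBHII", pkt[IP6_LEN:IP6_LEN + 12])
    return {"next_header": nh, "spi": spi, "seq": seq, "icv": pkt[IP6_LEN + 12:IP6_LEN + (plen + 2) * 4]}

def verify_ah(pkt, inbound_sas):
    """Receiver side: the SPI must select a known SA and the ICV must match under that SA's key."""
    ah = parse_ah(pkt)
    key = inbound_sas.get(ah["spi"])          # None on SPI mismatch -> no SA to check against
    return key is not None and hmac.compare_digest(ah_icv(pkt, key), ah["icv"])

def hello_in_clear(pkt):
    """Everything after the AH header is plaintext: anyone on the link can read these fields."""
    ospf = pkt[IP6_LEN + AH_LEN:]
    length, rid, area = struct.unpack("!HII", ospf[2:12])
    hello_iv, dead_iv = struct.unpack("!HH", ospf[24:28])
    return {"router_id": rid, "area": area, "hello": hello_iv, "dead": dead_iv,
            "neighbors": [struct.unpack("!I", ospf[i:i + 4])[0] for i in range(36, length, 4)]}

R1, R2 = int(ipaddress.IPv4Address("2.2.2.2")), int(ipaddress.IPv4Address("172.16.1.254"))
SRC, DST = ipaddress.IPv6Address("fe80::214:6aff:fec4:28ad").packed, ipaddress.IPv6Address("ff02::5").packed
PKT = ipv6_ah_packet(SRC, DST, SPI, 43, ospfv3_hello(R1, R1, R2, [R2]), KEY)   # Hello seq 43 from 2.2.2.2
```

A wrong SPI, a wrong key, or a single flipped payload byte all make verify_ah reject the packet, while hello_in_clear still reads the timers, area and neighbor list straight out of it.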

Note: you must have an IOS code set that supports crypto. The above was done on two Cisco 1841 ISRs with the following code set:

ccie01#sh version | i oft
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(25f), RELEASE SOFTWARE (fc2)
ccie01#


But here's an IPv6-aware Cisco 6500 that does support crypto features:

LA1R01CR#show ver | i oftwa
Cisco Internetwork Operating System Software
IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(18)SXF11, RELEASE SOFTWARE (fc1)
BOOTLDR: s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(18)SXF11, RELEASE SOFTWARE (fc1)
SuperLAT software (copyright 1990 by Meridian Technology Corp).
X.25 software, Version 3.0.0.
Bridging software.
TN3270 Emulation software.


But it does not offer OSPFv3 authentication per interface:

LA1R01CR(config-if)#ipv6 ospf ?
  <1-65535>            Process ID
  cost                 Interface cost
  database-filter      Filter OSPF LSA during synchronization and flooding
  dead-interval        Interval after which a neighbor is declared dead
  demand-circuit       OSPF demand circuit
  flood-reduction      OSPF Flood Reduction
  hello-interval       Time between HELLO packets
  mtu-ignore           Ignores the MTU in DBD packets
  neighbor             OSPF neighbor
  network              Network type
  priority             Router priority
  retransmit-interval  Time between retransmitting lost link state advertisements
  transmit-delay       Link state transmit delay


Nor does it support authentication globally under the OSPFv3 router process:




LA1R01CR(config-rtr)#?
  area                   OSPF area parameters
  auto-cost              Calculate OSPF interface cost according to bandwidth
  default                Set a command to its defaults
  default-information    Distribution of default information
  default-metric         Set metric of redistributed routes
  discard-route          Enable or disable discard-route installation
  distance               Administrative distance
  distribute-list        Filter networks in routing updates
  exit                   Exit from IPv6 routing protocol configuration mode
  ignore                 Do not complain about specific event
  log-adjacency-changes  Log changes in adjacency state
  maximum-paths          Forward packets over multiple paths
  no                     Negate a command or set its defaults
  passive-interface      Suppress routing updates on an interface
  process-min-time       Percentage of quantum to be used before releasing CPU
  redistribute           Redistribute IPv6 prefixes from another routing protocol
  router-id              router-id for this OSPF process
  summary-prefix         Configure IPv6 summary prefix
  timers                 Adjust routing timers


So keep that thought in mind when designing your OSPFv3 topologies and before you enable IPv6 on your speakers. I've been burned numerous times when deploying OSPFv3 with authentication into Cisco core backbones.


Ken Felix
Your Freelance Network Security Engineer
kfelix " a t " hyperfeed.com


