2.1.1 Ensure 'OSPF authentication' is enabled

Information

Enables the authentication of OSPF neighbor before routing information is received from the neighbor

Rationale:

Enabling the routing protocol authentication prevents against attackers who can send wrong routing information in order to redirect traffic to their network or send malformed packets in order to saturate and to exhaust the control plane.

Solution

Step 1: Acquire the interface <interface_name> used by the firewall to receive OSPF routing updates and the area ID <area_id>

Step 2: Agree with the neighbor device on the authencation key <key_value> and determine an authentication key ID <key_id>

Step 3: Run the following to enable OSPF authentication

hostname(config)#interface <interface_name>
hostname(config-if)#ospf authentication message-digest
hostname(config-if)#ospf message-digest-key <key_id> md5 <key_value>
hostname(config-if)#exit
hostname(config)#area <area_id> authentication message-digest

Default Value:

Disabled by default

See Also

https://workbench.cisecurity.org/benchmarks/7194

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-2(1), 800-53|CM-7, 800-53|CP-6, 800-53|CP-7, 800-53|PL-8, 800-53|PM-7, 800-53|SA-8, 800-53|SC-7, CSCv7|11.1

Plugin: Cisco

Control ID: 861fe59fedfca3aaad83f3f0cfefbf7d14c27e40b118e30a9bd0cefa28e3918d