3.1.3.2 Authenticate OSPF peers with MD5 authentication keys

Information

If OSPF is configured, peers can be authenticated using shared keys. This is not configured by default. Where it is configured, MD5 (message-digest) authentication is the recommended mechanism: the key never crosses the wire (each packet carries a keyed digest instead), and it is the option with the widest multi-vendor support. Note that RFC 5709 also defines HMAC-SHA authentication for OSPFv2; where both peers support it, it is cryptographically stronger than MD5, but MD5 remains the interoperable baseline and is far preferable to the cleartext (simple password) option.

Rationale:

OSPF discovers its neighbors with multicast Hello packets (224.0.0.5 and 224.0.0.6), and by default a router will form an adjacency with any device on the segment that answers them. A malicious or misconfigured device can therefore join the OSPF domain and advertise bogus routes for valid hosts or networks, pulling traffic intended for those destinations through itself, where it can be intercepted, modified or dropped.

For this reason it is important that OSPF routers authenticate each other, ensuring that only authorized routers can participate in the exchange of routes.

Impact:

The authentication type and key must match on every router attached to a segment. Packets that fail authentication are discarded, so a mismatched or missing key prevents the adjacency from forming and removes the routes learned over it. Stage the change one segment at a time and confirm that adjacencies re-form before moving on.

Solution

For each OSPF-enabled (routable) interface, set the message-digest authentication method and assign a key chain that has been defined on the switch.
Every OSPF-enabled interface should either have authentication configured or be configured as an OSPF passive interface (ip ospf passive-interface on NX-OS; passive-interface under router ospf on IOS), so that no adjacency can form on it.

switch(config)# key chain <OSPF Key Chain>
switch(config-keychain)# key 1
switch(config-keychain-key)# key-string <shared secret>
switch(config)# interface Vlan1
switch(config-if)# ip ospf authentication message-digest
switch(config-if)# ip ospf authentication key-chain <OSPF Key Chain>
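As an added example (not part of the CIS benchmark or of any Cisco tooling), the following Python script audits a saved show running-config against this control: it reports every interface with OSPF enabled that is neither passive nor configured with message-digest authentication backed by a defined key chain or a per-interface MD5 key, and it also catches an interface that names a key chain which was never defined. The sample configuration, interface names and key chain names are constructed for the example. It assumes interface-level OSPF enablement (ip router ospf on NX-OS, ip ospf ... area on IOS) and the indented sub-command layout of show running-config; interfaces brought into OSPF only through network statements under router ospf are not seen.

```python
"""Audit a Cisco running-config for OSPF interfaces lacking authentication.

Added example for this control; not part of the CIS benchmark or Cisco tooling.
Assumes interface-level OSPF enablement ('ip router ospf <p> area <a>' on NX-OS,
'ip ospf <p> area <a>' on IOS) and indented sub-commands, as in 'show running-config'.
"""
import re

# Constructed sample config (not from the page). Vlan10 is compliant, Vlan20 is
# passive, Ethernet1/1 has no authentication, Ethernet1/2 names a key chain that
# is never defined, and mgmt0 is not an OSPF interface at all.
SAMPLE_CONFIG = """\
key chain OSPF-KEYS
  key 1
    key-string 7 0822455D0A16
router ospf 1
  router-id 10.0.0.1
interface Vlan10
  ip address 10.0.10.1/24
  ip router ospf 1 area 0.0.0.0
  ip ospf authentication message-digest
  ip ospf authentication key-chain OSPF-KEYS
interface Vlan20
  ip address 10.0.20.1/24
  ip router ospf 1 area 0.0.0.0
  ip ospf passive-interface
interface Ethernet1/1
  ip address 10.0.30.1/30
  ip router ospf 1 area 0.0.0.0
interface Ethernet1/2
  ip address 10.0.40.1/30
  ip router ospf 1 area 0.0.0.0
  ip ospf authentication message-digest
  ip ospf authentication key-chain MISSING-CHAIN
interface mgmt0
  ip address 192.0.2.10/24
"""

OSPF_ENABLED = re.compile(r"^ip (?:router )?ospf \S+ area \S+")
KEYCHAIN_REF = re.compile(r"^ip ospf authentication key-chain (\S+)$")
MD5_KEY = re.compile(r"^ip ospf message-digest-key \d+ md5 ")
CLEARTEXT_KEY = re.compile(r"^ip ospf authentication-key ")


def parse_sections(config):
    """Split a running-config into (header, [sub-commands]) blocks.

    Top-level commands start in column 0; their sub-commands are indented.
    Deeper nesting (key chain -> key -> key-string) is flattened under the
    top-level header, which is enough for this check."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank lines and '!' comment lines
        if raw[0].isspace():
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def referenced_key_chain(children):
    """Name of the key chain an interface references, or None."""
    for line in children:
        match = KEYCHAIN_REF.match(line)
        if match:
            return match.group(1)
    return None


def audit_ospf_auth(config):
    """Return (interface, 'pass'|'fail', reason) for every OSPF-enabled interface."""
    sections = parse_sections(config)
    defined_chains = {hdr.split()[2] for hdr, _ in sections if hdr.startswith("key chain ")}
    # 'passive-interface default' under router ospf makes every interface passive
    # unless it opts out with 'no ip ospf passive-interface'.
    passive_default = any(
        "passive-interface default" in children
        for hdr, children in sections if hdr.startswith("router ospf"))
    findings = []
    for hdr, children in sections:
        if not hdr.startswith("interface "):
            continue
        name = hdr.split(None, 1)[1]
        if not any(OSPF_ENABLED.match(c) for c in children):
            continue  # OSPF not enabled here, nothing to authenticate
        passive = ("ip ospf passive-interface" in children
                   or (passive_default and "no ip ospf passive-interface" not in children))
        chain = referenced_key_chain(children)
        if passive:
            findings.append((name, "pass", "passive interface: no adjacency can form"))
        elif chain is not None and chain in defined_chains:
            findings.append((name, "pass", f"message-digest with key chain {chain}"))
        elif chain is not None:
            findings.append((name, "fail", f"references undefined key chain {chain}"))
        elif any(MD5_KEY.match(c) for c in children):
            findings.append((name, "pass", "per-interface message-digest-key configured"))
        elif any(CLEARTEXT_KEY.match(c) for c in children):
            findings.append((name, "fail", "cleartext authentication-key only, not message-digest"))
        else:
            findings.append((name, "fail", "OSPF enabled, not passive, no authentication"))
    return findings


if __name__ == "__main__":
    for interface, status, reason in audit_ospf_auth(SAMPLE_CONFIG):
        print(f"{status.upper():4} {interface:14} {reason}")
```

Feed it the text of show running-config from each device; every "fail" line is an interface on which any host on that segment could form an adjacency, and an interface that passes only because it is passive still needs the adjacency check repeated if it is ever made active.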

Default Value:

OSPF authentication is not enabled by default.

See Also

https://workbench.cisecurity.org/benchmarks/6524

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|AC-18, 800-53|AC-18(1), 800-53|AC-18(3), 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|11

Plugin: Cisco

Control ID: a7da7185c3caaf27eee30a1218b83b36ced6b6d220a864c1d0e762e4c918bb43