4.4.1 Ensure OSPFv3 authentication is set to IPSEC SA - ipsec-sa

Information

OSPFv3 Neighbors should be strongly authenticated.

Rationale:

Where it is deployed, OSPFv3 routing is vital for normal operation of an organization's network infrastructure. Correct route information is required for routers to correctly direct traffic through the network.

An attacker posing as one of the target router's OSPFv3 neighbors may inject incorrect information into the route table, resulting in a DoS attack or in loss of confidential data through a Man in the Middle attack.

OSPFv3 does not support MD5 HMAC based authentication, instead relying on IPSEC Security Associations to authenticate neighbors. This provides a more robust authentication mechanism and allows for optional encryption of routing data in transit.

A Manual IPSEC Security Association is formed between neighbors, using Authentication Header (IP Protocol 51) with the strong SHA1-HMAC method to ensure that the updates were sent by trusted neighbors and were not changed in transit. Only AH is used, to avoid the added overhead of encrypting and decrypting the packet's contents which ESP would entail. It is possible to use ESP in place of AH if encryption of routing information across an untrusted segment is required, but this can have a significant performance cost.

In 'dual stack' IPv4/IPv6 environments running both OSPFv2 for IPv4 routing and OSPFv3 for IPv6, it is common to use a single SA on a segment to provide authentication for both protocols.

NOTE - Although M, T and MX series devices normally require a Services PIC or DPC installed to provide IPSEC VPNs, no additional hardware is required for IPSEC SA based authentication of OSPF neighbors.

Solution

To set up IPSEC SA based authentication, first configure a Security Association at the [edit security ipsec] hierarchy. The SPI is a manual SA parameter required by Junos and must match on all neighbors; the algorithm and key sit under the authentication keyword:

[edit security ipsec]
edit security-association <SA name>
set description <description>
set mode transport
set manual direction bidirectional protocol ah
set manual direction bidirectional spi <SPI>
set manual direction bidirectional authentication algorithm hmac-sha1-96
set manual direction bidirectional authentication key ascii-text <key>

The SA must be bi-directional and must be configured with the same parameters on all neighbors reachable on the intended interface.
Note that only Authentication Header is configured in this example, which provides mutual authentication but does not encrypt OSPFv3 protocol messages in transit.
Next, configure IPSEC SA based authentication for one or more interfaces over which OSPFv3 will run, from the [edit protocols ospf3] hierarchy (Junos names the OSPFv3 protocol stanza ospf3):

[edit protocols ospf3]
user@host# set area <area number> interface <interface name> ipsec-sa <SA name>
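A way to check this control across a configuration dump, as an added example that is not part of the benchmark or of Junos: it parses 'show configuration | display set' output (a constructed sample is embedded) and flags every OSPFv3 interface that has no ipsec-sa, references an undefined SA, or references an SA that is not a transport-mode, bidirectional AH SA using hmac-sha1-96. It accepts both the ospf3 and ospfv3 spellings of the stanza.

```python
import re

# Constructed sample of 'show configuration | display set' output (not from a real device).
SAMPLE_CONFIG = """\
set security ipsec security-association ospf3-sa mode transport
set security ipsec security-association ospf3-sa manual direction bidirectional protocol ah
set security ipsec security-association ospf3-sa manual direction bidirectional spi 256
set security ipsec security-association ospf3-sa manual direction bidirectional authentication algorithm hmac-sha1-96
set security ipsec security-association ospf3-sa manual direction bidirectional authentication key ascii-text "EXAMPLE-KEY"
set security ipsec security-association weak-sa mode transport
set security ipsec security-association weak-sa manual direction bidirectional protocol ah
set security ipsec security-association weak-sa manual direction bidirectional spi 257
set security ipsec security-association weak-sa manual direction bidirectional authentication algorithm hmac-md5-96
set protocols ospf3 area 0.0.0.0 interface ge-0/0/0.0 ipsec-sa ospf3-sa
set protocols ospf3 area 0.0.0.0 interface ge-0/0/1.0 ipsec-sa weak-sa
set protocols ospf3 area 0.0.0.0 interface ge-0/0/2.0
set protocols ospf3 area 0.0.0.0 interface ge-0/0/3.0 ipsec-sa missing-sa
"""

IFACE_RE = re.compile(r"^set protocols ospf(?:v)?3 area \S+ interface (\S+)(?: (.+))?$")
SA_RE = re.compile(r"^set security ipsec security-association (\S+) (.+)$")

# Attributes every SA used for OSPFv3 authentication must carry under this control.
REQUIRED = {
    "mode transport",
    "manual direction bidirectional protocol ah",
    "manual direction bidirectional authentication algorithm hmac-sha1-96",
}

def parse(config):
    """Return ({interface: sa_name_or_None}, {sa_name: set of attribute strings})."""
    ifaces, sas = {}, {}
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface, rest = m.groups()
            ifaces.setdefault(iface, None)          # any interface knob registers the interface
            if rest and rest.startswith("ipsec-sa "):
                ifaces[iface] = rest.split()[1]
            continue
        m = SA_RE.match(line)
        if m:
            sas.setdefault(m.group(1), set()).add(m.group(2))
    return ifaces, sas

def audit(config):
    """Return a sorted list of (interface, finding) for OSPFv3 interfaces failing the control."""
    ifaces, sas = parse(config)
    findings = []
    for iface, sa in sorted(ifaces.items()):
        if sa is None:
            findings.append((iface, "no ipsec-sa configured"))
        elif sa not in sas:
            findings.append((iface, f"ipsec-sa {sa} is not defined"))
        elif REQUIRED - sas[sa]:
            findings.append((iface, f"ipsec-sa {sa} missing: " + "; ".join(sorted(REQUIRED - sas[sa]))))
    return findings
```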

Default Value:

No OSPFv3 routing is configured by default.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, 800-53|IA-5(1), CSCv7|16.4

Plugin: Juniper

Control ID: 59916356e4e59d465a0e029f1074ba569687d2ea50b431f7dc1341eceaaf18da