2.1.2 Ensure 'OSPF authentication' is enabled

Information

Enables the authentication of OSPF neighbor before routing information is received from the neighbor

Rationale:

Enabling the routing protocol authentication prevents against attackers who can send wrong routing information in order to redirect traffic to their network or send malformed packets in order to saturate and to exhaust the control plane.

Solution

* Step 1: Acquire the interface <interface_name> used by the firewall to receive OSPF routing updates and the area ID <area_id>
* Step 2: Agree with the neighbor device on the authencation key <key_value> and determine an authentication key ID <key_id>
* Step 3: Run the following to enable OSPF authentication

HOSTNAME(CONFIG)#INTERFACE <_interface_name_>
HOSTNAME(CONFIG-IF)# OSPF AUTHENTICATION MESSAGE-DIGEST
HOSTNAME(CONFIG-IF)# OSPF MESSAGE-DIGEST-KEY _<key_id>_ MD5 <key_value>
HOSTNAME(CONFIG-IF)#EXIT
HOSTNAME(CONFIG)#AREA _<area_id>_ AUTHENTICATION MESSAGE-DIGEST

See Also

https://workbench.cisecurity.org/files/1903

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-2, CSCv7|11.1

Plugin: Cisco

Control ID: e2f4c4391f8a01279156839d188cb83918783a8e4990bd3300b9dc3c85c01a63