Grimnar’s Black Fangs. Magingald IV.
<<<.//TRNMSN.SEC.CH.412-a.\>>>
…buffering…
“The importance of security is paramount, Brother Captain. You must implement the right type of Authentication on our OSPF links. Our secure channels must stay open while we are besieged or all will be lost. The heretics will attempt to compromise your network and you must strengthen our defenses. Praise the Emperor and see you on the other side. Fang Leader Grimnar out”
OSPF authentication is set up under the interface. The command ip ospf authentication enables clear text authentication. The next command specifies the key, in this case cisco. The neighbors will expire due to the authentication mismatch.
Now the same is configured on the opposite end of the link, and the neighbors agree on authentication and establish a neighbor relationship.
The command show ip ospf interface serial 0/0 shows that Simple password authentication is enabled.
Dangers lurk from beyond the void. If heretics manage to infiltrate the network, a simple packet capture could be all it takes for them to join the OSPF process and tamper with your links. This capture of an OSPF hello packet shows Auth Type: Simple Password. It also shows Auth Data: cisco, recovered from the hex information: 636973636f000000 translates into cisco. This is a major security flaw, and the one Fang Leader Grimnar wanted addressed.
The ip ospf authentication message-digest command switches the interface to MD5 authentication, so the pass key is used to compute an MD5 hash instead of being sent in clear text.
The passkey of cisco is set below with the ip ospf message-digest-key 1 md5 cisco command.
This is replicated on the other end of the link. The link expires and then comes back online using the MD5 key.
Above is verification of the implementation of the MD5 key.
Shown above is the packet capture with the MD5 key in use. Before, the plain text key of cisco was clearly visible. Now Auth Type: Cryptographic states that cryptography is being used, and the Auth Data is hashed this time. No easy password extraction this time.
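The difference between the two captures can be checked mechanically. The following is an added example, not part of the original post: a small Python audit of the OSPFv2 header fields (layout per RFC 2328) that reports whether a captured packet exposes its key. The two sample headers are constructed, with placeholder router ID, area ID and sequence number; only the 636973636f000000 auth data comes from the capture described above.

```python
import struct

# OSPFv2 common header (RFC 2328, A.3.1): version, type, length, router ID,
# area ID, checksum, AuType, then 8 bytes of authentication data.
OSPF_HEADER = struct.Struct("!BBH4s4sHH8s")
AU_TYPES = {0: "Null", 1: "Simple Password", 2: "Cryptographic"}


def audit_ospf_header(packet: bytes) -> dict:
    """Report what the authentication fields of one OSPF packet expose."""
    if len(packet) < OSPF_HEADER.size:
        raise ValueError("truncated OSPF header")
    fields = OSPF_HEADER.unpack_from(packet)
    version, au_type, auth = fields[0], fields[6], fields[7]
    if version != 2:
        raise ValueError("not an OSPFv2 packet")
    finding = {"auth_type": AU_TYPES.get(au_type, f"Unknown ({au_type})"),
               "exposed_key": None}
    if au_type == 1:
        # Simple password: the key itself sits in the header, NUL-padded to 8 bytes.
        finding["exposed_key"] = auth.rstrip(b"\x00").decode("ascii", errors="replace")
    elif au_type == 2:
        # Cryptographic: 2 zero bytes, key ID, digest length, sequence number.
        # The digest is appended after the packet; the key never appears.
        _zero, key_id, digest_len, seq = struct.unpack("!HBBI", auth)
        finding.update(key_id=key_id, digest_len=digest_len, sequence=seq)
    return finding


def build_header(au_type: int, auth: bytes) -> bytes:
    """Constructed sample: hello header (type 1), placeholder router/area IDs."""
    return OSPF_HEADER.pack(2, 1, 44, bytes([10, 0, 0, 1]), bytes(4), 0, au_type, auth)


# Constructed inputs. The simple-password auth data is the hex quoted on the page;
# the MD5 header uses key ID 1, a 16-byte digest length and a made-up sequence number.
SIMPLE = build_header(1, bytes.fromhex("636973636f000000"))
MD5 = build_header(2, struct.pack("!HBBI", 0, 1, 16, 0x3C7EC4A1))

if __name__ == "__main__":
    for name, pkt in (("simple", SIMPLE), ("md5", MD5)):
        print(name, audit_ospf_header(pkt))
```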
Here is the show running-config output of the router. Look there: although we are using MD5 authentication, our password is still visible. If the heretics broke into our config, our Chapter's passwords would be compromised.
This command will hash and ‘hide’ the passwords we are using throughout our routers. Any password stored in clear text will be hashed.
As mentioned prior, the clear text passwords are now stored in a more secure fashion.
Now that our landing party has made its beachhead, we have established secure communication between our landing craft and the landing zone. Well done, Brothers. This day is for the Emperor.