
Configuring and verifying OSPF MD5 authentication

In this article we go through OSPF MD5 authentication and how to verify it on Cisco routers. The simulation is run in Dynamips/Dynagen.

Authentication methods

Cisco routers support two methods of authenticating OSPF routers:

  1. Plain text
  2. MD5

When authentication is configured, the whole area must use the same authentication type. The passwords must match between neighbours on a per-interface basis.

Topology

The following topology is used, a single OSPF area 0. The routers carry only a basic configuration (IP addresses, hostnames, OSPF routing). Both routers have a loopback interface to keep OSPF stable.

|---Fa0/0-(192.168.1.0/24)---|Left|---s1/0---(192.168.2.0/24)---s1/0---|Right|---Fa0/0-(192.168.3.0/24)---|

Dynagen config

# Hypervisor: 30000 – 30999
# UDP: 30000
# Consoles: 3000 – 3099

autostart = False
ghostios = True
sparsemem = True

[localhost:30000]

workingdir = /home/segi/Topo2/Work
udp = 30000

[[2691]]
ram = 128
image = /Topologies/IOSes/c2691-advipservicesk9-mz.124-12.bin.unp
slot1 = NM-4T
confreg = 0x2142

[[ROUTER R1]]
model = 2691
s1/0 = R2 s1/0
console = 3001

[[ROUTER R2]]
model = 2691
console = 3002

Basic router configuration

Router Left

Router>ena
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#host Left
Left(config)#int loo 0
*Mar 1 00:00:46.587: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
Left(config-if)#ip add 1.1.1.1 255.255.255.255
Left(config-if)#no shut
Left(config-if)#int fa 0/0
Left(config-if)#ip add 192.168.1.1 255.255.255.0
Left(config-if)#no shut
Left(config-if)#no keepalive

*Mar 1 00:01:23.335: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar 1 00:01:24.335: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Left(config-if)#int s1/0
Left(config-if)#ip add 192.168.2.1 255.255.255.0
Left(config-if)#no shut
Left(config-if)#clock rate 6400

*Mar 1 00:01:46.635: %LINK-3-UPDOWN: Interface Serial1/0, changed state to up0
*Mar 1 00:01:47.639: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
Left(config-if)#exit
Left(config)#router ospf 1
Left(config-router)#network 192.168.1.0 0.0.0.255 area 0
Left(config-router)#network 192.168.2.0 0.0.0.255 area 0
Left(config-router)#network 1.1.1.1 0.0.0.0 area 0

Left(config-router)#^Z
Left#
*Mar 1 00:02:35.275: %SYS-5-CONFIG_I: Configured from console by console

Router Right

Router#ena
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#host Right
Right(config)#int loo 0
Right(config-if)#ip add 1.1.1.2 255.255.255.255

*Mar 1 00:09:32.083: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
Right(config-if)#no shut
Right(config-if)#int fa 0/0
Right(config-if)#ip add 192.168.3.1 255.255.255.0

Right(config-if)#no shut
Right(config-if)#no keepalive
*Mar 1 00:10:20.447: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar 1 00:10:21.447: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Right(config-if)#int s 1/0
Right(config-if)#ip add 192.168.2.2 255.255.255.0

Right(config-if)#no shut
Right(config-if)#exit

*Mar 1 00:11:17.835: %LINK-3-UPDOWN: Interface Serial1/0, changed state to up
*Mar 1 00:11:18.835: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
Right(config)#router ospf 1
Right(config-router)#net 192.168.2.0 0.0.0.255 area 0
Right(config-router)#net 192.168.2.0 0.0.0.255 area 0

*Mar 1 00:11:34.699: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on Serial1/0 from LOADING to FUnet 192.168.3.0 0.0.0.255 area 0
Right(config-router)#net 1.1.1.2 0.0.0.0 area 0
Right(config-router)#^Z
Right#

Verifying OSPF operation:

Router Left

Routing table

Left#sh ip route
….
Gateway of last resort is not set

1.0.0.0/32 is subnetted, 2 subnets
C 1.1.1.1 is directly connected, Loopback0
O 1.1.1.2 [110/65] via 192.168.2.2, 00:08:24, Serial1/0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
C 192.168.2.0/24 is directly connected, Serial1/0
O 192.168.3.0/24 [110/74] via 192.168.2.2, 00:08:24, Serial1/0

Neighbours

Left#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.2           0   FULL/  -        00:00:30    192.168.2.2     Serial1/0

Router Right

Routing table

Right#sh ip route
….
Gateway of last resort is not set

1.0.0.0/32 is subnetted, 2 subnets
O 1.1.1.1 [110/65] via 192.168.2.1, 00:04:50, Serial1/0
C 1.1.1.2 is directly connected, Loopback0
O 192.168.1.0/24 [110/74] via 192.168.2.1, 00:04:50, Serial1/0
C 192.168.2.0/24 is directly connected, Serial1/0
C 192.168.3.0/24 is directly connected, FastEthernet0/0

Neighbours

Right#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           0   FULL/  -        00:00:31    192.168.2.1     Serial1/0

Configuring MD5 authentication

Enabling authentication on Left

Left(config)#int s 1/0

! enable MD5 authentication on the interface with the password hesloheslovate

Left(config-if)#ip ospf message-digest-key 1 md5 hesloheslovate

Left(config-if)#exit
Left(config)#router ospf 1

! enable MD5 authentication in area 0

Left(config-router)#area 0 authentication message-digest
Left(config-router)#
*Mar 1 00:32:44.887: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.2 on Serial1/0 from FULL to DOWN, Neighbor Down: Dead timer expired

Because router Right has not yet been configured for authentication, we can see that the adjacency between the neighbours has changed, which sh ip ospf neigh confirms:

Left#sh ip ospf neighbor

Left#

debug ip ospf adj confirms it as well:

Left#debug ip ospf adj
OSPF adjacency events debugging is on
Left#
*Mar 1 00:16:55.955: OSPF: Rcv pkt from 192.168.2.2, Serial1/0 : Mismatch Authentication type. Input packet specified type 0, we use type 2
*Mar 1 00:16:59.775: OSPF: Send with youngest Key 0
*Mar 1 00:17:02.979: OSPF: Send with youngest Key 1
*Mar 1 00:17:05.951: OSPF: Rcv pkt from 192.168.2.2, Serial1/0 : Mismatch Authentication type. Input packet specified type 0, we use type 2

Now we configure authentication on Right:

Right(config)#int s 1/0
Right(config-if)#ip ospf message-digest-key 1 md5 hesloheslovate
Right(config-if)#exit
Right(config)#router ospf 1
Right(config-router)#area 0 authentication message-digest

The adjacency is re-established:

*Mar 1 00:20:55.983: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.2 on Serial1/0 from LOADING to FULL, Loading Done

Left#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.2           0   FULL/  -        00:00:30    192.168.2.2     Serial1/0

The debug (Left#debug ip ospf adj) prints the state transitions of the OSPF process all the way to the FULL state, which are gone through when the adjacency and the topology table are built.

*Mar 1 00:26:35.943: OSPF: Rcv pkt from 192.168.2.2, Serial1/0 : Mismatch Authentication type. Input packet specified type 0, we use type 2
*Mar 1 00:26:39.775: OSPF: Send with youngest Key 0
*Mar 1 00:26:43.015: OSPF: Send with youngest Key 1
*Mar 1 00:26:45.931: OSPF: Send with youngest Key 1
*Mar 1 00:26:45.947: OSPF: 2 Way Communication to 1.1.1.2 on Serial1/0, state 2WAY
*Mar 1 00:26:45.947: OSPF: Send DBD to 1.1.1.2 on Serial1/0 seq 0xAE9 opt 0x52 flag 0x7 len 32
*Mar 1 00:26:45.947: OSPF: Send with youngest Key 1
*Mar 1 00:26:45.947: OSPF: Rcv DBD from 1.1.1.2 on Serial1/0 seq 0xAFF opt 0x52 flag 0x7 len 32 mtu 1500 state EXSTART
*Mar 1 00:26:45.947: OSPF: NBR Negotiation Done. We are the SLAVE
*Mar 1 00:26:45.947: OSPF: Send DBD to 1.1.1.2 on Serial1/0 seq 0xAFF opt 0x52 flag 0x2 len 72
*Mar 1 00:26:45.947: OSPF: Send with youngest Key 1
*Mar 1 00:26:45.955: OSPF: Rcv DBD from 1.1.1.2 on Serial1/0 seq 0xB00 opt 0x52 flag 0x3 len 72 mtu 1500 state EXCHANGE
*Mar 1 00:26:45.955: OSPF: Send DBD to 1.1.1.2 on Serial1/0 seq 0xB00 opt 0x52 flag 0x0 len 32
*Mar 1 00:26:45.955: OSPF: Send with youngest Key 1
*Mar 1 00:26:45.963: OSPF: Rcv DBD from 1.1.1.2 on Serial1/0 seq 0xB01 opt 0x52 flag 0x1 len 32 mtu 1500 state EXCHANGE
*Mar 1 00:26:45.963: OSPF: Exchange Done with 1.1.1.2 on Serial1/0
*Mar 1 00:26:45.963: OSPF: Send LS REQ to 1.1.1.2 length 12 LSA count 1
*Mar 1 00:26:45.963: OSPF: Send with youngest Key 1
*Mar 1 00:26:45.963: OSPF: Send DBD to 1.1.1.2 on Serial1/0 seq 0xB01 opt 0x52 flag 0x0 len 32
*Mar 1 00:26:45.963: OSPF: Send with youngest Key 1
*Mar 1 00:26:45.963: OSPF: Rcv LS REQ from 1.1.1.2 on Serial1/0 length 36 LSA count 1
*Mar 1 00:26:45.963: OSPF: Send with youngest Key 1
*Mar 1 00:26:45.963: OSPF: Send UPD to 192.168.2.2 on Serial1/0 length 64 LSA count 1
*Mar 1 00:26:45.971: OSPF: Rcv LS UPD from 1.1.1.2 on Serial1/0 length 88 LSA count 1
*Mar 1 00:26:45.971: OSPF: Synchronized with 1.1.1.2 on Serial1/0, state FULL
*Mar 1 00:26:45.971: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.2 on Serial1/0 from LOADING to FULL, Loading Done
*Mar 1 00:26:46.463: OSPF: Rcv LS UPD from 1.1.1.2 on Serial1/0 length 100 LSA count 1
*Mar 1 00:26:46.471: OSPF: Send with youngest Key 1
*Mar 1 00:26:46.475: OSPF: Build router LSA for area 0, router ID 1.1.1.1, seq 0x80000008
*Mar 1 00:26:48.471: OSPF: Send with youngest Key 1
*Mar 1 00:26:49.775: OSPF: Send with youngest Key 0
*Mar 1 00:26:53.019: OSPF: Send with youngest Key 1
*Mar 1 00:26:59.775: OSPF: Send with youngest Key 0
Left#undebug all

Verifying MD5 authentication:

Using the commands already shown above:

sh ip ospf neighbor

sh ip route

debug ip ospf adj

Verification with Wireshark

Dynagen offers a useful option to sniff the traffic on a given interface. To confirm that the authentication data is really in use, we start a capture on interface serial 1/0 of router Left (which is router R1 in the Dynagen topology; the traffic is captured to the file r1-s1.cap):

=> capture R1 s1/0 r1-s1.cap HDLC

Capturing is stopped with:

=> no capture R1 s1/0

The captured traffic nicely shows the password in text form:

First, a screenshot with authentication switched off.
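As an added example (not part of the original article), the script below constructs OSPFv2 Hello packets with null, simple-password and MD5 authentication, computes the RFC 2328 Appendix D digest over the packet plus the 16-byte zero-padded key, and then plays the receiving router: it yields the same type-mismatch verdict as the debug output above when a type 0 packet arrives on an interface configured for type 2, and shows why a capture exposes a simple password but only a key ID, sequence number and digest for MD5. The router IDs, Hello contents and all verdict strings except the type-mismatch line are constructed for this example.

```python
import hashlib
import struct

AU_NULL, AU_SIMPLE, AU_MD5 = 0, 1, 2          # OSPFv2 AuType values (RFC 2328 A.3.1)


def build_ospf_hello(router_id, au_type, key_id=0, key=b"", seq=0):
    """Constructed OSPFv2 Hello (24-byte header + 20-byte Hello body) for area 0,
    with the Authentication field filled in for the requested AuType.
    The IP-style checksum is skipped for types 0/1; it is 0 on the wire for type 2."""
    # mask /24, HelloInterval 10, Options 0, priority 1, DeadInterval 40, DR 0, BDR 0
    body = struct.pack("!4sHBBIII", bytes([255, 255, 255, 0]), 10, 0, 1, 40, 0, 0)
    length = 24 + len(body)
    if au_type == AU_SIMPLE:
        auth = key.ljust(8, b"\0")[:8]                   # password travels in clear text
    elif au_type == AU_MD5:
        auth = struct.pack("!HBBI", 0, key_id, 16, seq)  # key ID, digest length, sequence
    else:
        auth = b"\0" * 8
    hdr = struct.pack("!BBH4sIHH", 2, 1, length, router_id, 0, 0, au_type) + auth
    pkt = hdr + body
    if au_type == AU_MD5:
        # RFC 2328 D.4.3: digest = MD5(packet || key zero-padded to 16 bytes),
        # appended after the packet and NOT counted in the header length field
        pkt += hashlib.md5(pkt + key.ljust(16, b"\0")[:16]).digest()
    return pkt


def check_auth(pkt, our_type, keys):
    """Receiver-side check. `keys` maps key ID -> secret, i.e. what
    'ip ospf message-digest-key <id> md5 <key>' configures on the interface.
    Returns a verdict string; only the first one mirrors the IOS debug wording."""
    au_type = struct.unpack("!H", pkt[14:16])[0]
    if au_type != our_type:
        return (f"Mismatch Authentication type. Input packet specified type "
                f"{au_type}, we use type {our_type}")
    if au_type == AU_SIMPLE:
        return "simple password visible in header: " + pkt[16:24].rstrip(b"\0").decode()
    if au_type == AU_MD5:
        key_id, auth_len, seq = struct.unpack("!xxBBI", pkt[16:24])
        length = struct.unpack("!H", pkt[2:4])[0]
        key = keys.get(key_id)
        if key is None:
            return f"no message-digest-key {key_id} configured"
        want = hashlib.md5(pkt[:length] + key.ljust(16, b"\0")[:16]).digest()
        if pkt[length:length + auth_len] != want:
            return f"digest mismatch for key {key_id}"
        return f"ok: key {key_id}, seq {seq}"
    return "ok: null authentication"
```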
