
Configuring and verifying plain text OSPF authentication

In this article we go through plain text OSPF authentication and how to verify it on Cisco routers. The simulation is run in Dynamips/Dynagen.

Authentication methods

Cisco routers support two methods of OSPF router authentication:

  1. Plain text
  2. MD5

When configuring authentication, the whole area must use the same authentication type. Passwords must match between neighbours on a per-interface basis.

Topology

The following topology will be used, OSPF area 0. The routers have only a basic configuration (IP addresses, hostnames, OSPF routing). Both routers have a loopback interface to keep OSPF stable.

|--FA0/0-(192.168.1.0/24)--|Left|--s1/0--(192.168.2.0/24)--s1/0--|Right|--Fa0/0-(192.168.3.0/24)--|

Dynagen config

# Hypervisor: 30000 - 30999
# UDP: 30000
# Consoles: 3000 - 3099

autostart = False
ghostios = True
sparsemem = True

[localhost:30000]

workingdir = /home/segi/Topo2/Work
udp = 30000

[[2691]]
ram = 128
image = /Topologies/IOSes/c2691-advipservicesk9-mz.124-12.bin.unp
slot1 = NM-4T
confreg = 0x2142

[[ROUTER R1]]
model = 2691
s1/0 = R2 s1/0
console = 3001

[[ROUTER R2]]
model = 2691
console = 3002

Basic router configuration

Router Left

Router>ena
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#host Left
Left(config)#int loo 0
*Mar 1 00:00:46.587: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
Left(config-if)#ip add 1.1.1.1 255.255.255.255
Left(config-if)#no shut
Left(config-if)#int fa 0/0
Left(config-if)#ip add 192.168.1.1 255.255.255.0
Left(config-if)#no shut
Left(config-if)#no keepalive

*Mar 1 00:01:23.335: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar 1 00:01:24.335: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Left(config-if)#int s1/0
Left(config-if)#ip add 192.168.2.1 255.255.255.0
Left(config-if)#no shut
Left(config-if)#clock rate 6400

*Mar 1 00:01:46.635: %LINK-3-UPDOWN: Interface Serial1/0, changed state to up0
*Mar 1 00:01:47.639: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
Left(config-if)#exit
Left(config)#router ospf 1
Left(config-router)#network 192.168.1.0 0.0.0.255 area 0
Left(config-router)#network 192.168.2.0 0.0.0.255 area 0
Left(config-router)#network 1.1.1.1 0.0.0.0 area 0

Left(config-router)#^Z
Left#
*Mar 1 00:02:35.275: %SYS-5-CONFIG_I: Configured from console by console

Router Right

Router#ena
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#host Right
Right(config)#int loo 0
Right(config-if)#ip add 1.1.1.2 255.255.255.255

*Mar 1 00:09:32.083: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
Right(config-if)#no shut
Right(config-if)#int fa 0/0
Right(config-if)#ip add 192.168.3.1 255.255.255.0

Right(config-if)#no shut
Right(config-if)#no keepalive
*Mar 1 00:10:20.447: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar 1 00:10:21.447: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Right(config-if)#int s 1/0
Right(config-if)#ip add 192.168.2.2 255.255.255.0

Right(config-if)#no shut
Right(config-if)#exit

*Mar 1 00:11:17.835: %LINK-3-UPDOWN: Interface Serial1/0, changed state to up
*Mar 1 00:11:18.835: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
Right(config)#router ospf 1
Right(config-router)#net 192.168.2.0 0.0.0.255 area 0
Right(config-router)#net 192.168.2.0 0.0.0.255 area 0

*Mar 1 00:11:34.699: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on Serial1/0 from LOADING to FUnet 192.168.3.0 0.0.0.255 area 0
Right(config-router)#net 1.1.1.2 0.0.0.0 area 0
Right(config-router)#^Z
Right#

 

Verifying OSPF operation:

Router Left

Routing table

Left#sh ip route
….
Gateway of last resort is not set

  1.0.0.0/32 is subnetted, 2 subnets
C   1.1.1.1 is directly connected, Loopback0
O   1.1.1.2 [110/65] via 192.168.2.2, 00:08:24, Serial1/0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
C 192.168.2.0/24 is directly connected, Serial1/0
O 192.168.3.0/24 [110/74] via 192.168.2.2, 00:08:24, Serial1/0

Neighbors

Left#sh ip ospf neighbor

Neighbor ID  Pri  State    Dead Time   Address       Interface
1.1.1.2      0    FULL/ -  00:00:30    192.168.2.2   Serial1/0

Router Right

Routing table

Right#sh ip route
….
Gateway of last resort is not set

  1.0.0.0/32 is subnetted, 2 subnets
O   1.1.1.1 [110/65] via 192.168.2.1, 00:04:50, Serial1/0
C   1.1.1.2 is directly connected, Loopback0
O 192.168.1.0/24 [110/74] via 192.168.2.1, 00:04:50, Serial1/0
C 192.168.2.0/24 is directly connected, Serial1/0
C 192.168.3.0/24 is directly connected, FastEthernet0/0

Neighbors

Right#sh ip ospf neighbor

Neighbor ID  Pri  State    Dead Time   Address       Interface
1.1.1.1      0    FULL/ -  00:00:31    192.168.2.1   Serial1/0

Configuring plain text authentication

Enabling authentication on Left

Left(config)#int s 1/0

! enable plain text authentication on the interface with the password cisco

Left(config-if)#ip ospf authentication-key cisco

Left(config-if)#exit
Left(config)#router ospf 1

! enable plain text authentication in area 0

Left(config-router)#area 0 authentication
Left(config-router)#
*Mar 1 00:32:44.887: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.2 on Serial1/0 from FULL to DOWN, Neighbor Down: Dead timer expired

 

Since router Right has not yet been configured for authentication, we can see that the adjacency between the neighbours changed, which sh ip ospf neigh confirms:

Left#sh ip ospf neighbor

Left#

debug ip ospf adj confirms it as well:

Left#debug ip ospf adj
OSPF adjacency events debugging is on
Left#
*Mar 1 00:48:24.911: OSPF: Rcv pkt from 192.168.2.2, Serial1/0 : Mismatch Authentication type. Input packet specified type 0, we use type 1
*Mar 1 00:48:34.891: OSPF: Rcv pkt from 192.168.2.2, Serial1/0 : Mismatch Authentication type. Input packet specified type 0, we use type 1

Now we configure authentication on Right:

Right(config)#int s 1/0
Right(config-if)#ip ospf authentication-key cisco
Right(config-if)#exit
Right(config)#router ospf 1
Right(config-router)#area 0 authentication

The adjacency came back up:

*Mar 1 00:38:03.491: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on Serial1/0 from LOADING to FULL, Loading Done

Right#sh ip ospf neighbor

Neighbor ID Pri State   Dead Time  Address     Interface
1.1.1.1     0   FULL/ – 00:00:30   192.168.2.1 Serial1/0
Right#

 

The debug output shows the OSPF process state transitions up to the FULL state, which are used when building the adjacency and the topology table.

*Mar 1 00:49:43.687: OSPF: 2 Way Communication to 1.1.1.2 on Serial1/0, state 2WAY
*Mar 1 00:49:43.687: OSPF: Send DBD to 1.1.1.2 on Serial1/0 seq 0xFE8 opt 0x52 flag 0x7 len 32
*Mar 1 00:49:43.695: OSPF: Rcv DBD from 1.1.1.2 on Serial1/0 seq 0x202E opt 0x52 flag 0x7 len 32 mtu 1500 state EXSTART
*Mar 1 00:49:43.695: OSPF: NBR Negotiation Done. We are the SLAVE
*Mar 1 00:49:43.695: OSPF: Send DBD to 1.1.1.2 on Serial1/0 seq 0x202E opt 0x52 flag 0x2 len 72
*Mar 1 00:49:43.703: OSPF: Rcv DBD from 1.1.1.2 on Serial1/0 seq 0x202F opt 0x52 flag 0x3 len 72 mtu 1500 state EXCHANGE
*Mar 1 00:49:43.703: OSPF: Send DBD to 1.1.1.2 on Serial1/0 seq 0x202F opt 0x52 flag 0x0 len 32
*Mar 1 00:49:43.711: OSPF: Rcv DBD from 1.1.1.2 on Serial1/0 seq 0x2030 opt 0x52 flag 0x1 len 32 mtu 1500 state EXCHANGE
*Mar 1 00:49:43.711: OSPF: Exchange Done with 1.1.1.2 on Serial1/0
*Mar 1 00:49:43.711: OSPF: Send LS REQ to 1.1.1.2 length 12 LSA count 1
*Mar 1 00:49:43.711: OSPF: Send DBD to 1.1.1.2 on Serial1/0 seq 0x2030 opt 0x52 flag 0x0 len 32
*Mar 1 00:49:43.711: OSPF: Rcv LS REQ from 1.1.1.2 on Serial1/0 length 36 LSA count 1
*Mar 1 00:49:43.711: OSPF: Send UPD to 192.168.2.2 on Serial1/0 length 64 LSA count 1
*Mar 1 00:49:43.719: OSPF: Rcv LS UPD from 1.1.1.2 on Serial1/0 length 88 LSA count 1
*Mar 1 00:49:43.719: OSPF: Synchronized with 1.1.1.2 on Serial1/0, state FULL
*Mar 1 00:49:43.719: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.2 on Serial1/0 from LOADING to FULL, Loading Done
*Mar 1 00:49:44.211: OSPF: Rcv LS UPD from 1.1.1.2 on Serial1/0 length 100 LSA count 1
*Mar 1 00:49:44.219: OSPF: Build router LSA for area 0, router ID 1.1.1.1, seq 0x8000000A

 

Verifying plain text authentication:

Using the commands already used above:

sh ip ospf neighbor

sh ip route

debug ip ospf adj

Verification with Wireshark

Dynagen offers an interesting option to sniff the traffic on a given interface. To confirm that the authentication data is actually sent, we start a capture on interface serial 1/0 of router Left (which is router R1 in the Dynagen topology; I capture the traffic into the file r1-s1.cap):

 => capture R1 s1/0 r1-s1.cap HDLC

The capture is stopped with:

 => no capture R1 s1/0

The captured traffic clearly shows the password in text form:

First, a screenshot with authentication disabled,

and a captured OSPF packet with plain text authentication enabled. The password, here "cisco", is clearly visible.
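As an added example (not part of the original article or of any Cisco tool), the following Python script parses the 24-byte OSPFv2 header of constructed Hello packets and shows why the capture above reveals the password: with AuType 1 the 64-bit Authentication field carries the key itself, while with AuType 2 (MD5) it carries only a key ID, digest length and sequence number. It also reproduces the receiver-side check behind the "Mismatch Authentication type. Input packet specified type 0, we use type 1" debug line seen on Left. The packet bytes are constructed and the checksum is left at zero.

```python
import struct

# OSPFv2 AuType values (RFC 2328, Appendix D)
AUTH_NULL = 0     # no authentication
AUTH_SIMPLE = 1   # plain text, what "area 0 authentication" enables
AUTH_CRYPTO = 2   # MD5, "area 0 authentication message-digest"

# 24-byte OSPFv2 header: version, type, length, router ID, area ID,
# checksum, AuType, 8-byte Authentication field
OSPF_HDR = struct.Struct("!BBHIIHH8s")

def ip2int(dotted):
    return int.from_bytes(bytes(map(int, dotted.split("."))), "big")

def build_packet(router_id, area_id, au_type, auth_field, body=b""):
    """Constructed OSPFv2 Hello (type 1); checksum left at 0 for brevity."""
    length = OSPF_HDR.size + len(body)
    return OSPF_HDR.pack(2, 1, length, ip2int(router_id), area_id,
                         0, au_type, auth_field) + body

def simple_auth_field(password):
    # AuType 1: the password itself, zero-padded to 8 bytes (max 8 chars)
    return password.encode("ascii")[:8].ljust(8, b"\x00")

def crypto_auth_field(key_id, seq):
    # AuType 2: reserved(2), key ID(1), auth data length(1), sequence(4);
    # the MD5 digest is appended after the body, the key never leaves the router
    return struct.pack("!HBBI", 0, key_id, 16, seq)

def parse_auth(packet):
    """Return (au_type, secret): the on-wire password for AuType 1, else None."""
    _, _, _, _, _, _, au_type, auth = OSPF_HDR.unpack_from(packet)
    if au_type == AUTH_SIMPLE:
        return au_type, auth.rstrip(b"\x00").decode("ascii", "replace")
    return au_type, None

def check_auth_type(packet, configured_type):
    """Receiver-side check behind the IOS 'Mismatch Authentication type' debug line."""
    au_type, _ = parse_auth(packet)
    if au_type != configured_type:
        return (f"Mismatch Authentication type. Input packet specified type "
                f"{au_type}, we use type {configured_type}")
    return "ok"

if __name__ == "__main__":
    plain = build_packet("1.1.1.2", 0, AUTH_SIMPLE, simple_auth_field("cisco"))
    print(parse_auth(plain))                    # (1, 'cisco'): a sniffer sees the key
    null = build_packet("1.1.1.2", 0, AUTH_NULL, b"\x00" * 8)
    print(check_auth_type(null, AUTH_SIMPLE))   # the mismatch Left logged above
    md5 = build_packet("1.1.1.2", 0, AUTH_CRYPTO, crypto_auth_field(1, 0x1234))
    print(parse_auth(md5))                      # (2, None): no key on the wire
```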
