- Configure authentication on your backbone interfaces according to the diagram
[edit]
admin@J2300-1# edit protocols ospf area 0.0.0.0
[edit protocols ospf area 0.0.0.0]
admin@J2300-1# set interface fe-0/0/1.12 authentication simple-password SECURE
[edit protocols ospf area 0.0.0.0]
admin@J2300-1# set interface fe-0/0/1.13 authentication md5 5 key OSPFmd5KEY
[edit protocols ospf area 0.0.0.0]
admin@J2300-1# commit
commit complete
- Check that you still have an OSPF neighbor on each of your interfaces
[edit protocols ospf area 0.0.0.0]
admin@J2300-1# run show ospf neighbor
Address Interface State ID Pri Dead
10.0.12.2 fe-0/0/1.12 Full 10.0.0.2 128 34
10.0.13.3 fe-0/0/1.13 Full 10.0.0.3 128 31
[edit protocols ospf area 0.0.0.0]
admin@J2300-1#
- Bring up OSPF on fe-0/0/1 on your logical interface using VLAN 101 and establish an adjacency with the router at the 10.101.0.10 IP address. The router admin says there is a password, but he doesn't know what it is.
To figure this one out, we are going to sniff the interface. The capture shows the authentication type, and if simple authentication is used, the password is carried in cleartext, so we'll be able to see it as well.
[edit]
admin@J2300-1# edit interfaces fe-0/0/1 unit 101
[edit interfaces fe-0/0/1 unit 101]
admin@J2300-1# set vlan-id 101
[edit interfaces fe-0/0/1 unit 101]
admin@J2300-1# set family inet address 10.101.0.1/24
[edit interfaces fe-0/0/1 unit 101]
admin@J2300-1# commit
commit complete
[edit interfaces fe-0/0/1 unit 101]
admin@J2300-1# run ping count 3 10.101.0.10
PING 10.101.0.10 (10.101.0.10): 56 data bytes
64 bytes from 10.101.0.10: icmp_seq=0 ttl=64 time=0.841 ms
^C
--- 10.101.0.10 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.841/0.841/0.841/0.000 ms
[edit interfaces fe-0/0/1 unit 101]
admin@J2300-1# top
[edit]
admin@J2300-1# edit protocols ospf area 101.101.101.101
[edit protocols ospf area 101.101.101.101]
admin@J2300-1# set interface fe-0/0/1.101
[edit protocols ospf area 101.101.101.101]
admin@J2300-1# commit
commit complete
[edit protocols ospf area 101.101.101.101]
admin@J2300-1# monitor traffic interface fe-0/0/1 matching "ip host 10.101.0.10" no-resolve
Address resolution is OFF.
Listening on fe-0/0/1, capture size 1514 bytes
10:32:48.271088 In IP (tos 0xc0, ttl 1, id 6543, offset 0, flags [none], proto: OSPF (89), length: 64) 10.101.0.10 > 224.0.0.5: OSPFv2, Hello, length 44
Router-ID 10.10.10.10, Area 101.101.101.101, Authentication Type: simple (1)
Simple text password: seekrit
Options [External]
Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.0, Priority 128
Designated Router 10.101.0.10
^C
33 packets received by filter
0 packets dropped by kernel
[edit protocols ospf]
admin@J2300-1# set area 101.101.101.101 interface fe-0/0/1.101 authentication simple-password seekrit
[edit protocols ospf]
admin@J2300-1# commit
commit complete
[edit protocols ospf]
admin@J2300-1# run show ospf neighbor
Address Interface State ID Pri Dead
10.0.12.2 fe-0/0/1.12 Full 10.0.0.2 128 38
10.0.13.3 fe-0/0/1.13 Full 10.0.0.3 128 38
10.101.0.10 fe-0/0/1.101 Full 10.10.10.10 128 36
[edit protocols ospf]
admin@J2300-1#
- There is an OSPF router in area 102.102.102.102 attached to VLAN 102. Configure your fe-0/0/1 interface with a logical interface on VLAN 102 using IP address 10.102.0./24
[edit protocols ospf]
admin@J2300-1# top
[edit]
admin@J2300-1# edit interfaces fe-0/0/1 unit 102
[edit interfaces fe-0/0/1 unit 102]
admin@J2300-1# set vlan-id 102
[edit interfaces fe-0/0/1 unit 102]
admin@J2300-1# set family inet address 10.102.0.1/24
[edit interfaces fe-0/0/1 unit 102]
admin@J2300-1# commit
commit complete
[edit interfaces fe-0/0/1 unit 102]
admin@J2300-1# run ping 10.102.0.10 count 3
PING 10.102.0.10 (10.102.0.10): 56 data bytes
64 bytes from 10.102.0.10: icmp_seq=0 ttl=64 time=1.593 ms
64 bytes from 10.102.0.10: icmp_seq=1 ttl=64 time=1.576 ms
64 bytes from 10.102.0.10: icmp_seq=2 ttl=64 time=1.605 ms
--- 10.102.0.10 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.576/1.591/1.605/0.012 ms
[edit interfaces fe-0/0/1 unit 102]
admin@J2300-1#
- Bring up OSPF on fe-0/0/1 on your logical interface using VLAN 101 and establish an adjacency with the router at the 10.102.0.10 IP address. The interface has some sort of OSPF password on it: IamTheGreatest
Here we'll guess that MD5 authentication is being used, then sniff the interface to gather the rest of the properties needed (here, the key ID).
[edit interfaces fe-0/0/1 unit 102]
admin@J2300-1# top
[edit]
admin@J2300-1# edit protocols ospf area 102.102.102.102
[edit protocols ospf area 102.102.102.102]
admin@J2300-1# set interface fe-0/0/1.102
[edit protocols ospf area 102.102.102.102]
admin@J2300-1# commit
commit complete
[edit protocols ospf area 102.102.102.102]
admin@J2300-1# run monitor start ospf.log
[edit protocols ospf area 102.102.102.102]
admin@J2300-1#
*** ospf.log ***
Aug 26 10:43:24.906244 OSPF packet ignored: authentication type mismatch (2) from 10.102.0.10
run monitor stop
[edit protocols ospf area 102.102.102.102]
admin@J2300-1# edit interface fe-0/0/1.102
admin@J2300-1# set authentication md5 0 key IamTheGreatest
[edit protocols ospf area 102.102.102.102 interface fe-0/0/1.102]
admin@J2300-1# commit
commit complete
[edit protocols ospf area 102.102.102.102 interface fe-0/0/1.102]
admin@J2300-1# run monitor start ospf.log
[edit protocols ospf area 102.102.102.102 interface fe-0/0/1.102]
admin@J2300-1#
*** ospf.log ***
Aug 26 10:45:10.687329 OSPF packet ignored: authentication failure (missing key-id).
Aug 26 10:45:10.687709 OSPF packet ignored: authentication failure from 10.102.0.10
run monitor stop
[edit protocols ospf area 102.102.102.102 interface fe-0/0/1.102]
admin@J2300-1# run monitor traffic interface fe-0/0/1 detail matching "host 10.102.0.10"
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on fe-0/0/1, capture size 1514 bytes
Reverse lookup for 224.0.0.5 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.
10:45:43.744958 In IP (tos 0xc0, ttl 1, id 6853, offset 0, flags [none], proto: OSPF (89), length: 68) 10.101.0.10 > 224.0.0.5: OSPFv2, Hello, length 48
Router-ID 10.10.10.10, Area 101.101.101.101, Authentication Type: simple (1)
Simple text password: seekrit
Options [External]
Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.0, Priority 128
Designated Router 10.101.0.10, Backup Designated Router 10.101.0.1
Neighbor List:
10.0.0.1
10:45:43.810742 In IP (tos 0xc0, ttl 1, id 6854, offset 0, flags [none], proto: OSPF (89), length: 80) 10.102.0.10 > 224.0.0.5: OSPFv2, Hello, length 44
Router-ID 10.10.10.10, Area 102.102.102.102, Authentication Type: MD5 (2)
Key-ID: 88, Auth-Length: 16, Crypto Sequence Number: 0x4e577957
Options [External]
Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.0, Priority 128
Designated Router 10.102.0.10
10:45:43.874705 Out IP (tos 0xc0, ttl 1, id 9045, offset 0, flags [none], proto: OSPF (89), length: 80) 10.102.0.1 > 224.0.0.5: OSPFv2, Hello, length 44
Router-ID 10.0.0.1, Area 102.102.102.102, Authentication Type: MD5 (2)
Key-ID: 0, Auth-Length: 16, Crypto Sequence Number: 0x4e577958
Options [External]
Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.0, Priority 128
Designated Router 10.102.0.1
^C
23 packets received by filter
0 packets dropped by kernel
[edit protocols ospf area 102.102.102.102 interface fe-0/0/1.102]
admin@J2300-1# set authentication md5 88 key IamTheGreatest
[edit protocols ospf area 102.102.102.102 interface fe-0/0/1.102]
admin@J2300-1# commit
commit complete
[edit protocols ospf area 102.102.102.102 interface fe-0/0/1.102]
admin@J2300-1# run show ospf neighbor
Address Interface State ID Pri Dead
10.0.12.2 fe-0/0/1.12 Full 10.0.0.2 128 37
10.0.13.3 fe-0/0/1.13 Full 10.0.0.3 128 33
10.101.0.10 fe-0/0/1.101 Full 10.10.10.10 128 34
10.102.0.10 fe-0/0/1.102 Full 10.10.10.10 128 33
[edit protocols ospf area 102.102.102.102 interface fe-0/0/1.102]
admin@J2300-1#
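The field layout behind the two captures above, as an added Python example (not part of the original lab): it decodes the OSPFv2 header's authentication fields per RFC 2328, showing that a simple password sits in the packet in cleartext while MD5 exposes only the key ID, sequence number and digest. The sample packets are constructed from the values shown in the captures, and all function names are illustrative.

```python
import hashlib
import hmac
import socket
import struct

AUTH_TYPES = {0: "none", 1: "simple", 2: "md5"}

def parse_ospf_auth(pkt: bytes) -> dict:
    """Decode the auth fields of the 24-byte OSPFv2 header (RFC 2328 A.3.1)."""
    if len(pkt) < 24:
        raise ValueError("truncated OSPFv2 header")
    ver, _type, length, rid, area, _cksum, autype = struct.unpack("!BBH4s4sHH", pkt[:16])
    if ver != 2:
        raise ValueError("not an OSPFv2 packet")
    info = {"router_id": socket.inet_ntoa(rid), "area": socket.inet_ntoa(area),
            "auth_type": AUTH_TYPES.get(autype, f"unknown({autype})")}
    if autype == 1:
        # Simple: the 8-byte field IS the password, NUL-padded, in cleartext.
        info["password"] = pkt[16:24].rstrip(b"\x00").decode("ascii", "replace")
    elif autype == 2:
        # MD5: two zero bytes, key ID, digest length, 32-bit sequence number.
        _, key_id, auth_len, seq = struct.unpack("!HBBI", pkt[16:24])
        info.update(key_id=key_id, seq=seq, digest=pkt[length:length + auth_len])
    return info

def md5_digest(pkt: bytes, length: int, key: bytes) -> bytes:
    """RFC 2328 D.4.3: MD5 over the packet plus the key zero-padded to 16 bytes."""
    return hashlib.md5(pkt[:length] + key[:16].ljust(16, b"\x00")).digest()

def md5_verifies(pkt: bytes, key: bytes) -> bool:
    """True when the digest trailing the packet matches the given key."""
    length = struct.unpack("!H", pkt[2:4])[0]
    return hmac.compare_digest(md5_digest(pkt, length, key), pkt[length:length + 16])

def build_hello(rid: str, area: str, autype: int, auth: bytes, key: bytes = b"") -> bytes:
    """Constructed sample Hello (checksum left at 0); not a capture from the lab."""
    body = socket.inet_aton("255.255.255.0") + struct.pack("!HBBI", 10, 0x02, 128, 40)
    body += socket.inet_aton("0.0.0.0") * 2          # DR and BDR not yet elected
    hdr = struct.pack("!BBH4s4sHH", 2, 1, 24 + len(body), socket.inet_aton(rid),
                      socket.inet_aton(area), 0, autype) + auth.ljust(8, b"\x00")
    pkt = hdr + body
    return pkt + md5_digest(pkt, len(pkt), key) if autype == 2 else pkt

SIMPLE = build_hello("10.10.10.10", "101.101.101.101", 1, b"seekrit")
MD5 = build_hello("10.10.10.10", "102.102.102.102", 2,
                  struct.pack("!HBBI", 0, 88, 16, 0x4E577957), b"IamTheGreatest")

if __name__ == "__main__":
    print(parse_ospf_auth(SIMPLE))
    print(parse_ospf_auth(MD5), md5_verifies(MD5, b"IamTheGreatest"))
```

The receiver looks up the key by the key ID carried in the header, which is why the adjacency above stayed down with key ID 0 and came up only once the local key was configured as ID 88.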