NE40E V800R010C10SPC500 Configuration Guide - IP Routing 01

Improving OSPF Network Security

On a network demanding high security, you can configure OSPF authentication and GTSM to improve OSPF network security.

Usage Scenario

As attacks on TCP/IP networks increase, and given the defects in the TCP/IP protocol suite, network attacks have a growing impact on network security. Attacks on network devices can crash the network. By configuring GTSM and authentication, you can improve OSPF network security.

OSPF authentication protects OSPF packets by adding an authentication field to them. When a local device receives OSPF packets from a remote device, it discards them if the authentication password they carry does not match the local one, which protects the local device from potential attacks.

In terms of the packet type, the authentication is classified as follows:

  • Area authentication

    Area authentication is configured in the OSPF area view and applies to packets received by all interfaces in the OSPF area.

  • Interface authentication

    Interface authentication is configured in the interface view and applies to all packets received by the interface.

The NE40E supports the following authentication modes:
  • Simple authentication
  • MD5 authentication
  • HMAC-MD5 authentication
  • Keychain authentication
NOTE:

The NE40E supports OSPF GTSM. For detailed configuration of OSPF GTSM, refer to the HUAWEI NetEngine40E Configuration Guide - Security.

Pre-configuration Tasks

Before improving OSPF network security, complete the following tasks:

  • Configure a link layer protocol.

  • Configure IP addresses for interfaces to ensure that neighboring nodes are reachable at the network layer.

  • Configure basic OSPF functions.

  • Configure a keychain.

Configuration Procedures

Perform one or more of the following configurations as required.

Configuring Area Authentication

OSPF supports packet authentication. Only the packets that are authenticated can be accepted. If packets fail to be authenticated, the neighbor relationship cannot be established.

Context

NOTE:
By default, authentication is not configured for an OSPF area. Configuring authentication is recommended to ensure system security.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ospf [ process-id ]

    The OSPF process view is displayed.

  3. Run area area-id

    The OSPF area view is displayed.

  4. Run any of the following commands to configure the authentication mode for the OSPF area as required:

    • Run authentication-mode simple [ plain plain-text | [ cipher ] cipher-text ]

      Simple authentication is configured for the OSPF area.

      • plain indicates the plain-text password.
      • cipher indicates the cipher-text password. For MD5, HMAC-MD5 or HMAC-SHA256 authentication, ciphertext passwords are used by default.

      When configuring an authentication password, select ciphertext mode. If you select plain-text mode, the password is saved in the configuration file in plain text, which poses a high security risk. To ensure device security, change the password periodically.

    • Run authentication-mode { md5 | hmac-md5 | hmac-sha256 } [ key-id { plain plain-text | [ cipher ] cipher-text } ]

      Cipher-text authentication is configured for the OSPF area.

      • md5 indicates the MD5 cipher-text authentication mode.
      • hmac-md5 indicates the HMAC-MD5 cipher-text authentication mode.
      • hmac-sha256 indicates the HMAC-SHA256 cipher-text authentication mode.
      NOTE:

      For the sake of security, using the HMAC-SHA256 algorithm rather than the MD5 and HMAC-MD5 algorithms is recommended.

    • Run authentication-mode keychain keychain-name

      Keychain authentication is configured for the OSPF area.

      NOTE:

      Before using keychain authentication, you must run the keychain command to create a keychain. Then, run the key-id, key-string, and algorithm commands to configure a key ID, a password, and an authentication algorithm for this keychain. Otherwise, OSPF authentication will fail.

  5. Run commit

    The configuration is committed.

Configuring Interface Authentication

Interface authentication is used among neighboring routers to set the authentication mode and password. Interface authentication takes precedence over area authentication.

Context

NOTE:
By default, authentication is not configured for an OSPF interface. Configuring authentication is recommended to ensure system security.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The OSPF interface view is displayed.

  3. Run any of the following commands to configure interface authentication as required:

    • Run ospf authentication-mode simple [ plain plain-text | [ cipher ] cipher-text ]

      Simple authentication is configured for the OSPF interface.

      • simple indicates simple authentication.
      • plain indicates the plain-text password. For simple authentication, cipher-text passwords are used by default.
      • cipher indicates the cipher-text password. For MD5, HMAC-MD5 or HMAC-SHA256 authentication, cipher-text passwords are used by default.

      When configuring an authentication password, select ciphertext mode. If you select plain-text mode, the password is saved in the configuration file in plain text, which poses a high security risk. To ensure device security, change the password periodically.

    • Run ospf authentication-mode { md5 | hmac-md5 | hmac-sha256 } [ key-id { plain plain-text | [ cipher ] cipher-text } ]

      Cipher-text authentication is configured for the OSPF interface.

      • md5 indicates the MD5 cipher-text authentication mode.
      • hmac-md5 indicates the HMAC-MD5 cipher-text authentication mode.
      • hmac-sha256 indicates the HMAC-SHA256 cipher-text authentication mode.
      NOTE:

      For the sake of security, using the HMAC-SHA256 algorithm rather than the MD5 and HMAC-MD5 algorithms is recommended.

    • Run ospf authentication-mode keychain keychain-name

      Keychain authentication is configured for the OSPF interface.

      NOTE:

      Before using keychain authentication, you must run the keychain command to create a keychain. Then, run the key-id, key-string, and algorithm commands to configure a key ID, a password, and an authentication algorithm for this keychain. Otherwise, OSPF authentication will fail.

    • Run ospf authentication-mode null

      The OSPF interface does not perform authentication.

  4. Run commit

    The configuration is committed.

Verifying the Configuration of OSPF Network Security

After configuring OSPF functions to improve OSPF network security, check the configuration.

Prerequisites

OSPF functions have been configured to improve OSPF network security.

Procedure

  • Run the display this command to view the configurations of the system in the current view.

Example

Run the display this command to view the configurations of the system in the current view.

<HUAWEI> system-view
[~HUAWEI] display this
#
interface GigabitEthernet1/0/0
 ospf authentication-mode simple
#
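
The following audit is an added example, not part of Huawei's guide: it reads saved configuration in the display this style and flags the settings this page warns about (an area with no authentication, null on an interface, plain passwords, md5 and hmac-md5). The sample configuration and its passwords are constructed, and flagging simple mode is this example's own policy, based on RFC 2328 carrying the simple password unprotected in every packet.

```python
import re

# md5/hmac-md5: the page recommends hmac-sha256. simple: this example's policy (RFC 2328).
MODE_FINDINGS = {"null": "no-authentication", "simple": "simple-password",
                 "md5": "weak-algorithm", "hmac-md5": "weak-algorithm"}
AUTH_RE = re.compile(r"^(?:ospf )?authentication-mode (\S+)(.*)$")
# Constructed sample in the style of "display this" output; passwords are made up.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet1/0/0
 ospf authentication-mode simple
#
interface GigabitEthernet1/0/1
 ospf authentication-mode hmac-sha256 1 cipher CONSTRUCTED-CIPHERTEXT
#
interface GigabitEthernet1/0/2
 ospf authentication-mode null
#
ospf 1
 area 0.0.0.0
  authentication-mode md5 1 plain ConstructedPass1
 area 0.0.0.1
#
"""

def audit(config):
    """Return sorted (scope, finding) pairs; an area with no mode line is unauthenticated."""
    findings, areas, authed, proc, scope = set(), set(), set(), None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):              # top-level line opens a new block
            proc = line if line.startswith("ospf ") else None
            scope = line if line.startswith("interface ") else None
        elif proc and line.startswith("area "):
            scope = f"{proc} {line}"
            areas.add(scope)
        elif scope and (m := AUTH_RE.match(line)):
            mode, rest = m.group(1), m.group(2).split()
            authed.add(scope)
            if mode in MODE_FINDINGS:            # null on an interface overrides its area
                findings.add((scope, MODE_FINDINGS[mode]))
            kw = 0 if mode == "simple" else 1    # plain/cipher follows the key-id otherwise
            if rest[kw:kw + 1] == ["plain"]:
                findings.add((scope, "plaintext-password"))
    findings.update((a, "no-authentication") for a in areas - authed)
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

An interface with no ospf authentication-mode line is not reported, because it inherits whatever its area is configured with.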
Updated: 2019-01-03

Document ID: EDOC1100055018
