Section 27.1.1.8, Example – Westermo RedFox Series User Manual
Page 611

Westermo OS Management Guide
Version 4.17.0-0
Example
iface vlan110 inet static
    ...
    ... Skipping lines
    ...
    address 192.168.15.1/24
    ospf
        no passive
        end
    end
router
    ospf
        router-id 192.168.15.1
        passive-interface
        network 192.168.15.0/24 area 0.0.0.0
        network 192.168.33.0/24 area 0.0.0.0
        end
    end
27.1.1.8 OSPF security
If an "external" OSPF router connects to your network (maliciously or by mistake), routing inside your domain can be severely affected. For example, if that router injects a default route into the OSPF domain, all traffic intended for your Internet gateway may instead be routed towards this "foreign" router.
To prevent this, it is good practice to enable authentication of all OSPF messages inside your network. WeOS provides two forms of authentication of OSPF messages:
• Plain: Plain text authentication protects against careless users attaching an OSPF router to your network by mistake. However, since the password is sent in plain text inside the OSPF messages, it does not prevent a deliberate attacker from injecting routing information into your network. Plain text secrets are text strings of 4-8 characters.
• MD5: With MD5 authentication, each OSPF message includes a cryptographic checksum, i.e., a message authentication code (MAC), based on a secret known only to the system administrator. MD5 secrets are text strings of 4-16 characters.
Authentication of OSPF messages is configured per network interface, and is disabled by default.
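How the two modes differ on the wire, as an added example that is not from the Westermo manual and is not WeOS code: it assumes the plain and MD5 modes correspond to AuType 1 and 2 of the OSPFv2 header in RFC 2328. Function names are hypothetical, the secrets and Hello body are constructed, and the header checksum is left at zero.

```python
import hashlib
import hmac
import struct

AUTH_SIMPLE, AUTH_MD5 = 1, 2  # AuType values defined in RFC 2328
ROUTER_ID = bytes([192, 168, 15, 1])  # router-id from the example on this page

def ospf_header(au_type: int, auth_field: bytes, body_len: int) -> bytes:
    """24-byte OSPFv2 header for a Hello (type 1) in area 0.0.0.0.
    Simplification: the checksum field is left at 0 for both AuTypes."""
    return struct.pack("!BBH4s4sHH8s", 2, 1, 24 + body_len,
                       ROUTER_ID, bytes(4), 0, au_type, auth_field)

def build_plain(secret: bytes, body: bytes) -> bytes:
    """AuType 1: the secret itself fills the 8-byte authentication field."""
    return ospf_header(AUTH_SIMPLE, secret.ljust(8, b"\0"), len(body)) + body

def _digest(packet: bytes, secret: bytes) -> bytes:
    # RFC 2328 D.4.3: MD5 over the packet followed by the key padded to 16 bytes
    return hashlib.md5(packet + secret.ljust(16, b"\0")).digest()

def build_md5(secret: bytes, body: bytes, key_id: int, seq: int) -> bytes:
    """AuType 2: the field carries key ID, digest length and sequence number;
    the 16-byte digest is appended after the packet. The secret is never sent."""
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    packet = ospf_header(AUTH_MD5, auth, len(body)) + body
    return packet + _digest(packet, secret)

def verify_md5(secret: bytes, wire: bytes) -> bool:
    """Receiver side: recompute the digest and compare in constant time."""
    packet, received = wire[:-16], wire[-16:]
    return hmac.compare_digest(received, _digest(packet, secret))

if __name__ == "__main__":
    body = bytes(20)  # constructed stand-in for the Hello body
    plain = build_plain(b"plainpw1", body)  # constructed secret
    signed = build_md5(b"constructed-key1", body, key_id=1, seq=1000)
    print("plain secret readable on the wire:", b"plainpw1" in plain)
    print("MD5 secret readable on the wire:  ", b"constructed-key1" in signed)
    print("genuine packet accepted:", verify_md5(b"constructed-key1", signed))
    forged = signed[:4] + bytes([10, 0, 0, 99]) + signed[8:]  # altered router ID
    print("altered packet accepted:", verify_md5(b"constructed-key1", forged))
```

The 8-byte authentication field and the 16-byte padded key match the 4-8 and 4-16 character limits given above. A real receiver also checks the cryptographic sequence number to reject replayed packets, which this sketch omits.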
Use of MD5 authentication is recommended. When using MD5 authentication,
© 2015 Westermo Teleindustri AB