4.3.2 Ensure OSPF authentication is set to IPSEC SA with SHA

Information

OSPF Neighbors should be strongly authenticated.

Rationale:

Where it is deployed, OSPF routing is vital for normal operation of an organization's network infrastructure. Correct route information is required for routers to correctly direct traffic through the network.

An attacker posing as one of the target routers OSPF neighbors may inject incorrect information into the route table resulting in DoS attack or loss of confidential data through a Man in the Middle attack.

In addition to MD5 hash based authentication, JUNOS routers can also authenticate OSPF neighbors using IPSEC Security Associations. This allows more robust authentication mechanisms to be used and is recommended as an alternative to MD5 HMAC in high security environments. Support for IPSEC based authentication with other vendors is not universal, so ensure all of your devices are able to support this method before proceeding.

A Manual IPSEC Security Association is formed between neighbors, using Authenticated Header (IP Protocol 51) with the stronger HMAC-SHA1 or HMAC-SHA2 (SHA2 is not available on all platforms) methods to ensure that the updates were sent by trusted neighbors and were not changed in transit. Only AH is used to avoid the added overhead required to encrypt and decrypt the packets contents which ESP would entail. It is possible to use ESP in place of AH if encryption of routing information across an untrusted segment is required, but this can have a significant performance cost.

In 'dual stack' IPv4/IPv6 environments running both OSPFv2 for IPv4 routing and OSPFv3 for IPv6, it is common to use a single SA on a segment to provide authentication both protocols.

NOTE - Although M, T and MX series devices normally require a Services PIC or DPC installed to provide IPSEC VPNs, no additional hardware is required for IPSEC SA based authentication of OSPF neighbors.

NOTE: OSPF does not appear to be configured on the target. This check is not applicable.

Solution

To setup IPSEC SA based authentication, first configure a Security Association at the [edit security ipsec] hierarchy;

[edit security ipsec]
edit security-association <SA name>
set description <description>
set mode transport
set manual direction bidirectional protocol ah
set manual direction bidirectional algorithm hmac-sha1-96
set manual direction bidirectional authentication key <key>

The SA must be bi-directional and must be configured with the same parameters on all neighbors reachable on the intended interface.
Note that only Authenticated Header is configured in this example which provides mutual authentication but does not encrypt OSPF protocol messages in transit.
Next configure IPSEC SA based authentication for one or more interfaces which OSPF will be run over from the [edit protocols ospf] hierarchy;

[edit protocols ospf]
user@host#set area <area number> interface <interface number> ipsec-sa <SA name>

Default Value:

No OSPF routing is configured by default.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, 800-53|IA-5(1), CSCv7|16.4

Plugin: Juniper

Control ID: c0acc16b12a64011a1db9155dbae95cfb9ce7cd889a28e7d7d25cfe5c5cdfe22