OSPF Authentication

• per-interface basis
• every ospf packet keyed with password
  

Authentication types:

• null (no authentication)(type 0)
  
• plaintext
• MD5

Authentication is enabled per interface.

Plaintext

Router(config-if)# ip ospf authentication-key 
Router(config-if)# ip ospf authentication

MD5

Router(config-if)# ip ospf message-digest-key  md5 
Router(config-if)# ip ospf authentication message-digest

OSPF Area types

Area Types

• Standard area
• Stub area - Will not accept external routes (type 5 LSAs); type 5 LSAs are replaced by a default route
• Totally stubby area - Will not accept LSAs of type 3, 4, or 5; routes are replaced by the ABR with a default route; Cisco proprietary. Полный аналог static default route
• Not-so-stubby area (NSSA) - Stub areas which contain one or more ASBRs; ASBRs in a NSSA generate type 7 LSAs which are then converted to type 5 by the ABR

The greatest advantage of designating stub areas is decreased convergence time.

Stub & Totally stub areas

Not-So-Stubby-Area

area stub

Areas are designated as stubs when the chosen exit ABR is unimportant (or there is only one).

Router(config-router)# area [id]  stub

All routers within a stub area must be configured as such. A stub router will not form an adjacency with a non-stub router in the same area.

area stub no-summary

no-summary further limits a stub area by creating a totally subby area. Totally stubby areas do not receive type 3 or 5 LSAs from other areas.

Router(config-router)# area [id]  stub no-summary

Only ABRs need to be configured with no-summary appended to the stub command. Остальные роутеры в area могут быть просто с флагом stub.

To direct packets outside the stub area, routers rely on a default route advertised by the ABR(s).

The concept of totally stubby areas is Cisco proprietary.

area default-cost

Not-So-Stubby area configuration:
Router(config-router)# area [id] nssa

Used to define the cost of the default route injected by an ABR into a stub area. The default is (cost to the ABR + 1).

This can be used to prefer one stub exit over others.

Router(config-router)# area  default-cost 

Configuration is done only on the ABR.

OSPF Virtual links

Virtual links - позволяют обойти правило дизайна OSPF area, которое гласит что все area должны быть напрямую соединены с area 0

Такой дизайн - не самая лучшая идея. Рекомендуется применять virtual links только в крайнем случае, как временное решение.
Virtual links - фактически туннелирование в area 0. Может быть реализовано с помощью туннельных интерфейсов.
Virtual links cannot use a stub area for transit.

Router(config-router)#area [id] virtual-link [router id] 

В нашем случае :
R3(config-router)#area 1 virtual-link 2.2.2.2
Virtual link должен быть сконфигурен с обоих сторон
R2(config-router)#area 1 virtual-link 3.3.3.3
При этом не важно, сколько роутеров между двумя конечными ABR.
sh ip ospf neighbors при этом выглядят также как и без использования VL.

sh ip ospf virtual-links

OSPF LSA types

Link-State Advertisements

• Router link (type 1) - Lists a router's neighbors and its cost to each; flooded throughout the area. Используется в пределах area
• Network link (type 2) - Advertisement by the DR containing all routers on the segment it is adjacent to; flooded throughout the area
• Network summary link (type 3) - ABRs generate this type of LSA to send between areas; it lists all prefixes available in an are.Используется для анонсов из одной area в другую.
  
• AS external ASBR summary link (type 4) - Router link LSA for ASBRs. Анонс IP ASBR.
• External link (type 5) - Originated by an ASBR, contains a route external to OSPF
• NSSA external (type 7) - Equivalent to a type 5 LSA, but generated by an ASBR in a not-so-stubby area (NSSA); converted to a type 5 by the ABR

OSPF summarization

Summarization

• Inter-area summarization - Performed at the ABR; creates type 3 LSAs. Type 4 LSAs advertise ASBRs.
• External summarization - Performed at the ASBR; creates type 5 LSAs.

1)ABR summarization

Used on an ABR to summarize multiple networks into a single type 3 LSA.

Router(config-router)# area  range  

В нашем случае (см. картинку)
(config-router)# area 1 range 192.168.0.0 255.255.0.0 - указываем area ИЗ которой будет анонсироваться  summary route !

Summary address указывает на Null0 интерфейс - loop prevention mechanism.
В случае, если трафик придет на summary address, но не предназначен ни одной из сетей, входящих в summary,
он дропается на Null0 интерфейсе.


2)ASBR summarization

При суммировании маршрутов приходящих из другой AS используется другая команда.
Так как в другой AS может не использоваться area (например redistribution из RIP),то используется просто summary-address

Router(config-router)# summary-address address mask [no-advertise] [tag]

В нашем случае

Router(config-router)# summary-address 172.16.0.0 255.255.0.0

OSPF Areas

Router Types

Internal router - all ints in the same area
Backbone - at least one int in area 0
ABR - at least 2 int in different area
ABRS - AS boundary

OSPF network types

I. Broadcast networks
-single operation mode
-10 s hello, 40 s dead timers
- DR/BDR election
- dual multicast

II. Point-to-point network
-single operation mode
-10 s hello, 40 s dead
-no DR/BDR
-single multicast

III. NBMA network
- 5 operation modes: 2 RFC, 3 Cisco


3.1 NBMA modes

1) Non-Broadcast mode (RFC)
Acts like LAN env -- так как все роутеры в одной подсети, процесс предполагает, что все они имеют connectivity, но на самом деле этом может быть не так. Необходимао настраивать, например настраивать frame-relay maps, чтобы R2 видел R3 через R4, хотя в таблице маршрутизации все может быть ОК.

Могут быть задержки в установлении neighbour relationship
Neighbors должны быть статически сконфигурены на роутере, который выступает в качестве DR/BDR. На остальных - необязательно.

Роутер, который будет выступать в качестве DR/BDR должен иметь высший приоритет.
Или остальные - низший.

DR priorities should be specified to ensure only candidates positioned well in the topology are elected DR and BDR.

Router(config-if)# neighbor  [priority ] [poll-interval ]
[cost ]

• priority - This can be used to specify a higher priority than what has been configured on the neighbor (but not lower)
• poll interval - The rate at which hellos are sent to inactive neighbors (default 120 seconds)
• cost - Cost to reach the neighbor

Лучше будет настроить приоритет на обоих сторонах
На соответсвующем интерфейсе соседа (DROTHER)
(config-if)# ip ospf priority 0

2) Point-to-multipoint (RFC)
treats all links almost as p2p links.
!! Cloud & routers must allow broadcast accross links !!
Не нужно дополнительно прописывать никакие frame-relay maps.

3) Point-to-multipoint non-broadcast (Cisco)

То же, что и p2mp но позволяет реализовать без broadcast. Но при этом neighbors приходится конфигурить статично вручную.

4) Broadcast (Cisco)


Full emulation of broadcast env in NBMA network. Full mesh required. Single subnet required

5) Point-to-point (Cisco)
Full emulation of p2p env. Each DLCI acts as p2p link.
1) needs subinf to be configured
2) needs different subnets

Maybe the best mode for NBMA. Меньше всего проблемы, наиболее детерминированное поведение.

NBMA	Point-to-multipoint broadcast	Point-to-multipoint nonbroadcast	Broadcast	Point-to-point
DR/BDR	Yes	No	No	Yes	No
Identify neighbor?	Yes	No	Yes	No	No
Hello/dead timers	30/120	30/120	30/120	10/40	10/40
Standard	RFC	RFC	Cisco	Cisco	Cisco
Network supported	Full mesh	Any	Any	Full mesh	Point-to-point

Implementing & verification OSPF

Configuring OSPF in a Single Area

Necessary information:

• OSPF process ID (locally significant)
• Participating interfaces
• Area ID
• Router ID

Enable OSPF

Router(config)# router ospf 

Configure Included Networks

Router(config-router)# network   area

A single interface can be specified by supplying its IP address and a null wildcard mask:

network 192.168.0.1 0.0.0.0 area 0

Router ID

If no router ID has been administratively declared, a router will choose the highest loopback IP address. If no loopback addresses are present, the highest IP address of the first active interface will be used.

A router ID can be manually specified:

Router(config-router)# router-id 

Best practice dictates the creation of a loopback address to be used as the router ID for stability and continuity:

Router(config)# interface loopback 0
Router(config-if)# ip address  

Default Cost

Link cost is a 16-bit value (0-65535); default cost is calculated as 100Mbps/interface bandwidth. (Interfaces 100Mbps and faster are assigned a cost of 1.)

OSPF cost can be manually specified per interface:

Router(config-if)# ip ospf cost 

An alternative to defining static costs per interface is to change the numerator bandwidth (default 100Mbps):

Router(config-router)# ospf auto-cost reference-bandwidth 

Reference speed is a 32-bit value (1 - 4294967). If reference speed is modified, the same modification should be performed on all routers within the area.

Router Priority

Default DR election priority is 1, and a router with a priority of 0 will not become a DR. Priority range is 0 - 255.

Router(config-if)# ip ospf priority 

Verifying OSPF Configuration

• show ip ospf - OSPF process details

• show ip ospf database - Contents of the topology database

• show ip ospf interface - Interfaces participating in OSPF

• show ip ospf neighbor - Neighbor information

• show ip protocols - Displays all active routing protocols

• show ip route

• debug ip ospf events

• debug ip packet

!! В дебаге роутер определяется router-id !!



# clear ip ospf process

OSPF basics

All OSPF routers in an area share the same Link State Database (LSDB).

All areas must be connected to backbone area 0 ( исключение - использование virtual link - только если нет другого выхода). OSPF requires hierachical design

hello broadcast/p2p - 10 s
NBMA - 30 s

dead timer - 4 x hello

OSPF tables:

• Neighbor table
• Topology database
• Routing table

multicast 224.0.0.5 -DR_other, common
224.0.0.6 - DR, BDR in broadcast env

cost = 100 / bandwidth_in_mbs

DR & BDR has to be elected in every shared segment


DR, BDR election
1) priority
2) highest router-id

HELLO packet

• Router ID - 32-bit unique number (IP address)
• Hello/dead intervals - Timers
• Neighbor list - List of neighboring router IDs
• Area ID
• Priority - Used in electing the DR and BDR
• DR and BDR
• Authentication (if enabled)
• Stub Area Flag - On if this is a stub area

Neighbor relationship

1. Determine Router ID

1) router id hard-coded (best practice)
2) highest loobback int (lo int can be pingable)
3) highest physical int (only active int participate)

! router ID changes only after reboot or ospf process reload !

2. Add interfaces to LSBD (dictated by network command)

3. Send HELLO on choosen interfaces (**DOWN state**)

HELLO contains:
1) Router ID
2) Hello & dead timers *
3) Network mask *
4) Area id *
5) Neighbors
6) Router priority
7) DR/ BDR ip address
8) Authentication password *
9) Stub flag *

* - must match

4. Receive HELLO (**INIT** state)
Check * to match. If conditions do not match you'll see cycling from **DOWN** to **INIT**

5. Send HELLO reply (** 2-way state**)
Router checks if it listed as neighbor in the received hello:
If yes ----> just reset dead timers, neighbor relationship have been already established earlier
If no -----> adds as new neighbor

6. Master - Slave determine ( **Exstart state ** )

determined by priority; router-id breaks the tie
Master send DBD first.
DBD = Database Desciption ("cliff notes" - заметки на полях - краткое описание topology DB)


7. DBD are acknowleged and received (**Loading state**)

Router просматривает DBD и если находит там сети, о которых он не знает, он запрашивает подробную инфу об этих сетках через Link-State Request (LSR). В ответ приходит Link-State Updates (LSU) c запрошеной инфой. LSU - своего рода контейнер, содержаший индивидуальные Link State Advertisement ( LSA) о каждой анонсируемой сети.

8. Neighbors are synchronized (**FULL state**)
Now it's time to start Dijkstra SPF algorithm to analyze received data


!!! In broadcast env every router establish **FULL state** only with DR &BDR, with DR_Other **2-way state** established !!!

Packet Types

OSPF is IP protocol 89.

• Hello - Used to establish communication with directly connected neighbors
• Database Descriptor (DBD) - Lists router IDs from which the router has an LSA and its current sequence number
• Link State Request (LSR) - Request for an LSA
• Link State Update (LSU) - Reply to an LSR with the requested information
• Link State Acknowledgment (LSAck) - Used to confirm receipt of link-state information

Сертификация в ИБ

Сертификация и стандарты
1) Международные
2) Национальные
3) Отраслевые (от ЦБ для финансовой сферы, от Газпрома)
4) Корпоративные

Также делятся на
1) Обязательные
2) Спорные / неявно обязательные
3) Рекомендованные
4) Best practices

В России в сфере ИБ основные регуляторы:
1) ФСБ
2) ФСТЭК
3) Минком-связь (последнее время)
4) МинОбороны
5) ФСО
6) СВР (служба внешней разведки)

Плюс неосновные:
1) ЦБ
2) Газпром
3) PCI Council

Сертификаты:

PCI DSS ( сертификация для работы с платежными системами VISA, MasterCard, Dinner Club, JCB)
последняя версия 1.2 (от 10.2008)
12 требований
см док Cisco Secure Store для PCI

ФСТЭК СТР-К (основной базовый документ ФСТЭК на данный момент)

ФСБ защита персданных
NME-RVPN серт КС1 и КС2

PACE (cisco)
Cisco NCM - аудит на соответствие требованиям сертификации. Не только циско, поддерживает 35 вендоров.