[nsp] Securing OSPF

Mark Tinka mtinka at africaonline.co.sz
Wed Jun 23 03:24:11 EDT 2004


On Wednesday 23 June 2004 08:48, Matt Stockdale wrote:
> Greetings,
>
> I'm trying to clean up an OSPF mess I've inherited, and I was curious-
>
> What are you all doing to secure your OSPF (or igrp/rip/etc, I suppose)?
> Just setting md5 keys on everything and calling it a day? Or are you
> using default passive interfaces and only running ospf on the necessary
> links? Both?

Having passive interfaces (that OSPF doesn't run on) configured is a good 
idea. I had a situation where a competitor was keeping a customer's DoD line 
up because the ISDN-PRI D-Channel the customer was connected on was receiving 
the OSPF LSAs on the default regular interval.

So aside from causing yourself costly problems with the customer, you save 
yourself the risk of a clued customer injecting something in your IGP, just 
for kicks.

>
> I've basically got a single OSPF area where routing information for 3
> superblocks (2 /19's and an /18) is exchanged over routers all
> configured w/ an ospf network of a single class C, resulting in 95% of
> the routes being OSPF external type 2. I figure the solution is to add
> all of the network space to the 5 or 6 different OSPF speaking devices'
> ospf instances, and use ospf passive-interface default on our hybrid
> 6500s and CT3 T1 aggregator to avoid speaking/receiving OSPF to the 200
> or so connected subnets.
>
> This seems like a good idea to me, but it is 2:45am here. Can anyone
> sanity-check my thoughts?

That's definitely a good idea. 

OSPF (and most other IGPs) support filtering using distribute-lists. The 
difference is that in BGP, a filter of this nature is applied on a per 
neighbor basis, while in an IGP it's applied globally to the routing 
protocol. This means it would affect all interfaces taking part in the OSPF 
process.

However, you may overcome this by specifying, at the end of the distribute 
list statement, the interface on which you would like to apply it.

One advantage of using distribute-lists in IGP is that you can use 
prefix-lists with the IGP, unlike BGP (following IOS 12.0).

Mark.

>
> Also, is there a better searchable cisco-nsp archive than the official
> one at https://puck.nether.net/pipermail/cisco-nsp/? For all I know,
> this has been answered before.
>
> Thanks,
>   Matt
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
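The configuration below is an added illustration of the three controls discussed in this thread (passive-interface default with explicit exceptions, MD5 authentication on the remaining adjacencies, and an inbound distribute-list tied to a prefix-list and a single interface). It is not configuration from either poster; the interface names, addresses, area number, key id and key string are assumptions chosen for the example.

```cisco
! Added example, not from the original thread. Interface names, prefixes,
! the area number, key id and key string are assumptions for illustration.
router ospf 1
 router-id 192.0.2.1
 ! Send no hellos and form no adjacencies anywhere unless explicitly enabled
 passive-interface default
 no passive-interface GigabitEthernet0/1
 no passive-interface GigabitEthernet0/2
 ! Customer-facing subnets are still advertised (as intra-area routes)
 ! even though OSPF never speaks on those interfaces
 network 198.51.100.0 0.0.0.255 area 0
 network 203.0.113.0 0.0.0.255 area 0
 ! Require MD5 on every interface in area 0
 area 0 authentication message-digest
 ! Only accept the prefixes we expect on this backbone link; this filters
 ! what enters the RIB, not what enters the LSDB, so LSAs still flood through
 distribute-list prefix OSPF-IN in GigabitEthernet0/1
!
ip prefix-list OSPF-IN seq 10 permit 198.51.100.0/24 le 32
ip prefix-list OSPF-IN seq 20 permit 203.0.113.0/24 le 32
ip prefix-list OSPF-IN seq 30 deny 0.0.0.0/0 le 32
!
interface GigabitEthernet0/1
 description Backbone link to core-2 (OSPF speaking, MD5 required)
 ip address 198.51.100.1 255.255.255.252
 ip ospf message-digest-key 1 md5 EXAMPLE-KEY-CHANGE-ME
!
interface GigabitEthernet0/2
 description Backbone link to core-3 (OSPF speaking, MD5 required)
 ip address 198.51.100.5 255.255.255.252
 ip ospf message-digest-key 1 md5 EXAMPLE-KEY-CHANGE-ME
!
interface GigabitEthernet0/3
 description Customer-facing subnet, passive via the default above
 ip address 203.0.113.1 255.255.255.0
```

After applying it, `show ip ospf interface brief` should list only GigabitEthernet0/1 and 0/2 with a state other than passive, and `show ip ospf neighbor` should show adjacencies only on those two links. Two caveats worth keeping in mind: a passive interface still has its subnet advertised, so passivity controls who can form an adjacency, not what is announced; and because an OSPF distribute-list acts on the RIB rather than the link-state database, it protects this router's forwarding table but does not stop a bogus LSA from flooding to the rest of the area, which is why the authentication and the passive default, not the filter, are the actual injection controls.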

