[nsp] Securing OSPF

Tantsura, Jeff jeff.tantsura at capgemini.com
Fri Jun 25 13:07:45 EDT 2004


Hi,

1. use a loopback interface as router-id; it's also a good idea to use a
separate IP range for the infra loopbacks.
2. use passive interface default
3. in the network statement use a netmask that matches your OSPF interface
netmask.
4. use md5 passwords.

Hope this helps
Jeff
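
Putting the four points above into one minimal IOS configuration (an added example, not taken from Jeff's message or from any vendor documentation; the addresses, interface names, process ID and the key placeholder are assumed):

```cisco
! Point 1: dedicated infrastructure loopback (assumed range 10.255.0.0/24),
!          used as the stable router-id.
interface Loopback0
 description infra loopback - assumed dedicated range
 ip address 10.255.0.1 255.255.255.255
!
! Core link where we do want an adjacency: MD5 key on the interface (point 4).
interface GigabitEthernet0/0
 description core link to upstream router (assumed)
 ip address 10.0.12.1 255.255.255.252
 ip ospf message-digest-key 1 md5 REPLACE-WITH-KEY
!
! Customer-facing subnet: advertised, but no hellos sent or accepted on it.
interface GigabitEthernet0/1
 description customer subnet (assumed) - stays passive
 ip address 192.0.2.1 255.255.255.0
!
router ospf 1
 router-id 10.255.0.1
 log-adjacency-changes
 ! Point 2: passive everywhere, then open only the links that carry neighbors.
 passive-interface default
 no passive-interface GigabitEthernet0/0
 ! Point 4: require MD5 on every interface in the area; a peer without a
 ! valid key never forms an adjacency.
 area 0 authentication message-digest
 ! Point 3: wildcard masks are the inverse of each interface's own netmask,
 ! so every connected prefix is covered by OSPF itself (intra-area routes)
 ! instead of arriving via redistribute connected as external type 2.
 network 10.255.0.1 0.0.0.0 area 0
 network 10.0.12.0 0.0.0.3 area 0
 network 192.0.2.0 0.0.0.255 area 0
!
! Verification after the change:
!   show ip ospf interface brief   -> Gi0/1 listed, but only Gi0/0 shows a
!                                     non-passive state with a neighbor count
!   show ip ospf neighbor          -> only the upstream on Gi0/0 in FULL
!   show ip ospf                   -> "Message digest authentication" for area 0
```

With the per-interface wildcard masks in place the external type 2 routes described in the original mail should turn into intra-area routes, which is easy to confirm with `show ip route ospf` before and after.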

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Matt Stockdale
Sent: Wednesday, June 23, 2004 8:49 AM
To: cisco-nsp at puck.nether.net
Subject: [nsp] Securing OSPF

Greetings,

I'm trying to clean up an OSPF mess I've inherited, and I was curious-

What are you all doing to secure your OSPF (or igrp/rip/etc, I suppose)?
Just setting md5 keys on everything and calling it a day? Or are you
using default passive interfaces and only running ospf on the necessary
links? Both?

I've basically got a single OSPF area where routing information for 3
superblocks (2 /19's and an /18) is exchanged over routers all
configured w/ an ospf network of a single class C, resulting in 95% of
the routes being OSPF external type 2. I figure the solution is to add
all of the network space to the 5 or 6 different OSPF speaking devices'
ospf instances, and use ospf passive-interface default on our hybrid
6500s and CT3 T1 aggregator to avoid speaking/receiving OSPF to the 200
or so connected subnets.

This seems like a good idea to me, but it is 2:45am here. Can anyone
sanity-check my thoughts?

Also, is there a better searchable cisco-nsp archive than the official
one at https://puck.nether.net/pipermail/cisco-nsp/? For all I know,
this has been answered before.

Thanks,
  Matt
