====== OSPF with SHA256 authentication ======
Since AOS Release 8.7 it has been possible to authenticate OSPF through the security key-chain:
sw7 (6860-A) -> security key 123 algorithm
aes-cmac-128 aes-gcm-256 sha224 sha512
aes-cmac-256 md5 sha256 simple
aes-gcm-128 sha1 sha384
Not every algorithm is available for every protocol/application. The aes-gcm-128 and aes-gcm-256 algorithms are used here purely for MACsec (depending on the hardware platform).
===== CLI output =====
==== show ip ospf interface ====
sw7 (6860-A) -> show ip ospf interface vlan-20
Interface IP Name = vlan-20,
Interface IP Address = 192.168.20.7,
Interface IP Mask = 255.255.255.0,
Domain Name = Vlan,
Domain ID = 20,
Admin Status = Enabled,
Operational Status = Up,
OSPF Interface State = DR,
Interface Type = Broadcast,
Area Id = 0.0.0.0,
Designated Router IP Address = 192.168.20.7,
Designated Router RouterId = 192.168.20.7,
Backup Designated Router IP Address = 192.168.20.8,
Backup Designated Router RouterId = 192.168.20.8,
MTU (bytes) = 1500,
Metric Cost = 1,
Priority = 1,
Hello Interval (seconds) = 10,
Transit Delay (seconds) = 1,
Retrans Interval (seconds) = 5,
Dead Interval (seconds) = 40,
Poll Interval (seconds) = 120,
Link Type = Broadcast,
Authentication Type = keychain(1),
# of Events = 2,
# of Init State Neighbors = 0,
# of 2-Way State Neighbors = 0,
# of Exchange State Neighbors = 0,
# of Full State Neighbors = 1,
# of type-9 LSAs on this interface = 0,
BFD status = Disabled,
DR-Only Option for BFD = Disabled
===== Example configuration =====
==== Switch 7 ====
sw7 (6860-A) -> show configuration snapshot ip ospf security
! IP:
ip interface "vlan-20" address 192.168.20.7 mask 255.255.255.0 vlan 20 ifindex 1
! OSPF:
ip load ospf
ip ospf area 0.0.0.0
ip ospf interface "vlan-20"
ip ospf interface "vlan-20" area 0.0.0.0
ip ospf interface "vlan-20" auth-type key-chain 1
ip ospf interface "vlan-20" admin-state enable
ip ospf admin-state enable
! Security:
# The following is what was entered via the CLI:
security key 123 algorithm sha256 key ALESecret2023abcd start-time 02/08/2023 00:00
# In the vcboot.cfg configuration, however, the key is stored as follows:
#security key 123 algorithm sha256 encrypt-key 6c79d5a17a685ee2deb06299 start-time 02/07/2023 00:00
security key-chain 1 name "OSPF"
security key-chain 1 key 123
==== Switch 8 ====
sw8 (6860-B) -> show configuration snapshot ip ospf security
! IP:
ip interface "vlan-20" address 192.168.20.8 mask 255.255.255.0 vlan 20 ifindex 1
! OSPF:
ip load ospf
ip ospf area 0.0.0.0
ip ospf interface "vlan-20"
ip ospf interface "vlan-20" area 0.0.0.0
ip ospf interface "vlan-20" auth-type key-chain 1
ip ospf interface "vlan-20" admin-state enable
ip ospf admin-state enable
! Security:
security key 123 algorithm sha256 encrypt-key 6c79d5a17a685ee2deb06299 start-time 02/06/2023 00:00
security key-chain 1 name "OSPF"
security key-chain 1 key 123
===== Typical error messages =====
==== Key-chain / key combination in use not yet valid ====
In my example I used the wrong date on the switch in question: the entry in the key-chain was only valid from 08.02.2023, but the switch clock was still on 07.02.2023.
Tue Feb 7 14:17:46 : ospf_0 AUTH ERR message:
+++ ospfAuthSet: Set crypto auth error (-1)! intf 192.168.20.7, ipda 224.0.0.5.
Tue Feb 7 14:17:46 : ospf_0 SEND INFO message:
+++ ospfIpSend: Set auth failed on pkt, intf 192.168.20.7, ipda 224.0.0.5. digestLen -1
==== Neighbor authentication failed ====
Tue Feb 7 14:24:43 : ospf_0 AUTH ERR message:
+++ ospfAuthCheck: Intf 192.168.20.7: Auth type 2 mismatch! recvd pkt = (0)
==== Plaintext password not long enough ====
sw7 (6860-A) -> security key 123 algorithm sha256 key ALESecret2023 start-time 02/08/2023 00:00
ERROR: Plaintext keylength supported range is [16-118]
==== Attempting to use SHA512 fails ====
Currently only SHA256 is supported:
sw7 (6860-A) -> security key 222 algorithm sha512 key ALESecret2023bbbb start-time 02/06/2023 00:00
ERROR: Unsupported auth-type! Only sha256 is supported in this release
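To make clear what the key-chain configuration above actually protects and why the two log messages appear, here is an added Python example (not ALE code and not part of the original page). It assumes that the AOS "sha256" algorithm is the OSPFv2 HMAC-SHA-256 scheme of RFC 5709 (Ko derived from the key, Apad constant 0x878FE1F3, digest appended as the authentication trailer) and that the plaintext key is used as its ASCII bytes; the key-chain is modeled as a plain dictionary with the page's key id 123 and start-time, and the Hello packet is a constructed sample using the values from the show ip ospf interface output. The sign() function refuses to use a key whose start-time lies in the future, which is the situation behind the ospfAuthSet error, and verify() rejects a packet whose AuType is not 2 (cryptographic authentication per RFC 2328; 0 is null authentication), which is what the "Auth type 2 mismatch! recvd pkt = (0)" line reports when the neighbor sends unauthenticated Hellos.

```python
"""RFC 5709 style HMAC-SHA-256 authentication for OSPFv2 with a small
key-chain model mirroring the AOS 'security key' / 'security key-chain'
objects. Added example; assumptions are marked in the comments."""
import hashlib
import hmac
import ipaddress
import struct
from datetime import datetime

AU_NULL = 0        # RFC 2328 AuType: null authentication
AU_CRYPTO = 2      # RFC 2328 AuType: cryptographic authentication
DIGEST_LEN = 32    # L = SHA-256 output length (RFC 5709)
APAD = bytes.fromhex("878FE1F3") * (DIGEST_LEN // 4)  # RFC 5709 Apad constant

# Constructed key-chain mirroring the page: key id 123, sha256, valid from
# 08.02.2023 00:00. Assumption: the plaintext key is used as its ASCII bytes.
KEY_CHAIN = {
    123: {"algorithm": "sha256", "key": b"ALESecret2023abcd",
          "start_time": datetime(2023, 2, 8, 0, 0)},
}


def _ip(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def derive_ko(key: bytes) -> bytes:
    """RFC 5709 section 3.3: bring the key to exactly L octets."""
    if len(key) == DIGEST_LEN:
        return key
    if len(key) > DIGEST_LEN:
        return hashlib.sha256(key).digest()
    return key + b"\x00" * (DIGEST_LEN - len(key))


def build_hello(router_id, area, netmask, hello, dead, prio, dr, bdr,
                key_id, seq, au_type=AU_CRYPTO):
    """OSPFv2 Hello (header + body, no trailer). The length field does not
    cover the authentication trailer. Checksum is left 0 (it is 0 for
    cryptographic authentication and not checked in this demo)."""
    body = (_ip(netmask) + struct.pack("!HBBI", hello, 0x02, prio, dead)
            + _ip(dr) + _ip(bdr))
    length = 24 + len(body)
    if au_type == AU_CRYPTO:
        # 0x0000, key id, auth data length, cryptographic sequence number
        auth_field = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    else:
        auth_field = b"\x00" * 8
    header = (struct.pack("!BBH", 2, 1, length) + _ip(router_id) + _ip(area)
              + struct.pack("!HH", 0, au_type) + auth_field)
    return header + body


def valid_key(key_id, now):
    """Return the key bytes if the key exists, is sha256 and already valid."""
    entry = KEY_CHAIN.get(key_id)
    if entry is None or entry["algorithm"] != "sha256":
        return None
    if now < entry["start_time"]:   # start-time still in the future
        return None
    return entry["key"]


def sign(packet: bytes, key_id: int, now: datetime) -> bytes:
    key = valid_key(key_id, now)
    if key is None:
        raise ValueError(f"key {key_id} not usable at {now:%Y-%m-%d %H:%M}")
    digest = hmac.new(derive_ko(key), packet + APAD, hashlib.sha256).digest()
    return packet + digest


def verify(frame: bytes, now: datetime):
    """Returns (ok, reason) for a received header+body+trailer."""
    if len(frame) < 24:
        return False, "truncated header"
    au_type, = struct.unpack_from("!H", frame, 14)
    if au_type != AU_CRYPTO:
        return False, f"auth type {AU_CRYPTO} mismatch, received {au_type}"
    length, = struct.unpack_from("!H", frame, 2)
    key_id, auth_len = struct.unpack_from("!BB", frame, 18)
    if auth_len != DIGEST_LEN or len(frame) != length + DIGEST_LEN:
        return False, "bad authentication trailer length"
    key = valid_key(key_id, now)
    if key is None:
        return False, f"key id {key_id} unknown or not yet valid"
    packet, received = frame[:length], frame[length:]
    expected = hmac.new(derive_ko(key), packet + APAD, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, received):
        return False, "digest mismatch"
    return True, "ok"


def demo():
    """Walk through the page's scenarios; returns a dict of outcomes."""
    args = ("192.168.20.7", "0.0.0.0", "255.255.255.0", 10, 40, 1,
            "192.168.20.7", "192.168.20.8")
    hello = build_hello(*args, key_id=123, seq=1)
    results = {}
    try:  # switch clock still on 07.02.2023: key not yet valid
        sign(hello, 123, datetime(2023, 2, 7, 14, 17))
        results["sign_before_start"] = "signed"
    except ValueError as exc:
        results["sign_before_start"] = str(exc)
    now = datetime(2023, 2, 8, 9, 0)
    frame = sign(hello, 123, now)
    results["verify_ok"] = verify(frame, now)
    # neighbor without auth-type key-chain sends AuType 0
    results["verify_unauth"] = verify(build_hello(*args, key_id=0, seq=1,
                                                  au_type=AU_NULL), now)
    # sequence number altered in flight -> digest no longer matches
    tampered = frame[:20] + b"\x00\x00\x00\x02" + frame[24:]
    results["verify_tampered"] = verify(tampered, now)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The key-chain lookup is keyed by the key id carried in the packet header, which is why both sides must reference the same key id (123) in their key-chain, while the key-chain number itself (1) is purely local to each switch.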