List:       firewalls-gc
Subject:    Re: OSPF Area Security
From:       Paul Ferguson <pferguso () cisco ! com>
Date:       1997-07-11 8:54:47

At 12:59 PM 07/11/97 +0200, Mike van der Walt wrote:

>I know that this is not strictly a firewall question but I thought the
>people in the field could help.
>
>How secure are the OSPF areas?
>

Not secure at all, at least not in the traditional sense. OSPF
is a *routing* protocol. It calculates topology and state information
about the network and determines the best path between nodes. There
is nothing in OSPF to explicitly provide security, other than the
fact that at least one vendor implementation provides for OSPF MD5
route authentication between OSPF peers.

The only 'protection' OSPF provides is in the architectural sense
with the implementation of OSPF areas. When a link-state announcement
(LSA) is flooded to nodes within an area, each node must recalculate
its topology database. The larger the number of nodes within an area,
and the larger the number of prefixes in the network, the longer it
takes for each node to recalculate topology state. When this takes
place within an area, nodes which reside in other areas are blissfully
unaffected. I have seen many cases where there are too many nodes within
an area and when a major link-state event occurs, it has taken several
minutes to recalculate topology information, and traffic ground to a halt
while this event took place. However, nodes which resided in other areas
continued functioning, since they do not participate in Dijkstra
recalculations based on link-state events in other areas in which they
do not reside.

>My network guys tell me that two areas sharing a single router are
>totally secure, i.e. that a person on a network in area 1 cannot
>compromise the router and gain access to the network in area 2.  How
>true is this?

Ah, well this is a completely different question, and completely
unrelated to OSPF altogether. It all depends on how secure the router
is, doesn't it? One might suggest that if passwords are traveling through
the network in the clear, then it is not secure.

- paul


--
Paul Ferguson                                           ||        ||
Consulting Engineering                                  ||        ||
Herndon, Virginia   USA                                ||||      ||||
tel: +1.703.397.5938                               ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com                         c i s c o S y s t e m s
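
Added example, not part of the original message and not any vendor's code: a sketch of what OSPF MD5 authentication between peers checks, using the header layout of RFC 2328 Appendix D. The names sign and verify, zero-padding of short keys, and all sample values are assumptions made for illustration. The packet body stays in cleartext; only its integrity and origin are checked.

```python
import hashlib
import hmac
import struct

# version, type, length, router ID, area ID, checksum, AuType,
# then for AuType 2: zero, key ID, auth data length, crypto sequence number
OSPF_HDR = struct.Struct("!BBHIIHHHBBI")  # 24 bytes
AUTYPE_CRYPTO = 2
MD5_LEN = 16


def pad_key(key: bytes) -> bytes:
    # Assumption: short keys are zero-padded to the 16-byte key size.
    return key[:MD5_LEN].ljust(MD5_LEN, b"\x00")


def sign(body: bytes, router_id: int, area_id: int, key_id: int, key: bytes, seq: int) -> bytes:
    """Build a type-1 (Hello) packet and append the MD5 trailer."""
    length = OSPF_HDR.size + len(body)  # the trailer is not counted in the length field
    hdr = OSPF_HDR.pack(2, 1, length, router_id, area_id, 0,
                        AUTYPE_CRYPTO, 0, key_id, MD5_LEN, seq)
    pkt = hdr + body
    return pkt + hashlib.md5(pkt + pad_key(key)).digest()


def verify(data: bytes, keys: dict, last_seq: int):
    """Return (accepted, reason, sequence number to remember for this neighbor)."""
    if len(data) < OSPF_HDR.size + MD5_LEN:
        return False, "short packet", last_seq
    _v, _t, length, _rid, _area, _ck, autype, _z, key_id, adlen, seq = OSPF_HDR.unpack_from(data)
    if autype != AUTYPE_CRYPTO:
        return False, "not cryptographic auth", last_seq
    if adlen != MD5_LEN or length < OSPF_HDR.size or length + adlen > len(data):
        return False, "bad length", last_seq
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id", last_seq
    if seq < last_seq:  # older than the last accepted packet: treat as a replay
        return False, "replayed sequence number", last_seq
    expected = hashlib.md5(data[:length] + pad_key(key)).digest()
    if not hmac.compare_digest(expected, data[length:length + adlen]):
        return False, "digest mismatch", last_seq
    return True, "ok", seq


if __name__ == "__main__":
    k = b"constructed-key"  # constructed sample key
    p = sign(b"constructed hello body", 0x0A000001, 0, 1, k, 100)
    print(verify(p, {1: k}, 99))   # newer than the last accepted packet
    print(verify(p, {1: k}, 101))  # older than the last accepted packet
```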
