
Hacking ISP With OSPF

Introduction
Core 1 originates the default route for the ISP cloud with a metric of 30. The same route serves customers who need Internet access. A customer CE is connected to the PE with static routing. The PE interface attached to the switch is advertised in OSPF.
The client's administrator knows a little about routing and knows how to sniff traffic. He replaced the router with his laptop, sniffed the packets on the Ethernet segment, and found very interesting results.

http://www.mplsvpn.info
Figure 1

Figure 2 clearly shows auth type = Null and area = 0.0.0.1. It means the neighboring ISP interface is using area 1 for OSPF, with no authentication. Now the trick is simple: advertise the PE-facing interface in OSPF with area 1. After that, see the magic: the OSPF neighborship comes up. Now run the “show ip route” command on the CE router. You will find a default route with metric 30. Now create a default route and redistribute it into OSPF with metric 10. This route floods through the ISP network unhindered, and because 10 is lower than the legitimate route's 30, you become the common point of contact for all the traffic. If the client is using a good sniffer, a lot of problems could occur. In this way you can hack your ISP network.

Figure 2


How to solve the problem?
Simply use the passive interface command under the OSPF process. With this command the interface does not respond to any OSPF packets.
Another workaround for the problem: use OSPF authentication. With authentication enabled, a CE administrator who sniffs the link will definitely still receive the packets, but the packet header makes it very clear that you cannot join without authentication.


Figure 3


But the client administrator can still learn the area ID, and with the help of some tool he may be able to crack the key.
So in my view we should use both (passive interface and OSPF authentication) to make the ISP network secure.
We have a perception that authentication is needed in area 0 only, and we try to make area 0 more secure. This is truly the wrong technique. Once an attacker is able to form the neighborship, he will receive all the routes. An attacker will always come in at your edge, not in the core, unless you yourself are the attacker.
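
To check a PE for the two safeguards recommended above (passive interface and OSPF authentication), the following added example, which is not from the original article, audits an IOS-style configuration and lists interfaces that would form an unauthenticated neighborship. The sample configuration, interface names and addresses are constructed, and the parser assumes per-interface passive-interface lines and network statements only.

```python
import ipaddress
import re
# Constructed sample PE configuration (not taken from the original page).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 ip ospf authentication message-digest
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.252
interface GigabitEthernet0/2
 ip address 192.0.2.5 255.255.255.252
router ospf 1
 passive-interface GigabitEthernet0/2
 network 10.0.0.0 0.0.0.3 area 0
 network 192.0.2.0 0.0.0.7 area 1
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def audit_ospf(config):
    """Map each OSPF-enabled interface to (area, passive, authenticated)."""
    addr, if_auth, nets, passive, area_auth, current = {}, set(), [], set(), set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level line opens a new section
            m = re.match(r"interface (\S+)", line)
            current = m.group(1) if m else None
        elif current and (m := re.match(r"ip address (\S+) \S+$", line)):
            addr[current] = _ip(m.group(1))
        elif current and re.match(r"ip ospf authentication(\s+(?!null).+)?$", line):
            if_auth.add(current)
        elif m := re.match(r"network (\S+) (\S+) area (\S+)", line):
            nets.append((_ip(m.group(1)), _ip(m.group(2)), m.group(3)))
        elif m := re.match(r"passive-interface (\S+)", line):
            passive.add(m.group(1))
        elif m := re.match(r"area (\S+) authentication", line):
            area_auth.add(m.group(1))
    report = {}
    for name, ip in addr.items():
        # A wildcard bit of 1 means "ignore this bit" when matching.
        area = next((a for n, w, a in nets if ((ip ^ n) & ~w) == 0), None)
        if area is not None:
            report[name] = (area, name in passive, name in if_auth or area in area_auth)
    return report

def exposed(config):
    """Non-passive interfaces that accept OSPF neighbours without authentication."""
    return sorted(n for n, (_, p, auth) in audit_ospf(config).items() if not (p or auth))
```

On the sample, only GigabitEthernet0/1 is reported: it sits in area 1, is not passive, and has neither interface nor area authentication.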

Author
Shivlu Jain
shivlu@mplsvpn.info
http://www.mplsvpn.info