Thunder Hawk Down

Today we go through the example of Thunder Hawk Down. Apologies for the slow reply. I had my engagement party on Saturday night and found myself busy getting ready last week.

Just recapping on the objectives.

Objectives

  • Configure RIDs, interface IPs and loopbacks.
  • Establish an OSPF link from Space Wolves HQ (Area 0) to the Main Gate Comms Tower (Area 252).
  • Secure the link with the strongest authentication possible.
  • Establish a virtual link for Area 164 back to Area 0.
  • Secure the link.
  • Verify and inform the Icebane to hold on.

Step 1

Configure Router Hostnames and Line Console Parameters

Under each router I configure the hostname so the devices can be identified. Under line con 0 I configure no exec-timeout, which means my console session will not log out. This is handy for GNS3, where idle-pc values stop working and my CPU maxes out at 100% every time a session has to be reopened. Never use no exec-timeout in a production environment. Logging synchronous stops console messages from interrupting you whilst you type.

HQ

hostname HQ

line con 0
no exec-timeout
logging synchronous

MainGate

hostname MainGate
line con 0
no exec-timeout
logging synchronous

Icebane

hostname Icebane
line con 0
no exec-timeout
logging synchronous

Step 2

Configure Interface IP addresses and Loopbacks

Here I have configured the IP addresses according to the scheme and added descriptions to help identify the links. OSPF advertises a loopback as a /32 host route by default; the ip ospf network point-to-point command on the loopbacks makes it advertise the configured subnet mask instead, so the proper mask ends up in the routing table.

HQ

int s0/0
desc Link to Main Gate
clock rate 64000
ip add 10.137.88.5 255.255.255.252
no shut

MainGate

int s0/0
desc Link from HQ
ip add 10.137.88.6 255.255.255.252
no shut
int s0/1
ip add 10.137.88.1 255.255.255.252
desc Link to Crash Site
clock rate 64000
no shut
exit
int lo100
ip add 192.168.100.1 255.255.255.252
ip ospf network point-to-point
int lo200
ip add 192.168.100.5 255.255.255.252
ip ospf network point-to-point
int lo300
ip add 192.168.100.9 255.255.255.252
ip ospf network point-to-point
int lo400
ip add 192.168.100.13 255.255.255.252
ip ospf network point-to-point

Icebane

int s0/1
ip add 10.137.88.2 255.255.255.252
desc Link from Main Gate
ip ospf message-digest-key 1 md5 spacewolf
no shut
exit
int lo100
ip add 172.16.16.1 255.255.255.0
ip ospf network point-to-point
int lo101
ip add 172.16.17.1 255.255.255.0
ip ospf network point-to-point
int lo102
ip add 172.16.18.1 255.255.255.0
ip ospf network point-to-point
int lo103
ip add 172.16.19.1 255.255.255.0
ip ospf network point-to-point
int lo104
ip add 172.16.20.1 255.255.255.0
ip ospf network point-to-point

Confirm the links are up/up with show ip int br.

MainGate

MainGate(config-router)#do show ip int br
Interface          IP-Address      OK? Method Status                Protocol
FastEthernet0/0    unassigned      YES unset  administratively down down
Serial0/0          10.137.88.6     YES manual up                    up
FastEthernet0/1    unassigned      YES unset  administratively down down
Serial0/1          10.137.88.1     YES manual up                    up
Loopback100        192.168.100.1   YES manual up                    up
Loopback200        192.168.100.5   YES manual up                    up
Loopback300        192.168.100.9   YES manual up                    up
Loopback400        192.168.100.13  YES manual up                    up

Step 3

Initiate the OSPF Process on the routers. Confirm configuration.

HQ

router ospf 1
router-id 1.1.1.1
network 10.137.88.0 0.0.0.255 area 0

MainGate

router ospf 1
router-id 2.2.2.2
network 10.137.88.0 0.0.0.3 area 252
network 10.137.88.4 0.0.0.3 area 0
network 192.168.100.0 0.0.0.255 area 252

Icebane

router ospf 1
router-id 3.3.3.3
network 10.137.88.0 0.0.0.3 area 252
network 172.16.16.0 0.0.7.255 area 164

It is important to set the router-id. It comes in handy for a number of things, such as reading outputs and confirming changes in the OSPF process. In our case we need it set because the virtual link is configured against the peer's router ID, and that link is what re-establishes communication to the Icebane.
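The network statements above decide which interface lands in which area by wildcard-mask matching. The following is an added Python example (not part of the original post) that performs that match the way IOS does, most-specific statement first, and reports interfaces no statement covers. The interface addresses and network statements are transcribed from Steps 2 and 3; the helper names are my own.

```python
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr is covered by an IOS 'network <network> <wildcard>' statement.
    In a wildcard mask a 0 bit means 'must match', a 1 bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def assign_areas(interfaces: dict, statements: list) -> dict:
    """Map each interface to the OSPF area of its first matching statement.
    IOS evaluates network statements most-specific first (it reorders them that
    way in the running-config), so statements are sorted by the number of
    don't-care bits before matching. Interfaces no statement covers map to None."""
    def dont_care_bits(stmt):
        return bin(int(ipaddress.IPv4Address(stmt[1]))).count("1")

    ordered = sorted(statements, key=dont_care_bits)
    areas = {}
    for name, addr in interfaces.items():
        areas[name] = None
        for network, wildcard, area in ordered:
            if wildcard_match(addr, network, wildcard):
                areas[name] = area
                break
    return areas


def uncovered(interfaces: dict, statements: list) -> list:
    """Interfaces that will not run OSPF at all because no statement matches them."""
    return [name for name, area in assign_areas(interfaces, statements).items() if area is None]


# Interface addresses and network statements transcribed from Steps 2 and 3 of the post.
MAINGATE_INTERFACES = {
    "Serial0/0": "10.137.88.6",
    "Serial0/1": "10.137.88.1",
    "Loopback100": "192.168.100.1",
    "Loopback200": "192.168.100.5",
    "Loopback300": "192.168.100.9",
    "Loopback400": "192.168.100.13",
}
MAINGATE_STATEMENTS = [
    ("10.137.88.0", "0.0.0.3", 252),
    ("10.137.88.4", "0.0.0.3", 0),
    ("192.168.100.0", "0.0.0.255", 252),
]
HQ_INTERFACES = {"Serial0/0": "10.137.88.5"}
HQ_STATEMENTS = [("10.137.88.0", "0.0.0.255", 0)]

if __name__ == "__main__":
    for router, ifaces, stmts in (("MainGate", MAINGATE_INTERFACES, MAINGATE_STATEMENTS),
                                  ("HQ", HQ_INTERFACES, HQ_STATEMENTS)):
        print(router, assign_areas(ifaces, stmts), "uncovered:", uncovered(ifaces, stmts))
```

Running it confirms MainGate's serial links fall into areas 0 and 252 with the loopbacks in 252. It also shows why HQ's broad 10.137.88.0 0.0.0.255 statement is worth a second look: any future interface in 10.137.88.x on HQ would silently join area 0, which is the kind of thing a /30-wide wildcard like MainGate's avoids.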

Step 4

Configure OSPF Virtual Link between Icebane and MainGate. Communication must be authenticated.

A sense of urgency has frenzied the Orks. We must securely re-establish contact with our brethren. A quick set of commands will allow connectivity to the downed bird.

HQ

int s0/0
ip ospf message-digest-key 1 md5 spacewolf

router ospf 1
area 0 authentication message-digest

MainGate

int s0/0
ip ospf message-digest-key 1 md5 spacewolf

int s0/1
ip ospf message-digest-key 1 md5 spacewolf

router ospf 1

area 0 authentication message-digest
area 252 authentication message-digest
area 252 virtual-link 3.3.3.3 message-digest-key 1 md5 spacewolf

Icebane

int s0/1
ip ospf message-digest-key 1 md5 spacewolf

router ospf 1
area 0 authentication message-digest
area 164 authentication message-digest
area 252 authentication message-digest
area 252 virtual-link 2.2.2.2 message-digest-key 1 md5 spacewolf

It is extremely important to set this up correctly. Under the OSPF process you must enable area-wide authentication, and this is done on each router. In the case of MainGate there is an interface in each area, which means the command must be entered for each area the ABR sits in.

This is demonstrated by the area 0 and area 252 commands.

MD5 must be configured area-wide and then on the virtual link. The virtual link's authentication type must match the area authentication type. In this case we need a secure link, so we are going to use message digest. Because a virtual link is treated as an interface in area 0, Icebane also needs area 0 authentication message-digest even though it has no physical interface in area 0.

The area 252 virtual-link 3.3.3.3 command on MainGate creates the virtual link. On Icebane it must be configured as area 252 virtual-link 2.2.2.2. The reason Icebane uses area 252 is that the virtual link must be configured with the transit area it traverses to reach Area 0, not with the area it is connecting.

Adding message-digest-key 1 md5 spacewolf ensures that MD5 authentication is used on the virtual link. The number 1 stipulates the key number, md5 the type, and spacewolf the passkey. The passkey is case sensitive.

Under each interface the ip ospf message-digest-key 1 md5 spacewolf command must be issued. This specifies key 1, the authentication type as md5, and the passkey spacewolf. Both ends of a link must use the same key number and passkey, or the adjacency will not form.

You can confirm the status of the virtual link by issuing the following:

MainGate#  show ip ospf virtual-links
Virtual Link OSPF_VL0 to router 3.3.3.3 is up
Run as demand circuit
DoNotAge LSA allowed.
Transit area 252, via interface Serial0/1, Cost of using 64
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:04
Adjacency State FULL (Hello suppressed)
Index 2/3, retransmission queue length 0, number of retransmission 1
First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
Last retransmission scan length is 1, maximum is 1
Last retransmission scan time is 0 msec, maximum is 0 msec
Message digest authentication enabled
Youngest key id is 1

The first line of output states that OSPF_VL0 (the virtual link we set up) to 3.3.3.3 (Icebane) is up. The second-to-last line shows that message digest (MD5) authentication is in use, and the last line shows that key number 1, which we set to use the passkey of spacewolf, is the key being used.

Step 5

Verify

Now some show commands:

Icebane(config-router)#do show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

172.16.0.0/24 is subnetted, 5 subnets
C       172.16.20.0 is directly connected, Loopback104
C       172.16.16.0 is directly connected, Loopback100
C       172.16.17.0 is directly connected, Loopback101
C       172.16.18.0 is directly connected, Loopback102
C       172.16.19.0 is directly connected, Loopback103
10.0.0.0/30 is subnetted, 2 subnets
C       10.137.88.0 is directly connected, Serial0/1
O       10.137.88.4 [110/128] via 10.137.88.1, 00:09:10, Serial0/1
192.168.100.0/24 is variably subnetted, 4 subnets, 2 masks
O       192.168.100.12/30 [110/65] via 10.137.88.1, 00:09:40, Serial0/1
O       192.168.100.8/30 [110/65] via 10.137.88.1, 00:09:40, Serial0/1
O       192.168.100.4/30 [110/65] via 10.137.88.1, 00:09:40, Serial0/1
O       192.168.100.1/32 [110/65] via 10.137.88.1, 00:09:41, Serial0/1

Voila! Connectivity to areas 0 and 252. This is shown by the OSPF route to the 10.137.88.4 network (the serial link from HQ to MainGate). A quick ping to confirm.

Icebane(config-router)#do ping 10.137.88.5

Sending 5, 100-byte ICMP Echos to 10.137.88.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/53/88 ms

“Icebane, Icebane, this is Brother Commander Longfang do you copy? We are closing on your position. Hold tight. Over”

A foul stench permeated the air. Blood, bile and bullet casings were scattered amongst the green tide. The surging sea of Greenskins had been calmed to a pool of death. The sight before the Space Wolves was enough to turn the most seasoned warriors' bowels to water. Yet they moved onwards with a sense of loss setting in.

“Co…Comm…Darius” a meek voice called out from amongst the sea of Orks. “Thank you.” It was Captain Jelk of the 2nd Heavy Division. He had been severely injured and desperately required a medic. With communications restored, a Thunderhawk with the Clan's Apothecaries arrived on site within minutes and plucked the stranded and injured troops to safety.

Darius surveyed the scene. He muttered to no one in particular, “On the wings of darkness do these Orks ride. Something else gives haste to their passage. Praise Russ that we find them soon.”

Ciscopress eBook Deal of the Day: ROUTE OCF $9.99

Ciscopress.com offers a book of the day: digital copies of their books for $9.99. Massively reduced, these e-books come personalized with your name.

[image]

For the past couple of days, the CCNP ROUTE 642-902 OCF has been up for sale. Good price for a good book. Great for the iPad or laptop.

OSPF Authentication – Clear Text vs MD5. What is the difference?

Grimnar’s Black Fangs. Magingald IV.

<<<.//TRNMSN.SEC.CH.412-a.\\>>>

…buffering…
“The importance of security is paramount, Brother Captain. You must implement the right type of Authentication on our OSPF links. Our secure channels must stay open while we are besieged or all will be lost. The heretics will attempt to compromise your network and you must strengthen our defenses. Praise the Emperor and see you on the other side. Fang Leader Grimnar out”

[image]

OSPF authentication is set up under the interface. The ip ospf authentication command enables clear-text authentication, and the next command specifies the key, in this case cisco. The neighbors will expire due to an authentication mismatch until the other end is configured.

[image]

Now the same is configured on the opposite end of the link, and the neighbors agree on authentication and establish a neighbor relationship.

[image]

The command show ip ospf interface serial 0/0 shows that simple password authentication is enabled.

[image]

Dangers lurk from beyond the void. If heretics manage to infiltrate the network, a simple packet capture could be all that stands between them and joining the OSPF process and tampering with your links. This capture of an OSPF Hello packet shows Auth Type: Simple Password. It also shows Auth Data: cisco, recovered from the hex: 636973636f000000 translates into cisco. This is bad and a major security flaw that Fang Leader Grimnar wanted addressed.

[image]

The ip ospf authentication message-digest command initiates MD5 hashing on the passkey.

The passkey of cisco is set below with ip ospf message-digest-key 1 md5 cisco.

[image]

This is replicated on the other end of the link. The neighbor relationship expires and then comes back online using the MD5 key.

[image]

Above is verification that the MD5 key is in use.

[image]

Shown above is the packet capture with the MD5 key in use. Before, the plain-text key cisco was clearly visible. Now Auth Type: Cryptographic states that cryptographic authentication is in use, and the key itself no longer appears in the packet; what is carried is a digest computed over the packet and the key. No easy password extraction this time.
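The difference between the two captures comes down to what sits in the OSPF header's authentication field. The following is an added Python example (not from the original post) that builds constructed OSPFv2 Hello packets with each authentication type, reports what an observer can read from them, and verifies the RFC 2328 Appendix D MD5 digest when given the key. The packets are constructed samples with the checksum left at zero, not real captures; the function names are my own, and the zero-padding of the key to 16 bytes follows Appendix D.

```python
import hashlib
import hmac
import ipaddress
import struct

# OSPFv2 packet header (RFC 2328, A.3.1): version, type, length, router ID,
# area ID, checksum, AuType, 8-byte authentication field.
OSPF_HDR = struct.Struct("!BBH4s4sHH8s")
AUTYPE_NAMES = {0: "Null", 1: "Simple Password", 2: "Cryptographic"}


def _padded_key(key: bytes) -> bytes:
    # RFC 2328 Appendix D works with a 16-byte key; a shorter password is zero-padded.
    return key.ljust(16, b"\0")[:16]


def build_hello(router_id: str, area_id: str, autype: int, auth_field: bytes, key: bytes = b"") -> bytes:
    """Constructed OSPFv2 Hello used as sample input; not a real capture.
    The checksum is left at zero (it is not what this demonstration is about).
    For AuType 2 the Appendix D digest is appended after the packet: MD5 over
    the packet bytes followed by the 16-byte key."""
    # Hello body: network mask, hello interval, options, priority, dead interval, DR, BDR
    body = struct.pack("!4sHBBI4s4s", ipaddress.IPv4Address("255.255.255.252").packed,
                       10, 0x02, 1, 40, b"\0" * 4, b"\0" * 4)
    length = OSPF_HDR.size + len(body)
    header = OSPF_HDR.pack(2, 1, length, ipaddress.IPv4Address(router_id).packed,
                           ipaddress.IPv4Address(area_id).packed, 0, autype, auth_field)
    packet = header + body
    if autype == 2:
        packet += hashlib.md5(packet + _padded_key(key)).digest()
    return packet


def inspect_auth(packet: bytes, key: bytes = None) -> dict:
    """Report what an observer of this packet learns about its authentication.
    With a Simple Password the key itself sits in the header; with Cryptographic
    only the key ID and sequence number are visible, and the trailing digest can
    only be checked by someone who already holds the key."""
    _ver, _ptype, length, rid, _area, _cksum, autype, auth = OSPF_HDR.unpack_from(packet)
    info = {"router_id": str(ipaddress.IPv4Address(rid)),
            "auth_type": AUTYPE_NAMES.get(autype, "Unknown"),
            "auth_data_hex": auth.hex()}
    if autype == 1:
        info["password"] = auth.rstrip(b"\0").decode("ascii", errors="replace")
    elif autype == 2:
        _reserved, key_id, data_len, seq = struct.unpack("!HBBI", auth)
        info.update(key_id=key_id, sequence=seq)
        if key is not None:
            expected = hashlib.md5(packet[:length] + _padded_key(key)).digest()
            info["digest_ok"] = hmac.compare_digest(packet[length:length + data_len], expected)
    return info


def weak_auth_routers(packets) -> list:
    """Audit helper: router IDs whose Hellos use Null or Simple Password authentication."""
    return sorted({inspect_auth(p)["router_id"] for p in packets
                   if inspect_auth(p)["auth_type"] != "Cryptographic"})


# Constructed samples. The simple-password Hello carries "cisco" zero-padded to
# 8 bytes, which is the 636973636f000000 seen in the post's capture.
SIMPLE_HELLO = build_hello("2.2.2.2", "0.0.0.0", 1, b"cisco".ljust(8, b"\0"))
MD5_HELLO = build_hello("1.1.1.1", "0.0.0.0", 2, struct.pack("!HBBI", 0, 1, 16, 1), key=b"cisco")

if __name__ == "__main__":
    print(inspect_auth(SIMPLE_HELLO))
    print(inspect_auth(MD5_HELLO, key=b"cisco"))
    print("weak:", weak_auth_routers([SIMPLE_HELLO, MD5_HELLO]))
```

The audit helper is the defender's use of this: run it over the OSPF Hellos in a capture and anything that is not Cryptographic is a router still speaking with a password in the clear. Note that the MD5 scheme protects the key, not the packet contents; anyone on the segment can still read the Hello and the LSAs, which is why the key itself must never appear in the clear anywhere else either.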

[image]

Here is the show running-config of the router. Look there: although we are using MD5 authentication, our password is still visible. If the heretics broke into our config, our Chapter's passwords would be compromised.

[image]

This command will hash and ‘hide’ the passwords we are using throughout our routers. Any password stored in clear text will be hashed.

[image]

As mentioned prior, the clear-text passwords are now stored in a more secure fashion.

As our landing party has made its beachhead, we have now established secure communication between our landing craft and the landing zone. Well done, Brothers. This day is for the Emperor.

Weekend Labbing

This weekend I have finished reading over EIGRP (more study notes to come) and started to lab and put into practice the theory.

I have at my disposal the GNS3 labs from the CBT Nuggets ROUTE track and the Network Academy ROUTE lab book.

These two resources provide a solid foundation to my practical studies. I have found that they give me directions when trying to lab a new concept. This then gets me rolling and then I can make my own to ensure the topic is firmly embedded in my brain and not leaking out my other ear.

I believe the best way to make it stick is blog examples of my configurations with an imaginary company.

Not sure of the name just yet but I do believe it will help.

EIGRP Packets

Time to play with packets. EIGRP packets, to be precise.

EIGRP, when running in a routed environment, utilizes five types of packets: Hello, Update, Query, Reply and Acknowledgement (ACK).

Hello Packets

Used for neighbor discovery. Sent as multicasts with an ACK number of 0.

Update

Update packets contain route change information. They are sent to the affected routers so that they can converge on the changed route. Sent as multicasts when a route becomes passive; during startup, neighbors synchronize with unicast updates. Sent reliably.

Query

Sent during route computation when no FS is found, asking neighbors whether they have a route to the destination. Usually multicast but can be sent as unicast. Sent reliably.

Reply

Sent in response to a Query. A neighbor must always reply. Sent reliably.

ACK

Acknowledges Updates, Queries and Replies. These are unicast Hellos that contain a non-zero ACK number. (Hellos and ACKs do not themselves require ACKs.)

[image]

Above: an example Hello packet. Notice the information provided by a simple packet sniff.

[image]

Above: an exchange of connected routes via an Update packet.

[image]

Above: another Update packet, this time declaring that it cannot reach certain networks.
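The packet types listed above are all told apart by the opcode in the 20-byte EIGRP header, with the Hello/ACK distinction resting on the ack field alone. The following is an added Python example (not from the post, and not derived from the Packetlife captures) that classifies constructed EIGRP packets the way the notes describe, flags which ones the Reliable Transport Protocol must acknowledge, and reads the hold time out of the Hello's Parameters TLV. The packets are constructed with the checksum left at zero; the function names are my own.

```python
import struct

# EIGRP packet header: version, opcode, checksum, flags, sequence, ack, autonomous system.
EIGRP_HDR = struct.Struct("!BBHIIII")  # 20 bytes
OPCODES = {1: "Update", 3: "Query", 4: "Reply", 5: "Hello", 10: "SIA-Query", 11: "SIA-Reply"}
RELIABLE = {1, 3, 4, 10, 11}          # carried by RTP and must be acknowledged
FLAG_INIT, FLAG_CR = 0x1, 0x2         # Init (new adjacency) and Conditional Receive
TLV_PARAMETERS = 0x0001


def classify(packet: bytes) -> dict:
    """Name the packet the way the study notes do: a Hello whose ack field is
    non-zero is an ACK; everything else is named by its opcode."""
    version, opcode, _cksum, flags, seq, ack, asn = EIGRP_HDR.unpack_from(packet)
    name = OPCODES.get(opcode, "Unknown(%d)" % opcode)
    if opcode == 5 and ack != 0:
        name = "ACK"
    return {"version": version, "type": name, "seq": seq, "ack": ack, "as": asn,
            "init": bool(flags & FLAG_INIT), "cr": bool(flags & FLAG_CR),
            "reliable": opcode in RELIABLE}


def parse_tlvs(packet: bytes) -> list:
    """Walk the TLVs after the header; returns (type, value) pairs.
    Stops cleanly on a truncated TLV instead of reading past the buffer."""
    tlvs, offset = [], EIGRP_HDR.size
    while offset + 4 <= len(packet):
        tlv_type, tlv_len = struct.unpack_from("!HH", packet, offset)
        if tlv_len < 4 or offset + tlv_len > len(packet):
            break
        tlvs.append((tlv_type, packet[offset + 4: offset + tlv_len]))
        offset += tlv_len
    return tlvs


def hold_time(packet: bytes):
    """Hold time from the Parameters TLV (K1..K5, one reserved byte, 16-bit hold time)."""
    for tlv_type, value in parse_tlvs(packet):
        if tlv_type == TLV_PARAMETERS and len(value) >= 8:
            return struct.unpack_from("!H", value, 6)[0]
    return None


def build(opcode, seq, ack, asn=1, flags=0, tlvs=b""):
    """Constructed sample packets (checksum left at zero; not from a capture)."""
    return EIGRP_HDR.pack(2, opcode, 0, flags, seq, ack, asn) + tlvs


# Parameters TLV: type, length 12, K1=1 K2=0 K3=1 K4=0 K5=0, reserved, hold time 15 s
PARAMS_TLV = struct.pack("!HHBBBBBBH", TLV_PARAMETERS, 12, 1, 0, 1, 0, 0, 0, 15)
HELLO = build(5, 0, 0, tlvs=PARAMS_TLV)    # multicast Hello, ack 0
ACK = build(5, 0, 42)                       # unicast Hello acknowledging seq 42
UPDATE = build(1, 42, 0, flags=FLAG_INIT)   # first Update of a new adjacency
QUERY = build(3, 43, 0)

if __name__ == "__main__":
    for name, pkt in (("HELLO", HELLO), ("ACK", ACK), ("UPDATE", UPDATE), ("QUERY", QUERY)):
        print(name, classify(pkt), "hold time:", hold_time(pkt))
```

The hold time is worth pulling out because a neighbor table entry is dropped when it expires, so a Hello advertising an unexpected hold time is one of the first things to check when adjacencies flap.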

A thank you to Stretch over at Packetlife for his Captures library. I am currently away from my lab.

EIGRP–Study Notes

ROUTE begins with an EIGRP brush-up and pow-wow. I ❤ EIGRP due to its fast failover times, but being proprietary it makes me a little sad.

Fun Facts

An advanced distance vector routing protocol.

Keeps backup routes in the topology table as feasible successors (FS).

Combines the best attributes of a DV protocol whilst not being as intensive as OSPF with its databases.

Summarization can be done anywhere, unlike OSPF, where it happens at the ABR and ASBR.

Unequal-cost load balancing.

EIGRP uses multicast and unicast rather than broadcast. It uses the multicast address 224.0.0.10.

Advertised Distance (AD) – the cost a neighbor reports from itself to the destination.

Feasible Distance (FD) – the sum of costs: the neighbor's AD plus the cost to reach that neighbor.

Successor – the route with the lowest FD to the destination. Proven not to be part of a routing loop.
Successors are offered to the routing table to forward packets. There can be many if they have the same FD.

Feasible Successor – DUAL remembers backup paths. The second-best route to the destination, kept in the topology table. FSs are selected when successors are. The topology table may maintain many FSs.

Neighbor table

Every router contains a neighbor table of its directly connected routers. The neighbor relationship is kept stable with Hello packets. Neighbor tables include data such as the address of each neighbor, the interface it is connected to, and round-trip timers used to work out optimal retransmission periods.

Topology table

The topology table lists the best routes to a network (successor routes) and also the second-best routes, known as feasible successors (also 3rd, 4th and so on), so that switching to a backup is instantaneous. The topology table maintains the metric that each neighbor advertises for a destination (the AD) and the metric that this router would use to reach the destination via that neighbor (the FD).

If there is a topology change, DUAL gets funky. It immediately checks whether it has an FS to the destination. If it does, no computation is required and the FS becomes the successor.

If there is no FS, the router sends out Query packets to its neighbors. If any neighbor has a route to the destination it sends back a Reply packet; if not, the neighbor sends Query packets to its own neighbors. During this stage the destination is in the Active state, and the router cannot change routing table information for the destination.

If no neighbor has a route, they reply with unreachable. If at least one has a route, the destination returns to the Passive state and that route becomes the successor.

Routing table

Routing table (show ip route shows the best routes the router knows about).

The router compares all FDs to reach a specific network and selects the lowest FD, which earns its place in the routing table. The FD chosen for the successor is the EIGRP metric shown for that network in the table.

[image]

Above: notes regarding the neighbor table, topology table and routing table.
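The successor and feasible successor rules above, and DUAL's reaction when a successor disappears, as an added Python example (not from the post). The topology entries are constructed for a single destination, the function names are my own, and the model is deliberately simple: it applies the feasibility condition (a backup's AD must be lower than the successor's FD) and decides whether a lost neighbor can be handled locally or forces the route into the Active state.

```python
from dataclasses import dataclass


@dataclass
class TopologyEntry:
    """One row of the topology table for a single destination."""
    neighbor: str
    advertised_distance: int   # AD: metric the neighbor reports for the destination
    link_cost: int             # our cost to reach that neighbor

    @property
    def feasible_distance(self) -> int:
        return self.advertised_distance + self.link_cost   # FD: the sum of costs


def evaluate(entries: list) -> tuple:
    """Split a destination's entries into successors, feasible successors and
    rejected paths. The feasibility condition: a path is a feasible successor
    when its AD is strictly lower than the successor's FD, which is what
    guarantees it cannot be part of a routing loop."""
    if not entries:
        return [], [], []
    best_fd = min(e.feasible_distance for e in entries)
    successors = [e for e in entries if e.feasible_distance == best_fd]
    feasible = [e for e in entries
                if e.feasible_distance > best_fd and e.advertised_distance < best_fd]
    rejected = [e for e in entries
                if e.feasible_distance > best_fd and e.advertised_distance >= best_fd]
    return successors, feasible, rejected


def on_neighbor_loss(entries: list, failed: str) -> tuple:
    """What DUAL does when 'failed' goes away: returns (state, new_successors).
    Losing a non-successor changes nothing. Losing a successor while another
    successor or a feasible successor is in the table is handled locally and
    the route stays Passive. With no feasible successor the route goes Active
    and the router has to send Query packets."""
    successors, feasible, _ = evaluate(entries)
    remaining = [e for e in entries if e.neighbor != failed]
    if failed not in {e.neighbor for e in successors}:
        return "passive", evaluate(remaining)[0]
    candidates = [e for e in remaining if e in successors or e in feasible]
    if candidates:
        best = min(e.feasible_distance for e in candidates)
        return "passive", [e for e in candidates if e.feasible_distance == best]
    return "active", []


def names(entries: list) -> list:
    return [e.neighbor for e in entries]


# Constructed topology for one destination: A is the successor (FD 15),
# B satisfies the feasibility condition (AD 12 < 15), C does not (AD 20 >= 15).
ENTRIES = [
    TopologyEntry("A", advertised_distance=10, link_cost=5),
    TopologyEntry("B", advertised_distance=12, link_cost=10),
    TopologyEntry("C", advertised_distance=20, link_cost=5),
]

if __name__ == "__main__":
    succ, fs, rej = evaluate(ENTRIES)
    print("successors", names(succ), "feasible successors", names(fs), "rejected", names(rej))
    print("lose A ->", on_neighbor_loss(ENTRIES, "A")[0])
    print("lose A with only C left ->", on_neighbor_loss([ENTRIES[0], ENTRIES[2]], "A")[0])
```

C is the instructive case: it has a perfectly usable path (FD 25) but is still not a feasible successor, because its AD of 20 is not below the successor's FD of 15, so DUAL cannot prove it is loop-free without querying. That is exactly the situation that sends a route Active.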

Not a bad start. Understanding EIGRP's tables is paramount to its success in maintaining uptime in your EIGRP environment.