Thursday, 11 January 2018

Open Shortest Path First - OSPF

Introduction
OSPF is one of the routing algorithms in the Interior Routing Protocol family; that is, it exists so that routers can share route information with each other.
OSPF is not what blocks traffic; a firewall or an ACL on the router does that. For an ACL we do the following. The "in" keyword applies the list to traffic arriving on the interface, so the router blocks the traffic leaving its own area.
! Extended list (100-199): a standard list such as 10 matches on source only,
! so "deny ip any <destination>" needs an extended list number.
access-list 110 deny ip any 10.111.0.0 0.0.255.255
access-list 110 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group 110 in
!
OSPF is not run on a local network (LAN).
RFC 7474, Security Extension for OSPFv2 When Using Manual Key Management
The explanation is as follows
6. Mitigating Cross-Protocol Attacks
In order to prevent cross-protocol replay attacks for protocols sharing common keys, the two-octet OSPFv2 Cryptographic Protocol ID is appended to the authentication key prior to use. Refer to the IANA Considerations (Section 9).
IP
OSPF runs directly over IP. It sends its packets with the protocol field of the IP header set to 89.

4.3.  Routing protocol packets

    The OSPF protocol runs directly over IP, using IP protocol 89.
    OSPF does not provide any explicit fragmentation/reassembly
    support.  When fragmentation is necessary, IP
    fragmentation/reassembly is used.  OSPF protocol packets have
    been designed so that large protocol packets can generally be
    split into several smaller protocol packets.  This practice is
    recommended; IP fragmentation should be avoided whenever
    possible.
Therefore it does not use port numbers the way TCP does. It works without ports, just like ICMP messages. The explanation is as follows
There are things like IGP protocols, e.g. EIGRP or OSPF transport protocols that do not use port numbers.
Flooding
The explanation is as follows
Flooding in OSPF (layer-3) means that the routes get delivered to every OSPF router in an area. OSPF doesn't use broadcasts to send routes, it uses unicast or multicast to connect with its neighbors. Each OSPF router needs to have a full understanding of all the routers and routes in its area, and it tells all its neighbors about all its local routes, and any routes it hears about from other neighbors.
Another explanation of why broadcast is not used is as follows
You are confusing the layer-2 flooding with OSPF flooding. The routers in an OSPF area may not all be directly connected, but every router in the area needs to have a full understanding of all the other routers and networks in the area. OSPF floods this information to every other router in the area, even if some of the other routers may not be reachable by layer-2 frames from the flooding router.

Broadcast requires that the routers be on the same network. This is strictly true for Limited Broadcast, and Directed Broadcast should be disabled due to security concerns
The explanation for multicast is as follows
OSPF routers join specific multicast groups: 224.0.0.5 for all routers and 224.0.0.6 for DR/BDR routers. OSPF routers do not forward these multicasts -- they stay on the local link.

Autonomous System
In this algorithm there is one Autonomous System, and this system is divided into individual areas. Each area can contain one or more routers.

Area
The explanation is as follows
Areas exist as a mechanism to control database scale in OSPF by hiding and abstracting information.
The explanation is as follows
Each OSPF router in an area has a full understanding of all the routes and routers within the area.
Each router informs only its neighbours. The explanation is as follows
OSPF does not form peering sessions like BGP does, it establishes neighbor relationships; the time to live (TTL) value of OSPF packets is 1.
On Cisco routers the
show ip ospf database
command lists the routers in each area. If we want to clear the OSPF data, we use the
clear ip ospf process
command.

Cost
This algorithm uses a single metric. In the Cisco world it is the bandwidth value, computed as 10^8 / Bandwidth. The single-metric point of view can be seen in the figure below.
    /----A-----10Mbps-----C----\
   /     |                |     \
X-1Gbps 1Gbps           1Gbps  1Gbps--Y
   \     |                |     /
    \----B-----10Mbps-----D----/
Let us have Area 0, Area 1 and Area 2.
  Area 0         |                 Area 1               |    Area 2
  Cost 10               Cost 10              Cost 10             Cost 10 
10.0.0.0/24<-->R1<--> 10.0.1.0/24<-->R2<-->10.0.2.0/24<->R3<-->10.0.3.0/24
R3 in Area 2 computes the cost to R1 in Area 0 as 30.
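The two figures above, worked through in code. This is an added example, not part of the original post: it computes the interface cost from the bandwidth with the 10^8 reference (assuming the IOS rule that the result is truncated and never drops below 1) and runs the SPF calculation as Dijkstra over the X..Y figure and over the Area 0/1/2 chain, modelling networks as transit vertices the way OSPF does.

```python
import heapq
REFERENCE_BANDWIDTH = 10**8  # the 10^8 in the cost formula, in bit/s
MBPS, GBPS = 10**6, 10**9

def ospf_cost(bandwidth_bps):
    """Cost = 10^8 / bandwidth, integer part, never below 1 (IOS default
    reference bandwidth assumed): 10 Mbps -> 10, 1 Gbps -> 1 rather than 0.1."""
    return max(1, REFERENCE_BANDWIDTH // bandwidth_bps)

def p2p(graph, a, b, cost):
    """Point-to-point link between two routers: same cost in both directions."""
    graph.setdefault(a, []).append((b, cost))
    graph.setdefault(b, []).append((a, cost))

def transit(graph, router, network, cost):
    """Router attached to a network: the router pays its interface cost to
    reach the network vertex, the network reaches its routers at cost 0."""
    graph.setdefault(router, []).append((network, cost))
    graph.setdefault(network, []).append((router, 0))

def spf(graph, source):
    """Dijkstra from `source`; returns {vertex: cost}. This is the SPF run."""
    dist, heap = {source: 0}, [(0, source)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue  # stale heap entry
        for nxt, cost in graph.get(node, []):
            if d + cost < dist.get(nxt, float("inf")):
                dist[nxt] = d + cost
                heapq.heappush(heap, (d + cost, nxt))
    return dist

def figure_graph():
    """Constructed from the X..Y figure: 1 Gbps links, 10 Mbps on A-C and B-D."""
    g = {}
    for a, b, bw in [("X", "A", GBPS), ("X", "B", GBPS), ("A", "B", GBPS),
                     ("C", "D", GBPS), ("A", "C", 10 * MBPS), ("B", "D", 10 * MBPS),
                     ("C", "Y", GBPS), ("D", "Y", GBPS)]:
        p2p(g, a, b, ospf_cost(bw))
    return g

def chain_graph():
    """Constructed from the Area 0/1/2 chain: every interface costs 10."""
    g, nets = {}, ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
    for i, router in enumerate(["R1", "R2", "R3"]):
        transit(g, router, nets[i], 10)      # network on the router's left
        transit(g, router, nets[i + 1], 10)  # network on the router's right
    return g
```

spf(figure_graph(), "X")["Y"] gives 12 over either the A-C or the B-D path (equal cost, so both are used), and spf(chain_graph(), "R3")["10.0.0.0/24"] gives the 30 that R3 sees towards R1's network.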

Area 0
Areas can only talk to another area through Area 0. The explanation is as follows
3.1. The backbone of the Autonomous System
The OSPF backbone is the special OSPF Area 0 (often written as Area 0.0.0.0, since OSPF Area ID's are typically formatted as IP addresses). The OSPF backbone always contains all area border routers. The backbone is responsible for distributing routing information between non-backbone areas. The backbone must be contiguous. However, it need not be physically contiguous; backbone connectivity can be established/maintained through the configuration of virtual links.
The only reason for not having an Area 0 is that there is only one area anyway. The explanation is as follows
There is only one way to use OSPF without an Area 0, and that is to use OSPF with a single area. If you only have one OSPF area, you can number it any way you like, but if you have even two areas, you must have an Area 0.
Area Border Router (ABR) is the name given to the device that has a connection to both Area 0 and another area. Area 0 looks like this.


Or like this.

Convergence Time
It means:
the time it takes to rebuild the route database due to link failure/restart.
This time needs to be measured.
Settings
The explanation is as follows
When configuring OSPF, the network statements tell OSPF which interfaces will participate in the OSPF process, and in which area those interfaces are. Secondary networks configured on interfaces do not participate in the OSPF process, although they may be advertised in OSPF. You can have a single OSPF network statement which encompasses multiple interfaces, e.g. network 0.0.0.0 255.255.255.255 area 1234 will run OSPF on all interfaces, and all the interfaces will be in Area 1234
The interfaces are written first. Then we specify which interfaces the OSPF process will use. We do it like this.

interface 1 : 10.0.0.254/24
interface 2 : 10.0.1.254/24
interface 3 : 10.0.2.254/24
ospf : network 10.0.0.0/23
In this example OSPF uses interface 1 and interface 2, because 10.0.0.254/24 and 10.0.1.254/24 are subnets of the 10.0.0.0/23 defined for OSPF. If we want to split into areas we do the following.
ospf : network 10.0.0.0/23 area 0
ospf : network 10.0.2.0/24 area 1
A Simple Example
The configuration of a router in Area 1 is as follows.
interface Serial2/0
 ip address 20.1.1.2 255.255.255.252
!
router ospf 1
 network 20.1.1.0 0.0.0.3 area 1
!
The configuration of a router in Area 2 is as follows.
interface Serial3/0
 ip address 20.1.2.2 255.255.255.252
!
router ospf 1
 network 20.1.2.0 0.0.0.3 area 2
The configuration of a router in Area 0 is as follows. It has 2 interfaces so that it can talk to both areas.
interface Loopback0
 ip address 20.0.0.1 255.255.255.255
!
interface Serial2/0
 ip address 20.1.1.1 255.255.255.252
!
interface Serial3/0
 ip address 20.1.2.1 255.255.255.252
!
router ospf 1
 network 20.0.0.1 0.0.0.0 area 0
 network 20.1.1.0 0.0.0.3 area 1
 network 20.1.2.0 0.0.0.3 area 2
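How the network statements above pick interfaces and assign areas, as an added example that is not part of the original post. It evaluates Cisco-style "network address wildcard area N" lines against primary interface addresses; the /23 of the first example is converted to a wildcard first. The rule that the most specific matching statement wins when statements overlap is an assumption (it mirrors IOS behaviour), and the interface names and addresses are taken from the two examples above.

```python
import ipaddress

def prefixlen_to_wildcard(prefixlen):
    """/23 -> '0.0.1.255': the wildcard is the inverse of the netmask."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefixlen}").hostmask)

def parse_network_statement(line):
    """'network 20.1.1.0 0.0.0.3 area 1' -> (network_int, mask_int, fixed_bits, area).
    A 0 bit in the wildcard must match, a 1 bit is ignored."""
    _, addr, wildcard, _, area = line.split()
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & mask, mask, bin(mask).count("1"), area

def assign_areas(interfaces, statements):
    """interfaces: {name: 'ip/prefixlen'} (primary addresses only, since the
    quote says secondaries do not participate); statements: network lines.
    Returns {interface: area} for the interfaces that run OSPF. When several
    statements match, the most specific one (most fixed bits) wins; this
    mirrors IOS behaviour and is an assumption of this example."""
    rules = sorted((parse_network_statement(s) for s in statements),
                   key=lambda r: r[2], reverse=True)
    assigned = {}
    for name, cidr in interfaces.items():
        ip = int(ipaddress.ip_interface(cidr).ip)
        for net, mask, _, area in rules:
            if ip & mask == net:
                assigned[name] = area
                break
    return assigned

# Constructed from the /23 example above: interface 3 is outside 10.0.0.0/23.
THREE_INTERFACES = {"interface 1": "10.0.0.254/24",
                    "interface 2": "10.0.1.254/24",
                    "interface 3": "10.0.2.254/24"}
TWO_AREAS = [f"network 10.0.0.0 {prefixlen_to_wildcard(23)} area 0",
             f"network 10.0.2.0 {prefixlen_to_wildcard(24)} area 1"]

# Constructed from the Area 0 router configuration in the simple example.
ABR_INTERFACES = {"Loopback0": "20.0.0.1/32",
                  "Serial2/0": "20.1.1.1/30",
                  "Serial3/0": "20.1.2.1/30"}
ABR_STATEMENTS = ["network 20.0.0.1 0.0.0.0 area 0",
                  "network 20.1.1.0 0.0.0.3 area 1",
                  "network 20.1.2.0 0.0.0.3 area 2"]

if __name__ == "__main__":
    print(assign_areas(THREE_INTERFACES, TWO_AREAS))     # areas 0, 0 and 1
    print(assign_areas(ABR_INTERFACES, ABR_STATEMENTS))  # Loopback0 -> 0, Serial2/0 -> 1, Serial3/0 -> 2
```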
OSPF Uses Shortest Path First
Shortest Path First (SPF) uses a few timers for its computation.
  • Initial SPF schedule delay 5000 msecs
  • Minimum hold time between two consecutive SPFs 10000 msecs
  • Maximum wait time between two consecutive SPFs 10000 msecs
OSPF Router ID
How the Router ID number is to be determined has been left open. The explanation is as follows
Router ID
A 32-bit number that uniquely identifies this router in the AS. One possible implementation strategy would be to use the smallest IP interface address belonging to the router. If a router's OSPF Router ID is changed, the router's OSPF software should be restarted before the new Router ID takes effect. In this case the router should flush its self-originated LSAs from the routing domain (see Section 14.1) before restarting, or they will persist for up to MaxAge minutes.
On Cisco devices the rules for determining this number are as follows
1. Manually configure a 32-bit Router-ID.
2. Highest IP of the loopback interface, if 1 is not configured.
3. Highest IP of any active interface, if 1 and 2 are not configured.

OSPF Designated Router
To reduce the control traffic between routers a Designated Router (DR) can be used. The DR generates Link State Advertisement (LSA) messages on behalf of the other routers. The DR is elected according to the priority field in Hello messages. If two routers have the same priority, the device with the highest Router ID is elected DR.

Once a router has been elected DR, the election is not repeated even if another router with a higher ID shows up. The explanation is as follows
Once a router becomes the DR, it remains the DR even if a new adjacency is formed with another router with a higher RID.

In other words, a DR gets elected "President for Life."
In a network with 3 routers we can see a structure like the following. R3 announces the elected DR and BDR routers inside its Hello message.
R1(DR)--R2(BDR)  
   \      /
    \    /
     \  / 
      \/  
R3 HELLO=(DR=R1, BDR=R2)
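The Router ID rules and the DR election described above, as an added example that is not part of the original post. The Router IDs are constructed values from the documentation range, the election is a simplification of RFC 2328 section 9.4 (priority first, Router ID as tie-breaker, no preemption of a sitting DR), and the names router_id and elect are this example's own.

```python
import ipaddress

def _as_int(rid):
    return int(ipaddress.IPv4Address(rid))

def router_id(manual=None, loopbacks=(), interfaces=()):
    """Cisco order from the list above: a manually configured router-id, else
    the highest loopback address, else the highest address on an active
    interface. "Highest" is numeric, so 192.0.2.10 beats 192.0.2.3."""
    for candidates in ((manual,) if manual else (), loopbacks, interfaces):
        if candidates:
            return max(candidates, key=_as_int)
    raise ValueError("no address available for the Router ID")

def _best(routers, exclude=()):
    """Highest priority wins; equal priority -> highest Router ID.
    Priority 0 means the router never becomes DR or BDR."""
    eligible = {r: p for r, p in routers.items() if p > 0 and r not in exclude}
    if not eligible:
        return None
    return max(eligible, key=lambda r: (eligible[r], _as_int(r)))

def elect(routers, current_dr=None, current_bdr=None):
    """routers: {router_id: priority}. Returns (dr, bdr).
    Simplified from RFC 2328 section 9.4 for this example: a sitting DR or
    BDR is never preempted; if the DR disappears the BDR is promoted and a
    new BDR is chosen among the rest."""
    def present(r):
        return r is not None and routers.get(r, 0) > 0
    if present(current_dr):
        dr = current_dr
    elif present(current_bdr):
        dr = current_bdr
    else:
        dr = _best(routers)
    if present(current_bdr) and current_bdr != dr:
        bdr = current_bdr
    else:
        bdr = _best(routers, exclude=(dr,))
    return dr, bdr

# Constructed: R1, R2, R3 from the figure at the default priority 1, with
# Router IDs in the documentation range; R1 holds the highest one and wins.
R1, R2, R3, R4 = "192.0.2.3", "192.0.2.2", "192.0.2.1", "192.0.2.4"

if __name__ == "__main__":
    dr, bdr = elect({R1: 1, R2: 1, R3: 1})               # (R1, R2)
    print(elect({R1: 1, R2: 1, R3: 1, R4: 1}, dr, bdr))  # still (R1, R2): no preemption
    print(elect({R2: 1, R3: 1, R4: 1}, dr, bdr))         # (R2, R4): BDR promoted once R1 is gone
```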
Administrative Distance
On Cisco devices the Administrative Distance (AD) of OSPF is 110. AD decides which one is more trustworthy when the same route arrives from different routing protocols. For Cisco the most trustworthy is EIGRP (90), then OSPF (110), and finally RIP (120). The explanation is as follows
Regardless of a route’s metric or administrative distance, OSPF will choose routes in the following order:
  1. Intra-Area (O)
  2. Inter-Area (O IA)
  3. External Type 1 (E1)
  4. External Type 2 (E2)
  5. NSSA Type 1 (N1)
  6. NSSA Type 2 (N2)
You simply cannot get OSPF to prefer an external route over an internal route.
The explanation is as follows
From cisco spec:
distance (OSPF)
To define an administrative distance, use the distance command in the appropriate mode.
distance ospf
To define Open Shortest Path First (OSPF) route administrative distances based on route type, use the distance ospf command
The explanation is as follows
The first command sets the AD for all routes learned by OSPF. This is basically the traditional AD command, as seen in IOS since they invented dirt.

The second allows you to set different AD's for different types of OSPF routes - so different values for externals vs inter-area vs intra-area. I suppose the idea here is to be able to prefer, say, a route learned within an OSPF area to one learned from IS-IS but to continue to use the IS-IS route if the OSPF route is external (i.e. redistributed in).
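The selection order from the two quotes above, as an added example that is not part of the original post: inside OSPF the route type is decided before the metric, and only then does the routing table compare ADs between protocols. The AD values are the IOS defaults named above plus 115 for IS-IS; treating E1/E2/N1/N2 alike as "external" for the distance ospf override is an assumption of this example, and the route tuples are constructed.

```python
OSPF_TYPE_ORDER = ["O", "O IA", "E1", "E2", "N1", "N2"]  # the order quoted above
DEFAULT_AD = {"EIGRP": 90, "OSPF": 110, "IS-IS": 115, "RIP": 120}  # IOS defaults

def best_ospf_route(candidates):
    """candidates: list of (ospf_type, metric). The route type is decided
    first and the metric only breaks ties within a type, so an E2 route can
    never beat an O IA route, however small its metric."""
    return min(candidates, key=lambda c: (OSPF_TYPE_ORDER.index(c[0]), c[1]))

def ospf_ad(ospf_type, overrides=None):
    """AD an OSPF route carries into the routing table. `overrides` stands
    for 'distance ospf intra-area|inter-area|external N'; E1/E2/N1/N2 are
    all treated as 'external' here (assumption of this example)."""
    kind = {"O": "intra-area", "O IA": "inter-area"}.get(ospf_type, "external")
    return (overrides or {}).get(kind, DEFAULT_AD["OSPF"])

def install(routes, ospf_overrides=None):
    """routes: list of (protocol, ospf_type_or_None, metric) for one prefix.
    OSPF first picks its own best route by type and metric; then the
    routing table takes the candidate with the lowest AD."""
    candidates = [r for r in routes if r[0] != "OSPF"]
    ospf = [(t, m) for p, t, m in routes if p == "OSPF"]
    if ospf:
        candidates.append(("OSPF",) + best_ospf_route(ospf))
    def ad(route):
        protocol, ospf_type, _ = route
        return ospf_ad(ospf_type, ospf_overrides) if protocol == "OSPF" else DEFAULT_AD[protocol]
    return min(candidates, key=ad)

if __name__ == "__main__":
    # Constructed routes for one prefix. Type beats metric inside OSPF...
    print(best_ospf_route([("E2", 5), ("O IA", 500), ("O", 900)]))  # ('O', 900)
    # ...and AD decides between protocols: OSPF 110 beats RIP 120.
    print(install([("RIP", None, 2), ("OSPF", "O IA", 500)]))        # ('OSPF', 'O IA', 500)
    # The idea in the quote: keep IS-IS when the OSPF route is external,
    # by raising the external AD above the 115 of IS-IS.
    print(install([("IS-IS", None, 30), ("OSPF", "E2", 40)], {"external": 200}))  # ('IS-IS', None, 30)
    print(install([("IS-IS", None, 30), ("OSPF", "O", 40)], {"external": 200}))   # ('OSPF', 'O', 40)
```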
Packet Types
OSPF has the following kinds of packets.
1. LSA - Link State Advertisement. These are also called Hello (discover neighbors) packets.
2. DBD - Database description
3. LSR - Link State Request
4. LSU - Link-State Update
5. LSAck - Link-State Acknowledgment

1. Link State Advertisement - LSA
The explanation is as follows.
Link state advertisement: it is a message that communicates the router's local routing topology to all other local routers in the same OSPF area. This LSA has types that depend on the type of router and also has a sequence number.
LSA and TTL
The TTL explanation for LSAs is as follows.
LSAs have a TTL of 1. So they aren't forwarded past directly connected neighbors.
LSA 1
All OSPF routers generate Type 1 and Type 2 LSAs. For a Type 1 LSA the "Link State ID" and "Advertising Router" fields are the same.

LSA 3 and 4
Area Border Routers generate Type 3 and Type 4 LSAs.

LSA Type 5
ASBR routers generate Type 5 LSAs.

Here is a write-up about an LSA vulnerability, but I did not understand what it is.
Now let us turn to the second part of the vulnerability. The OSPF standard (Section 16.1) specifies that during the routing table calculation phase LSAs are looked up in the LSA database “based on the Vertex ID”. The vertex ID refers in the standard to the LSA’s Link State ID field. This means that while a router calculates its routing table, it identifies LSAs on the basis of their Link State ID field only and not on the basis of the full LSA identifier, which also includes the Advertising Router and LS type fields. That the lookup is based on the partial identifier is explicitly reiterated in footnote 14 of the standard, which also explains the motivation behind this: “[14] There is one instance where a lookup must be done based on partial information. This is during the routing table calculation, when a network-LSA must be found based solely on its Link State ID. The lookup in this case is still well defined, since no two network-LSAs can have the same Link State ID.” Namely, the standard motivates this lookup by saying that during the routing table calculation the full identifier of Network-LSAs is not known. However, it seems that the standard unduly generalized this partial information lookup to Router-LSAs as well, despite the full identifier of a Router-LSA being known during the routing calculation phase
2. Database description - DBD
The explanation is as follows.
Every OSPF router maintains a Link state database (LSDB). Each router stores the received LSA packets in the link-state database (LSDB). After LSDBs are synced between the routers, OSPF uses the shortest path first (SPF) algorithm to calculate the best routes. (full version of the database)
The explanation is as follows.
Database description packets (also referred to as DDPs): these packets are exchanged when an adjacency is being initialized. They describe the contents of the topological database. It does not include full LSAs but would include LSA headers in the link-state database of the sender.
3. Link State Request - LSR
The explanation is as follows.
After exchanging Database Description packets with a neighboring router, a router may find that parts of its topological database are out of date. The Link State Request packet is used to request the pieces of the neighbor's database that are more up to date. The sending of Link State Request packets is the last step in bringing up an adjacency. What others have (DBDs) – What I have (LSDB) = What I need to order (LSR)
4. Link-State Update - LSU
The explanation is as follows.
A packet that contains fully detailed LSAs, typically sent in response to an LSR message
The explanation is as follows.
LSUs are sent in two different ways:

- During adjacency db synch
- After adjacency is formed, if information about the link changes.
The explanation is as follows.
"A Link State Update packet may contain several distinct LSAs, and floods each LSA one hop further from its point of origination"
5. Link-State Acknowledgment - LSAck
The explanation is as follows.
Sent to confirm receipt of an LSU message


