I went a bit fast when I posted this write-up: http://mellowd.co.uk/ccie/?p=1369

I think it’s better to have a longer discussion about how OSPFv3 authentication SHOULD be set up to begin with, then show how it doesn’t work without a security license.

Let’s begin with regular IPv4. I’ve got two 1841s running and this is the config. This config is IDENTICAL whether you’re using a base license or a security license, as the authentication is handled by OSPF’s internal authentication.
Router1

interface FastEthernet0/0
 ip address 10.0.0.1 255.0.0.0
 duplex auto
 speed auto
!
router ospf 1
 router-id 10.0.0.1
 log-adjacency-changes
 network 10.0.0.1 0.0.0.0 area 0

Router2

interface FastEthernet0/0
 ip address 10.0.0.2 255.0.0.0
 duplex auto
 speed auto
!
router ospf 1
 router-id 10.0.0.2
 log-adjacency-changes
 network 10.0.0.2 0.0.0.0 area 0

They see each other?

1841test2#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.1          1   FULL/BDR        00:00:38    10.0.0.1        FastEthernet0/0

Let’s authenticate. Again, you can do this on a base license.

interface FastEthernet0/0
 ip address 10.0.0.2 255.0.0.0
 ip ospf message-digest-key 1 md5 ipv4test
!
router ospf 1
 router-id 10.0.0.2
 area 0 authentication message-digest
 network 10.0.0.2 0.0.0.0 area 0

1841test2# sh ip ospf 1
 ! - removed
       Area has message digest authentication
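As an added illustration (example code, not from the original post) of what “area 0 authentication message-digest” puts on the wire: the RFC 2328 Appendix D cryptographic authentication trailer, built for a constructed Hello from 10.0.0.2 in area 0 with key id 1 and key “ipv4test”, plus the verification a defender can run over a captured packet. The Hello field values are constructed to match this lab; the assumption is that key-strings shorter than the RFC’s fixed 16-byte MD5 key are zero-padded, which is how Wireshark verifies IOS packets.

```python
import hashlib
import hmac
import socket
import struct

# Constructed example: an OSPFv2 Hello with RFC 2328 Appendix D cryptographic
# (MD5) authentication, matching the lab's "message-digest-key 1 md5 ipv4test".
OSPF_AU_CRYPTO = 2
OSPF_HDR_LEN = 24
MD5_LEN = 16

def pad_key(key: bytes) -> bytes:
    """RFC 2328 D.3: the MD5 key is 16 bytes; shorter key-strings are assumed zero-padded."""
    if len(key) > MD5_LEN:
        raise ValueError("OSPF MD5 key must be at most 16 bytes")
    return key.ljust(MD5_LEN, b"\x00")

def build_hello(router_id, area_id, key_id, seq, key, neighbors=()):
    """Return an authenticated Hello: OSPF header + Hello body + 16-byte MD5 trailer."""
    ip = socket.inet_aton
    # Hello body: network mask, hello interval, options (E bit), priority, dead interval, DR, BDR
    body = struct.pack("!4sHBBI4s4s", ip("255.0.0.0"), 10, 0x02, 1, 40,
                       ip("10.0.0.2"), ip("10.0.0.1"))
    body += b"".join(ip(n) for n in neighbors)
    # Header with AuType 2: checksum is zero, and the 64-bit authentication field
    # carries (0, key id, auth data length, cryptographic sequence number).
    hdr = struct.pack("!BBH4s4sHHHBBI", 2, 1, OSPF_HDR_LEN + len(body),
                      ip(router_id), ip(area_id), 0, OSPF_AU_CRYPTO,
                      0, key_id, MD5_LEN, seq)
    pkt = hdr + body
    # The digest is MD5 over the packet followed by the padded key; it is appended
    # after the packet and is NOT counted in the OSPF length field.
    return pkt + hashlib.md5(pkt + pad_key(key)).digest()

def verify_md5(frame: bytes, key: bytes) -> bool:
    """Recompute the trailer of a received packet (what a neighbor, or an analyst, checks)."""
    if len(frame) < OSPF_HDR_LEN + MD5_LEN:
        return False
    length = struct.unpack("!H", frame[2:4])[0]
    autype, auth_len = struct.unpack("!H", frame[14:16])[0], frame[19]
    if autype != OSPF_AU_CRYPTO or auth_len != MD5_LEN or frame[12:14] != b"\x00\x00":
        return False
    if len(frame) != length + MD5_LEN:
        return False
    pkt, trailer = frame[:length], frame[length:]
    expected = hashlib.md5(pkt + pad_key(key)).digest()
    return hmac.compare_digest(trailer, expected)
```

The sequence number inside the authenticated header is what stops a captured Hello from being replayed later; changing it changes the trailer.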

Let’s now move to IPv6 and OSPFv3. This is a regular set up without authentication:

ipv6 unicast-routing
ipv6 cef
!
interface FastEthernet0/1
 no ip address
 ipv6 address 2001:DB8::/64 eui-64
 ipv6 ospf 1 area 0
!
ipv6 router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes

router2

ipv6 unicast-routing
ipv6 cef
!
interface FastEthernet0/1
 no ip address
 ipv6 address 2001:DB8::/64 eui-64
 ipv6 ospf 1 area 0
!
ipv6 router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes

1841test1#sh ipv6 ospf neighbor

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
2.2.2.2           1   FULL/BDR        00:00:39    4               FastEthernet0/1

Let’s now add authentication. In order to do so we use the interface-specific “ipv6 ospf authentication ipsec” command.

interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 ipv6 address 2001:DB8::/64 eui-64
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 512 sha1 5C4070ED005A378F1529065802B4B5BF44032A0F

We immediately see the following error as the other side has no authentication set up:

#:%IPSECV6-4-RECVD_PKT_NOT_IPSECV6: Rec'd packet not an IPSEC packet.
        (ip) dest_addr= FF02::5, src_addr= FE80::6616:8DFF:FECB:C32B, prot= 89

Let’s fix it quick:

interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 ipv6 address 2001:DB8::/64 eui-64
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 512 sha1 5C4070ED005A378F1529065802B4B5BF44032A0F

Comes straight up again:

#:%OSPFv3-5-ADJCHG: Process 1, Nbr 2.2.2.2 on FastEthernet0/1 from LOADING to FULL, Loading Done

This is all great, until you realise that you can NOT set ipsec authentication without an expensive security license!
This is a router with a security license:

1841test1(config-if)#ipv6 ospf ?
  <1-65535>            Process ID
  authentication       Enable authentication
  cost                 Interface cost
  database-filter      Filter OSPF LSA during synchronization and flooding
  dead-interval        Interval after which a neighbor is declared dead
  demand-circuit       OSPF demand circuit
  flood-reduction      OSPF Flood Reduction
  hello-interval       Time between HELLO packets
  mtu-ignore           Ignores the MTU in DBD packets
  neighbor             OSPF neighbor
  network              Network type
  priority             Router priority
  retransmit-interval  Time between retransmitting lost link state
                       advertisements
  transmit-delay       Link state transmit delay

This is a 1941 with a base license:

1941test(config-if)#ipv6 ospf ?
  <1-65535>            Process ID
  cost                 Route cost of this interface
  database-filter      Filter OSPF LSA during synchronization and flooding
  dead-interval        Interval after which a neighbor is declared dead
  demand-circuit       OSPF demand circuit
  flood-reduction      OSPF Flood Reduction
  hello-interval       Time between HELLO packets
  mtu-ignore           Ignores the MTU in DBD packets
  network              Network type
  priority             Router priority
  retransmit-interval  Time between retransmitting lost link state
                       advertisements

3560 QoS – Why am I not seeing statistics?

On February 26, 2011, in CCIE, by Darren

I’ve been practising my Catalyst 3560 QoS a lot recently. Not only is it a major topic on the CCIE exam, I also happen to use 3560s daily in my workplace.

QoS on the 3560 is a completely different beast than on a regular IOS router. This is probably why it’s ‘difficult’ as it’s customised towards a single platform.

There are a couple of things I’m not happy about. One is that my policy-maps don’t show exactly what’s going on. I’ll give you an example.

This is my topology:
[Image: 3560lab, the lab topology]
Note that as I’m on my laptop which doesn’t have Visio, I’ve used Gliffy’s online drawing app to create this image.

The goal here is that I want to mark traffic coming from Laptop2 (fa0/1) as CS1 and Laptop3 (fa0/8) as CS4. This is the simple configuration I put together:

access-list 100 permit ip any any

class-map match-all INT1ANY
 match access-group 100
class-map match-all INT8ANY
 match access-group 100
!
!
policy-map MARK1
 class INT1ANY
  set dscp cs1
policy-map MARK8
 class INT8ANY
  set dscp cs4
!
!
interface FastEthernet0/1
 load-interval 30
 service-policy input MARK1
!
interface FastEthernet0/8
 load-interval 30
 service-policy input MARK8

Right, let’s generate some traffic. I’m going to use iperf to send loads of traffic from laptop2.

I now want to see what’s happening on fa0/1. It should be matching everything and remarking them to CS1, but I see nothing!

3560Test#sh policy-map int fa0/1
 FastEthernet0/1

  Service-policy input: MARK1

    Class-map: INT1ANY (match-all)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: access-group 100

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: any
        0 packets, 0 bytes
        30 second rate 0 bps

Zilch, nada, nothing!

What about fa0/8?

3560Test#sh policy-map int fa0/8
 FastEthernet0/8

  Service-policy input: MARK8

    Class-map: INT8ANY (match-all)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: access-group 100

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: any
        0 packets, 0 bytes
        30 second rate 0 bps

Again, the service policy says we are not matching or doing anything. But is this really true? Let’s fire up Wireshark on Laptop1 and see the markings as they come in.
This is the output for traffic coming from Laptop2 (check the highlighted section):
[Image: 3560qoscs1, Wireshark capture of traffic from Laptop2 showing the CS1 marking]
This is the output for traffic coming from Laptop3:
[Image: 3560qoscs4, Wireshark capture of traffic from Laptop3 showing the CS4 marking]

The Wireshark capture proves that the 3560 IS classifying and marking traffic, but the show policy-map interface commands above are showing nothing.

Anyone have any ideas?


While going through the CCIE 4th edition cert guide, I’ve come across something that is potentially a very big problem. Currently, if you want to authenticate OSPF and EIGRP neighbours, you can do so via plain-text or MD5 passwords. With IPv6 you need to use OSPFv3 and EIGRP. Here’s where it gets bad. OSPFv3 does NOT give you the option to use authentication in the OSPFv3 configuration section. Rather, it relies on IPv6’s inherent authentication properties.

However!

In order to use IPv6’s authentication properties, you NEED a crypto license on your device. This means you can no longer authenticate OSPF for IPv6 with a base license IOS. EIGRP, on the other hand, still allows you to authenticate with MD5 and plain-text. Let’s put this to the test.

I’ve got a vanilla Cisco 1941 here with the base license.

1941test(config-if)#ipv6 ospf ?
  <1-65535>            Process ID
  cost                 Route cost of this interface
  database-filter      Filter OSPF LSA during synchronization and flooding
  dead-interval        Interval after which a neighbor is declared dead
  demand-circuit       OSPF demand circuit
  flood-reduction      OSPF Flood Reduction
  hello-interval       Time between HELLO packets
  mtu-ignore           Ignores the MTU in DBD packets
  network              Network type
  priority             Router priority
  retransmit-interval  Time between retransmitting lost link state
                       advertisements
  transmit-delay       Link state transmit delay

What I’m looking for is the ipv6 ospf authentication ipsec command. As I have no security license, it’s not there.

1941test(config-router)#ipv6 router ospf 1
1941test(config-rtr)#area 0 ?
  default-cost  Set the summary default-cost of a NSSA/stub area
  nssa          Specify a NSSA area
  range         Summarize routes matching address/mask (border routers only)
  stub          Specify a stub area

No area 0 authentication option!

Interestingly enough, EIGRP for IPv6 still uses EIGRP’s internal authentication algorithm.

interface GigabitEthernet0/1
 ip address 10.0.4.254 255.255.255.252
 ipv6 address 2001:D08::C671:FEFF:FE65:55A1/64
 ipv6 eigrp 1
 ipv6 authentication mode eigrp 1 md5
 ipv6 authentication key-chain eigrp 1 chain
!
key chain chain
 key 1
  key-string 7 010703174F

The problem with authentication being left to IPv6 itself is shown in this very example. As far as I can see, unless you’re buying an expensive security license for each and every OSPF router, you can forget about authenticating your OSPF adjacencies!

I hope I’m mistaken. If anyone has a way of getting it to work, I’d like to know.

Updated post here: http://mellowd.co.uk/ccie/?p=1421


Know your IPv4 and IPv6 address ranges

On February 15, 2011, in Fundamentals, Misc, by Darren

We’re busy implementing IPv6 on our BGP edges and eventually in our core at the moment. It’s pretty easy in the IPv4 world to work out what addresses are what, but there are loads more in IPv6.

I’ve decided to list the current assigned and reserved IPv4 and IPv6 address spaces here. Note that this list is still a work in progress, especially on the IPv6 side of things.

Let’s start with IPv4. Most of you should know most of the reserved ranges, but there may be a few you didn’t know about.

IPv4

Reserved:
0.0.0.0/8 – RFC1700
127.0.0.0/8 – Loopback

Internal private ranges (RFC1918)
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

Documentation (RFC5737)
192.0.2.0/24
198.51.100.0/24
203.0.113.0/24

Multicast (RFC5771, RFC6034 & RFC2365)
224.0.0.0/8 – 239.0.0.0/8

‘Future use’ – will never be used
240.0.0.0/8 – 255.0.0.0/8

255.255.255.255 is reserved for limited broadcast (RFC919 and RFC922)

IPv6

Now let’s check IPv6. The current Global Unicast (aka public IP) range is 2000::/3, which means any address from 2000:0000:0000:0000:0000:0000:0000:0000 to 3FFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF is a global unicast address. However, RFC3849 deems it fit to assign 2001:0DB8::/32 as non-routable, to be used for documentation. Why they couldn’t use a range outside 2000::/3 is beyond me.

The following are all reserved by the IETF (RFC4291, RFC4048 and RFC3879):
0100::/8
0200::/7
0400::/6
0800::/5
1000::/4
4000::/3
6000::/3
8000::/3
A000::/3
C000::/3
E000::/4
F000::/5
F800::/6
FE00::/9
FEC0::/10

Unique Local Unicast addresses (RFC4193)
FC00::/7

Link Local Unicast addresses (RFC4291)
FE80::/10

Multicast addresses (RFC4291)
FF00::/8

Loopback address
::1

Default route
::/0

6to4 tunnels
2002::/16

Teredo (RFC4380)
2001::/32

Unspecified
::

I’m sure I may have missed some out, so please let me know if I have.


Capture packets directly inside dynamips

On February 1, 2011, in Dynamips, Linux, Misc, by Darren

I had no idea that dynagen could actually do this, but it’s pretty damn awesome. Dynagen/Dynamips can output any interface’s traffic directly to a .cap file ready to be read in tcpdump or Wireshark.

How do we do this?

Let’s take a simple topology. R2 and R4 are running OSPF with each other, directly connected via their Fa0/1 interfaces. I want to capture packets going in and out of R2’s interface.

Dynamips/Dynagen has started:

=> list
Name       Type       State      Server          Console
R2         7200       running    localhost:7200  2002
R4         7200       running    localhost:7200  2004

You start capturing like so:

=> capture R2 fa0/1 /tmp/R2.cap

Stop the capture:

=> no capture R2 fa0/1

We now have a file named R2.cap in the /tmp folder. We can open it either in tcpdump or Wireshark:

darreno@Zenoss:/tmp$ sudo tcpdump -r R2.cap
reading from file R2.cap, link-type EN10MB (Ethernet)
16:37:26.959354 IP 7.3.24.2 > OSPF-ALL.MCAST.NET: OSPFv2, Hello, length 56
16:37:28.930017 CDPv2, ttl: 180s, Device-ID 'R2', length 318
16:37:32.827991
16:37:36.959745 IP 7.3.24.2 > OSPF-ALL.MCAST.NET: OSPFv2, Hello, length 56
16:37:42.855127
16:37:46.930856 IP 7.3.24.2 > OSPF-ALL.MCAST.NET: OSPFv2, Hello, length 56
16:37:52.846687
16:37:56.940269 IP 7.3.24.2 > OSPF-ALL.MCAST.NET: OSPFv2, Hello, length 56
16:38:02.826550
16:38:06.943788 IP 7.3.24.2 > OSPF-ALL.MCAST.NET: OSPFv2, Hello, length 56
16:38:12.836321
16:38:16.947188 IP 7.3.24.2 > OSPF-ALL.MCAST.NET: OSPFv2, Hello, length 56
16:38:22.835339
16:38:26.932277 IP 7.3.24.2 > OSPF-ALL.MCAST.NET: OSPFv2, Hello, length 56
16:38:28.940528 CDPv2, ttl: 180s, Device-ID 'R2', length 318

[Image: wiresharkdynamips, the R2.cap file opened in Wireshark]

Very handy indeed!


© 2009-2014 Darren O'Connor All Rights Reserved