Several people commented on an earlier OSPF through Firewall-1 query that
it may be worthwhile to examine the underlying routing structure. I
concur; I'm curious about the original reason to firewall OSPF at all. As
a primarily routing person, I generally think it's a bad idea, inconsistent
with the architecture of OSPF.
There are several considerations here. First, OSPF differs from most
protocols one would firewall, as it uses no transport layer protocol. OSPF
packets run directly over IP (the protocol identifier is 86 or 89; I'm
feeling vertically dyslexic about that last digit). They will either be
multicast to 224.0.0.5 and 224.0.0.6, or unicast to specific OSPF speaking
routers.
OSPF is definitely intended as an interior routing protocol to be run under
common administration. Routers in the same area MUST see all updates from
all other routers in that area, or the topological databases/sequencing
gets out of synchronization and routing can collapse.
MD5 authentication for OSPF routing updates was recently standardized, and
is starting to appear in router implementations (e.g., Cisco 11.0). This
may be a better approach for security than trying to firewall, but I still
question putting OSPF at all on the outside. I believe it much more
appropriate, from a routing architecture standpoint, to treat the outside
as external to OSPF.
Howard
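The two points above that matter to anyone trying to pass OSPF through a packet filter are that OSPF is its own IP protocol (no ports to match on) and that RFC 2328 cryptographic authentication (AuType 2) is computed as MD5 over the packet with the shared key appended, carrying a key ID and a cryptographic sequence number in the header. The following is an added example, not code from Howard's post, showing both: an IP-level gate on protocol number and destination address, and a sign/verify routine for the AuType 2 trailer with the replay check the RFC calls for. The key, router IDs, area and Hello values are constructed for the demo.

```python
import hashlib
import hmac
import socket
import struct

OSPF_IP_PROTO = 89              # OSPF rides directly on IP; there is no TCP/UDP port
ALL_SPF_ROUTERS = "224.0.0.5"   # Hello packets and most flooding
ALL_D_ROUTERS = "224.0.0.6"     # traffic addressed to the DR/BDR
AUTYPE_CRYPTO = 2               # RFC 2328 Appendix D.3 cryptographic authentication
MD5_LEN = 16
HELLO = 1
# Version, Type, Length, Router ID, Area ID, Checksum, AuType, Authentication (24 bytes)
OSPF_HDR = struct.Struct("!BBH4s4sHH8s")


def is_ospf_datagram(ip_proto, dst_ip, local_ips):
    """What a packet filter can actually match on: protocol 89 and a
    multicast or locally owned unicast destination."""
    if ip_proto != OSPF_IP_PROTO:
        return False
    return dst_ip in (ALL_SPF_ROUTERS, ALL_D_ROUTERS) or dst_ip in local_ips


def _key16(key):
    # RFC 2328 D.3: key is used as 16 bytes, zero padded.
    return key[:MD5_LEN].ljust(MD5_LEN, b"\x00")


def sign_ospf(ptype, router_id, area_id, body, key_id, seq, key):
    """Build an OSPFv2 packet with an AuType 2 trailer.
    Checksum is zero under cryptographic authentication; the Authentication
    field carries 0, Key ID, Auth Data Len (16) and the sequence number."""
    auth = struct.pack("!HBBI", 0, key_id, MD5_LEN, seq)
    pkt = OSPF_HDR.pack(2, ptype, OSPF_HDR.size + len(body),
                        socket.inet_aton(router_id), socket.inet_aton(area_id),
                        0, AUTYPE_CRYPTO, auth) + body
    # Digest over packet followed by the key; the digest is appended after the
    # packet and is not counted in the Packet length field.
    digest = hashlib.md5(pkt + _key16(key)).digest()
    return pkt + digest


def verify_ospf(datagram, keys, last_seq):
    """Receiver side: returns (accepted, reason). `last_seq` maps Router ID to
    the highest cryptographic sequence number accepted from that neighbor."""
    if len(datagram) < OSPF_HDR.size:
        return False, "truncated header"
    version, ptype, length, rid, aid, csum, autype, auth = OSPF_HDR.unpack_from(datagram)
    if version != 2:
        return False, "not OSPFv2"
    if autype != AUTYPE_CRYPTO:
        return False, "AuType %d is not cryptographic" % autype
    _, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
    if auth_len != MD5_LEN or length + MD5_LEN != len(datagram):
        return False, "bad length"
    if key_id not in keys:
        return False, "unknown key id"
    rid_str = socket.inet_ntoa(rid)
    # RFC 2328 D.4.3: sequence number must not go backwards for a neighbor.
    if seq < last_seq.get(rid_str, 0):
        return False, "sequence number went backwards (replay?)"
    expected = hashlib.md5(datagram[:length] + _key16(keys[key_id])).digest()
    if not hmac.compare_digest(expected, datagram[length:]):
        return False, "digest mismatch"
    last_seq[rid_str] = seq
    return True, "ok"


def hello_body(netmask, hello_int, dead_int, dr, bdr, neighbors=()):
    """Minimal Hello body (RFC 2328 A.3.2), Options=E, priority 1."""
    body = struct.pack("!4sHBBI4s4s", socket.inet_aton(netmask), hello_int, 0x02, 1,
                       dead_int, socket.inet_aton(dr), socket.inet_aton(bdr))
    for n in neighbors:
        body += socket.inet_aton(n)
    return body


def demo():
    """Returns (good accepted, tampered accepted, replay accepted, wrong key accepted)."""
    key = b"s3cret-area0"          # constructed demo key
    keys = {1: key}
    state = {}
    body = hello_body("255.255.255.0", 10, 40, "0.0.0.0", "0.0.0.0")
    good = sign_ospf(HELLO, "10.0.0.1", "0.0.0.0", body, 1, 100, key)
    ok = verify_ospf(good, keys, state)[0]
    tampered = bytearray(good)
    tampered[OSPF_HDR.size + 4] ^= 0xFF   # flip a HelloInterval byte in transit
    tamper_ok = verify_ospf(bytes(tampered), keys, state)[0]
    replay_ok = verify_ospf(sign_ospf(HELLO, "10.0.0.1", "0.0.0.0", body, 1, 99, key),
                            keys, state)[0]
    wrongkey_ok = verify_ospf(sign_ospf(HELLO, "10.0.0.1", "0.0.0.0", body, 1, 101, b"wrong"),
                              keys, state)[0]
    return ok, tamper_ok, replay_ok, wrongkey_ok


if __name__ == "__main__":
    print(demo())   # (True, False, False, False)
```

Note that nothing in the firewall-side check can see whether the trailer is valid without the key, which is the practical reason the authentication belongs on the routers that share the key rather than in a filter in between.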