Configuring Ospf Neighbors; Configuring Ospf Authentication - Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual


Copyright © 2010, Juniper Networks, Inc.

or usage affects the cost of using such a connection. When traversing a demand circuit, the security device limits routing protocol traffic to changes in network topology, and suppresses OSPF hello packets and the periodic refresh of LSA flooding.

To configure an interface as a demand circuit:

- The interface link type must be point-to-point or serial; you cannot configure a point-to-multipoint interface as a demand circuit.
- You must configure both ends of the tunnel as demand circuits.

Configuring OSPF Neighbors

Two routers with interfaces on the same subnet are considered neighbors. Routers use the hello protocol to establish and maintain these neighbor relationships. When two routers establish bidirectional communication, they are said to have established an adjacency. If two routers do not establish an adjacency, they cannot exchange routing information. By default, the OSPF routing instance on the virtual router forms adjacencies with all OSPF neighbors communicating on an OSPF-enabled interface.

You can configure the following settings for neighbors on the interface:

- Neighbor Dead Interface—Enter the number of seconds that elapse with no response from an OSPF neighbor before OSPF determines the neighbor is not running. By default, OSPF determines a neighbor is "dead" after 40 seconds.
- Add/Edit/Delete Neighbor (Ethernet Interface Only)—To limit the devices on an interface that can form adjacencies with the OSPF routing instance, define the subnets that contain eligible OSPF neighbors. Only hosts or routers that reside in the specified subnets can form adjacencies with the OSPF routing instance.

NOTE: All OSPF routers in an area must use the same hello, dead, and retransmit interval values before they can form adjacencies.

Configuring OSPF Authentication

Because LSAs are unencrypted, most protocol analyzers can decapsulate OSPF packets. Authenticating OSPF neighbors using MD5 authentication or a simple password is the best way to fend off these types of attacks.

When authentication is enabled, the device discards all unauthenticated OSPF packets received on the interface. By default, authentication is disabled.

To enable authentication, select one of the following authentication methods:

- Clear Text Authentication—To use a simple password for authentication, select this option and enter the password.

NOTE: All passwords handled by NSM are case-sensitive.
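
The following Python code is an added example, not part of the Juniper manual or of NSM: it parses OSPFv2 Hello packets (field layout per RFC 2328) and reports routers that are not using MD5 authentication or whose hello and dead intervals differ from the rest of their area. The packets, router IDs and the 10-second hello interval are constructed sample values.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

# OSPFv2 AuType values (RFC 2328). AuType 1 puts the password in the header unencrypted.
AUTH = {0: "none", 1: "clear-text password", 2: "cryptographic (MD5)"}

def parse_hello(pkt: bytes):
    """Parse an OSPFv2 Hello starting at the OSPF header; None if it is not one."""
    if len(pkt) < 44 or pkt[0] != 2 or pkt[1] != 1:  # version 2, type 1 = Hello
        return None
    rid, area, _cksum, autype = struct.unpack("!4s4sHH", pkt[4:16])
    hello, _opts, _prio, dead = struct.unpack("!HBBI", pkt[28:36])
    return {"router": str(IPv4Address(rid)), "area": str(IPv4Address(area)),
            "autype": autype, "hello": hello, "dead": dead}

def audit(packets):
    """Return (router, finding) pairs for weak authentication and timer mismatches."""
    hellos = [h for h in map(parse_hello, packets) if h]
    findings = [(h["router"], "authentication: " + AUTH.get(h["autype"], "unknown"))
                for h in hellos if h["autype"] != 2]
    for area in sorted({h["area"] for h in hellos}):
        peers = [h for h in hellos if h["area"] == area]
        # Treat the most common hello/dead pair in the area as the intended setting.
        want = Counter((h["hello"], h["dead"]) for h in peers).most_common(1)[0][0]
        for h in peers:
            if (h["hello"], h["dead"]) != want:
                findings.append((h["router"], "hello/dead %d/%d differs from %d/%d"
                                 % (h["hello"], h["dead"], *want)))
    return findings

def build_hello(rid, area, autype, hello=10, dead=40):
    """Build a constructed sample Hello (checksum and auth data zeroed, no neighbors)."""
    header = struct.pack("!BBH4s4sHH8s", 2, 1, 44, IPv4Address(rid).packed,
                         IPv4Address(area).packed, 0, autype, bytes(8))
    body = struct.pack("!4sHBBI4s4s", IPv4Address("255.255.255.0").packed,
                       hello, 0x02, 1, dead, bytes(4), bytes(4))
    return header + body

# Constructed sample capture: three routers in area 0.0.0.0 (hello 10 s is assumed).
SAMPLE = [build_hello("10.0.0.1", "0.0.0.0", 2),
          build_hello("10.0.0.2", "0.0.0.0", 1),
          build_hello("10.0.0.3", "0.0.0.0", 2, dead=60)]

if __name__ == "__main__":
    for router, finding in audit(SAMPLE):
        print(router, "-", finding)
```

The retransmit interval is not carried in Hello packets, so it has to be compared from the device configurations instead.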
Chapter 10: Routing