OSPF Passive Interface

When an interface's address is matched by OSPF's network command, OSPF advertises the connected network throughout its domain and also attempts to form neighbour relationships on that interface. On the surface this appears to be perfectly acceptable behaviour, but it has security implications.

The problem

Consider what would happen if an attacker gained access to a link connected to an OSPF-enabled interface. They could attach their own router to it and form a neighbour relationship with your router. At that point they could inject routes with arbitrarily small costs into your OSPF domain, drawing traffic to their router to sniff it, and/or tear down chunks of your network by disrupting the paths packets take.

This is somewhat inconvenient, but thankfully there are a few ways to mitigate the threat, one of which is passive interfaces.

Passive Interfaces

Passive interfaces allow the connected network of an interface to be advertised throughout the OSPF domain while suppressing the sending of hello packets. If no hello packets are sent out of an interface, no adjacency can form on it. With one simple command applied in OSPF configuration mode, the threat described above is mitigated:

Router(config-router)#passive-interface <interface>

And of course, the command can be negated by prefixing it with no.

Default Passive Interface

The good news doesn't stop there. Cisco provides a command that makes passive-interface the default on all interfaces, which is handy on a router with many interfaces. Once again this is applied from OSPF configuration mode; once set, you use no passive-interface <interface> to re-enable hellos on the links over which you want OSPF neighbour relationships to form.

Router(config-router)#passive-interface default
Router(config-router)#no passive-interface <interface>
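A useful check before and after applying these commands is to work out, from the running configuration, which interfaces will actually still send hellos and so still accept a neighbour. The script below is an added example (not from the original page, and not a Cisco tool) that models the two IOS rules discussed here: an interface is OSPF-enabled when its IP address falls under a network statement's wildcard mask, and hellos are suppressed when it is explicitly passive, or when passive-interface default is set and no matching no passive-interface exists. The embedded configuration is constructed for illustration, and the script ignores less common cases such as the interface-mode ip ospf area command and secondary addresses.

```python
"""Audit which interfaces of an IOS-style config will send OSPF hellos.

Added example, not code from the original page. It models two rules:
  - an interface is OSPF-enabled when its address matches a
    `network <addr> <wildcard> area <n>` statement under `router ospf`;
  - hellos are suppressed on it when it is passive, either explicitly
    (`passive-interface X`) or through `passive-interface default`
    without a matching `no passive-interface X`.
Caveat: interface-mode `ip ospf <pid> area` and secondary addresses
are not modelled.
"""
import ipaddress
import re

# Constructed sample configuration (not from any real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.252
interface GigabitEthernet0/1
 ip address 10.0.1.1 255.255.255.0
interface GigabitEthernet0/2
 ip address 192.168.5.1 255.255.255.0
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
router ospf 1
 passive-interface default
 no passive-interface GigabitEthernet0/0
 network 10.0.0.0 0.0.255.255 area 0
 network 10.255.0.1 0.0.0.0 area 0
"""

IFACE_RE = re.compile(r"^interface (\S+)")
IPADDR_RE = re.compile(r"^\s+ip address (\S+) (\S+)")
NETWORK_RE = re.compile(r"^\s+network (\S+) (\S+) area \S+")
PASSIVE_RE = re.compile(r"^\s+(no )?passive-interface (\S+)")


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_config(text):
    """Return (interfaces, ospf): interface addresses and the OSPF passive/network state."""
    interfaces = {}  # name -> (address, mask) as integers
    ospf = {"default_passive": False, "passive": set(), "active": set(), "networks": []}
    section, current = None, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            section, current = "interface", m.group(1)
            continue
        if line.startswith("router ospf"):
            section, current = "ospf", None
            continue
        if line and not line[0].isspace():
            section = None  # any other top-level line ends the section
            continue
        if section == "interface":
            m = IPADDR_RE.match(line)
            if m:
                interfaces[current] = (_ip(m.group(1)), _ip(m.group(2)))
        elif section == "ospf":
            m = NETWORK_RE.match(line)
            if m:
                ospf["networks"].append((_ip(m.group(1)), _ip(m.group(2))))
                continue
            m = PASSIVE_RE.match(line)
            if m:
                negated, name = bool(m.group(1)), m.group(2)
                if name == "default":
                    ospf["default_passive"] = not negated
                elif negated:  # `no passive-interface X` re-enables hellos on X
                    ospf["active"].add(name)
                    ospf["passive"].discard(name)
                else:
                    ospf["passive"].add(name)
                    ospf["active"].discard(name)
    return interfaces, ospf


def ospf_enabled(ip, networks):
    """True when the address falls under any network statement (wildcard match)."""
    return any((ip & ~wc & 0xFFFFFFFF) == (net & ~wc & 0xFFFFFFFF) for net, wc in networks)


def hello_state(text):
    """Map each OSPF-enabled interface to 'hellos' (adjacency possible) or 'passive'."""
    interfaces, ospf = parse_config(text)
    result = {}
    for name, (ip, _mask) in interfaces.items():
        if not ospf_enabled(ip, ospf["networks"]):
            continue  # advertised nowhere, so no OSPF at all on this interface
        if name in ospf["passive"]:
            result[name] = "passive"
        elif ospf["default_passive"]:
            result[name] = "hellos" if name in ospf["active"] else "passive"
        else:
            result[name] = "hellos"
    return result


def hello_interfaces(text):
    """Sorted list of interfaces that will still send hellos and accept a neighbour."""
    return sorted(n for n, s in hello_state(text).items() if s == "hellos")


if __name__ == "__main__":
    for name, state in hello_state(SAMPLE_CONFIG).items():
        print(f"{name:22} {state}")
    print("neighbour-capable:", hello_interfaces(SAMPLE_CONFIG))
```

Run against the sample, only GigabitEthernet0/0 (the link deliberately excluded from the passive default) comes back as neighbour-capable; GigabitEthernet0/2 does not appear at all because no network statement covers it. On a real device the same question is answered by show ip ospf interface brief and the passive-interface list in show ip protocols, which is what you would compare the script's output against.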
