Sunday, 27 October 2019

OSPF Authentication Types, Configuration & Verification


This article covers OSPF authentication types, configuration and verification. OSPF supports three types of authentication: null, simple password authentication and MD5 authentication. OSPF MD5 authentication can be configured globally or per interface. OSPF authentication protects the routing exchange between neighbors; the different types are described below.

OSPF Authentication Types 

When neighbor authentication is configured on a router, the router authenticates the origin of each routing update packet it receives. This is achieved by sharing an authentication key (sometimes called a "password") that is known to both the router that sends the packet and the one that receives it.
To exchange routing update information securely, OSPF authentication must be enabled. OSPF authentication can be none (null), simple, or Message Digest 5 (MD5).
OSPF supports three types of authentication:

  • Null: This is the default method and means that no authentication is used for OSPF.
  • Simple password authentication: also known as "plain-text authentication", because the password in the update is sent as unencrypted text over the network.
  • MD5 authentication: This is the most secure and recommended authentication method. MD5 authentication provides greater security, since the password is never exchanged between peers. Instead, a digest is calculated over the message and the password using the MD5 algorithm. If the results match, the sender is authenticated.


OSPF MD5 Authentication

The following example shows how MD5 authentication is used to authenticate two neighboring OSPF routers.
In Image 1, R1 combines the routing message with the previously shared secret key and calculates the signature with the MD5 algorithm. The signature is also known as a "hash value".

In Image 2, R1 adds the signature to the routing message and sends it to R2.

MD5 does not encrypt the message; therefore, the content can still be read easily by anyone who captures it.
In Image 3, R2 opens the packet, combines the routing message with the previously shared secret key and calculates the signature with the MD5 algorithm.


  • If the signatures match, R2 accepts the routing update.
  • If the signatures do not match, R2 discards the update.
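To make the R1/R2 walkthrough concrete, here is an added Python example (not code from the original article) that builds a constructed OSPFv2 Hello packet, computes the RFC 2328 keyed-MD5 digest the way R1 does, and checks it the way R2 does. The packet bytes, router IDs and the key CISCO-123 are sample values, and the keychain dict stands in for the router's configured message-digest-keys.

```python
import hashlib
import hmac
import struct

DIGEST_LEN = 16  # AuType 2 carries a 16-byte MD5 digest after the packet


def ospf_packet(router_id, area_id, body, key_id, seq):
    """Constructed OSPFv2 Hello (RFC 2328 A.3.1) with AuType 2 (cryptographic).

    With AuType 2 the checksum is zero and the 8-byte Authentication field holds
    (reserved, key ID, auth data length, cryptographic sequence number)."""
    rid = bytes(int(o) for o in router_id.split("."))
    aid = bytes(int(o) for o in area_id.split("."))
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    header = struct.pack("!BBH", 2, 1, 24 + len(body)) + rid + aid + struct.pack("!HH", 0, 2) + auth
    return header + body


def md5_digest(packet, password):
    """RFC 2328 D.4.3: MD5 over the packet followed by the key (password zero-padded to 16 bytes)."""
    key = password.encode()[:16].ljust(16, b"\x00")
    return hashlib.md5(packet + key).digest()


def sign(packet, password):
    """R1's side: the digest is appended after the packet and is not counted in the length field."""
    return packet + md5_digest(packet, password)


def verify(wire, keychain):
    """R2's side: split off the trailing digest, select the key by key ID, recompute and compare."""
    length = struct.unpack("!H", wire[2:4])[0]
    if len(wire) != length + DIGEST_LEN:
        return False
    packet, received = wire[:length], wire[length:]
    password = keychain.get(wire[18])  # key ID byte of the Authentication field
    if password is None:
        return False
    return hmac.compare_digest(md5_digest(packet, password), received)


def demo():
    """R1 (1.1.1.1) signs a constructed Hello with key 1 = CISCO-123; R2 checks several cases."""
    body = bytes.fromhex("ffffff00" "000a" "12" "01" "00000028" "00000000" "00000000")
    wire = sign(ospf_packet("1.1.1.1", "0.0.0.0", body, 1, 1), "CISCO-123")
    return {
        "matching_key": verify(wire, {1: "CISCO-123"}),    # accepted
        "wrong_key": verify(wire, {1: "WRONG-KEY"}),       # discarded
        "unknown_key_id": verify(wire, {2: "CISCO-123"}),  # discarded: no key 1 configured
        "tampered_router_id": verify(wire[:4] + b"\x09" + wire[5:], {1: "CISCO-123"}),  # discarded
        "body_readable_on_wire": body in wire,             # MD5 authenticates, it does not encrypt
    }
```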

OSPFv3 (OSPF for IPv6) does not include any authentication capabilities of its own. Instead, it relies entirely on IPsec to protect communications between neighbors, enabled with the ipv6 ospf authentication ipsec spi command in interface configuration mode. This is beneficial, as it simplifies the OSPFv3 protocol and standardizes its authentication mechanism.

OSPF MD5 Authentication Configuration

OSPF supports authentication of routing protocols using MD5. MD5 authentication can be enabled globally for all interfaces or for each desired interface.

To enable OSPF MD5 authentication globally, configure the following:
Interface configuration mode command:
ip ospf message-digest-key key md5 password
Router configuration mode command:
area area-id authentication message-digest
This method enforces authentication on all OSPF-enabled interfaces. If an interface is not configured with the ip ospf message-digest-key command, it cannot establish adjacencies with other OSPF neighbors.
To provide more flexibility, per-interface authentication is also supported. To enable MD5 authentication per interface, configure the following:
Interface configuration mode command:
ip ospf message-digest-key key md5 password
Interface configuration mode command:
ip ospf authentication message-digest
Global and per-interface OSPF MD5 authentication can be used on the same router. However, the per-interface configuration overrides the global configuration. MD5 authentication passwords do not have to be the same throughout an area; however, they do have to be the same between neighbors.
For example, suppose that all routers in the illustration have converged using OSPF and that routing works correctly. OSPF authentication will now be implemented on all routers.

OSPF MD5 Authentication example

In the example in Image 4, we show how to configure R1 to enable OSPF MD5 authentication on all interfaces.

Note that the informational messages indicate that the OSPF neighbor adjacencies with R2 and R3 changed to the Down state, because R2 and R3 have not yet been configured to support MD5 authentication.
As an alternative to enabling MD5 authentication globally, the example in Image 5 shows how to configure R1 to enable OSPF MD5 authentication per interface. Note that in this case too the OSPF neighbor adjacencies changed to the Down state.

Next, OSPF MD5 authentication is enabled globally on R2 and per interface on R3.
R2(config)# router ospf 10
R2(config-router)# area 0 authentication message-digest
R2(config-router)# interface GigabitEthernet 0/0
R2(config-if)# ip ospf message-digest-key 1 md5 CISCO-123
R2(config-if)# interface Serial 0/0/0
R2(config-if)# ip ospf message-digest-key 1 md5 CISCO-123
R2(config-if)# interface Serial 0/0/1
R2(config-if)# ip ospf message-digest-key 1 md5 CISCO-123
R2(config-if)# end
R2(config)#
*Apr 8 10:26:46.783: %OSPF-5-ADJCHG: Process 10, Nbr 1.1.1.1 on Serial0/0/0 from LOADING to FULL, Loading Done
R2(config)#
*Apr 8 10:27:16.435: %OSPF-5-ADJCHG: Process 10, Nbr 3.3.3.3 on Serial0/0/1 from FULL to DOWN, Neighbor Down: Dead timer expired
R2#
Informational messages also appear here. The first message is because the neighbor adjacency with R1 was re-established. However, the adjacency with R3 changed to the Down state, because R3 has not yet been configured.
R3(config)# interface GigabitEthernet 0/0
R3(config-if)# ip ospf message-digest-key 1 md5 CISCO-123
R3(config-if)# ip ospf authentication message-digest
R3(config-if)# interface Serial 0/0/0
R3(config-if)# ip ospf message-digest-key 1 md5 CISCO-123
R3(config-if)# ip ospf authentication message-digest
R3(config-if)# interface Serial 0/0/1
R3(config-if)# ip ospf message-digest-key 1 md5 CISCO-123
R3(config-if)# ip ospf authentication message-digest
R3(config-if)# end
R3#
*Apr 8 10:29:21.859: %OSPF-5-ADJCHG: Process 10, Nbr 2.2.2.2 on Serial0/0/1 from LOADING to FULL, Loading Done
R3(config)#
*Apr 8 10:29:27.315: %OSPF-5-ADJCHG: Process 10, Nbr 1.1.1.1 on Serial0/0/0 from LOADING to FULL, Loading Done
R3#
After configuring R3, all neighbor adjacencies were re-established.

Verification of the OSPF MD5 Authentication

To verify that OSPF MD5 authentication is enabled, use the show ip ospf interface command in privileged EXEC mode. By verifying that the routing table is complete, it can be confirmed that the authentication was successful.
The image shows the verification of OSPF MD5 authentication on serial interface 0/0/0 on R1.

The following image confirms that the authentication was successful.
