OSPF Authentication

Written by admin. Posted in OSPF

By using OSPF authentication you can prevent unwanted routing updates from being received and processed by your routers. If authentication is configured on a router, it authenticates the source of each OSPF packet using a password that is known by both neighbors.

By default OSPF does not use authentication. There are two authentication methods:

  • Plain text authentication;
  • MD5 authentication.

In this lab we will examine both methods on Cisco routers. Below you see the scenario that we'll use. We have an HQ router and a BRANCH router, and we will authenticate the OSPF packets exchanged between them.

OSPF authentication

Next you see the initial configuration, without authentication yet:

HQ

HQ(config)#interface fastEthernet 0/0
HQ(config-if)#ip address 192.168.0.1 255.255.255.0
HQ(config-if)#no shutdown

HQ(config)#router ospf 1
HQ(config-router)#network 192.168.0.0 0.0.0.255 area 0

BRANCH

BRANCH(config)#interface fastEthernet 0/0
BRANCH(config-if)#ip address 192.168.0.2 255.255.255.0
BRANCH(config-if)#no shutdown 

BRANCH(config)#router ospf 1
BRANCH(config-router)#network 192.168.0.0 0.0.0.255 area 0

Now let's proceed to authentication.

Plain Text Authentication

With plain text authentication the password is added to the OSPF header in clear text. To configure it, follow these steps:
  1. Under the interface that connects to the neighbor you want to authenticate, add the ip ospf authentication-key password command. Only the first eight characters of the password are used.
  2. Now you have to specify which type of authentication will be used; in this case use the ip ospf authentication command without any parameters.
    This interface command was introduced in IOS 12.0, but the old type of authentication (area authentication under the OSPF process) is also supported.
HQ

HQ(config)#interface fastEthernet 0/0
HQ(config-if)#ip ospf authentication-key test
HQ(config-if)#ip ospf authentication

BRANCH

BRANCH(config)#interface fastEthernet 0/0
BRANCH(config-if)#ip ospf authentication-key test
BRANCH(config-if)#ip ospf authentication

And now verification on HQ:

HQ#show ip ospf neighbor 

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.10.1         1   FULL/DR         00:00:39    192.168.0.2     FastEthernet0/0
HQ#
HQ#show ip ospf interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up 
  Internet Address 192.168.0.1/24, Area 0 
  Process ID 1, Router ID 10.0.0.1, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State BDR, Priority 1 
  Designated Router (ID) 10.0.10.1, Interface address 192.168.0.2
  Backup Designated router (ID) 10.0.0.1, Interface address 192.168.0.1
  Flush timer for old DR LSA due in 00:01:23
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:04
  Supports Link-local Signaling (LLS)
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1 
    Adjacent with neighbor 10.0.10.1  (Designated Router)
  Suppress hello for 0 neighbor(s)
  Simple password authentication enabled
HQ#

I've used "test" as the password, and you can see from the output that simple password authentication is enabled. A Wireshark capture is also provided.

OSPF Plain text authentication capture

MD5 Authentication

When you use MD5 OSPF authentication, a key and a key id must be configured on both routers. From this key and key id a hash is generated, which is added to the OSPF packet. The procedure is similar to the previous one, but the commands are different:
  1. Use ip ospf message-digest-key key-id md5 key under the interface where you want to configure authentication. Here key-id is an identifier from 1 to 255, and key is the password that will be used. The key (password) can be up to 16 characters long.
  2. Define which authentication method will be used with the ip ospf authentication message-digest interface command.
HQ

HQ(config)#interface fastEthernet 0/0
HQ(config-if)#ip ospf message-digest-key 1 md5 test
HQ(config-if)#ip ospf authentication message-digest

BRANCH

BRANCH(config)#interface fastEthernet 0/0
BRANCH(config-if)#ip ospf message-digest-key 1 md5 test
BRANCH(config-if)#ip ospf authentication message-digest

And verification:

HQ#show ip ospf neighbor 

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.10.1         1   FULL/DR         00:00:39    192.168.0.2     FastEthernet0/0
HQ#
HQ#show ip ospf interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up 
  Internet Address 192.168.0.1/24, Area 0 
  Process ID 1, Router ID 10.0.0.1, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State BDR, Priority 1 
  Designated Router (ID) 10.0.10.1, Interface address 192.168.0.2
  Backup Designated router (ID) 10.0.0.1, Interface address 192.168.0.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:00
  Supports Link-local Signaling (LLS)
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1 
    Adjacent with neighbor 10.0.10.1  (Designated Router)
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1

Now, a Wireshark capture:

OSPF MD5 authentication capture

If you want to change your keys, add a new key-id with a new password on both routers. Once both routers have the new key-id and password configured, delete the old ones, because until then the routers send duplicate packets, one copy per configured authentication key.

In this article we have examined OSPF authentication, a quite easy task. The method that should be used is of course MD5 authentication, which is more secure than plain text authentication and allows a smooth migration to new keys.
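As an added illustration (not code from the article), here is the packet-level view of what the MD5 procedure and the key rollover note above describe: plain text authentication places the first eight password characters in the OSPF header in clear, while MD5 authentication fills the auth field with key id, digest length and a sequence number and appends an MD5 digest computed over the packet plus the key zero padded to 16 bytes, as specified in RFC 2328 Appendix D. The Hello packet, sequence numbers and the keyring dict (standing in for the configured message-digest keys) are constructed values.

```python
import hashlib
import hmac
import struct

HDR = "!BBH4s4sHH8s"  # version, type, length, router id, area id, checksum, autype, auth field
HDR_LEN, AU_CRYPT, DIGEST_LEN = 24, 2, 16

def simple_auth_field(password):  # AuType 1: first 8 chars only, 8-byte field, sent in clear
    return password.encode()[:8].ljust(8, b"\x00")

def _key16(key):  # keys are at most 16 chars; shorter keys are zero padded before hashing
    return key.encode()[:16].ljust(16, b"\x00")

def md5_sign(ptype, rid, area, body, key_id, key, seq):
    """AuType 2 (RFC 2328 App. D): the auth field carries 0, key id, digest length and a
    sequence number, the checksum stays 0, and MD5(packet || padded key) is appended."""
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    pkt = struct.pack(HDR, 2, ptype, HDR_LEN + len(body), rid, area, 0, AU_CRYPT, auth) + body
    return pkt + hashlib.md5(pkt + _key16(key)).digest()

def md5_verify(wire, keyring, last_seq):
    """Receiver side: look the key id up in the keyring, recompute the digest, reject replays."""
    pkt, digest = wire[:-DIGEST_LEN], wire[-DIGEST_LEN:]
    _, _, length, _, _, _, autype, auth = struct.unpack(HDR, pkt[:HDR_LEN])
    if autype != AU_CRYPT or length != len(pkt):
        return False, "not an MD5-authenticated OSPF packet"
    _, key_id, dlen, seq = struct.unpack("!HBBI", auth)
    key = keyring.get(key_id)
    if key is None or dlen != DIGEST_LEN:
        return False, "unknown key id %d" % key_id
    if not hmac.compare_digest(hashlib.md5(pkt + _key16(key)).digest(), digest):
        return False, "digest mismatch"
    if seq < last_seq:
        return False, "sequence number went backwards"
    return True, "ok"

def demo():
    """Constructed Hello from HQ (router id 10.0.0.1, area 0), signed with key id 1 / 'test'."""
    rid, area = bytes([10, 0, 0, 1]), bytes(4)
    # Hello body: mask, hello 10, options, priority 1, dead 40, DR, BDR (constructed values)
    hello = bytes.fromhex("ffffff00") + struct.pack("!HBBI", 10, 0x02, 1, 40) + bytes(8)
    wire = md5_sign(1, rid, area, hello, 1, "test", 1000)
    tampered = wire[:HDR_LEN] + hello[:-1] + b"\x01" + wire[-DIGEST_LEN:]
    return {
        "branch_key_1": md5_verify(wire, {1: "test"}, 999),
        "rollover_both_keys": md5_verify(wire, {1: "test", 2: "newkey"}, 999),
        "old_key_removed": md5_verify(wire, {2: "newkey"}, 999),
        "tampered": md5_verify(tampered, {1: "test"}, 999),
        "replayed": md5_verify(wire, {1: "test"}, 1001),
    }
```

The "rollover_both_keys" and "old_key_removed" cases show why the old key-id must stay configured on the receiving side until the neighbor has switched to the new one.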