Configuring OSPF Authentication | Kickoff

16 Mar

Configuring OSPF Authentication
Open Shortest Path First (OSPF) supports two forms of authentication: plain text and MD5. Plain text authentication should be used only when neighboring devices do not support the more secure MD5 authentication. To configure plain text authentication of OSPF packets, follow these steps:

1. In interface configuration mode, use the ip ospf authentication-key <key> command. The key that is specified is the plain text password that will be used for authentication.

2. Enter OSPF configuration mode using the router ospf <process-id> command. Then use the area <area-id> authentication command to configure plain text authentication of OSPF packets for an area.

Referring to Figure 1.4, we will configure Router A and Router B for plain text authentication of OSPF packets. Listing 1.9 and Listing 1.10 display each router’s configuration.

Figure 1.4: Router A and Router B configured for OSPF authentication.
Listing 1.9: Router A configured to authenticate OSPF packets using plain text authentication.

interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.11.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.1 255.255.255.252
ip ospf authentication-key security
clockrate 64000
router ospf 60
area 0 authentication
network 10.10.10.0 0.0.0.255 area 10
network 10.10.11.0 0.0.0.255 area 11
network 192.168.10.0 0.0.0.255 area 0

Listing 1.10: Router B configured to authenticate OSPF packets using plain text authentication.

interface Loopback0
ip address 10.10.12.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.13.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.2 255.255.255.252
ip ospf authentication-key security
router ospf 50
area 0 authentication
network 10.10.12.0 0.0.0.255 area 12
network 10.10.13.0 0.0.0.255 area 13
network 192.168.10.0 0.0.0.255 area 0

In Listing 1.9 and Listing 1.10, plain text authentication is configured to authenticate updates across area 0. By issuing the show ip ospf <process-id> command, you can determine if plain text authentication is properly configured for each area. Here is an example of the output for the show ip ospf command:

Router-B#show ip ospf 50
Routing Process "ospf 50" with ID 10.10.13.1
...
Area BACKBONE(0)
Number of interfaces in this area is 1
Area has simple password authentication
SPF algorithm executed 7 times
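The show ip ospf output above is the thing to check on every router after turning authentication on, and on a box with several areas it is easy to miss one. As an added example (not from the original page), the following Python parses that output, records the authentication type IOS reports for each area, and lists every area that falls below the level you require. The sample output is constructed: it follows the format of the excerpt above and adds two non-backbone areas so the audit has something to flag.

```python
"""Audit the per-area authentication type reported by `show ip ospf`.

Added example, not from the page. The sample output below is constructed to
follow the format of the excerpt above; the non-backbone areas were added so
the audit has something to report.
"""
import re

SAMPLE_SHOW_IP_OSPF = """\
Routing Process "ospf 50" with ID 10.10.13.1
    Area BACKBONE(0)
        Number of interfaces in this area is 1
        Area has simple password authentication
        SPF algorithm executed 7 times
    Area 12
        Number of interfaces in this area is 1
        Area has no authentication
        SPF algorithm executed 3 times
    Area 13
        Number of interfaces in this area is 1
        Area has message digest authentication
        SPF algorithm executed 2 times
"""

# Matches "Area BACKBONE(0)" or "Area 12"; the lazy group keeps the ID without the paren
AREA_RE = re.compile(r"^\s*Area (?:BACKBONE\()?(\S+?)\)?\s*$")
AUTH_RE = re.compile(r"^\s*Area has (no|simple password|message digest) authentication")

# Ordering used by the audit: anything below the required level is reported
STRENGTH = {"unknown": 0, "no": 0, "simple password": 1, "message digest": 2}


def parse_area_auth(text):
    """Map each area ID to the authentication type IOS reports for it."""
    areas, current = {}, None
    for line in text.splitlines():
        m = AREA_RE.match(line)
        if m:
            current = m.group(1)
            areas.setdefault(current, "unknown")  # flagged unless an auth line follows
            continue
        m = AUTH_RE.match(line)
        if m and current is not None:
            areas[current] = m.group(1)
    return areas


def audit(text, required="message digest"):
    """Return (area, auth_type) for every area weaker than `required`."""
    return [(area, auth) for area, auth in parse_area_auth(text).items()
            if STRENGTH[auth] < STRENGTH[required]]


if __name__ == "__main__":
    for area, auth in audit(SAMPLE_SHOW_IP_OSPF):
        print(f"area {area}: {auth} authentication (wanted message digest)")
```

Run against the real output of show ip ospf from each router; with the default requirement, both the simple-password backbone and the unauthenticated area 12 in the sample are reported.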

To configure MD5 authentication of OSPF packets, follow the steps outlined here:

1. From interface configuration mode, enable the authentication of OSPF packets using MD5 with the following command:

ip ospf message-digest-key <key-id> md5 <key>

The value of the key-id allows passwords to be changed without having to disable authentication.

2. Enter OSPF configuration mode using the router ospf <process-id> command. Then configure MD5 authentication of OSPF packets for an area using this command:

area <area-id> authentication message-digest

This time, Routers A and B will be configured to authenticate packets across the backbone using the MD5 version of authentication. Listing 1.11 shows the configuration for Router A, and Listing 1.12 shows Router B’s configuration.

Listing 1.11: Router A configured for MD5 authentication.

interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.11.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.1 255.255.255.252
ip ospf message-digest-key 15 md5 miller
clockrate 64000
router ospf 60
area 0 authentication message-digest
network 10.10.10.0 0.0.0.255 area 10
network 10.10.11.0 0.0.0.255 area 11
network 192.168.10.0 0.0.0.255 area 0

Listing 1.12: Router B configured for MD5 authentication.

interface Loopback0
ip address 10.10.12.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.13.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.2 255.255.255.252
ip ospf message-digest-key 15 md5 miller
router ospf 50
area 0 authentication message-digest
network 10.10.12.0 0.0.0.255 area 12
network 10.10.13.0 0.0.0.255 area 13
network 192.168.10.0 0.0.0.255 area 0

When you use the ip ospf message-digest-key command, the key-id value allows the password to be changed without having to disable authentication.

Note: For OSPF, authentication passwords do not have to be the same throughout the area, but the key id value and the password must be the same between neighbors.

Using the show ip ospf <process-id> command again, you can see that it now states that MD5 authentication is being used across area 0:

Router-A#sh ip ospf 60
Routing Process "ospf 60" with ID 10.10.11.1
...
Area BACKBONE(0)
Number of interfaces in this area is 1
Area has message digest authentication
SPF algorithm executed 4 times

As noted earlier, the key id value and the passwords must be the same between neighbors. If you change the key id value on Router A to a number other than 15, authentication will fail and OSPF will complain. Here is the changed configuration:

interface Serial0/0
ip address 192.168.10.1 255.255.255.252
ip ospf message-digest-key 30 md5 miller
clockrate 64000
router ospf 60
area 0 authentication message-digest
network 10.10.10.0 0.0.0.255 area 10
network 10.10.11.0 0.0.0.255 area 11
network 192.168.10.0 0.0.0.255 area 0

Notice that it has been changed to a value of 30. The following lines show what OSPF has to say about this:

Router-A#debug ip ospf events
OSPF events debugging is on
Router-A#
00:03:58: OSPF: Send with youngest Key 30
00:04:04: OSPF: Rcv pkt from 192.168.10.2, Ethernet0/0 : Mismatch Authentication Key - No message digest key 15 on Interface

OSPF is obviously not happy. If you change the key value back, everything should again be all right. As mentioned earlier, the key id value allows passwords to be changed without having to disable authentication. Listing 1.13 and Listing 1.14 display the configuration of Router A and Router B with multiple keys and passwords configured.

Listing 1.13: Router A configured with multiple keys and passwords.

interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.11.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.1 255.255.255.252
ip ospf message-digest-key 15 md5 miller
ip ospf message-digest-key 20 md5 ampaq
clockrate 64000
router ospf 60
area 0 authentication message-digest
network 10.10.10.0 0.0.0.255 area 10
network 10.10.11.0 0.0.0.255 area 11
network 192.168.10.0 0.0.0.255 area 0

Listing 1.14: Router B configured with multiple keys and passwords.

interface Loopback0
ip address 10.10.12.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.13.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.2 255.255.255.252
ip ospf message-digest-key 15 md5 miller
ip ospf message-digest-key 20 md5 ampaq
router ospf 50
area 0 authentication message-digest
network 10.10.12.0 0.0.0.255 area 12
network 10.10.13.0 0.0.0.255 area 13
network 192.168.10.0 0.0.0.255 area 0

As a result of this configuration, Routers A and B will send duplicate copies of each OSPF packet out of their serial interfaces: one authenticated with key number 15 and the other with key number 20. Once each router has received OSPF packets from the other authenticated with key 20, it stops sending packets with key number 15 and uses only key number 20. At that point you can delete key number 15, which is how passwords are changed without disabling authentication.
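To make the key ID behaviour concrete, here is an added Python model (not the page's or Cisco's code) of the two authentication types described on this page, following RFC 2328 Appendix D: with simple password authentication the password itself rides in the 8-byte authentication field of the OSPF header, which is why it can be read off the wire; with MD5 authentication that field carries the key ID and a sequence number, and the MD5 digest of the packet plus the zero-padded key is appended after the packet. A toy Router class then reproduces the two behaviours shown above: the "No message digest key" rejection when the receiver has no key with the advertised ID, and the rollover of Listings 1.13 and 1.14, where each router sends one copy per configured key until it has seen its neighbour use the youngest key. Router IDs, key IDs and passwords are taken from the listings; the rule "youngest key = most recently configured", the per-neighbour flag, the packet body and the area ID are assumptions of the model, and the cryptographic sequence number is carried but not checked for replay.

```python
"""Toy model of OSPFv2 packet authentication (RFC 2328 Appendix D).

Added example, not the page's or Cisco's code. Router IDs and passwords come
from the listings on the page; the rest is a modelling assumption.
"""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

OSPF_HDR = "!BBH4s4sHH8s"   # version, type, length, router ID, area ID, checksum, AuType, auth
AUTH_FIELD = "!HBBI"        # reserved, key ID, auth data length, cryptographic sequence number
AU_SIMPLE, AU_CRYPT = 1, 2
DIGEST_LEN = 16             # MD5 digest appended after the packet (not counted in length)
KEY_LEN = 16                # keys are zero-padded to 16 bytes before hashing


def _header(router_id, area_id, length, autype, auth):
    # Checksum is 0: with cryptographic authentication the digest replaces it.
    return struct.pack(OSPF_HDR, 2, 1, length, IPv4Address(router_id).packed,
                       IPv4Address(area_id).packed, 0, autype, auth)


def plaintext_packet(router_id, area_id, password, body):
    """Simple password (AuType 1): the password itself sits in the 8-byte auth field."""
    return _header(router_id, area_id, 24 + len(body), AU_SIMPLE,
                   password.encode().ljust(8, b"\x00")) + body


def sign(router_id, area_id, key_id, key, seq, body):
    """MD5 (AuType 2): digest over packet + padded key, appended after the packet."""
    auth = struct.pack(AUTH_FIELD, 0, key_id, DIGEST_LEN, seq)
    packet = _header(router_id, area_id, 24 + len(body), AU_CRYPT, auth) + body
    return packet + hashlib.md5(packet + key.encode().ljust(KEY_LEN, b"\x00")).digest()


def verify(datagram, keys):
    """Receiver: look up the advertised key ID, recompute the digest, compare in constant time."""
    if len(datagram) < 24:
        return False, "runt packet"
    _, _, length, _, _, _, autype, auth = struct.unpack(OSPF_HDR, datagram[:24])
    if autype != AU_CRYPT:
        return False, "AuType is not cryptographic"
    _, key_id, auth_len, _ = struct.unpack(AUTH_FIELD, auth)
    if key_id not in keys:
        return False, f"Mismatch Authentication Key - No message digest key {key_id} on Interface"
    packet, digest = datagram[:length], datagram[length:length + auth_len]
    expected = hashlib.md5(packet + keys[key_id].encode().ljust(KEY_LEN, b"\x00")).digest()
    if not hmac.compare_digest(expected, digest):
        return False, f"Mismatch Authentication Key - bad digest for key {key_id}"
    return True, f"authenticated with key {key_id}"


class Router:
    """Just enough router to show key selection and rollover (modelling assumptions)."""

    def __init__(self, router_id, keys):
        self.router_id = router_id
        self.keys = dict(keys)           # key ID -> password, in configuration order
        self.seq = 0
        self.peer_uses_youngest = False  # set once the neighbour is seen using our newest key

    def youngest(self):
        return list(self.keys)[-1]       # assumption: youngest = most recently configured

    def transmit(self, body):
        """One copy per key while rolling over; only the youngest key once the peer has it."""
        self.seq += 1
        ids = [self.youngest()] if self.peer_uses_youngest else list(self.keys)
        return [sign(self.router_id, "0.0.0.0", k, self.keys[k], self.seq, body) for k in ids]

    def receive(self, datagram):
        ok, msg = verify(datagram, self.keys)
        if ok and struct.unpack(AUTH_FIELD, datagram[16:24])[1] == self.youngest():
            self.peer_uses_youngest = True
        return ok, msg


def mismatch_demo():
    """Router A moved to key 30 while Router B still knows only key 15."""
    a, b = Router("10.10.11.1", {30: "miller"}), Router("10.10.13.1", {15: "miller"})
    return b.receive(a.transmit(b"hello")[0])


def rollover_demo():
    """Listings 1.13/1.14: add key 20 beside key 15 and count copies sent per exchange."""
    a, b = Router("10.10.11.1", {15: "miller"}), Router("10.10.13.1", {15: "miller"})
    a.keys[20] = "ampaq"
    b.keys[20] = "ampaq"
    copies = []
    for sender, receiver in ((a, b), (b, a), (a, b)):
        sent = sender.transmit(b"hello")
        assert all(receiver.receive(d)[0] for d in sent)
        copies.append(len(sent))
    del a.keys[15]                       # safe once both sides use key 20 exclusively
    del b.keys[15]
    return copies                        # [2, 1, 1]
```

rollover_demo returns the number of copies sent in three successive exchanges: two while Router A still has to cover both keys, then one each once the neighbour has been seen using key 20, matching the description above. mismatch_demo returns the same kind of rejection the debug output shows, here for key 30.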
