A variety of risks come with deploying a routing protocol in a network, and OSPF is no exception. By default OSPF runs with null authentication: any device on the segment that matches the hello parameters (area, timers, network mask) can form an adjacency and inject routes. You need to configure OSPF authentication to make neighbor establishment secure.

Today we will configure OSPF authentication for our demo network. So, let’s start.

Before going to the configuration, keep in mind that between RFC 2328 (null, plain text password and MD5) and RFC 5709 (HMAC-SHA) there are four authentication methods for OSPFv2. These are –

  • Null
  • A plain text password
  • MD5 key
  • OSPFv2 HMAC-SHA Cryptographic Authentication

We will look at each of them and implement it on our network. Below are the IP and connection details for this lab.

[Figure: OSPF Authentication lab topology. R1 GigabitEthernet0/0 10.1.1.1/30 connects to R2 GigabitEthernet0/0 10.1.1.2/30, both in area 0.]
Now, take a look at the current configuration of each router.

Router : R1

router ospf 1
router-id 1.1.1.1

interface GigabitEthernet0/0
ip address 10.1.1.1 255.255.255.252
ip ospf 1 area 0

Router : R2

router ospf 2
router-id 2.2.2.2

interface GigabitEthernet0/0
ip address 10.1.1.2 255.255.255.252
ip ospf 2 area 0

If you need more detailed instructions to configure OSPF, please read How to configure OSPF in Cisco Router.

Now move to the main part –

OSPF Authentication Method #1 : Null

This is the default configuration (AuType 0): the authentication field is ignored and routers do not exchange any key, so any router on the segment whose hello parameters match can become a neighbor. It is only acceptable on links you fully control. Here we just need to enable OSPF and configure the network for it; please check the above-mentioned article for that. The explicit equivalent on an interface is ip ospf authentication null, which is useful to override an area-wide authentication setting on one link.

Method #2 : A plain text password

The password (up to 8 characters) is carried in clear text in the 8-byte authentication field of every OSPF packet, so anyone capturing traffic on the segment can read it. This method prevents accidental adjacencies with a misconfigured router, not an attacker.

Router – R1

R1(config)#interface GigabitEthernet0/0
R1(config-if)# ip address 10.1.1.1 255.255.255.252
R1(config-if)# ip ospf authentication
R1(config-if)# ip ospf authentication-key cisco
R1(config-if)# ip ospf 1 area 0
R1(config-if)#exit

Router – R2

R2(config)#interface GigabitEthernet0/0
R2(config-if)# ip address 10.1.1.2 255.255.255.252
R2(config-if)# ip ospf authentication
R2(config-if)# ip ospf authentication-key cisco
R2(config-if)# ip ospf 2 area 0
R2(config-if)#exit

Verify

R1#sh ip ospf interface
GigabitEthernet0/0 is up, line protocol is up
  Internet Address 10.1.1.1/30, Area 0, Attached via Interface Enable
  Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           1         no          no            Base
  Enabled by interface config, including secondary ip addresses
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 2.2.2.2, Interface address 10.1.1.2
  Backup Designated router (ID) 1.1.1.1, Interface address 10.1.1.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:00
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 1/1/1, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 1 msec, maximum is 1 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 2.2.2.2  (Designated Router)
  Suppress hello for 0 neighbor(s)
  Simple password authentication enabled

Method #3 : MD5 key

Router – R1

R1(config)#
R1(config)#interface GigabitEthernet0/0
R1(config-if)# ip address 10.1.1.1 255.255.255.252
R1(config-if)# ip ospf 1 area 0
R1(config-if)# ip ospf authentication message-digest
R1(config-if)# ip ospf message-digest-key 1 md5 letsconfig
R1(config-if)#exit
R1(config)#

Router – R2

R2(config)#interface GigabitEthernet0/0
R2(config-if)# ip address 10.1.1.2 255.255.255.252
R2(config-if)# ip ospf 2 area 0
R2(config-if)# ip ospf authentication message-digest
R2(config-if)# ip ospf message-digest-key 1 md5 letsconfig
R2(config-if)#exit
R2(config)#

Here, “letsconfig” is the shared key and 1 is the key ID; both must match on the two peers. The key itself is never sent on the wire: each packet carries the key ID, a 16-byte digest computed over the packet and the key, and a cryptographic sequence number that gives replay protection. To verify, use the “sh ip ospf interface” command and look for “Message digest authentication enabled” together with “Youngest key id is 1”. To roll the key, add a second message-digest-key with a new ID while the old one is still configured (IOS sends packets with both keys during the transition) and remove the old key once every neighbor has it. MD5 is considered weak today, so prefer method #4 wherever both ends support it.
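The difference between methods #2 and #3 is easiest to see on the wire. The Python below is an added example, not part of the original article: it builds OSPF Hello packets for the lab link with a plain text password and with an MD5 key, shows what a passive listener on the segment recovers from each, and performs the receiver-side digest and sequence-number check from RFC 2328 D.4.3. The Hello contents (options, DR/BDR, neighbor list) and the sequence number are constructed values, and zero-padding a short key to 16 bytes is an assumption about how IOS handles the “letsconfig” key.

```python
"""What each OSPFv2 authentication type exposes on the wire, and how a receiver
checks an MD5-authenticated packet. Added example; packets are constructed, not captured."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# OSPFv2 header (RFC 2328 A.3.1): version, type, length, router ID, area ID,
# checksum, AuType, 8-byte authentication field. 24 bytes in total.
OSPF_HDR = struct.Struct("!BBHIIHH8s")
AU_NULL, AU_SIMPLE, AU_CRYPTO = 0, 1, 2
HELLO = 1
# With AuType 2 the algorithm is implied only by the Auth Data Length octet
# (16 = MD5 per RFC 2328, longer values = HMAC-SHA per RFC 5709).
DIGEST_BY_LEN = {16: "MD5", 20: "HMAC-SHA-1", 28: "HMAC-SHA-224",
                 32: "HMAC-SHA-256", 48: "HMAC-SHA-384", 64: "HMAC-SHA-512"}


def _ip(addr: str) -> int:
    return int(IPv4Address(addr))


def ip_checksum(data: bytes) -> int:
    """Standard 16-bit one's-complement checksum used by the OSPF header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def hello_body() -> bytes:
    """Constructed Hello for the lab link: /30 mask, Hello 10, options 0x12 (E, L),
    priority 1, Dead 40, DR 10.1.1.2, BDR 10.1.1.1, one neighbor 2.2.2.2."""
    return struct.pack("!IHBBIIII", _ip("255.255.255.252"), 10, 0x12, 1, 40,
                       _ip("10.1.1.2"), _ip("10.1.1.1"), _ip("2.2.2.2"))


def build_packet(router_id: str, autype: int, auth: bytes, body: bytes) -> bytes:
    """Header + body. The checksum covers everything except the 8-byte auth field;
    with AuType 2 it stays zero and the digest takes over its role (RFC 2328 D.4.3)."""
    length = OSPF_HDR.size + len(body)
    hdr = OSPF_HDR.pack(2, HELLO, length, _ip(router_id), 0, 0, autype, auth)
    if autype != AU_CRYPTO:
        hdr = hdr[:12] + struct.pack("!H", ip_checksum(hdr[:16] + body)) + hdr[14:]
    return hdr + body


def simple_auth_packet(router_id: str, password: str) -> bytes:
    """AuType 1 (method #2): the password itself sits in the header, zero-padded to 8 bytes."""
    return build_packet(router_id, AU_SIMPLE, password.encode().ljust(8, b"\x00"), hello_body())


def md5_auth_packet(router_id: str, key_id: int, seq: int, key: str) -> bytes:
    """AuType 2 with MD5 (method #3): the header carries key ID, digest length and a
    cryptographic sequence number; MD5(packet || key) is appended after the packet and
    is not counted in the length field. The key is zero-padded to the 16 bytes that
    RFC 2328 D.3 specifies (assumption: this is how IOS treats a shorter key-string)."""
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = build_packet(router_id, AU_CRYPTO, auth, hello_body())
    return pkt + hashlib.md5(pkt + key.encode().ljust(16, b"\x00")).digest()


def inspect(packet: bytes) -> dict:
    """What a passive listener on the segment learns from one packet."""
    _, _, length, rid, _, _, autype, auth = OSPF_HDR.unpack_from(packet)
    info = {"router_id": str(IPv4Address(rid)), "autype": autype}
    if autype == AU_SIMPLE:
        info["password"] = auth.rstrip(b"\x00").decode()  # readable by anyone sniffing
    elif autype == AU_CRYPTO:
        _, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
        info.update(key_id=key_id, sequence=seq,
                    algorithm=DIGEST_BY_LEN.get(auth_len, "unknown(%d)" % auth_len),
                    digest=packet[length:length + auth_len].hex())  # the key itself is absent
    return info


def verify_md5(packet: bytes, key: str, last_seq: int = -1) -> bool:
    """Receiver-side check for method #3: recompute the digest with the shared key and
    reject replays whose cryptographic sequence number went backwards."""
    _, _, length, _, _, _, autype, auth = OSPF_HDR.unpack_from(packet)
    if autype != AU_CRYPTO:
        return False
    _, _, auth_len, seq = struct.unpack("!HBBI", auth)
    if auth_len != 16 or seq < last_seq:
        return False
    expected = hashlib.md5(packet[:length] + key.encode().ljust(16, b"\x00")).digest()
    return hmac.compare_digest(expected, packet[length:length + 16])


if __name__ == "__main__":
    print(inspect(simple_auth_packet("1.1.1.1", "cisco")))          # password visible
    pkt = md5_auth_packet("1.1.1.1", 1, 0x5E4D3C2B, "letsconfig")
    print(inspect(pkt))                                              # key ID and digest only
    print(verify_md5(pkt, "letsconfig"), verify_md5(pkt, "wrong"))  # True False
```

Run it to see the plain text password printed straight out of the AuType 1 header, while the AuType 2 packet yields only the key ID, the sequence number and a digest that cannot be verified without the key. A digest mismatch, a wrong key or a sequence number lower than the last accepted one all make verify_md5 return False, which is exactly what the router does when it drops the packet.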

Method #4 : OSPFv2 HMAC-SHA Cryptographic Authentication

Router – R1

First we need to configure Key chain.

R1(config)#key chain 1
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string letsconfig
R1(config-keychain-key)#cryptographic-algorithm hmac-sha-512
R1(config-keychain-key)#exit
R1(config-keychain)#exit
R1(config)#

Here I named the key chain 1. The name is locally significant, so the peer does not need to use the same name. What must match on both sides is the key ID (1), the key-string (“letsconfig” in this example) and the cryptographic algorithm, because the key ID is carried in every packet and tells the receiver which key to use. A key chain can also hold several keys with send-lifetime and accept-lifetime, which lets you rotate keys on a schedule without dropping the adjacency.

R1(config)#router ospf 1
R1(config-router)#router-id 1.1.1.1
R1(config-router)#exit
R1(config)#

R1(config)#int gig0/0
R1(config-if)#ip add 10.1.1.1 255.255.255.252
R1(config-if)#ip ospf 1 area 0
R1(config-if)#ip ospf authentication
R1(config-if)#ip ospf authentication key-chain 1
R1(config-if)#exit
R1(config)#

Router – R2

Here is the key chain for R2.

R2(config)#key chain 1
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string letsconfig
R2(config-keychain-key)#cryptographic-algorithm hmac-sha-512
R2(config-keychain-key)#exit
R2(config-keychain)#exit
R2(config)#
R2(config)#router ospf 1
R2(config-router)#router-id 2.2.2.2
R2(config-router)#exit
R2(config)#

R2(config)#int gig0/0
R2(config-if)#ip add 10.1.1.2 255.255.255.252
R2(config-if)#ip ospf 1 area 0
R2(config-if)#ip ospf authentication
R2(config-if)#ip ospf authentication key-chain 1

If we configure it correctly, within a few moments we will see a message like the one below:

*Jul 31 19:17:56.466: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on GigabitEthernet0/0 from LOADING to FULL, Loading Done

Now, let's verify our HMAC-SHA cryptographic authentication. The last two lines of the output below are what to look for: the authentication type and the key and algorithm actually being sent.

R1# sh ip ospf interface
GigabitEthernet0/0 is up, line protocol is up
  Internet Address 10.1.1.1/30, Area 0, Attached via Interface Enable
  Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           1         no          no            Base
  Enabled by interface config, including secondary ip addresses
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 2.2.2.2, Interface address 10.1.1.2
  Backup Designated router (ID) 1.1.1.1, Interface address 10.1.1.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:00
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 1/1/1, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 1 msec, maximum is 1 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 2.2.2.2  (Designated Router)
  Suppress hello for 0 neighbor(s)
  Cryptographic authentication enabled
    Sending SA: Key 1, Algorithm HMAC-SHA-512 - key chain 1
R1#

Written by Rajib Kumer Das

I am Rajib Kumer Das, a network engineer with 7+ years of experience in multi-vendor environments. In my current company, I am responsible for taking care of critical projects and their support cases. I have several vendor certificates and plan to go further.
