Cisco Network Security Little Black Book - Joe Harris.pdf

Configuring OSPF Authentication

Open Shortest Path First (OSPF) supports two forms of authentication: plain text and MD5. Plain text authentication should be used only when neighboring devices do not support the more secure MD5 authentication. To configure plain text authentication of OSPF packets, follow these steps:

1. In interface configuration mode, use the ip ospf authentication-key <key> command. The key that is specified is the plain text password that will be used for authentication.

2. Enter OSPF configuration mode using the router ospf <process-id> command. Then use the area <area-id> authentication command to configure plain text authentication of OSPF packets for an area.

Referring to Figure 1.4, we will configure Router A and Router B for plain text authentication of OSPF packets. Listing 1.9 and Listing 1.10 display each router's configuration.

Figure 1.4: Router A and Router B configured for OSPF authentication.

Listing 1.9: Router A configured to authenticate OSPF packets using plain text authentication.

interface Loopback0
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
 ip address 10.10.11.1 255.255.255.0
!
interface Serial0/0
 ip address 192.168.10.1 255.255.255.252
 ip ospf authentication-key security
 clockrate 64000
!
router ospf 60
 area 0 authentication
 network 10.10.10.0 0.0.0.255 area 10
 network 10.10.11.0 0.0.0.255 area 11
 network 192.168.10.0 0.0.0.255 area 0

Listing 1.10: Router B configured to authenticate OSPF packets using plain text authentication.

interface Loopback0
 ip address 10.10.12.1 255.255.255.0
!
interface Ethernet0/0
 ip address 10.10.13.1 255.255.255.0
!
interface Serial0/0
 ip address 192.168.10.2 255.255.255.252
 ip ospf authentication-key security
!
router ospf 50
 area 0 authentication
 network 10.10.12.0 0.0.0.255 area 12
 network 10.10.13.0 0.0.0.255 area 13
 network 192.168.10.0 0.0.0.255 area 0


In Listing 1.9 and Listing 1.10, plain text authentication is configured to authenticate updates across area 0. By issuing the show ip ospf <process-id> command, you can determine if plain text authentication is properly configured for each area. Here is an example of the output for the show ip ospf command:

Router-B#show ip ospf 50
 Routing Process "ospf 50" with ID 10.10.13.1
 ......
    Area BACKBONE(0)
        Number of interfaces in this area is 1
        Area has simple password authentication
        SPF algorithm executed 7 times

To configure MD5 authentication of OSPF packets, follow the steps outlined here:

1. From interface configuration mode, enable the authentication of OSPF packets using MD5 with the following command:

ip ospf message-digest-key <key-id> md5 <key>

The value of the key-id allows passwords to be changed without having to disable authentication.

2. Enter OSPF configuration mode using the router ospf <process-id> command. Then configure MD5 authentication of OSPF packets for an area using this command:

area <area-id> authentication message-digest

This time, Routers A and B will be configured to authenticate packets across the backbone using the MD5 version of authentication. Listing 1.11 shows the configuration for Router A, and Listing 1.12 shows Router B's configuration.

Listing 1.11: Router A configured for MD5 authentication.

interface Loopback0
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
 ip address 10.10.11.1 255.255.255.0
!
interface Serial0/0
 ip address 192.168.10.1 255.255.255.252
 ip ospf message-digest-key 15 md5 miller
 clockrate 64000
!
router ospf 60
 area 0 authentication message-digest
 network 10.10.10.0 0.0.0.255 area 10
 network 10.10.11.0 0.0.0.255 area 11
 network 192.168.10.0 0.0.0.255 area 0

Listing 1.12: Router B configured for MD5 authentication.

interface Loopback0
 ip address 10.10.12.1 255.255.255.0


!
interface Ethernet0/0
 ip address 10.10.13.1 255.255.255.0
!
interface Serial0/0
 ip address 192.168.10.2 255.255.255.252
 ip ospf message-digest-key 15 md5 miller
!
router ospf 50
 area 0 authentication message-digest
 network 10.10.12.0 0.0.0.255 area 12
 network 10.10.13.0 0.0.0.255 area 13
 network 192.168.10.0 0.0.0.255 area 0

When you use the ip ospf message-digest-key command, the key-id value allows the password to be changed without having to disable authentication.

Note: For OSPF, authentication passwords do not have to be the same throughout the area, but the key-id value and the password must be the same between neighbors.

Using the show ip ospf <process-id> command again, you can see that it now states that MD5 authentication is being used across area 0:

Router-A#sh ip ospf 60
 Routing Process "ospf 60" with ID 10.10.11.1
 ......
    Area BACKBONE(0)
        Number of interfaces in this area is 1
        Area has message digest authentication
        SPF algorithm executed 4 times

As noted earlier, the key id value and the passwords must be the same between neighbors. If you change the key id value to a number other than 15 on Router A, authentication should not take place and OSPF should get mad. Here is the changed configuration:

interface Serial0/0
 ip address 192.168.10.1 255.255.255.252
 ip ospf message-digest-key 30 md5 miller
 clockrate 64000
!
router ospf 60
 area 0 authentication message-digest
 network 10.10.10.0 0.0.0.255 area 10
 network 10.10.11.0 0.0.0.255 area 11
 network 192.168.10.0 0.0.0.255 area 0

Notice that it has been changed to a value of 30. The following lines show what OSPF has to say about this:

Router-A#debug ip ospf events
OSPF events debugging is on
Router-A#
00:03:58: OSPF: Send with youngest Key 30


00:04:04: OSPF: Rcv pkt from 192.168.10.2, Ethernet0/0 : Mismatch Authentication Key - No message digest key 15 on Interface

OSPF is obviously not happy. If you change the key value back, everything should again be all right. As mentioned earlier, the key id value allows passwords to be changed without having to disable authentication. Listing 1.13 and Listing 1.14 display the configuration of Router A and Router B with multiple keys and passwords configured.

Listing 1.13: Router A configured with multiple keys and passwords.

interface Loopback0
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
 ip address 10.10.11.1 255.255.255.0
!
interface Serial0/0
 ip address 192.168.10.1 255.255.255.252
 ip ospf message-digest-key 15 md5 miller
 ip ospf message-digest-key 20 md5 ampaq
 clockrate 64000
!
router ospf 60
 area 0 authentication message-digest
 network 10.10.10.0 0.0.0.255 area 10
 network 10.10.11.0 0.0.0.255 area 11
 network 192.168.10.0 0.0.0.255 area 0

Listing 1.14: Router B configured with multiple keys and passwords.

interface Loopback0
 ip address 10.10.12.1 255.255.255.0
!
interface Ethernet0/0
 ip address 10.10.13.1 255.255.255.0
!
interface Serial0/0
 ip address 192.168.10.2 255.255.255.252
 ip ospf message-digest-key 15 md5 miller
 ip ospf message-digest-key 20 md5 ampaq
!
router ospf 50
 area 0 authentication message-digest
 network 10.10.12.0 0.0.0.255 area 12
 network 10.10.13.0 0.0.0.255 area 13
 network 192.168.10.0 0.0.0.255 area 0

As a result of this configuration, Routers A and B will send duplicate copies of each OSPF packet out of their serial interfaces: one authenticated using key number 15, the other authenticated using key number 20. Once each router has received from the other OSPF packets authenticated with key 20, both stop sending packets with key number 15 and use only key number 20. At this point, you can delete key number 15, which is how passwords are changed without disabling authentication.
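As an added example (not from the book), the following Python model of RFC 2328 cryptographic authentication shows why the key 30 versus key 15 change above fails and why the duplicate sends during the key 15 to key 20 rollover succeed: the sender appends MD5(packet || key) and carries only the key id in the header, and the receiver looks that key id up in its own message-digest-key table before it checks the digest. The packet layout follows RFC 2328 Appendix D; zero-padding short keys to 16 bytes is an assumption about IOS behaviour, and the key ids and passwords are the ones from the listings.

```python
import hashlib
import hmac
import struct

AU_CRYPTOGRAPHIC = 2   # OSPF AuType for MD5 cryptographic authentication
MD5_LEN = 16           # length of the digest appended after the packet


def ospf_md5_digest(packet, key):
    """MD5 over the packet with the key appended (RFC 2328 D.4.3).
    Keys shorter than 16 bytes are zero-padded (assumed IOS behaviour)."""
    padded = key.encode()[:MD5_LEN].ljust(MD5_LEN, b"\x00")
    return hashlib.md5(packet + padded).digest()


def build_packet(body, key_id, key, seq, router_id=b"\xc0\xa8\x0a\x01"):
    """Hello-type OSPFv2 packet in area 0 with AuType 2 and an MD5 trailer.
    With cryptographic auth the header checksum is unused and sent as 0."""
    length = 24 + len(body)
    header = struct.pack("!BBH4s4sHH", 2, 1, length, router_id,
                         b"\x00\x00\x00\x00", 0, AU_CRYPTOGRAPHIC)
    # 64-bit authentication field: zero, Key ID, Auth Data Length, sequence.
    auth = struct.pack("!HBBI", 0, key_id, MD5_LEN, seq)
    packet = header + auth + body
    return packet + ospf_md5_digest(packet, key)


def send_all_keys(body, keychain, seq):
    """During a rollover the router sends one copy per configured key."""
    return [build_packet(body, kid, key, seq) for kid, key in keychain.items()]


def verify_packet(data, keychain):
    """Receiver side. keychain maps key id -> password, i.e. the interface's
    'ip ospf message-digest-key <id> md5 <key>' lines. Returns (ok, reason)."""
    if len(data) < 24 + MD5_LEN:
        return False, "short packet"
    length = struct.unpack("!H", data[2:4])[0]
    autype = struct.unpack("!H", data[14:16])[0]
    if autype != AU_CRYPTOGRAPHIC:
        return False, "Mismatch Authentication type"
    key_id, digest_len = data[18], data[19]
    if key_id not in keychain:
        # Same condition the debug output above reports for key 30 vs 15.
        return False, "Mismatch Authentication Key - No message digest key %d on Interface" % key_id
    if digest_len != MD5_LEN or len(data) < length + MD5_LEN:
        return False, "bad authentication data length"
    packet, trailer = data[:length], data[length:length + MD5_LEN]
    if not hmac.compare_digest(ospf_md5_digest(packet, keychain[key_id]), trailer):
        return False, "Mismatch Authentication Key - bad digest"
    return True, "ok"
```

Feeding send_all_keys({15: "miller", 20: "ampaq"}) packets to a peer that still has only key 15 accepts the key 15 copy and rejects the key 20 copy, which is exactly why the new key must be added on both routers before the old one is deleted.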
