OSPF Authentication


OSPF supports two types of Authentication:
 1. Plain Text (64-bit Password)

    (config-if)#ip ospf authentication-key ^&*(^*&&%
   
 2. MD5 (ID + 128-bit Password):

    (config-if)#ip ospf message-digest-key 1 MD5 ^&*^&^*


You can enable the OSPF Authentication:

 1. Globally on the Router, in the "router ospf" configuration, so it's enabled on all the Interfaces in that Area
   
     (config-router)#area 0 authentication [message-digest]

*If you enable the Authentication globally on the routing process configuration, keep in mind that you MUST configure the Authentication Key on ALL the OSPF Interfaces. If you need to DISABLE the authentication on some of the interfaces, use the following Interface command:
    (config-if)#ip ospf authentication null


**When you have the Authentication enabled for only one of the Areas within the OSPF process, it will BREAK all the Virtual Links to the non-authenticated Areas, and you will get the following message:
*May  1 14:58:46.971: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on OSPF_VL1 from FULL to DOWN, Neighbor Down: Interface down or detached
The router will also not receive any Inter-area routes (marked as O IA in the Routing Table)


 2. Directly on the Interface

    (config-if)#ip ospf authentication [message-digest]
   
*When you configure per-interface Authentication, the other routers DO NOT NEED TO HAVE THE AUTHENTICATION ENABLED!

Check what type of OSPF Authentication has been configured and what Key/Password is applied:

Cisqueros_R1#show ip ospf interface s1/0.12

Serial1/0.12 is up, line protocol is up 
  Internet Address 10.1.12.1/24, Area 0 
  Process ID 1, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 64
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           64        no          no            Base
  Transmit Delay is 1 sec, State POINT_TO_POINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:01
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1 
    Adjacent with neighbor 2.2.2.2
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled <--- AUTHENTICATION TYPE
    Youngest key id is 1 <--- THE APPLIED AUTHENTICATION KEY

If you need to seamlessly change the authentication key, here is how it's done:
 1. Add a second MD5 authentication key (Key 2) on the interface
 2. Verify that both keys are configured using the "show ip ospf interface" command from above. Note that these lines will be added to the bottom of the output:

   Message digest authentication enabled
    Youngest key id is 2
    Rollover in progress, 1 neighbor(s) using the old key(s):
      key id 1

 3. Configure Key 2 on the Neighbor routers, and run the same show command again. You will notice that the output changes to:

   Message digest authentication enabled
    Youngest key id is 2

 4. It is now safe to remove Key 1. KEY NUMBERS HAVE NOTHING TO DO WITH THE ORDER!!! This means that the next time you need to change keys, you can use Key 1 again with a different password.
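As an added illustration (not code from the original post or from Cisco), here is a small Python model of what the MD5 option puts on the wire and why the rollover above works: the key is zero-padded to 16 octets (the "128-bit password"), the Key ID travels in the OSPF header so a receiver selects the key by id rather than by number order, and while a neighbor still uses an older key the sender emits one copy per configured key (RFC 2328 Appendix D). The router/area ids, Hello body and key values used for checking are constructed.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 24   # OSPFv2 header; the 16-byte MD5 digest is appended after the packet
AUTH_CRYPTO = 2   # AuType 2 = cryptographic authentication (RFC 2328 Appendix D)
DIGEST_LEN = 16

def pad_key(key: bytes) -> bytes:
    # The "128-bit password": keys shorter than 16 octets are zero-padded.
    if len(key) > DIGEST_LEN:
        raise ValueError("MD5 key is at most 16 octets")
    return key.ljust(DIGEST_LEN, b"\x00")

def ospf_packet(ptype, body, router_id, area_id, key_id, seq):
    # Checksum is 0 under crypto auth; the 8-byte Authentication field carries a zero word,
    # the Key ID, the digest length and the cryptographic sequence number.
    rid = bytes(int(o) for o in router_id.split("."))
    aid = bytes(int(o) for o in area_id.split("."))
    return struct.pack("!BBH4s4sHHHBBI", 2, ptype, HEADER_LEN + len(body), rid, aid,
                       0, AUTH_CRYPTO, 0, key_id, DIGEST_LEN, seq) + body

def sign(packet: bytes, key: bytes) -> bytes:
    # digest = MD5(packet || padded key); it trails the packet and is not counted in its length
    return packet + hashlib.md5(packet + pad_key(key)).digest()

def verify(wire: bytes, keys: dict) -> tuple:
    # The receiver picks the key by the Key ID in the header, so any configured id is accepted
    # regardless of its number: ids carry no order, and an old id can be reused with a new key.
    packet, digest = wire[:-DIGEST_LEN], wire[-DIGEST_LEN:]
    if len(packet) < HEADER_LEN or struct.unpack_from("!H", packet, 14)[0] != AUTH_CRYPTO:
        return False, "not an MD5-authenticated OSPF packet"
    key_id = packet[18]
    if key_id not in keys:
        return False, f"no key id {key_id} configured"
    expected = hashlib.md5(packet + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, digest):
        return False, f"bad digest for key id {key_id}"
    return True, f"key id {key_id}"

def rollover_copies(body, router_id, area_id, seq, keys: dict, neighbor_key_ids: set) -> list:
    # "Youngest key" = the most recently configured one (dict insertion order), not the highest id.
    # While any neighbor still uses an older key, one copy per configured key is sent
    # ("Rollover in progress"); once every neighbor has moved to the youngest key only it is used.
    youngest = list(keys)[-1]
    active = keys if neighbor_key_ids - {youngest} else {youngest: keys[youngest]}
    return [sign(ospf_packet(1, body, router_id, area_id, kid, seq), k) for kid, k in active.items()]
```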


