OSPF authentication

OSPF can be configured to authenticate every OSPF message. This is usually done to prevent a rogue router from injecting false routing information and therefore causing a Denial-of-Service attack.

Two types of authentication can be used:
1.    clear text authentication – clear text passwords are used
2.    MD5 authentication – MD5 authentication is used. This type of authentication is more secure because the password doesn’t go in clear-text over the network.

NOTE
With OSPF authentication turned on, routers must pass the authentication process before becoming OSPF neighbors.

 

To configure clear text authentication, the following steps are required:

  1. configure the OSPF password on the interface by using the ip ospf authentication-key PASSWORD interface command
  2. configure the interface to use OSPF clear-text authentication by using the ip ospf authentication interface command

 

In the following example, we will configure OSPF clear-text authentication.

ospf authentication topology

Both routers are running OSPF. On R1, we need to enter the following commands:

ospf authentication configuration 1

The same commands have to be entered on R2:

ospf authentication configuration 2
To verify that clear-text authentication is indeed turned on, we can use the show ip ospf interface INTERFACE_NUMBER/INTERFACE_TYPE command on either router:

show ip ospf interface simple password

Configuring OSPF MD5 authentication is very similar to configuring clear-text authentication. Two commands are also used:

  1. First you need to configure the MD5 value on an interface by using the ip ospf message-digest-key 1 md5 VALUE interface command
  2. Next, you need to configure the interface to use MD5 authentication by using the ip ospf authentication message-digest interface command

 

Here is an example configuration on R1:

ospf authentication configuration md5

You can verify that R1 is using OSPF MD5 authentication by typing the show ip ospf INTERFACE/INTERFACE_TYPE command:

show ip ospf interface md5

NOTE
OSPF authentication type can also be enabled on an area basis, instead of configuring OSPF authentication type per interface basis. This is done by using the area AREA_ID authentication [message-digest] command under the OSPF configuration mode. If you omit the message-digest keyword, a clear-text authentication will be used for that area. All interfaces inside the area will use OSPF authentication.
upravnik