A variety of risks exist when deploying a routing protocol in a network. It’s very much true for OSPF. It’s because, OSPF does not have any built in authentication mechanism for peers. You need to configure OSPF Authentication, to make your neighbor establishment secure.
Today we will configure OSPF authentication for our demo network. So, let’s start.
- How to configure OSPF in Cisco Router
- How to Configure OSPF Authentication (this article)
Before going to configuration, please keep in mind, according different documents and RFC. We have 4 authentication methods in OSPF. These are –
- Null
- A plain text password
- MD5 key
- OSPFv2 HMAC-SHA Cryptographic Authentication
We will check each on them and implement on our network. Below are the IP and connection details for this lab.
Now, take a look on current configuration of each router.
Router : R1
router ospf 1 router-id 1.1.1.1 interface GigabitEthernet0/0 ip address 10.1.1.1 255.255.255.252 ip ospf 1 area 0
Router : R2
router ospf 2 router-id 2.2.2.2 interface GigabitEthernet0/0 ip address 10.1.1.2 255.255.255.252 ip ospf 2 area 0
If you need more instruction to configure OSPF, please read How to configure OSPF in Cisco Router.
Now move to the main part –
OSPF Authentication Method #1 : Null
This is the default configuration where routers do not exchange keys. Here we just need to enable OSPF and configure network for it. Please check above mentioned article for that.
Method #2 : A plain text password
Router – R1
R1(config)#interface GigabitEthernet0/0 R1(config-if)# ip address 10.1.1.1 255.255.255.252 R1(config-if)# ip ospf authentication R1(config-if)# ip ospf authentication-key cisco R1(config-if)# ip ospf 1 area 0 R1(config-if)#exit
Router – R2
R2(config)#interface GigabitEthernet0/0 R2(config-if)# ip address 10.1.1.2 255.255.255.252 R2(config-if)# ip ospf authentication R2(config-if)# ip ospf authentication-key cisco R2(config-if)# ip ospf 2 area 0 R2(config-if)#exi
Verify
R1#sh ip ospf interface GigabitEthernet0/0 is up, line protocol is up Internet Address 10.1.1.1/30, Area 0, Attached via Interface Enable Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1 Topology-MTID Cost Disabled Shutdown Topology Name 0 1 no no Base Enabled by interface config, including secondary ip addresses Transmit Delay is 1 sec, State BDR, Priority 1 Designated Router (ID) 2.2.2.2, Interface address 10.1.1.2 Backup Designated router (ID) 1.1.1.1, Interface address 10.1.1.1 Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 oob-resync timeout 40 Hello due in 00:00:00 Supports Link-local Signaling (LLS) Cisco NSF helper support enabled IETF NSF helper support enabled Index 1/1/1, flood queue length 0 Next 0x0(0)/0x0(0)/0x0(0) Last flood scan length is 1, maximum is 1 Last flood scan time is 1 msec, maximum is 1 msec Neighbor Count is 1, Adjacent neighbor count is 1 Adjacent with neighbor 2.2.2.2 (Designated Router) Suppress hello for 0 neighbor(s) Simple password authentication enabled
Method #3 : MD5 key
Router – R1
R1(config)# R1(config)#interface GigabitEthernet0/0 R1(config-if)# ip address 10.1.1.1 255.255.255.252 R1(config-if)# ip ospf 1 area 0 R1(config-if)# ip ospf authentication message-digest R1(config-if)# ip ospf message-digest-key 1 md5 letsconfig R1(config-if)#exit R1(config)#
Router – R2
R2(config)#interface GigabitEthernet0/0 R2(config-if)# ip address 10.1.1.2 255.255.255.252 R2(config-if)# ip ospf 2 area 0 R2(config-if)# ip ospf authentication message-digest R2(config-if)# ip ospf message-digest-key 1 md5 letsconfig R2(config-if)#exit R2(config)#
Here, “letsconfig” is the key for authentication. To verify, use “sh ip ospf interface” command.
Method #4 : OSPFv2 HMAC-SHA Cryptographic Authentication
Router – R1
First we need to configure Key chain.
R1(config)#key chain 1 R1(config-keychain)#key 1 R1(config-keychain-key)#key-string letsconfig R1(config-keychain-key)#cryptographic-algorithm hmac-sha-512 R1(config-keychain-key)#exit R1(config-keychain)#exit R1(config)#
Here i named key chain as 1. It’s locally significant. Meaning, other peer does not need to have same name. We just need to match the key-string, which is “letsconfig” in this example.
R1(config)#router ospf 1 R1(config-router)#router-id 1.1.1.1 R1(config-router)#exit R1(config)# R1(config)#int gig0/0 R1(config-if)#ip add 10.1.1.1 255.255.255.252 R1(config-if)#ip ospf authentication R1(config-if)#ip ospf authentication key-chain 1 R1(config-router)#exit R1(config)#
R2
Here is the key chain for R2.
R2(config)#key chain 1 R2(config-keychain)#key 1 R2(config-keychain-key)#key-string letsconfig R2(config-keychain-key)#cryptographic-algorithm hmac-sha-512 R2(config-keychain-key)#exit R2(config-keychain)#exit R2(config)#
R2(config)#router ospf 1 R2(config-router)#router-id 2.2.2.2 R2(config-router)#exit R2(config)# R2(config)#int gig0/0 R2(config-if)#ip add 10.1.1.2 255.255.255.252 R2(config-if)#ip ospf 1 area 0 R2(config-if)#ip ospf authentication R2(config-if)#ip ospf authentication key-chain 1
If we configure it correctly, within few moments we will see a similar message like below-
*Jul 31 19:17:56.466: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on GigabitEthernet0/0 from LOADING to FULL, Loadi ng Doned
Now, lets verify our HMAC-SHA cryptographic authentication.
R1# sh ip ospf interface
GigabitEthernet0/0 is up, line protocol is up
Internet Address 10.1.1.1/30, Area 0, Attached via Interface Enable
Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1
Topology-MTID Cost Disabled Shutdown Topology Name
0 1 no no Base
Enabled by interface config, including secondary ip addresses
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 2.2.2.2, Interface address 10.1.1.2
Backup Designated router (ID) 1.1.1.1, Interface address 10.1.1.1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:00
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/1/1, flood queue length 0
Next 0x0(0)/0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 1 msec, maximum is 1 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 2.2.2.2 (Designated Router)
Suppress hello for 0 neighbor(s)
Cryptographic authentication enabled
Sending SA: Key 1, Algorithm HMAC-SHA-512 - key chain 1
R1#
100%