The OSPF MD5 authentication technique is safer than plain text authentication. OSPF authentication methods are divided into four types: Null, plain text, MD5, and cryptographic. In the next paragraphs, I explain what is OSPF MD5 authentication, its benefits, how it does work, and how to configure and verify it.
Upon the completion of this tutorial, you will be able to answer the following questions:
- Does OSPF support authentication?
- What is authentication in OSPF?
- How do OSPF packets get authenticated?
- What is OSPF MD5 authentication?
- How does OSPF MD5 authentication work?
- What is the default authentication type in OSPF?
- What is the purpose of MD5 OSPF authentication?
- Which authentication methods and mechanisms are supported in OSPF?
- How to configure OSPF MD5 authentication on Cisco IOS?
- How to verify OSPF MD5 authentication on Cisco IOS?
What is OSPF MD5 Authentication?
RFC 2328 specifies one OSPFv2 cryptographic authentication method, which is the Message-Digest 5 (MD5) algorithm only.
OSPF MD5 authentication is a security technique that prohibits routing nodes on the network from processing OSPF packets sourced from unauthorized/malicious OSPF nodes in the current OSPF routing domain.
Why Use OSPF MD5 Authentication?
By default, OSPF uses null authentication. Therefore, you should configure an OSPF authentication method to protect OSPF nodes from building adjacencies with malicious users. But, not all the different authentication mechanisms supported by OSPF are secure.
For example, hackers can find out the simple password used in this plain text authentication easily. All they need is physical access to the network so they can use particular networking and spying tools to intercept OSPF packets.
In this way, they can form false neighbor relationships with legitimate routers and inject false routing data into the OSPF routing domain. Therefore, OSPF plain text authentication compared to the MD5 and HMAC-SHA cryptographic methods is the least secure method to authenticate OSPF packets. However, even though cryptographic authentication techniques offer a high level of security, they consume more CPU cycles than the clear text method.
How Does OSPF MD5 Authentication Works?
OSPF routers build adjacencies based on network parameters without caring about security. For example, an attacker or malicious user that has physical access to the network can form adjacencies with OSPF nodes, fake OSPF packets, and influence routing decisions on the current routing domain.
When you enable an OSPF password-based authentication, OSPF inserts the password in the routing packets. If plain text authentication is enabled, the password gets stored as it is configured, as shown in the next figure that is representing a Wireshark capture of an OSPF Hello packet.
However, if MD5 authentication is active, OSPF calculates a hash based on the configured key and password, and then starts inserting it into OSPF packets, as you can see in the next figure.
The MD5 authentication type uses the MD5 algorithm to calculate a hash value based on the content of the OSPF packet and a pre-configured key/password pair. The hash value is advertised in OSPF packets. When a router receives an OSPF packet, it accepts the packet if the hash value configured for the interface on which the OSPF packet was received is the same as the hash in that packet.
In the rest of this tutorial, I will be using the following network topology.
All routers are in area 0. Here are the configurations applied to the routers.
Router R1 | Router R2 | Router R3 | Router R4 |
How To Configure OSPF MD5 Authentication on Cisco IOS?
Cisco IOS supports OSPF MD5 authentication. You can configure it on a per-area or per-interface basis. Besides, the authentication key and password can be set only on a per-interface basis. This way you have the flexibility to set up different key and password pairs to protect OSPF packets sent between neighbors.
To configure OSPF MD5 authentication per area on Cisco IOS, follow these steps:
- Step 1. Select an OSPF process using the router ospf command.
- Step 2. Issue the area area-id authentication message-digest command, where area-id is the ID of the area on which you want to enable MD5 authentication.
- Step 3. Under each interface in the area, issue the ip ospf message-digest-key key md5 pwd command, where key is an integer between 1 and 255, pwd is the string that should not exceed 16 characters.
In these examples, we enable MD5 authentication on area 0 using 20 and CISCO as the key and password.
Router R1
R1(config)# router ospf 1 R1(config-router)# area 0 authentication message-digest R1(config-router)# R1(config-router)# interface gigabitethernet 0/2 R1(config-if)# ip ospf message-digest-key 20 md5 CISCO R1(config-if)# R1(config-if)# interface gigabitethernet 0/4 R1(config-if)# ip ospf message-digest-key 20 md5 CISCO
Router R2
R2(config)# router ospf 1 R2(config-router)# area 0 authentication message-digest R2(config-router)# R2(config-router)# interface gigabitethernet 0/1 R2(config-if)# ip ospf message-digest-key 20 md5 CISCO R2(config-if)# R2(config-if)# interface gigabitethernet 0/3 R2(config-if)# ip ospf message-digest-key 20 md5 CISCO
Router R3
R3(config)# router ospf 1 R3(config-router)# area 0 authentication message-digest R3(config-router)# R3(config-router)# interface gigabitethernet 0/2 R3(config-if)# ip ospf message-digest-key 20 md5 CISCO R3(config-if)# R3(config-if)# interface gigabitethernet 0/4 R3(config-if)# ip ospf message-digest-key 20 md5 CISCO
Router R4
R4(config)# router ospf 1 R4(config-router)# area 0 authentication message-digest R4(config-router)# R4(config-router)# interface gigabitethernet 0/1 R4(config-if)# ip ospf message-digest-key 20 md5 CISCO R4(config-if)# R4(config-if)# interface gigabitethernet 0/3 R4(config-if)# ip ospf message-digest-key 20 md5 CISCO
Moreover, here are the steps to configure the same authentication type on a particular interface:
- Step 1. Issue the ip ospf authentication message-digest command in interface configuration mode to tell OSPF to protect OSPF packets using the MD5 authentication type.
- Step 2. In the same configuration mode, issue the ip ospf message-digest-key key md5 pwd command, where key is an integer between 1 and 255, pwd is the string that should not exceed 16 characters.
The ip ospf message-digest-key command accepts spaces but omits those at the start of the password. The password should not exceed 16 characters and can include any ASCII symbol, including the question mark “?”.
If you enter more than 16 characters, Cisco IOS considers the first sixteen characters and dismisses the remaining ones. For example, if we set up MD5 authentication in subnet 10.0.12.0/24 using 20 as the key and these two different passwords: CISCO1234567890@ and CISCO1234567890@#$%, routers R1 and R2 can still form an adjacency because they use the same key and the first sixteen characters in the passwords are the same.
In these examples, we configure OSPF MD5 authentication in subnet 10.0.23.0/24 using 12 and CISCO as the key and password.
Router R1
R1(config)# interface GigabitEthernet0/2 R1(config-if)# ip ospf authentication message-digest R1(config-if)# ip ospf message-digest-key 12 md5 CISCO
Router R2
R2(config)# interface GigabitEthernet0/1 R2(config-if)# ip ospf authentication message-digest R2(config-if)# ip ospf message-digest-key 12 md5 CISCO
How To Configure OSPF MD5 Authentication on Cisco IOS Using Key Chain Objects?
You can configure OSPF MD5 authentication on an interface using the ip ospf authentication-key kc command in interface configuration mode, where kc is a key chain object. This method allows you to use two keys at the same time. For example, you may want to use key 1 and password CISCO to generate OSPF packets, while you use key 2 and password CISCO2 to authenticate received OSPF packets.
In the next OSPF configurations, we enable OSPF MD5 authentication in subnet 10.0.34.0/24 according to the following requirements:
Router | Key | Role | |
Key ID | Password | ||
R3 | 1 | CISCO1 | Authenticate R4’s OSPF packets |
2 | CISCO2 | Generate OSPF packets sent to R4 | |
R4 | 1 | CISCO1 | Generate OSPF packets sent to R3 |
2 | CISCO2 | Authenticate R3’s OSPF packets |
Router R3
R3(config)# key chain R3R4 R3(config-keychain)# key 1 R3(config-keychain-key)# key-string CISCO1 R3(config-keychain-key)# cryptographic-algorithm md5 R3(config-keychain-key)# send-lifetime 00:00:00 1 jan 2000 duration 1 R3(config-keychain-key)# R3(config-keychain-key)# key 2 R3(config-keychain-key)# key-string CISCO2 R3(config-keychain-key)# cryptographic-algorithm md5 R3(config-keychain-key)# accept-lifetime 00:00:00 1 jan 2000 duration 1 R3(config-keychain-key)# R3(config-keychain-key)# interface GigabitEthernet 0/4 R3(config-if)# ip ospf authentication key-chain R3R4
Router R4
R4(config)# key chain R4R3 R4(config-keychain)# key 1 R4(config-keychain-key)# key-string CISCO1 R4(config-keychain-key)# cryptographic-algorithm md5 R4(config-keychain-key)# accept-lifetime 00:00:00 1 jan 2000 duration 1 R4(config-keychain-key)# R4(config-keychain-key)# key 2 R4(config-keychain-key)# key-string CISCO2 R4(config-keychain-key)# cryptographic-algorithm md5 R4(config-keychain-key)# send-lifetime 00:00:00 1 jan 2000 duration 1 R4(config-keychain-key)# R4(config-keychain-key)# interface GigabitEthernet 0/3 R4(config-if)# ip ospf authentication key-chain R4R3
By default, when you do not specify the accept-lifetime command, the key gets used to authenticate OSPF packets indefinitely. Likewise, when you do not issue the send-lifetime command, the key gets used to authenticate OSPF packets continuously.
Since router R3 should use key 1 only to authenticate R4’s OSPF packets, we configure the router to not use the key when sending OSPF packets to R4 by configuring key 1’s sending stop time and date to 1st Jan 1970 – 00:00:00 + 1 second. This way key 1 is expired and won’t be used for generating OSPF packets on R3. However, key 1 is used for authenticating R4’s OSPF packets because the end of key 1’s accept lifetime is set to infinity, which is the default value.
Similarly, we set the accept lifetime’s end of key 2 on R3 to a value that is less than the current time and date. Therefore, R3 uses key 2 to only generate OSPF packets sent to R4.
Finally, we configure router R4 using the same logic as for router R3.
How To Verify OSPF MD5 Authentication on Cisco IOS?
On Cisco IOS, you can use the show ip ospf and show ip ospf interface commands to troubleshoot and verify OSPF MD5 authentication. The show ip ospf command indicates what type of authentication is applied to each area.
R1# show ip ospf Routing Process "ospf 1" with ID 1.1.1.1 Start time: 00:00:41.833, Time elapsed: 02:25:01.316 Supports only single TOS(TOS0) routes Supports opaque LSA Supports Link-local Signaling (LLS) Supports area transit capability Supports NSSA (compatible with RFC 3101) Supports Database Exchange Summary List Optimization (RFC 5243) Event-log enabled, Maximum number of events: 1000, Mode: cyclic Router is not originating router-LSAs with maximum metric Initial SPF schedule delay 5000 msecs Minimum hold time between two consecutive SPFs 10000 msecs Maximum wait time between two consecutive SPFs 10000 msecs Incremental-SPF disabled Minimum LSA interval 5 secs Minimum LSA arrival 1000 msecs LSA group pacing timer 240 secs Interface flood pacing timer 33 msecs Retransmission pacing timer 66 msecs EXCHANGE/LOADING adjacency limit: initial 300, process maximum 300 Number of external LSA 0. Checksum Sum 0x000000 Number of opaque AS LSA 0. Checksum Sum 0x000000 Number of DCbitless external and opaque AS LSA 0 Number of DoNotAge external and opaque AS LSA 0 Number of areas in this router is 1. 1 normal 0 stub 0 nssa Number of areas transit capable is 0 External flood list length 0 IETF NSF helper support enabled Cisco NSF helper support enabled Reference bandwidth unit is 100 mbps Area BACKBONE(0) Number of interfaces in this area is 2 Area has message digest authentication omitted output
The show ip ospf interface indicates the authentication method attached to each interface.
R1# show ip ospf interface gigabitEthernet 0/1
%OSPF: OSPF not enabled on GigabitEthernet0/1
R1#show ip ospf interface gigabitEthernet 0/2
GigabitEthernet0/2 is up, line protocol is up
Internet Address 10.0.12.1/24, Area 0, Attached via Network Statement
Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1
Topology-MTID Cost Disabled Shutdown Topology Name
0 1 no no Base
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 2.2.2.2, Interface address 10.0.12.2
Backup Designated router (ID) 1.1.1.1, Interface address 10.0.12.1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:05
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/1/1, flood queue length 0
Next 0x0(0)/0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 2
Last flood scan time is 0 msec, maximum is 1 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 2.2.2.2 (Designated Router)
Suppress hello for 0 neighbor(s)
Cryptographic authentication enabled
Youngest key id is 12
Related Lessons to OSPF MD5 Authentication
- OSPF
- OSPF Router ID
- OSPF Null Authentication
- OSPF Plain Text Authentication
- OSPF Default Route
- Basic OSPF Configuration Lab for CCNA
- OSPF Configuration
- OSPF Passive Interface
- OSPF Virtual Link
- OSPF Stub Area
- OSPF LSA Types
- OSPF Graceful Restart
- OSPF Totally Stubby Area
- OSPF Reference Bandwidth
- OSPF Cost
- OSPF DR/BDR Election
- OSPF Hello and Dead Interval
- OSPF Metric
- OSPF MD5 Authentication
- OSPF HMAC-SHA Cryptographic Authentication
- OSPF Multi-Area
- OSPF TTL Security Check
- OSPF Graceful Shutdown
- Route Redistribution between OSPF and RIP
- OSPF Network Types
- OSPF Totally NSSA Area
- OSPF NSSA Area
- OSPF Summarization
- OSPF Route Filtering
- OSPF Type 5 LSA Filtering
- OSPF ABR Type 3 LSA Filtering
- OSPF Prefix Suppression
- OSPF Path Selection
- OSPF LSA Throttling
- OSPF SPF Throttling
- OSPF Incremental SPF
- OSPF Non-Broadcast Network Type
- OSPF Point-to-Point Network Type
- OSPF Broadcast Network Type
- OSPF Point-to-Multipoint Network Type
- OSPF vs RIP
- OSPF LSA Group Pacing
- OSPF LSA Flood Pacing
- OSPF LSA Retransmission Pacing
- Troubleshooting OSPF Neighbor Adjacency
- Troubleshooting OSPF Route Installation
- Troubleshooting OSPF Route Advertisement
- OSPF Stub Router
Conclusion
I hope this blog post helps you learn something.
Now I’d like to turn it over to you:
What did you like about this tutorial?
Or maybe you have an excellent idea that you think I need to add.
Either way, let me know by leaving a comment below right now.