
OSPF MD5 Authentication Explained + Configuration on Cisco IOS

OSPF MD5 authentication is safer than plain-text authentication. The OSPFv2 packet header defines three authentication types: null (AuType 0), simple password (AuType 1) and cryptographic (AuType 2). On Cisco IOS the cryptographic type means MD5 as specified in RFC 2328 or, when you use key chains, HMAC-SHA as specified in RFC 5709. In the next paragraphs, I explain what OSPF MD5 authentication is, its benefits, how it works, and how to configure and verify it.

Upon the completion of this tutorial, you will be able to answer the following questions:

  • Does OSPF support authentication?
  • What is authentication in OSPF?
  • How do OSPF packets get authenticated?
  • What is OSPF MD5 authentication?
  • How does OSPF MD5 authentication work?
  • What is the default authentication type in OSPF?
  • What is the purpose of MD5 OSPF authentication?
  • Which authentication methods and mechanisms are supported in OSPF?
  • How to configure OSPF MD5 authentication on Cisco IOS?
  • How to verify OSPF MD5 authentication on Cisco IOS?

What is OSPF MD5 Authentication?

RFC 2328 (Appendix D) specifies a single cryptographic authentication method for OSPFv2: keyed MD5, where a shared secret is mixed into an MD5 digest of every packet. RFC 5709 later added HMAC-SHA variants under the same cryptographic authentication type.

OSPF MD5 authentication is a security mechanism that makes routers discard OSPF packets that were not produced by a peer holding the shared key, so unauthorized or malicious nodes cannot inject packets into the OSPF routing domain. It provides origin authentication and integrity for each packet; it does not encrypt anything, so the LSAs themselves remain readable to anyone who can capture the traffic.

Why Use OSPF MD5 Authentication?

By default, OSPF uses null authentication (AuType 0): any router whose Hello parameters (area ID, timers, network mask, options) match becomes a neighbor. Therefore, you should configure an OSPF authentication method to keep OSPF nodes from building adjacencies with rogue devices. But not all of the authentication mechanisms supported by OSPF are secure.

For example, attackers can recover the password used with plain-text authentication trivially. They only need a capture point on the segment (a host on the same VLAN, a SPAN port or a tap) and a protocol analyzer, because the password travels in the clear in every OSPF packet.

With that password, they can form neighbor relationships with legitimate routers and inject false routing data into the OSPF routing domain. Plain-text authentication therefore only guards against accidental adjacencies with misconfigured routers; compared with the MD5 and HMAC-SHA cryptographic methods, it is the least secure way to authenticate OSPF packets. Cryptographic authentication costs one hash computation per packet sent and received, which is more CPU than clear text but small at OSPF packet rates on current platforms. Of the two cryptographic options, HMAC-SHA (RFC 5709, configured through key chains) is the stronger choice where both ends support it; MD5 remains the most widely supported one and is the subject of this tutorial.

How Does OSPF MD5 Authentication Work?

Without authentication, OSPF routers build adjacencies based only on the parameters carried in Hello packets, without caring about who sent them. An attacker or malicious user with access to a segment can therefore become a neighbor of the OSPF nodes on it, forge OSPF packets, and influence routing decisions in the whole routing domain.

When you enable password-based authentication, OSPF sets the AuType field of the 24-byte OSPF header and uses the 64-bit Authentication field that follows it. With plain-text authentication (AuType 1), the password itself is placed in that field exactly as configured, as shown in the next figure, which is a Wireshark capture of an OSPF Hello packet.

With MD5 authentication (AuType 2), the password never leaves the router. The Authentication field instead carries the key ID, the digest length (16) and a cryptographic sequence number, and a 16-byte MD5 digest is appended after the end of the OSPF packet, as you can see in the next figure.

The sender computes the digest as described in RFC 2328, Appendix D: it leaves the OSPF checksum field at zero, appends the 16-byte key (the configured key string, zero-padded) to the packet, runs MD5 over the packet plus key, and then replaces the key with the resulting digest before transmission. The receiver uses the key ID from the header to look up the key configured on the interface on which the packet arrived, repeats the same computation over the received packet, and accepts the packet only if its recomputed digest matches the one that was appended. Because the key is mixed into the digest but never transmitted, someone capturing the traffic learns the key ID and the digest but not the secret. The sequence number must not be smaller than the last one accepted from the same neighbor, which limits the replay of old captured packets.
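The following Python script is an added example written for this page (it is not code from the page's author or from Cisco). It builds a minimal OSPFv2 Hello, signs it the way RFC 2328 Appendix D describes (key ID and sequence number in the header, 16-byte digest appended after the packet), and then plays the receiver: key lookup by key ID, digest comparison, replay check, and the IOS rule that only the first 16 characters of the key string count, which the interface configuration section below comes back to. Router IDs 1.1.1.1 and 2.2.2.2 and key 20 / CISCO are taken from the page; the Hello field values, the attacker packets and the sequence numbers are constructed for the demo.

```python
"""OSPFv2 cryptographic (MD5) authentication per RFC 2328 Appendix D.
Added example: sender-side signing and receiver-side verification of an
OSPF Hello, including the checks a receiver must perform."""
from __future__ import annotations

import hashlib
import hmac
import struct
from ipaddress import IPv4Address

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTYPE_CRYPTO = 2
DIGEST_LEN = 16
# version, type, length, router ID, area ID, checksum, AuType,
# reserved, key ID, auth data length, cryptographic sequence number
HEADER_FMT = "!BBH4s4sHHHBBI"


def ospf_key_bytes(key_string: str) -> bytes:
    """RFC 2328 uses a fixed 16-byte key. Cisco IOS keeps only the first 16
    characters of the configured string and zero-pads shorter ones, which is
    why CISCO1234567890@ and CISCO1234567890@#$% behave as the same key."""
    return key_string.encode("ascii")[:DIGEST_LEN].ljust(DIGEST_LEN, b"\x00")


def build_hello(router_id: str, area_id: str, key_id: int, seq: int,
                netmask: str = "255.255.255.0") -> bytes:
    """Unsigned OSPFv2 Hello (no neighbors listed) with AuType 2. With
    cryptographic authentication the OSPF checksum is not computed and stays
    0, and the length field excludes the digest appended later.
    Timer and option values are constructed for the example (IOS defaults)."""
    body = struct.pack("!4sHBBI4s4s",
                       IPv4Address(netmask).packed,
                       10,            # HelloInterval
                       0x12,          # Options: E and L bits
                       1,             # router priority
                       40,            # RouterDeadInterval
                       b"\x00" * 4,   # DR (none yet)
                       b"\x00" * 4)   # BDR (none yet)
    header = struct.pack(HEADER_FMT, OSPF_VERSION, OSPF_HELLO, 24 + len(body),
                         IPv4Address(router_id).packed,
                         IPv4Address(area_id).packed,
                         0, AUTYPE_CRYPTO, 0, key_id, DIGEST_LEN, seq)
    return header + body


def sign(packet: bytes, key_string: str) -> bytes:
    """Sender side: MD5 over packet || key, digest appended after the packet."""
    return packet + hashlib.md5(packet + ospf_key_bytes(key_string)).digest()


class Receiver:
    """Per-interface receive state: the keys configured with
    'ip ospf message-digest-key <id> md5 <key>' and the last accepted
    sequence number per neighbor router ID."""

    def __init__(self, keys: dict[int, str]):
        self.keys = keys
        self.last_seq: dict[str, int] = {}

    def verify(self, wire: bytes) -> tuple[bool, str]:
        if len(wire) < 24:
            return False, "truncated header"
        (version, _ptype, length, rid, _area, _csum, autype,
         _rsvd, key_id, auth_len, seq) = struct.unpack(HEADER_FMT, wire[:24])
        if version != OSPF_VERSION or autype != AUTYPE_CRYPTO:
            return False, "mismatched authentication type"
        if auth_len != DIGEST_LEN or len(wire) < length + DIGEST_LEN:
            return False, "bad digest length"
        key = self.keys.get(key_id)          # the key ID travels in the clear
        if key is None:
            return False, f"unknown key id {key_id}"
        packet, received = wire[:length], wire[length:length + DIGEST_LEN]
        expected = hashlib.md5(packet + ospf_key_bytes(key)).digest()
        if not hmac.compare_digest(expected, received):
            return False, "bad digest"
        neighbor = str(IPv4Address(rid))
        # RFC 2328 D.4.3: the sequence number must not go backwards per neighbor
        if seq < self.last_seq.get(neighbor, 0):
            return False, "replayed or out-of-order sequence number"
        self.last_seq[neighbor] = seq
        return True, "ok"


def demo() -> dict[str, tuple[bool, str]]:
    """R1 (1.1.1.1) sends to R2 (2.2.2.2); both hold key 20 / CISCO."""
    r2 = Receiver({20: "CISCO"})
    results = {}
    good = sign(build_hello("1.1.1.1", "0.0.0.0", 20, seq=1000), "CISCO")
    results["good"] = r2.verify(good)
    results["newer"] = r2.verify(
        sign(build_hello("1.1.1.1", "0.0.0.0", 20, seq=1005), "CISCO"))
    results["replay"] = r2.verify(good)           # captured packet resent later
    results["wrong_key"] = r2.verify(
        sign(build_hello("1.1.1.1", "0.0.0.0", 20, seq=1006), "GUESS"))
    results["unknown_key_id"] = r2.verify(
        sign(build_hello("1.1.1.1", "0.0.0.0", 21, seq=1007), "CISCO"))
    tampered = good[:31] + b"\xff" + good[32:]    # router priority changed in flight
    results["tampered"] = r2.verify(tampered)
    r1 = Receiver({20: "CISCO1234567890@"})       # 16-character key on R1
    results["truncated_key"] = r1.verify(
        sign(build_hello("2.2.2.2", "0.0.0.0", 20, seq=1), "CISCO1234567890@#$%"))
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:15} {'accept' if ok else 'reject'}  ({why})")
```

Two details are worth noticing when you run it: the forged packet with the right key ID but the wrong key is rejected on the digest, not on the key ID, so an attacker learns nothing from the rejection; and an exact replay is only caught once a newer sequence number has been seen from that neighbor, because RFC 2328 accepts equal sequence numbers.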

In the rest of this tutorial, I will be using the following network topology.

All routers are in area 0. The base configurations applied to routers R1, R2, R3 and R4 are not reproduced in this extract; the interfaces and subnets they use can be read from the authentication commands that follow.

How To Configure OSPF MD5 Authentication on Cisco IOS?

Cisco IOS supports OSPF MD5 authentication, and you can enable it for a whole area (under the OSPF process) or for a single interface. The key ID and key string themselves are always configured per interface, so you can use a different key pair on every link. Two rules are worth remembering: an interface-level ip ospf authentication command takes precedence over the area-level setting for that interface, and every router on a segment must share the same key ID and key string, otherwise the neighbors never form.

To configure OSPF MD5 authentication per area on Cisco IOS, follow these steps:

  • Step 1. Select an OSPF process using the router ospf command.
  • Step 2. Issue the area area-id authentication message-digest command, where area-id is the ID of the area on which you want to enable MD5 authentication.
  • Step 3. Under each interface in the area, issue the ip ospf message-digest-key key md5 pwd command, where key is an integer between 1 and 255 and pwd is the key string of at most 16 characters. Neighbors on the same link must use the same key ID and key string.

In the following examples, we enable MD5 authentication on area 0 of all four routers, using key ID 20 and key string CISCO on every interface.

Router R1

R1(config)# router ospf 1
R1(config-router)# area 0 authentication message-digest
R1(config-router)# 
R1(config-router)# interface gigabitethernet 0/2
R1(config-if)# ip ospf message-digest-key 20 md5 CISCO
R1(config-if)# 
R1(config-if)# interface gigabitethernet 0/4
R1(config-if)# ip ospf message-digest-key 20 md5 CISCO

Router R2

R2(config)# router ospf 1
R2(config-router)# area 0 authentication message-digest
R2(config-router)# 
R2(config-router)# interface gigabitethernet 0/1
R2(config-if)# ip ospf message-digest-key 20 md5 CISCO
R2(config-if)# 
R2(config-if)# interface gigabitethernet 0/3
R2(config-if)# ip ospf message-digest-key 20 md5 CISCO

Router R3

R3(config)# router ospf 1
R3(config-router)# area 0 authentication message-digest
R3(config-router)# 
R3(config-router)# interface gigabitethernet 0/2
R3(config-if)# ip ospf message-digest-key 20 md5 CISCO
R3(config-if)# 
R3(config-if)# interface gigabitethernet 0/4
R3(config-if)# ip ospf message-digest-key 20 md5 CISCO

Router R4

R4(config)# router ospf 1
R4(config-router)# area 0 authentication message-digest
R4(config-router)# 
R4(config-router)# interface gigabitethernet 0/1
R4(config-if)# ip ospf message-digest-key 20 md5 CISCO
R4(config-if)# 
R4(config-if)# interface gigabitethernet 0/3
R4(config-if)# ip ospf message-digest-key 20 md5 CISCO

Alternatively, here are the steps to enable the same authentication type on a single interface only:

  • Step 1. Issue the ip ospf authentication message-digest command in interface configuration mode to tell OSPF to protect the OSPF packets on that interface with the MD5 authentication type. This interface-level setting takes precedence over any area-level setting.
  • Step 2. In the same configuration mode, issue the ip ospf message-digest-key key md5 pwd command, where key is an integer between 1 and 255 and pwd is the key string of at most 16 characters.

The ip ospf message-digest-key command accepts spaces inside the key string but drops leading ones. The key string can include any printable ASCII character, including the question mark “?”; at the IOS prompt, press Ctrl-V before a literal ? so that the CLI does not treat it as a help request.

If you enter more than 16 characters, Cisco IOS keeps the first sixteen and silently discards the rest. For example, if R1 and R2 on subnet 10.0.12.0/24 both use key ID 20 but one is configured with CISCO1234567890@ and the other with CISCO1234567890@#$%, they still form an adjacency because the first sixteen characters of the two strings are identical. Keep this in mind when you generate long random keys: only the first 16 characters contribute any strength.

In the following examples, we configure OSPF MD5 authentication on the 10.0.12.0/24 link between R1 and R2, using key ID 12 and key string CISCO.

Router R1

R1(config)# interface GigabitEthernet0/2
R1(config-if)# ip ospf authentication message-digest
R1(config-if)# ip ospf message-digest-key 12 md5 CISCO

Router R2

R2(config)# interface GigabitEthernet0/1
R2(config-if)# ip ospf authentication message-digest
R2(config-if)# ip ospf message-digest-key 12 md5 CISCO

How To Configure OSPF MD5 Authentication on Cisco IOS Using Key Chain Objects?

You can also configure OSPF MD5 authentication on an interface with the ip ospf authentication key-chain kc command in interface configuration mode, where kc is a key chain object. A key chain holds several keys, each with its own cryptographic algorithm and separate accept and send lifetimes, so you can roll a key over without dropping the adjacency, or use different keys for sending and receiving. For example, you may use key 1 with key string CISCO1 to generate OSPF packets while you use key 2 with key string CISCO2 to authenticate received OSPF packets.

In the next OSPF configurations, we enable OSPF MD5 authentication in subnet 10.0.34.0/24 according to the following requirements:

Router   Key ID   Password   Key Role
R3       1        CISCO1     Authenticate R4's OSPF packets
R3       2        CISCO2     Generate OSPF packets sent to R4
R4       1        CISCO1     Generate OSPF packets sent to R3
R4       2        CISCO2     Authenticate R3's OSPF packets

Router R3

R3(config)# key chain R3R4
R3(config-keychain)# key 1
R3(config-keychain-key)# key-string CISCO1
R3(config-keychain-key)# cryptographic-algorithm md5
R3(config-keychain-key)# send-lifetime 00:00:00 1 jan 2000 duration 1
R3(config-keychain-key)# 
R3(config-keychain-key)# key 2
R3(config-keychain-key)# key-string CISCO2
R3(config-keychain-key)# cryptographic-algorithm md5
R3(config-keychain-key)# accept-lifetime 00:00:00 1 jan 2000 duration 1
R3(config-keychain-key)# 
R3(config-keychain-key)# interface GigabitEthernet 0/4
R3(config-if)# ip ospf authentication key-chain R3R4

Router R4

R4(config)# key chain R4R3
R4(config-keychain)# key 1
R4(config-keychain-key)# key-string CISCO1
R4(config-keychain-key)# cryptographic-algorithm md5
R4(config-keychain-key)# accept-lifetime 00:00:00 1 jan 2000 duration 1
R4(config-keychain-key)# 
R4(config-keychain-key)# key 2
R4(config-keychain-key)# key-string CISCO2
R4(config-keychain-key)# cryptographic-algorithm md5
R4(config-keychain-key)# send-lifetime 00:00:00 1 jan 2000 duration 1
R4(config-keychain-key)# 
R4(config-keychain-key)# interface GigabitEthernet 0/3
R4(config-if)# ip ospf authentication key-chain R4R3

When you do not specify the accept-lifetime command, the key is accepted for authenticating received OSPF packets indefinitely. Likewise, when you do not specify the send-lifetime command, the key is used for signing sent OSPF packets indefinitely. Both lifetimes are evaluated against the router clock, so for real key rollovers keep the clock synchronized (NTP) and check the result with the show key chain command.

Since router R3 should use key 1 only to authenticate R4's OSPF packets, we stop it from signing with that key by giving key 1 a send lifetime that starts at 00:00:00 on 1 January 2000 and lasts one second (duration 1). That window is long past, so key 1 is never used to generate OSPF packets on R3. It is still used to authenticate R4's OSPF packets, because its accept lifetime keeps the default, infinite, value.

Similarly, we give key 2 on R3 an accept lifetime that ended long ago. Therefore, R3 uses key 2 only to generate the OSPF packets it sends to R4.

Finally, we configure router R4 as the mirror image of R3: key 1 sends only and key 2 accepts only. The pairing has to be exact. The key ID and key string R3 signs with (2 / CISCO2) must be an accept-valid key on R4, and the key R4 signs with (1 / CISCO1) must be accept-valid on R3, otherwise the adjacency never forms.
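To check a pair of key chains before pushing them to the routers, here is an added Python model of the lifetime rules the configuration above relies on (example code written for this page, not Cisco's implementation). It encodes the R3R4 and R4R3 chains exactly as configured, lists which keys each side can sign with and accept at a given instant, and flags the classic mistake of pasting one router's chain unchanged onto its neighbor. The router clock NOW is a constructed value.

```python
"""Key-chain lifetime model for the R3R4 / R4R3 chains, added example.
Rules modelled (from the page): a key with no accept-lifetime is accepted
indefinitely, a key with no send-lifetime is used for sending indefinitely,
and 'start-time duration N' ends N seconds after the start time."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

INFINITE = datetime.max


@dataclass(frozen=True)
class Lifetime:
    start: datetime
    end: datetime = INFINITE

    @classmethod
    def duration(cls, start: str, seconds: int) -> Lifetime:
        """IOS syntax: send-lifetime 00:00:00 1 jan 2000 duration 1"""
        t = datetime.strptime(start, "%H:%M:%S %d %b %Y")
        return cls(t, t + timedelta(seconds=seconds))

    def active(self, now: datetime) -> bool:
        return self.start <= now <= self.end


ALWAYS = Lifetime(datetime.min)          # IOS default when no lifetime is set


@dataclass
class Key:
    key_id: int
    key_string: str
    algorithm: str = "md5"               # cryptographic-algorithm md5
    accept: Lifetime = ALWAYS
    send: Lifetime = ALWAYS


@dataclass
class KeyChain:
    name: str
    keys: list[Key]

    def send_keys(self, now: datetime) -> list[Key]:
        return [k for k in self.keys if k.send.active(now)]

    def accept_keys(self, now: datetime) -> list[Key]:
        return [k for k in self.keys if k.accept.active(now)]


# one-second window that is long past: the page's way of disabling one direction
EXPIRED = Lifetime.duration("00:00:00 1 jan 2000", 1)

R3R4 = KeyChain("R3R4", [Key(1, "CISCO1", send=EXPIRED),      # R3: accept only
                         Key(2, "CISCO2", accept=EXPIRED)])   # R3: send only
R4R3 = KeyChain("R4R3", [Key(1, "CISCO1", accept=EXPIRED),    # R4: send only
                         Key(2, "CISCO2", send=EXPIRED)])     # R4: accept only


def interoperable(a: KeyChain, b: KeyChain, now: datetime) -> list[str]:
    """Problems that would keep two directly connected interfaces using
    chains a and b from authenticating each other at time `now`."""
    problems = []
    for sender, receiver in ((a, b), (b, a)):
        sending = sender.send_keys(now)
        if not sending:
            problems.append(f"{sender.name}: no key valid for sending")
        accepted = {(k.key_id, k.key_string, k.algorithm)
                    for k in receiver.accept_keys(now)}
        for k in sending:
            if (k.key_id, k.key_string, k.algorithm) not in accepted:
                problems.append(f"{sender.name} signs with key {k.key_id} "
                                f"but {receiver.name} does not accept it")
    return problems


NOW = datetime(2024, 6, 1, 12, 0, 0)     # constructed router clock for the demo

if __name__ == "__main__":
    for chain in (R3R4, R4R3):
        print(chain.name, "signs with", [k.key_id for k in chain.send_keys(NOW)],
              "accepts", [k.key_id for k in chain.accept_keys(NOW)])
    print("R3 <-> R4:", interoperable(R3R4, R4R3, NOW) or "OK")
    # classic mistake: paste R3's chain onto R4 unchanged
    print("R3 <-> copy of R3:", interoperable(R3R4, R3R4, NOW))
```

The same interoperable() check is what you would run with overlapping lifetimes during a real rollover: at every instant in the overlap, the key each side signs with must be accept-valid on the other side.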

How To Verify OSPF MD5 Authentication on Cisco IOS?

On Cisco IOS, use the show ip ospf and show ip ospf interface commands to verify OSPF MD5 authentication, and show ip ospf neighbor to confirm that the adjacencies are still FULL afterwards. If a neighbor does not come up, debug ip ospf adj on the receiving router reports mismatches in authentication type and key ID. The show ip ospf command indicates what type of authentication is applied to each area.

R1# show ip ospf
 Routing Process "ospf 1" with ID 1.1.1.1
 Start time: 00:00:41.833, Time elapsed: 02:25:01.316
 Supports only single TOS(TOS0) routes
 Supports opaque LSA
 Supports Link-local Signaling (LLS)
 Supports area transit capability
 Supports NSSA (compatible with RFC 3101)
 Supports Database Exchange Summary List Optimization (RFC 5243)
 Event-log enabled, Maximum number of events: 1000, Mode: cyclic
 Router is not originating router-LSAs with maximum metric
 Initial SPF schedule delay 5000 msecs
 Minimum hold time between two consecutive SPFs 10000 msecs
 Maximum wait time between two consecutive SPFs 10000 msecs
 Incremental-SPF disabled
 Minimum LSA interval 5 secs
 Minimum LSA arrival 1000 msecs
 LSA group pacing timer 240 secs
 Interface flood pacing timer 33 msecs
 Retransmission pacing timer 66 msecs
 EXCHANGE/LOADING adjacency limit: initial 300, process maximum 300
 Number of external LSA 0. Checksum Sum 0x000000
 Number of opaque AS LSA 0. Checksum Sum 0x000000
 Number of DCbitless external and opaque AS LSA 0
 Number of DoNotAge external and opaque AS LSA 0
 Number of areas in this router is 1. 1 normal 0 stub 0 nssa
 Number of areas transit capable is 0
 External flood list length 0
 IETF NSF helper support enabled
 Cisco NSF helper support enabled
 Reference bandwidth unit is 100 mbps
    Area BACKBONE(0)
        Number of interfaces in this area is 2
        Area has message digest authentication

(remaining output omitted)

The show ip ospf interface command shows the authentication method attached to each interface. "Cryptographic authentication enabled" confirms MD5 (or HMAC-SHA) on the interface, and "Youngest key id" names the most recently configured key, which is the one IOS uses to sign outgoing packets when several message-digest keys exist on the interface; here key 12 was added after key 20 on GigabitEthernet0/2. Received packets are accepted with any of the configured keys, which is what makes a key change without downtime possible.

R1# show ip ospf interface gigabitEthernet 0/1
%OSPF: OSPF not enabled on GigabitEthernet0/1
R1#show ip ospf interface gigabitEthernet 0/2
GigabitEthernet0/2 is up, line protocol is up 
  Internet Address 10.0.12.1/24, Area 0, Attached via Network Statement
  Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           1         no          no            Base
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 2.2.2.2, Interface address 10.0.12.2
  Backup Designated router (ID) 1.1.1.1, Interface address 10.0.12.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:05
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 1/1/1, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 2
  Last flood scan time is 0 msec, maximum is 1 msec
  Neighbor Count is 1, Adjacent neighbor count is 1 
    Adjacent with neighbor 2.2.2.2  (Designated Router)
  Suppress hello for 0 neighbor(s)
  Cryptographic authentication enabled
    Youngest key id is 12


Conclusion

I hope this blog post helps you learn something.
Now I’d like to turn it over to you:
What did you like about this tutorial?
Or maybe you have an excellent idea that you think I need to add.
Either way, let me know by leaving a comment below right now.

Mohamed Ouamer is a computer science teacher and a self-published author. He taught networking technologies and programming for more than fifteen years. While he loves to share knowledge and write, Mohamed's best passions include spending time with his family, visiting his parents, and learning new things.
