OSPF supports three types of password-based authentication, including OSPF plain text authentication, also called clear text, and simple password authentication. You can use it on a large number of Cisco products such as routers, switches, and Cisco ASA. OSPF authentication is not included in the CCNA syllabus, but it is a subject of the CCNP ENCOR exam. In this post, you will learn how OSPF clear text authentication works, and how to configure and verify it on Cisco IOS devices.
- What is OSPF Plain Text Authentication?
- Why Use OSPF Clear Text Authentication?
- How Does OSPF Plain Text Authentication work?
- OSPF Plain Text Authentication Vs OSPF MD5 and HMAC-SHA Cryptographic Authentication Methods
- How to configure OSPF Plain Text Authentication on Cisco IOS
- How to verify OSPF Plain Text Authentication on Cisco IOS?
- OSPF Simple Password Authentication Alternatives
- Related Lessons to OSPF Plain Text Authentication,OSPF Clear Text Authentication
What is OSPF Plain Text Authentication?
OSPF plain text authentication is a security method that protects routing nodes on the network from accepting OSPF updates generated by unauthorized/malicious devices in the current OSPF routing domain; in this way, illegitimate routers cannot join and influence routing decisions within the autonomous system because they should prove identity via supplying a shared password to the neighbor nodes.
Simple password authentication allows configuring the 64-bit authentication key field on a per-network basis only. You cannot set the plain text password per area, which make configuration tedious when you have lots of interfaces and routers in your OSPF autonomous system. Routers on the same data link should use the same authentication type and password over that link; otherwise, they cannot form neighbor relationships.
Why Use OSPF Clear Text Authentication?
Hackers can find out the simple password used in this type of authentication easily. All they need is physical access to the network so they can use particular networking and spying tools to intercept OSPF packets. In this way, they can form false neighbor relationships with legitimate routers and inject false routing data into the OSPF routing domain. Therefore, OSPF plain text authentication compared to the MD5 and HMAC-SHA cryptographic methods is the least secure method to authenticate OSPF packets. However, even though it offers less security, it is still better than nothing and it consumes fewer CPU cycles than the cryptographic methods.
How Does OSPF Plain Text Authentication work?
When OSPF clear-text authentication is active on a particular interface, the authentication type (Autype) field, in the header of OSPF packets sent over that interface, gets assigned 1 (see exhibits 1 and 2). In addition, the router assigns the simple password applied to the interface to the 64-bit authentication key field. Finally, OSPF calculates the checksum field using the entire content of the OSPF packet without taking into account the authentication key field.
Open Shortest Path First OSPF Header Version: 2 Message Type: Hello Packet (1) Packet Length: 44 Source OSPF Router: 10.0.12.2 Area ID: 0.0.0.0 (Backbone) Checksum: 0xd69b [correct] Auth Type: Simple password (1) Auth Data (Simple): cisco omitted output
Exhibit 1 – OSPF header captured with Wireshark and illustrating OSPF simple password authentication
R2# debug ip ospf packet OSPF packet debugging is on R2# R2# *Jun 7 16:30:34.365: OSPF-1 PAK : Gi0/1: OUT: 10.0.12.2->220.127.116.11: ver:2 type:1 len:44 rid:10.0.12.2 area:0.0.0.0 chksum:C099 auth:1 *Jun 7 16:30:43.618: OSPF-1 PAK : Gi0/1: OUT: 10.0.12.2->18.104.22.168: ver:2 type:1 len:44 rid:10.0.12.2 area:0.0.0.0 chksum:C099 auth:1 omitted output
Exhibit 2 – Debug ip ospf packet command output
OSPF Plain Text Authentication Vs OSPF MD5 and HMAC-SHA Cryptographic Authentication Methods
When you activate OSPFv2 plain text authentication on a data link, routers insert the shared password into the OSPF header of the packets sent over the link. In addition, when a router receives an OSPF packet, it reads the authentication data field and checks it matches the shared password. If there is no match, the packet gets discarded.
Cryptographic authentication methods based on MD5 or HMAC-SHA algorithms set the authentication data field to a hash string calculated from a shared password. In this way, the password is kept secret between neighbors on the same data link and does not get included in OSPF packets. Therefore, hackers (malicious users) have no way to uncover the authentication key, which improves the security of OSPF traffic between neighbor routers.
How to configure OSPF Plain Text Authentication on Cisco IOS
Configuring OSPF Clear Text Authentication
Cisco IOS allows network engineers to enable OSPF plain text authentication both on a per-area and per-interface basis. However, the authentication password can be configured only on a per-interface basis. This gives you the flexibility to use more than one clear-text password to secure OSPF packets as they get exchanged between neighbors.
To set up OSPF plain text authentication per area on Cisco IOS, follow these steps:
- Step 1. Select an OSPF process using the router ospf command.
- Step 2. Issue the area area-id authentication command, where area-id is the ID of the area on which you want to secure OSPF packets.
- Step 3. Under each interface in the area, issue the ip ospf authentication-key pwd command, where pwd is the string the router should include in each OSPF packet sent over the interface, and the key used to authenticate OSPF packet received on that interface.
Moreover, here are the steps to configure the same authentication type on a particular interface:
- Step 1. Issue the ip ospf authentication command in interface configuration mode to instruct the router to secure OSPF traffic over the interface using the simple password authentication method.
- Step 2. In the same configuration mode, issue the ip ospf authentication-key pwd command, where pwd is the clear text password that is to be inserted in the header of each OSPF packet sent over the interface and used to authenticate OSPF traffic received on the same interface.
The ip ospf authentication-key command accepts spaces but ignores those at the beginning of the password. The authentication key should not exceed 8 characters and can include any ASCII symbol, including the question mark “?”. If you enter more than 8 characters, Cisco IOS considers the first eight characters as the password and ignores the remaining ones (Exhibits 3 and 4).
R2(config)# interface gigabitEthernet 0/1 R2(config-if)# ip ospf authentication-key cisco123456789 % OSPF: Warning: The password/key will be truncated to 8 characters
Exhibit 3 – Setting a clear-text password with more than eight characters on Cisco IOS
OSPF Header Version: 2 Message Type: Hello Packet (1) Packet Length: 44 Source OSPF Router: 10.0.12.2 Area ID: 0.0.0.0 (Backbone) Checksum: 0xd69b [correct] Auth Type: Simple password (1) Auth Data (Simple): cisco123
Exhibit 4 – OSPF header including password cisco123 instead of cisco123456789
As a side note, configuring OSPF MD5 authentication on Cisco IOS is similar to setting up the clear text one; you only need to replace the area authentication, ip ospf authentication, and ip ospf authentication-key commands by area authentication message-digest, ip ospf authentication message-digest, and ip ospf message-digest-key md5, respectively.
At this point, let’s configure OSPF on the network in Figure 1, and enable clear text authentication in area 0 using password cisco.
Figure 1 – Network diagram of the OSPF autonomous system used in this tutorial
Router(config)# hostname R1 R1(config)# interface gigabitEthernet 0/2 R1(config-if)# ip address 10.0.12.1 255.255.255.0 R1(config-if)# ip ospf network point-to-point R1(config-if)# no shutdown R1(config-if)# interface gigabitEthernet 0/3 R1(config-if)# ip address 10.0.13.1 255.255.255.0 R1(config-if)# ip ospf network point-to-point R1(config-if)# no shutdown R1(config-if)# exit R1(config)# router ospf 1 R1(config-router)# network 0.0.0.0 255.255.255.255 area 0 R1(config-router)# area 0 authentication R1(config-router)# exit R1(config)# interface gigabitEthernet 0/2 R1(config-if)# ip ospf authentication-key cisco R1(config-if)# interface gigabitEthernet 0/3 R1(config-if)# ip ospf authentication-key cisco
Router(config)# hostname R2 R2(config)# interface gigabitEthernet 0/1 R2(config-if)# ip address 10.0.12.2 255.255.255.0 R2(config-if)# ip ospf network point-to-point R2(config-if)# ip ospf authentication R2(config-if)# ip ospf authentication-key cisco R2(config-if)# no shutdown R2(config-if)# exit R2(config)# router ospf 1 R2(config-router)# network 10.0.12.2 0.0.0.0 area 0
Router(config)# hostname R3 R3(config)# interface gigabitEthernet 0/1 R3(config-if)# ip address 10.0.13.3 255.255.255.0 R3(config-if)# ip ospf network point-to-point R3(config-if)# ip ospf authentication R3(config-if)# ip ospf authentication-key cisco R3(config-if)# no shutdown R3(config-if)# exit R3(config)# router ospf 1 R3(config-router)# network 10.0.13.3 0.0.0.0 area 0
We used two different approaches to implement OSPF clear text authentication on the network. On routers R2 and R3, we enabled the authentication method on the interface level only, while we activate it globally in area 0 on router R1.
OSPF Area Authentication vs Interface Authentication
OSPF area and interface authentications are simple to configure. However, when you have lots of interfaces to enable OSPF authentication on, enabling authentication of each of them becomes a tedious task. Instead, you will need to activate OSPF authentication per area. Conversely, when you have a few links to enable plain text authentication on them, OSPF area authentication becomes a bad idea, and you would configure authentication on each interface since following the other approach leads to using OSPF Null authentication on a larger number of interfaces.
Encrypting OSPF Clear Text Passwords
By default, Cisco IOS does not encrypt passwords when it stores them in RAM (Exhibit 5), and thus, anyone with physical access to the router or looking at the running-configuration file’s content can easily know OSPF authentication keys configured on the router.
R1# show running-config interface gigabitEthernet 0/2 Building configuration... Current configuration : 190 bytes ! interface GigabitEthernet0/2 ip address 10.0.12.1 255.255.255.0 ip ospf authentication-key cisco ip ospf network point-to-point shutdown duplex auto speed auto media-type rj45 end
Exhibit 5 – OSPF simple password stored as clear text in RAM
To circumvent this issue, you can issue the service password-encryption command in global configuration mode, as shown below. OSPF will still insert the authentication key as clear text in the OSPF header. In fact, the service password-encryption command does not affect how OSPF operates, it just encrypts all clear text passwords stored in the running-configuration file.
R1(config)# service password-encryption
Now, the OSPF authentication password is saved as encrypted text in RAM (Exhibit 6).
R1# show running-config interface gigabitEthernet 0/2 Building configuration... Current configuration : 199 bytes ! interface GigabitEthernet0/2 ip address 10.0.12.1 255.255.255.0 ip ospf authentication-key 7 1511021F0725 ip ospf network point-to-point shutdown duplex auto speed auto media-type rj45 end
Exhibit 6 – OSPF simple password stored as encrypted text in RAM
How to verify OSPF Plain Text Authentication on Cisco IOS?
On Cisco IOS, you can use the show ip ospf and show ip ospf interface commands to troubleshoot and verify OSPF authentication whether it is plain text, MD5, or HMAC-SHA-based. The show ip ospf command tells what type of authentication is applied to each area, while the show ip ospf interface indicates the authentication method attached to each interface.
R1# show ip ospf Routing Process "ospf 1" with ID 10.0.13.1 Start time: 00:15:44.050, Time elapsed: 00:25:02.151 Supports only single TOS(TOS0) routes Supports opaque LSA Supports Link-local Signaling (LLS) Supports area transit capability Supports NSSA (compatible with RFC 3101) Supports Database Exchange Summary List Optimization (RFC 5243) Event-log enabled, Maximum number of events: 1000, Mode: cyclic Router is not originating router-LSAs with maximum metric Initial SPF schedule delay 5000 msecs Minimum hold time between two consecutive SPFs 10000 msecs Maximum wait time between two consecutive SPFs 10000 msecs Incremental-SPF disabled Minimum LSA interval 5 secs Minimum LSA arrival 1000 msecs LSA group pacing timer 240 secs Interface flood pacing timer 33 msecs Retransmission pacing timer 66 msecs EXCHANGE/LOADING adjacency limit: initial 300, process maximum 300 Number of external LSA 0. Checksum Sum 0x000000 Number of opaque AS LSA 0. Checksum Sum 0x000000 Number of DCbitless external and opaque AS LSA 0 Number of DoNotAge external and opaque AS LSA 0 Number of areas in this router is 1. 1 normal 0 stub 0 nssa Number of areas transit capable is 0 External flood list length 0 IETF NSF helper support enabled Cisco NSF helper support enabled Reference bandwidth unit is 100 mbps Area BACKBONE(0) Number of interfaces in this area is 2 Area has simple password authentication SPF algorithm last executed 00:07:16.692 ago SPF algorithm executed 2 times Area ranges are Number of LSA 3. Checksum Sum 0x015D35 Number of opaque link LSA 0. Checksum Sum 0x000000 Number of DCbitless LSA 0 Number of indication LSA 0 Number of DoNotAge LSA 0 Flood list length 0
Exhibit 7 – OSPF plain text authentication applied to area 0
R1# show ip ospf interface gigabitEthernet 0/2 GigabitEthernet0/2 is up, line protocol is up Internet Address 10.0.12.1/24, Area 0, Attached via Network Statement Process ID 1, Router ID 10.0.13.1, Network Type POINT_TO_POINT, Cost: 1 Topology-MTID Cost Disabled Shutdown Topology Name 0 1 no no Base Transmit Delay is 1 sec, State POINT_TO_POINT Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 oob-resync timeout 40 Hello due in 00:00:01 Supports Link-local Signaling (LLS) Cisco NSF helper support enabled IETF NSF helper support enabled Index 1/1/1, flood queue length 0 Next 0x0(0)/0x0(0)/0x0(0) Last flood scan length is 1, maximum is 1 Last flood scan time is 0 msec, maximum is 0 msec Neighbor Count is 1, Adjacent neighbor count is 1 Adjacent with neighbor 10.0.12.2 Suppress hello for 0 neighbor(s) Simple password authentication enabled
Exhibit 8 – OSPF clear text authentication applied to interface GigabitEthernet 0/2
OSPF Simple Password Authentication Alternatives
OSPF plain text authentication is not the more secure way to detect unauthorized OSPF traffic. In fact, you can either use MD5 or HMAC-SHA authentication methods, which protect OSPF packets from being corrupted. OSPF MD5 and HMAC-SHA are easy to configure and they do not consume a high volume of CPU cycles.
Related Lessons to OSPF Plain Text Authentication,OSPF Clear Text Authentication
- OSPF Router ID
- OSPF Null Authentication
- OSPF Plain Text Authentication
- OSPF Default Route
- Basic OSPF Configuration Lab for CCNA
- OSPF Configuration
- OSPF Passive Interface
- OSPF Virtual Link
- OSPF Stub Area
- OSPF LSA Types
- OSPF Totally Stubby Area
- OSPF Reference Bandwidth
- OSPF Cost
- OSPF DR/BDR Election
- OSPF Hello and Dead Interval
- OSPF Metric
- OSPF MD5 Authentication
- OSPF HMAC-SHA Cryptographic Authentication
- OSPF Multi-Area
- OSPF TTL Security Check
- OSPF Graceful Shutdown
- Route Redistribution between OSPF and RIP
- OSPF Network Types
- OSPF Totally NSSA Area
- OSPF NSSA Area
- OSPF Summarization
- OSPF Route Filtering
- OSPF Type 5 LSA Filtering
- OSPF ABR Type 3 LSA Filtering
- OSPF Prefix Suppression
- OSPF Path Selection
- OSPF LSA Throttling
- OSPF SPF Throttling
- OSPF Incremental SPF
- OSPF Non-Broadcast Network Type
- OSPF Point-to-Point Network Type
- OSPF Broadcast Network Type
- OSPF Point-to-Multipoint Network Type
- OSPF vs RIP
- OSPF LSA Group Pacing
- OSPF LSA Flood Pacing
- OSPF LSA Retransmission Pacing