OSPF supports three types of password-based authentication, including OSPF plain text authentication, also called clear text, and simple password authentication. You can use it on a large number of Cisco products such as routers, switches, and Cisco ASA. OSPF authentication is not included in the CCNA syllabus, but it is a subject of the CCNP ENCOR exam. In this post, you will learn how OSPF clear text authentication works, and how to configure and verify it on Cisco IOS devices.

What is OSPF Plain Text Authentication?

OSPF plain text authentication is a security method that protects routing nodes on the network from accepting OSPF updates generated by unauthorized/malicious devices in the current OSPF routing domain; in this way, illegitimate routers cannot join and influence routing decisions within the autonomous system because they should prove identity via supplying a shared password to the neighbor nodes.

Simple password authentication allows configuring the 64-bit authentication key field on a per-network basis only. You cannot set the plain text password per area, which make configuration tedious when you have lots of interfaces and routers in your OSPF autonomous system. Routers on the same data link should use the same authentication type and password over that link; otherwise, they cannot form neighbor relationships.

Why Use OSPF Clear Text Authentication?

Hackers can find out the simple password used in this type of authentication easily. All they need is physical access to the network so they can use particular networking and spying tools to intercept OSPF packets. In this way, they can form false neighbor relationships with legitimate routers and inject false routing data into the OSPF routing domain. Therefore, OSPF plain text authentication compared to the MD5 and HMAC-SHA cryptographic methods is the least secure method to authenticate OSPF packets. However, even though it offers less security, it is still better than nothing and it consumes fewer CPU cycles than the cryptographic methods.

How Does OSPF Plain Text Authentication work?

When OSPF clear-text authentication is active on a particular interface, the authentication type (Autype) field, in the header of OSPF packets sent over that interface, gets assigned 1 (see exhibits 1 and 2). In addition, the router assigns the simple password applied to the interface to the 64-bit authentication key field. Finally, OSPF calculates the checksum field using the entire content of the OSPF packet without taking into account the authentication key field.

Open Shortest Path First
    OSPF Header
        Version: 2
        Message Type: Hello Packet (1)
        Packet Length: 44
        Source OSPF Router: 10.0.12.2
        Area ID: 0.0.0.0 (Backbone)
        Checksum: 0xd69b [correct]
        Auth Type: Simple password (1)
        Auth Data (Simple): cisco


omitted output

Exhibit 1 – OSPF header captured with Wireshark and illustrating OSPF simple password authentication

R2# debug ip ospf packet 
OSPF packet debugging is on
R2#
R2#
*Jun  7 16:30:34.365: OSPF-1 PAK  : Gi0/1: OUT: 10.0.12.2->224.0.0.5: ver:2 type:1 len:44 rid:10.0.12.2 area:0.0.0.0 chksum:C099 auth:1

*Jun  7 16:30:43.618: OSPF-1 PAK  : Gi0/1: OUT: 10.0.12.2->224.0.0.5: ver:2 type:1 len:44 rid:10.0.12.2 area:0.0.0.0 chksum:C099 auth:1



omitted output

Exhibit 2 – Debug ip ospf packet command output

OSPF Plain Text Authentication Vs OSPF MD5 and HMAC-SHA Cryptographic Authentication Methods

When you activate OSPFv2 plain text authentication on a data link, routers insert the shared password into the OSPF header of the packets sent over the link. In addition, when a router receives an OSPF packet, it reads the authentication data field and checks it matches the shared password. If there is no match, the packet gets discarded.

Cryptographic authentication methods based on MD5 or HMAC-SHA algorithms set the authentication data field to a hash string calculated from a shared password. In this way, the password is kept secret between neighbors on the same data link and does not get included in OSPF packets. Therefore, hackers (malicious users) have no way to uncover the authentication key, which improves the security of OSPF traffic between neighbor routers.

How to configure OSPF Plain Text Authentication on Cisco IOS

Configuring OSPF Clear Text Authentication

Cisco IOS allows network engineers to enable OSPF plain text authentication both on a per-area and per-interface basis. However, the authentication password can be configured only on a per-interface basis. This gives you the flexibility to use more than one clear-text password to secure OSPF packets as they get exchanged between neighbors.

To set up OSPF plain text authentication per area on Cisco IOS, follow these steps:

  • Step 1. Select an OSPF process using the router ospf command.
  • Step 2. Issue the area area-id authentication command, where area-id is the ID of the area on which you want to secure OSPF packets.
  • Step 3. Under each interface in the area, issue the ip ospf authentication-key pwd command, where pwd is the string the router should include in each OSPF packet sent over the interface, and the key used to authenticate OSPF packet received on that interface.

Moreover, here are the steps to configure the same authentication type on a particular interface:

  • Step 1. Issue the ip ospf authentication command in interface configuration mode to instruct the router to secure OSPF traffic over the interface using the simple password authentication method.
  • Step 2. In the same configuration mode, issue the ip ospf authentication-key pwd command, where pwd is the clear text password that is to be inserted in the header of each OSPF packet sent over the interface and used to authenticate OSPF traffic received on the same interface.

The ip ospf authentication-key command accepts spaces but ignores those at the beginning of the password. The authentication key should not exceed 8 characters and can include any ASCII symbol, including the question mark “?”. If you enter more than 8 characters, Cisco IOS considers the first eight characters as the password and ignores the remaining ones (Exhibits 3 and 4).

R2(config)# interface gigabitEthernet 0/1  
R2(config-if)# ip ospf authentication-key cisco123456789
% OSPF: Warning: The password/key will be truncated to 8 characters

Exhibit 3 – Setting a clear-text password with more than eight characters on Cisco IOS

OSPF Header
    Version: 2
    Message Type: Hello Packet (1)
    Packet Length: 44
    Source OSPF Router: 10.0.12.2
    Area ID: 0.0.0.0 (Backbone)
    Checksum: 0xd69b [correct]
    Auth Type: Simple password (1)
    Auth Data (Simple): cisco123

Exhibit 4 – OSPF header including password cisco123 instead of cisco123456789

As a side note, configuring OSPF MD5 authentication on Cisco IOS is similar to setting up the clear text one; you only need to replace the area authentication, ip ospf authentication, and ip ospf authentication-key commands by area authentication message-digest, ip ospf authentication message-digest, and ip ospf message-digest-key md5, respectively.

At this point, let’s configure OSPF on the network in Figure 1, and enable clear text authentication in area 0 using password cisco.

OSPF Plain/Clear Text Authentication: Definition, Configuration, and Troubleshooting

Figure 1 – Network diagram of the OSPF autonomous system used in this tutorial

Router R1

Router(config)# hostname R1
R1(config)# interface gigabitEthernet 0/2
R1(config-if)# ip address 10.0.12.1 255.255.255.0
R1(config-if)# ip ospf network point-to-point 
R1(config-if)# no shutdown 
R1(config-if)# interface gigabitEthernet 0/3     
R1(config-if)# ip address 10.0.13.1 255.255.255.0
R1(config-if)# ip ospf network point-to-point 
R1(config-if)# no shutdown                       
R1(config-if)# exit 
R1(config)# router ospf 1
R1(config-router)# network 0.0.0.0 255.255.255.255 area 0
R1(config-router)# area 0 authentication 
R1(config-router)# exit 
R1(config)# interface gigabitEthernet 0/2
R1(config-if)# ip ospf authentication-key cisco
R1(config-if)# interface gigabitEthernet 0/3   
R1(config-if)# ip ospf authentication-key cisco

Router R2

Router(config)# hostname R2
R2(config)# interface gigabitEthernet 0/1
R2(config-if)# ip address 10.0.12.2 255.255.255.0
R2(config-if)# ip ospf network point-to-point 
R2(config-if)# ip ospf authentication
R2(config-if)# ip ospf authentication-key cisco
R2(config-if)# no shutdown 
R2(config-if)# exit 
R2(config)# router ospf 1
R2(config-router)# network 10.0.12.2 0.0.0.0 area 0

Router R3

Router(config)# hostname R3
R3(config)# interface gigabitEthernet 0/1
R3(config-if)# ip address 10.0.13.3 255.255.255.0
R3(config-if)# ip ospf network point-to-point 
R3(config-if)# ip ospf authentication
R3(config-if)# ip ospf authentication-key cisco
R3(config-if)# no shutdown 
R3(config-if)# exit 
R3(config)# router ospf 1
R3(config-router)# network 10.0.13.3 0.0.0.0 area 0

We used two different approaches to implement OSPF clear text authentication on the network. On routers R2 and R3, we enabled the authentication method on the interface level only, while we activate it globally in area 0 on router R1.

OSPF Area Authentication vs Interface Authentication

OSPF area and interface authentications are simple to configure. However, when you have lots of interfaces to enable OSPF authentication on, enabling authentication of each of them becomes a tedious task. Instead, you will need to activate OSPF authentication per area. Conversely, when you have a few links to enable plain text authentication on them, OSPF area authentication becomes a bad idea, and you would configure authentication on each interface since following the other approach leads to using OSPF Null authentication on a larger number of interfaces.

Encrypting OSPF Clear Text Passwords

By default, Cisco IOS does not encrypt passwords when it stores them in RAM (Exhibit 5), and thus, anyone with physical access to the router or looking at the running-configuration file’s content can easily know OSPF authentication keys configured on the router.

R1# show running-config interface gigabitEthernet 0/2
Building configuration...

Current configuration : 190 bytes
!
interface GigabitEthernet0/2
 ip address 10.0.12.1 255.255.255.0
 ip ospf authentication-key cisco
 ip ospf network point-to-point
 shutdown
 duplex auto
 speed auto
 media-type rj45
end

Exhibit 5 – OSPF simple password stored as clear text in RAM

To circumvent this issue, you can issue the service password-encryption command in global configuration mode, as shown below. OSPF will still insert the authentication key as clear text in the OSPF header. In fact, the service password-encryption command does not affect how OSPF operates, it just encrypts all clear text passwords stored in the running-configuration file.

R1(config)# service password-encryption

Now, the OSPF authentication password is saved as encrypted text in RAM (Exhibit 6).

R1# show running-config interface gigabitEthernet 0/2
Building configuration...

Current configuration : 199 bytes
!
interface GigabitEthernet0/2
 ip address 10.0.12.1 255.255.255.0
 ip ospf authentication-key 7 1511021F0725
 ip ospf network point-to-point
 shutdown
 duplex auto
 speed auto
 media-type rj45
end

Exhibit 6 – OSPF simple password stored as encrypted text in RAM

How to verify OSPF Plain Text Authentication on Cisco IOS?

On Cisco IOS, you can use the show ip ospf and show ip ospf interface commands to troubleshoot and verify OSPF authentication whether it is plain text, MD5, or HMAC-SHA-based. The show ip ospf command tells what type of authentication is applied to each area, while the show ip ospf interface indicates the authentication method attached to each interface.

R1# show ip ospf
 Routing Process "ospf 1" with ID 10.0.13.1
 Start time: 00:15:44.050, Time elapsed: 00:25:02.151
 Supports only single TOS(TOS0) routes
 Supports opaque LSA
 Supports Link-local Signaling (LLS)
 Supports area transit capability
 Supports NSSA (compatible with RFC 3101)
 Supports Database Exchange Summary List Optimization (RFC 5243)
 Event-log enabled, Maximum number of events: 1000, Mode: cyclic
 Router is not originating router-LSAs with maximum metric
 Initial SPF schedule delay 5000 msecs
 Minimum hold time between two consecutive SPFs 10000 msecs
 Maximum wait time between two consecutive SPFs 10000 msecs
 Incremental-SPF disabled
 Minimum LSA interval 5 secs
 Minimum LSA arrival 1000 msecs
 LSA group pacing timer 240 secs
 Interface flood pacing timer 33 msecs
 Retransmission pacing timer 66 msecs
 EXCHANGE/LOADING adjacency limit: initial 300, process maximum 300
 Number of external LSA 0. Checksum Sum 0x000000
 Number of opaque AS LSA 0. Checksum Sum 0x000000
 Number of DCbitless external and opaque AS LSA 0
 Number of DoNotAge external and opaque AS LSA 0
 Number of areas in this router is 1. 1 normal 0 stub 0 nssa
 Number of areas transit capable is 0
 External flood list length 0
 IETF NSF helper support enabled
 Cisco NSF helper support enabled
 Reference bandwidth unit is 100 mbps
    Area BACKBONE(0)
        Number of interfaces in this area is 2
        Area has simple password authentication
        SPF algorithm last executed 00:07:16.692 ago
        SPF algorithm executed 2 times
        Area ranges are
        Number of LSA 3. Checksum Sum 0x015D35
        Number of opaque link LSA 0. Checksum Sum 0x000000
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0

Exhibit 7 – OSPF plain text authentication applied to area 0

R1# show ip ospf interface gigabitEthernet 0/2
GigabitEthernet0/2 is up, line protocol is up 
  Internet Address 10.0.12.1/24, Area 0, Attached via Network Statement
  Process ID 1, Router ID 10.0.13.1, Network Type POINT_TO_POINT, Cost: 1
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           1         no          no            Base
  Transmit Delay is 1 sec, State POINT_TO_POINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:01
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 1/1/1, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1 
    Adjacent with neighbor 10.0.12.2
  Suppress hello for 0 neighbor(s)
  Simple password authentication enabled

Exhibit 8 – OSPF clear text authentication applied to interface GigabitEthernet 0/2

OSPF Simple Password Authentication Alternatives

OSPF plain text authentication is not the more secure way to detect unauthorized OSPF traffic. In fact, you can either use MD5 or HMAC-SHA authentication methods, which protect OSPF packets from being corrupted. OSPF MD5 and HMAC-SHA are easy to configure and they do not consume a high volume of CPU cycles.

Related Lessons to OSPF Plain Text Authentication

Conclusion

I hope this blog post helps you learn something.
Now I’d like to turn it over to you:
What did you like about this tutorial?
Or maybe you have an excellent idea that you think I need to add.
Either way, let me know by leaving a comment below right now.

Mohamed Ouamer
Mohamed Ouamer is a computer science teacher and a self-published author. He taught networking technologies and programming for more than fifteen years. While he loves to share knowledge and write, Mohamed's best passions include spending time with his family, visiting his parents, and learning new things.