OSPF Authentication Password and MD5 Explained
OSPF supports authentication. When authentication is enabled, a router accepts OSPF
packets only from neighbors that authenticate successfully, so routing information is
exchanged only with trusted routers. There are three types of OSPF authentication: none,
simple, and MD5.
The none method uses no authentication. It is the default method. It is also called Type
0 authentication.
The simple authentication method uses a password. Routers send the password in clear
text over the network. It is also known as Type 1 authentication. The MD5 method uses
a hash algorithm to authenticate routers; the password itself is never sent over the
network. It is known as Type 2 authentication. Among these types, it is the most secure
authentication method.
Create a practice lab and assign IP configuration, as shown in the following image.
Type 0 OSPF authentication uses the null (none) value for authentication. It is the default
authentication method and needs no additional configuration: as soon as OSPF is
configured, it runs with Type 0 authentication.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#router ospf 1
Router(config-router)#network 192.168.1.0 0.0.0.255 area 0
Router(config-router)#network 192.168.2.0 0.0.0.255 area 0
Router(config-router)#exit
Router(config)#exit
Router#
The following commands configure OSPF on R3.
Router>enable
Router#configure terminal
Router(config)#router ospf 1
Router(config-router)#network 192.168.2.0 0.0.0.255 area 0
Router(config-router)#network 192.168.3.0 0.0.0.255 area 0
Router(config-router)#exit
Router(config)#exit
Router#
As the above configuration shows, the OSPF interfaces are running without authentication.
They will build neighborship and exchange routing information. We can use the 'show ip
route ospf' and 'show ip ospf neighbor' commands to verify OSPF neighborship and the
exchange of routing information.
Type 1 authentication requires the following two commands:
• area area-id authentication (Run this command under router ospf [process-id])
• ip ospf authentication-key key (Run this command under the specific interface)
The first command enables Type 1 authentication. The second command configures a
password. The authentication type is configured per area: every router in the area must
use the same type of authentication. The password is configured per interface, so each
link can use its own password, but the two directly connected interfaces on a link must
use the same password.
The following commands enable Type 1 OSPF authentication and configure passwords
on R1.
Router(config)#router ospf 1
Router(config-router)#area 0 authentication
Router(config-router)#exit
Router(config)#interface fastethernet 0/0
Router(config-if)#ip ospf authentication-key cisco
Router(config-if)#exit
Router(config)#interface fastethernet 0/1
Router(config-if)#ip ospf authentication-key ccna
Router(config-if)#exit
Router(config)#
The following commands enable Type 1 OSPF authentication and configure passwords
on R2.
Router(config)#router ospf 1
Router(config-router)#area 0 authentication
Router(config-router)#exit
Router(config)#interface fastethernet 0/0
Router(config-if)#ip ospf authentication-key cisco
Router(config-if)#exit
Router(config)#interface fastethernet 0/1
Router(config-if)#ip ospf authentication-key ccnp
Router(config-if)#exit
Router(config)#
The following commands enable Type 1 OSPF authentication and configure passwords
on R3.
Router(config)#router ospf 1
Router(config-router)#area 0 authentication
Router(config-router)#exit
Router(config)#interface fastethernet 0/0
Router(config-if)#ip ospf authentication-key ccnp
Router(config-if)#exit
Router(config)#interface fastethernet 0/1
Router(config-if)#ip ospf authentication-key ccna
Router(config-if)#exit
Router(config)#
Verifying Type 1 OSPF authentication
We use the 'show ip ospf interface' command to view the OSPF configuration on all
interfaces running an OSPF process. The output of this command includes the type of
authentication configured on the interface.
You can use the same commands on R2 and R3 to verify OSPF authentication and
configuration.
Type 1 authentication sends passwords in clear text over the network. An adversary can
use a packet sniffer to capture packets from the network and then a protocol analyzer to
read the passwords from the captured packets. OSPF supports Type 2 authentication to
overcome this security issue.
Type 2 authentication uses the MD5 algorithm to compute a hash value from the outgoing
OSPF packet's contents and the password configured on the interface. It transmits the
hash value in the packet with a key ID and a non-decreasing sequence number.
The receiver, which knows the same password, calculates its own hash value and compares
it with the hash value carried in the packet. If the packet is intact, both hash values
match. If they do not match, the packet was tampered with in transit (or was not built
with the same password), and the receiver discards it.
The key ID lets routers hold multiple passwords at the same time, which makes changing
passwords easy and safe. For example, we can configure the new password under a
different key ID on both routers and then remove the first key ID.
As with Type 1, you can use different passwords on different interfaces. However, the
directly connected interfaces on a link need the same password.
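To make the two preceding points concrete (the Type 1 password is readable in a capture; the Type 2 digest, key ID and sequence number let the receiver reject tampered, replayed or wrongly keyed packets), here is an added Python example. It is not code from the original article and not Cisco IOS code. It builds a simplified OSPFv2 Hello with a constructed body, computes the Type 2 digest the way RFC 2328 Appendix D describes it (MD5 over the packet followed by the key padded to 16 bytes, with the digest appended after the packet), and runs a receiver-side check. The router IDs, the Hello body values and the R1-to-R2 exchange are constructed for the example; the key IDs and passwords are the ones the lab configures on R2.

```python
"""Toy OSPFv2 Hello builder with Type 0/1/2 authentication (RFC 2328 Appendix D)."""
import hashlib
import hmac
import struct

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTH_NULL, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2
HEADER_LEN = 24   # OSPFv2 header size in bytes
DIGEST_LEN = 16   # MD5 digest appended after the packet for Type 2
AUTH_NAMES = {AUTH_NULL: "null", AUTH_SIMPLE: "simple (cleartext)", AUTH_CRYPTO: "MD5"}

# Constructed Hello body: mask, hello interval, options, priority, dead interval, DR, BDR.
SAMPLE_HELLO_BODY = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, 0x02, 1, 40,
                                bytes(4), bytes(4))


def ospf_checksum(pkt: bytes) -> int:
    """Standard (non-cryptographic) OSPF checksum: ones-complement sum over the
    packet with the checksum field zeroed and the 8-byte authentication field excluded."""
    data = pkt[:12] + b"\x00\x00" + pkt[14:16] + pkt[24:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(router_id: bytes, area_id: bytes, body: bytes, autype: int,
                 auth_field: bytes = bytes(8)) -> bytes:
    """Assemble header + body. For Type 1 the password sits in the 8-byte auth field
    as-is; for Type 2 the checksum field stays zero (RFC 2328 does not use it then)."""
    length = HEADER_LEN + len(body)
    pkt = struct.pack("!BBH4s4sHH8s", OSPF_VERSION, OSPF_HELLO, length, router_id, area_id,
                      0, autype, auth_field.ljust(8, b"\x00")) + body
    if autype != AUTH_CRYPTO:
        pkt = pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]
    return pkt


def sign_md5(router_id: bytes, area_id: bytes, body: bytes, key_id: int, key: bytes,
             seq: int) -> bytes:
    """Type 2: auth field = reserved(2) | key ID(1) | auth data length(1) | sequence(4);
    digest = MD5(packet || key padded to 16 bytes). The key never goes on the wire."""
    auth_field = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    pkt = build_packet(router_id, area_id, body, AUTH_CRYPTO, auth_field)
    digest = hashlib.md5(pkt + key.ljust(DIGEST_LEN, b"\x00")).digest()
    return pkt + digest


def classify_auth(pkt: bytes) -> dict:
    """What a passive capture of the packet reveals for each authentication type."""
    autype, auth = struct.unpack("!H8s", pkt[14:24])
    info = {"autype": autype, "name": AUTH_NAMES.get(autype, "unknown")}
    if autype == AUTH_SIMPLE:
        info["password"] = auth.rstrip(b"\x00").decode()   # readable straight off the wire
    elif autype == AUTH_CRYPTO:
        _, info["key_id"], _, info["seq"] = struct.unpack("!HBBI", auth)   # digest hides the key
    return info


def verify_md5(pkt: bytes, keys: dict, last_seq: int) -> tuple:
    """Receiver-side check: known key ID, non-decreasing sequence number, and a digest
    that matches a recomputation with the locally configured key for that key ID."""
    if len(pkt) < HEADER_LEN:
        return False, "short packet"
    (length,) = struct.unpack("!H", pkt[2:4])
    (autype,) = struct.unpack("!H", pkt[14:16])
    if autype != AUTH_CRYPTO:
        return False, "area expects MD5 but packet uses %s" % AUTH_NAMES.get(autype, "unknown")
    _, key_id, auth_len, seq = struct.unpack("!HBBI", pkt[16:24])
    if auth_len != DIGEST_LEN or len(pkt) != length + DIGEST_LEN:
        return False, "bad length"
    if key_id not in keys:
        return False, "unknown key ID %d" % key_id
    if seq < last_seq:
        return False, "sequence number went backwards (replay?)"
    body, received = pkt[:length], pkt[length:]
    expected = hashlib.md5(body + keys[key_id].ljust(DIGEST_LEN, b"\x00")).digest()
    if not hmac.compare_digest(expected, received):   # constant-time comparison
        return False, "digest mismatch (wrong key or tampered packet)"
    return True, "ok"


def demo() -> dict:
    """Constructed exchange from R1 (router ID 1.1.1.1) to R2 on the 'cisco' link."""
    r1, area0 = bytes([1, 1, 1, 1]), bytes(4)
    r2_keys = {1: b"cisco", 2: b"ccnp"}   # R2's message-digest keys from the lab
    results = {}
    simple = build_packet(r1, area0, SAMPLE_HELLO_BODY, AUTH_SIMPLE, b"cisco")
    results["type1_leak"] = classify_auth(simple)["password"]
    signed = sign_md5(r1, area0, SAMPLE_HELLO_BODY, 1, b"cisco", 100)
    results["good"] = verify_md5(signed, r2_keys, 99)
    tampered = signed[:4] + bytes([9, 9, 9, 9]) + signed[8:]   # router ID altered in transit
    results["tampered"] = verify_md5(tampered, r2_keys, 99)
    results["replay"] = verify_md5(signed, r2_keys, 101)        # older sequence than last seen
    results["wrong_key"] = verify_md5(sign_md5(r1, area0, SAMPLE_HELLO_BODY, 1, b"ccna", 100), r2_keys, 99)
    results["unknown_id"] = verify_md5(sign_md5(r1, area0, SAMPLE_HELLO_BODY, 3, b"ccna", 100), r2_keys, 99)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The `keys` dictionary in `verify_md5` is the receiver's equivalent of several `ip ospf message-digest-key` lines on one interface: during a rollover both the old and new key ID are present, so packets signed with either verify until the old ID is removed.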
The following commands enable Type 2 OSPF authentication on R1.
Router(config)#router ospf 1
Router(config-router)#area 0 authentication message-digest
Router(config-router)#exit
Router(config)#interface fastethernet 0/0
Router(config-if)#ip ospf message-digest-key 1 md5 cisco
Router(config-if)#exit
Router(config)#interface fastethernet 0/1
Router(config-if)#ip ospf message-digest-key 3 md5 ccna
Router(config-if)#exit
Router(config)#
The following commands enable Type 2 OSPF authentication on R2.
Router(config)#router ospf 1
Router(config-router)#area 0 authentication message-digest
Router(config-router)#exit
Router(config)#interface fastethernet 0/0
Router(config-if)#ip ospf message-digest-key 1 md5 cisco
Router(config-if)#exit
Router(config)#interface fastethernet 0/1
Router(config-if)#ip ospf message-digest-key 2 md5 ccnp
Router(config-if)#exit
Router(config)#
The following commands enable Type 2 OSPF authentication on R3.
Router(config)#router ospf 1
Router(config-router)#area 0 authentication message-digest
Router(config-router)#exit
Router(config)#interface fastethernet 0/0
Router(config-if)#ip ospf message-digest-key 2 md5 ccnp
Router(config-if)#exit
Router(config)#interface fastethernet 0/1
Router(config-if)#ip ospf message-digest-key 3 md5 ccna
Router(config-if)#exit
Router(config)#
Verifying Type 2 OSPF authentication
We can verify Type 2 authentication with the same commands we used for Type 1
authentication.
The following image shows the output of the 'show ip ospf interface' command on R2.
The following image shows the output of the 'show ip route ospf' and 'show ip ospf
neighbor' commands on R2.
You can use the same commands on R1 and R3 to verify OSPF authentication.
Key points:
• OSPF supports three types of authentication: null, password, and MD5.
• The null method is the default. It uses no password.
• The password method exchanges passwords in clear text over the network.
• The MD5 method exchanges a hash value generated by the MD5 algorithm over the network.
• We must configure the same type of authentication under the same OSPF area.
• We can use different passwords on interfaces.
• Directly connected interfaces must use the same password.