Previous section   Next section

Recipe 8.9 Enabling OSPF Authentication

8.9.1 Problem

You want to authenticate your OSPF neighbor relationships to ensure that no unauthorized equipment is allowed to affect routing.

8.9.2 Solution

To enable OSPF MD5 authentication, you need to define the encryption key, which is essentially just a password on an interface. You must also enable authentication for the entire area. For the first router, you could do this as follows:

Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#interface Serial0/1
Router1(config-if)#ip ospf message-digest-key 1 md5 oreilly
Router1(config-if)#exit
Router1(config)#router ospf 55
Router1(config-router)#area 2 authentication message-digest
Router1(config-router)#end
Router1#

Similarly, you must enable OSPF authentication on other routers in the area, making sure that the authentication keys match on all interfaces that share the same network segment:

Router2#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#interface Serial0/0
Router2(config-if)#ip ospf message-digest-key 1 md5 oreilly
Router2(config-if)#exit
Router2(config)#router ospf 12
Router2(config-router)#area 2 authentication message-digest 
Router2(config-router)#end
Router2#

8.9.3 Discussion

RFC 2328, which defines OSPF Version 2, includes three different types of authentication for OSPF: null authentication, simple password authentication, and cryptographic authentication. Null authentication simply means that there is no authentication, which is the default on Cisco routers. In the simple password method of authentication, passwords are exchanged in clear-text on the network. Even the RFC that specifies this method points out that it is easily compromised. Anybody who wants to deliberately corrupt your routing tables needs to have direct access to your network to do so anyway. Having that access means that it is relatively easy to capture these passwords. We recommend that you use the cryptographic authentication method if you require authentication with OSPF.

The cryptographic method uses the open standard Message Digest Type 5 (MD5) encryption standard. MD5 is a one-way irreversible cipher. Two devices exchange only the MD5 encrypted versions of the password. Both devices know the same password, and each router is able to verify that the encrypted password that it receives is correct by using the same algorithm to encrypt the password that it already knows. To make sure that nobody can just intercept and use the encrypted version of the password directly, a time value that the receiving router also knows is added to the password before encrypting. Anybody else listening on the network is only able to see the encrypted version of the password, but they cannot deduce the original password.

Unfortunately, the RFC is not completely clear on how this time value should be added to the original pass phrase, nor does it mandate MD5 encryption. So there is a good chance that cryptographic authentication will not work well between routers from different vendors.

If you use authentication in an OSPF area, you must configure all of the routers in the area to support authentication. Every interface on a router doesn't have to be configured with authentication. But if you require authentication in any part of an area, you must include authentication support throughout the area. In the above example, this is done for Area 2 with the following command:

Router2(config-router)#area 2 authentication message-digest

The show ip ospf interface command shows that we have configured authentication on this interface:

Router2#show ip ospf interface Serial0/0
Serial0/0 is up, line protocol is up 
  Internet Address 10.1.1.1/30, Area 2 
  Process ID 12, Router ID 192.168.30.1, Network Type POINT_TO_POINT, Cost: 130
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:06
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1 
    Adjacent with neighbor 172.25.25.1
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1
Router2#

Note that we are using "Message digest authentication," (meaning MD5) and that key number 1 is currently active.

You can use a different key on each of a router's interfaces, or a single password throughout the entire network. All that matters is that all of the routers on a single network segment use the same OSPF key for the interfaces that share this segment. The problem with using too many different keys is that it can become rather difficult to manage.

You can also configure several keys on a single interface. We recommend using this as a transition method while changing keys, and the old keys should be removed quickly to prevent anybody from gaining access using an old key:

Router2#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#interface Serial0/0
Router2(config-if)#ip ospf message-digest-key 1 md5 oreilly
Router2(config-if)#ip ospf message-digest-key 2 md5 cookbook
Router2(config-if)#end
Router2#

In this case we have defined two keys, which have key numbers 1 and 2, respectively:

Router2#show ip ospf interface Serial0/0
Serial0/0 is up, line protocol is up 
  Internet Address 10.1.1.1/30, Area 2 
  Process ID 12, Router ID 192.168.30.1, Network Type POINT_TO_POINT, Cost: 130
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:03
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1 
    Adjacent with neighbor 172.25.25.1
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 2
    Rollover in progress, 1 neighbor(s) using the old key(s):
      key id 1
Router2#

This display indicates that key number 2 is the newest, and that one neighbor is still using the old key. This command is useful when you want to see if it is safe to remove the old key yet.

Looking at the router's configuration file, you can see that these keys are stored in plain-text by default:

interface Serial0/0
 ip address 10.1.1.1 255.255.255.252
 ip ospf message-digest-key 1 md5 oreilly
 ip ospf message-digest-key 2 md5 cookbook

If you define the password encryption service on the router, it will store these keys using the weak Cisco type 7 encryption method:

Router2#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#service password-encryption
Router2(config)#end

As we discussed in Chapter 2, this causes the router to store passwords in an encrypted form when you view the configuration file. However, this encryption method can easily be broken if somebody gains access to the router. It is still useful, though, to prevent somebody from getting the passwords by looking over your shoulder.

If you want to use authentication, but the neighboring devices don't support MD5, use clear-text authentication:

Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#interface Serial0/1
Router1(config-if)#ip ospf authentication-key oreilly
Router1(config-if)#exit
Router1(config)#router ospf 55
Router1(config-router)#area 2 authentication
Router1(config-router)#end
Router1#

As with MD5 authentication, if you configure clear-text authentication on an interface, you must configure the same authentication method and the same key on all other routers that share this segment:

Router2#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#interface Serial0/0
Router2(config-if)#ip ospf authentication-key oreilly
Router2(config-if)#exit
Router2(config)#router ospf 12
Router2(config-router)#area 2 authentication
Router2(config-router)#end
Router2#

The output of the show ip ospf interface command now indicates the alternative authentication method:

Router2#show ip ospf interface Serial0/0
Serial0/0 is up, line protocol is up 
  Internet Address 10.1.1.1/30, Area 2 
  Process ID 12, Router ID 192.168.30.1, Network Type POINT_TO_POINT, Cost: 130
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:07
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1 
    Adjacent with neighbor 172.25.25.1
  Suppress hello for 0 neighbor(s)
  Simple password authentication enabled
Router2#

8.9.4 See Also

Chapter 2


  Previous section   Next section
Top