Sunday, December 18, 2011

OSPF Authentication

OSPF neighbor authentication (also known as neighbor router authentication or route authentication) configures OSPF routers to participate in the routing domain only with neighbors that present a predefined password. This prevents an OSPF router from accepting unauthorized or fraudulent routing updates from unknown sources.

OSPF uses the null authentication method by default, which means that routing updates exchanged between neighbors are not authenticated at all. OSPF supports the simple password (plain text) and Message Digest 5 (MD5) cryptographic checksum authentication methods. OSPF MD5 authentication includes a non-decreasing cryptographic sequence number in every OSPF packet to protect against replay attacks. The message digest is appended to the end of an OSPF packet and is not considered part of the packet itself.
Note: An OSPF router with the ip ospf authentication null interface subcommand configured on an interface would still establish an adjacency and exchange routing information through that interface with another OSPF router that has no authentication configured.

OSPF Simple Password Authentication Configuration

The ip ospf authentication-key {passwd} interface subcommand specifies the password to be used when performing OSPF simple password authentication with neighboring routers. A router only accepts a password as a continuous string of up to 8 characters. It displays the "%OSPF: Warning: The password/key will be truncated to 8 characters" warning message when the password is longer than 8 characters, and uses only the first 8 characters. The password is inserted directly into the Authentication Data field of the OSPF header of all OSPF packets originated from the router. All neighboring routers residing on the same network must have the same password to establish adjacencies and exchange routing information. Different passwords can be assigned to different networks, as this command works on a per-interface basis.
Note: The service password-encryption global configuration command changes how the plain text password appears in the startup and running configuration files.

The ip ospf authentication [message-digest | null] interface subcommand specifies the authentication method for an interface. Issue this command without any parameter to enable simple password authentication. This command overrides the authentication method specified with the area {area-id} authentication [message-digest] router subcommand.

The debug ip ospf adj privileged command displays OSPF adjacency-related events and is useful for troubleshooting OSPF authentication. Note: This command does not display any OSPF authentication information, but it does display OSPF authentication failures if there are any. The following debug messages are shown for authentication type and authentication key mismatches.
XX:XX:XX: OSPF: Rcv pkt from 192.168.1.2, FastEthernet0/0 : Mismatch Authentication type. Input packet specified type 2, we use type 1
======================================================================
XX:XX:XX: OSPF: Rcv pkt from 192.168.1.2, FastEthernet0/0 : Mismatch Authentication Key - Clear Text
======================================================================
XX:XX:XX: OSPF: Rcv pkt from 192.168.1.2, FastEthernet0/0 : Mismatch Authentication Key - Message Digest Key 1
======================================================================
XX:XX:XX: OSPF: Rcv pkt from 192.168.1.2, FastEthernet0/0 : Mismatch Authentication Key - No message digest key 2 on interface

OSPF MD5 Cryptographic Checksum Authentication Configuration

The ip ospf message-digest-key {key-id} md5 {key} interface subcommand specifies the key to be used when performing OSPF MD5 authentication with neighboring routers. The key-id is an identifier in the range from 1 to 255, while the key is a continuous string of up to 16 characters. The key-id and MD5 key are used to generate and verify a message digest (or hash) that is appended to the end of all OSPF packets. All neighboring routers residing on the same network must have the same key-id and MD5 key to establish adjacencies and exchange routing information. Different MD5 keys can be assigned to different networks, as this command works on a per-interface basis.
Note: The service password-encryption global configuration command changes how the MD5 key appears in the startup and running configuration files.

The cryptographic sequence number increases at a rate of 1 per second. The Cisco implementation of OSPF uses the UNIX epoch as the reference point, i.e. the number of seconds elapsed since 1st Jan 1970 (UTC). www.epochconverter.com can be used to find out the exact time at which an MD5-authenticated OSPF packet was generated by a Cisco router. The 32-bit cryptographic sequence number field will roll over at 6:28:15 on 7th Feb 2106 (UTC).

The key-id allows uninterrupted transitions between MD5 keys and therefore allows the OSPF key to be changed without interrupting the OSPF adjacencies between routers. When an interface is configured with an additional MD5 key, the router sends multiple copies of the same OSPF packet, each authenticated with a different MD5 key. The router stops sending the duplicate packets once it has received OSPF packets from its neighbors that were authenticated using the new MD5 key, at which point it concludes that all its neighbors have adopted the new key. Once all neighbors have been updated with the new MD5 key, the old MD5 key should be removed to prevent the router from communicating with hostile systems that know the old MD5 key.
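
To make the MD5 mechanism described above concrete (key-id and key, digest appended after the packet, epoch-based sequence number, and a rollover where the receiver holds both the old and the new key), here is an added Python example that is not part of the original post or Cisco code. It follows the digest construction of RFC 2328 Appendix D; the function names, the sample Hello body and the assumption that keys shorter than 16 characters are zero-padded are mine.

```python
import hashlib
import struct

AUTH_LEN = 16  # MD5 digest length; also the 16-character key limit from the post

# Constructed sample Hello body (not a capture): network mask, hello interval 10,
# options, router priority 1, dead interval 40, DR and BDR both 0.0.0.0.
SAMPLE_BODY = b"\xff\xff\xff\x00" + struct.pack("!HBBI", 10, 0x02, 1, 40) + bytes(8)

def _padded_key(key: str) -> bytes:
    # Keys longer than 16 characters are cut to 16; shorter ones are zero-padded
    # (padding is an assumption here; the post only states the length limit).
    return key.encode()[:AUTH_LEN].ljust(AUTH_LEN, b"\x00")

def build_md5_packet(router_id, area_id, key_id, key, seq, body):
    """OSPFv2 Hello (type 1) with AuType 2 and the MD5 digest appended.
    seq is the cryptographic sequence number; Cisco uses seconds since the UNIX epoch."""
    length = 24 + len(body)              # the digest is not counted in Length
    header = struct.pack("!BBH4s4sHH", 2, 1, length,
                         bytes(map(int, router_id.split("."))),
                         bytes(map(int, area_id.split("."))),
                         0,               # checksum field is unused with AuType 2
                         2)               # AuType 2 = cryptographic authentication
    auth = struct.pack("!HBBI", 0, key_id, AUTH_LEN, seq)   # reserved, key-id, len, seq
    pkt = header + auth + body
    # RFC 2328 D.4.3: append the key, MD5 the whole thing, digest replaces the key
    return pkt + hashlib.md5(pkt + _padded_key(key)).digest()

def verify_md5_packet(pkt, keys, last_seq):
    """Verify the digest and the non-decreasing sequence number. Returns (accepted, reason, seq).
    keys maps key-id -> key; during a rollover it holds the old and the new key."""
    length = struct.unpack("!H", pkt[2:4])[0]
    key_id, auth_len, seq = struct.unpack("!BBI", pkt[18:24])
    if key_id not in keys:
        return False, f"No message digest key {key_id} on interface", seq
    if seq < last_seq:
        return False, "Sequence number decreased (possible replay)", seq
    body, digest = pkt[:length], pkt[length:length + auth_len]
    if digest != hashlib.md5(body + _padded_key(keys[key_id])).digest():
        return False, f"Mismatch Authentication Key - Message Digest Key {key_id}", seq
    return True, "ok", seq

if __name__ == "__main__":
    both = {1: "cisco123", 2: "n3wk3y"}            # receiver mid-rollover
    p1 = build_md5_packet("1.1.1.1", "0.0.0.0", 1, "cisco123", 1324166400, SAMPLE_BODY)
    print(verify_md5_packet(p1, both, 0))            # old key still accepted
    p2 = build_md5_packet("1.1.1.1", "0.0.0.0", 2, "n3wk3y", 1324166401, SAMPLE_BODY)
    print(verify_md5_packet(p2, {1: "cisco123"}, 0)) # neighbor lacks key 2
    print(verify_md5_packet(p1, both, 1324166401))   # replayed older seq rejected
```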

The show ip ospf interface [intf-type intf-num] EXEC command displays the OSPF authentication method configured for an interface.
Router#sh ip ospf int fa0/0 | in authentication
  Simple password authentication enabled
Router#sh ip ospf int fa1/0 | in authentication
  Message digest authentication enabled
