16.3 OSPF Authentication Configuration

OSPFv2 supports two authentication methods: MD5 and plaintext/simple.

The authentication type field signals no authentication (0), plaintext authentication (1), or MD5-based authentication (2). With MD5, the hash is included in the authentication field and is computed over the key and the packet message body.

Configuring plaintext authentication in OSPFv2:

Assign the key to the interface, and enable authentication at either the interface level or in the OSPFv2 routing process.

Note: make sure service password-encryption is enabled, or the plaintext key will be stored in clear text in the configuration.

Configuring OSPFv2 MD5 authentication:

The key also requires a key ID (in this case, 1). The key ID is sent with the key; if more than one key ID/key is specified, the router sends multiple copies of the packet with authentication by each of the keys. This allows for rollover of the keys, where older keys will not be used once the router detects the other system has adopted the new key.
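Added example, not part of the original notes: a Python model of the authentication type check and the MD5 digest verification a receiving router performs, following the packet layout in RFC 2328 Appendix D (the authentication field carries the key ID, digest length and sequence number, and the 16-byte digest follows the packet). The function names, the sample keys and the Hello body are constructed for illustration.

```python
import hashlib
import hmac
import struct

AUTYPE_NAMES = {0: "none", 1: "plaintext", 2: "MD5"}
HEADER = struct.Struct("!BBHIIHH")   # version, type, length, router ID, area ID, checksum, AuType
AUTH = struct.Struct("!HBBI")        # zero, key ID, digest length, sequence number

# Constructed Hello body: mask /24, hello 10 s, options, priority 1, dead 40 s, no DR/BDR.
SAMPLE_HELLO = struct.pack("!IHBBIII", 0xFFFFFF00, 10, 2, 1, 40, 0, 0)

def pad_key(key):
    """Keys are at most 16 bytes and are zero-padded to exactly 16 for hashing."""
    return key[:16].ljust(16, b"\x00")

def build_md5_packet(body, router_id, area_id, key_id, seq, key, pkt_type=1):
    """Sender side: AuType 2 header, then the digest appended after the packet."""
    length = HEADER.size + AUTH.size + len(body)   # digest is not counted in this field
    packet = (HEADER.pack(2, pkt_type, length, router_id, area_id, 0, 2)
              + AUTH.pack(0, key_id, 16, seq) + body)
    return packet + hashlib.md5(packet + pad_key(key)).digest()

def check_packet(raw, keys):
    """Receiver side: return (authentication type name, digest verified?)."""
    if len(raw) < HEADER.size + AUTH.size:
        return "truncated", False
    version, _t, length, _rid, _area, _ck, autype = HEADER.unpack_from(raw, 0)
    name = AUTYPE_NAMES.get(autype, "unknown")
    if version != 2 or autype != 2:
        return name, False            # types 0 and 1 carry no digest to verify
    _zero, key_id, digest_len, _seq = AUTH.unpack_from(raw, HEADER.size)
    key = keys.get(key_id)            # the key ID selects which configured key to use
    if key is None or digest_len != 16 or len(raw) != length + 16:
        return name, False
    expected = hashlib.md5(raw[:length] + pad_key(key)).digest()
    return name, hmac.compare_digest(expected, raw[length:])

if __name__ == "__main__":
    keys = {1: b"old-constructed", 2: b"new-constructed"}   # two keys during rollover
    pkt = build_md5_packet(SAMPLE_HELLO, 0x01010101, 0, 2, 1000, keys[2])
    print(check_packet(pkt, keys))                 # signed with key ID 2, which is configured
    print(check_packet(pkt, {2: b"wrong-key"}))    # same key ID, mismatched key
```

A receiver also tracks the sequence number per neighbor and drops packets whose number is lower than the last one accepted; that replay check is left out here.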

OSPFv3 Details:

  • OSPFv3 uses IPsec for authentication and encryption of the router updates. It uses AH (Authentication Header) for authentication and ESP (Encapsulating Security Payload) for encryption.
  • A security policy must be identified on the router, including the key and an SPI value.
  • The authentication fields are removed from the OSPFv3 protocol itself. OSPFv3 relies instead on the native IPsec mechanisms carried in the IPv6 extension headers.
  • You can configure authentication alone using the ipv6 ospf authentication command, or with ESP using the ipv6 ospf encryption command (whose syntax contains the authentication key configuration).

Authentication only, per interface.

With encryption, per interface.

To configure per area, replace the interface command syntax ipv6 ospf with area <area#> under the routing process. The rest of the syntax is unchanged.

To validate IPsec security associations, use the show crypto ipsec sa interface <interface> command.