OSPF Authentication

OSPF provides link security in the form of routing-update authentication: OSPF packets can be authenticated so that only routers holding a predefined password participate in a routing domain. By default a router uses Null authentication, meaning routing exchanges over the network are not authenticated at all. Two other authentication methods exist:

  • Simple password authentication: Simple password authentication allows one password (key) to be configured per area. Routers in the same area that want to participate in the routing domain must be configured with the same key. The drawback of this method is that it is vulnerable to passive attacks: anyone with a link analyzer (packet sniffer) can read the password straight off the wire.

  • Message Digest authentication (MD5): Message Digest authentication is a cryptographic authentication. A key (password) and a key-id are configured on each router. The router runs an algorithm over the OSPF packet, the key, and the key-id to produce a "message digest" that is appended to the packet. Unlike simple authentication, the key itself is never sent over the wire. A non-decreasing sequence number is also included in each OSPF packet to protect against replay attacks.

  • Replay attack protection: A replay attack is one in which a valid data transmission is maliciously or fraudulently repeated, either by the originator or by an adversary who intercepts the data and retransmits it, often as part of a masquerade attack against the enterprise network.
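As an added illustration (not code from the handbook), the following Python builds the two authenticated OSPF header forms described above and implements the receiver-side checks a router performs on an MD5-authenticated packet: key lookup by key-id, digest verification, and the non-decreasing sequence-number test. It assumes the RFC 2328 Appendix D construction for the digest (MD5 computed over the packet followed by the key zero-padded to 16 bytes, with the checksum field left at zero); the router ID, area, keys and hello body are constructed sample values, not taken from any real network.

```python
import hashlib
import hmac
import struct

# Constructed sample values for the example (not from a real deployment).
ROUTER_ID = 0xC0A80101          # 192.168.1.1
AREA_ID = 0                     # backbone area
AU_NULL, AU_SIMPLE, AU_CRYPTO = 0, 1, 2
HDR = struct.Struct("!BBHIIHH")  # version, type, length, router id, area id, checksum, autype
HDR_LEN = HDR.size + 8           # fixed header fields plus the 8-byte authentication field
# A 20-byte Hello body: netmask, hello interval, options, priority, dead interval, DR, BDR.
HELLO_BODY = struct.pack("!IHBBIII", 0xFFFFFF00, 10, 0x02, 1, 40, 0, 0)


def simple_auth_packet(body: bytes, password: bytes) -> bytes:
    """AuType 1: the cleartext password itself rides in the 8-byte auth field."""
    auth = password.ljust(8, b"\x00")[:8]
    hdr = HDR.pack(2, 1, HDR_LEN + len(body), ROUTER_ID, AREA_ID, 0, AU_SIMPLE)
    return hdr + auth + body


def _md5_digest(pkt: bytes, key: bytes) -> bytes:
    # RFC 2328 App. D: MD5 over (packet || key zero-padded to 16 bytes).
    return hashlib.md5(pkt + key.ljust(16, b"\x00")[:16]).digest()


def md5_auth_packet(body: bytes, key_id: int, key: bytes, seq: int) -> bytes:
    """AuType 2: auth field carries key-id, digest length (16) and the sequence
    number; the key never appears on the wire, only the digest appended after
    the packet (not counted in the length field)."""
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    hdr = HDR.pack(2, 1, HDR_LEN + len(body), ROUTER_ID, AREA_ID, 0, AU_CRYPTO)
    pkt = hdr + auth + body
    return pkt + _md5_digest(pkt, key)


class Neighbor:
    """Receiver-side state: configured keys by key-id, last sequence number per sender."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.last_seq = {}

    def accept(self, wire: bytes) -> tuple:
        version, ptype, length, rid, area, csum, autype = HDR.unpack_from(wire)
        if autype != AU_CRYPTO:
            return False, "packet is not cryptographically authenticated"
        _, key_id, auth_len, seq = struct.unpack_from("!HBBI", wire, HDR.size)
        key = self.keys.get(key_id)
        if key is None or auth_len != 16:
            return False, f"unknown key-id {key_id} or bad digest length"
        pkt, digest = wire[:length], wire[length:length + 16]
        # Constant-time compare: a mismatch means wrong key or a modified packet.
        if not hmac.compare_digest(digest, _md5_digest(pkt, key)):
            return False, "digest mismatch (wrong key or modified packet)"
        # Sequence must be non-decreasing; an older number indicates a replay.
        # Note that the rule admits a re-sent copy carrying the current number,
        # so the sequence check alone does not catch an immediate duplicate.
        if seq < self.last_seq.get(rid, 0):
            return False, f"sequence {seq} below last seen {self.last_seq[rid]}: replay"
        self.last_seq[rid] = seq
        return True, "accepted"


if __name__ == "__main__":
    nbr = Neighbor({1: b"s3cret"})
    good = md5_auth_packet(HELLO_BODY, 1, b"s3cret", 100)
    print(nbr.accept(good))                                      # (True, 'accepted')
    print(nbr.accept(md5_auth_packet(HELLO_BODY, 1, b"s3cret", 50)))  # replay, rejected
    print(simple_auth_packet(HELLO_BODY, b"cisco")[16:24])       # password visible in header
```

Running the block shows the contrast the text draws: with simple authentication the password bytes sit in the header where any capture reveals them, while with MD5 authentication only the key-id, sequence number and digest are visible, and a packet with a stale sequence number, a wrong key, or a modified body is rejected by the receiver.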

Network Sales and Services Handbook (Cisco Press Networking Technology)
ISBN: 1587050900
Year: 2005
Pages: 269