OSPF Authentication

OSPF uses two forms of authentication, Type 1 and Type 2. Both forms are fairly easy and straightforward to configure. When configuring passwords, do not enter an encryption type for the password on the interface. Instead, use the global command service password-encryption to enable protection for all passwords after the configuration is complete.

Type 1 Authentication

Type 1 authentication is clear-text authentication. If a sniffer is placed on the network, the password can still be captured, so Type 1 is less secure than Type 2. To configure Type 1 authentication, follow this two-step process:

- Step 1. Enable area authentication on all routers in that area. Use this router configuration command:

    Router(config-router)# area area_id authentication

- Step 2. Enter the clear-text password on the interface. Use this interface configuration command:

    Router(config-if)# ip ospf authentication-key password

The passwords and the authentication type must match on all interfaces in that area, or adjacencies will not be formed.

Type 2 Authentication

Type 2 authentication uses Message Digest 5 (MD5) cryptographic checksums. OSPF builds a hash value from the OSPF key and password. The hash is the only value sent across the link; no password is sent, which makes MD5 authentication secure. To configure Type 2 (MD5) authentication, follow this two-step process:

- Step 1. Enable MD5 area authentication on all routers in that area. Use this router configuration command:

    Router(config-router)# area area_id authentication message-digest

- Step 2. Set a key and password on a per-interface basis. Use this interface configuration command:

    Router(config-if)# ip ospf message-digest-key key_value md5 password

The key_value and password must match on all routers on that network. Different key values allow for quick password changes and for multiple passwords per area.

Type 1/Type 2 Authentication Example

Figure 12-12 shows a portion of a network in Area 10. Example 12-29 and Example 12-30 show the Type 1 and Type 2 authentication options for OSPF in this network.

Figure 12-12. OSPF Authentication

Example 12-29 OSPF Type 1 Authentication on Area 10

    !
    hostname peter
    !
    interface Ethernet0
     ip address 172.16.100.8 255.255.255.0
     ip ospf authentication-key cisco
    ! cisco is the password
    !
    router ospf 7
     network 172.16.100.8 0.0.0.0 area 10
     area 10 authentication
    ! Type 1 authentication enabled in area 10

    hostname mark
    !
    interface Ethernet0
     ip address 172.16.100.6 255.255.255.0
     no ip directed-broadcast
     ip ospf authentication-key cisco
    !
    router ospf 7
     router-id 192.168.250.6
     area 10 authentication
     network 172.16.6.0 0.0.0.255 area 10
     network 172.16.100.6 0.0.0.0 area 10
    !

Example 12-30 is the same configuration for Figure 12-11 using MD5 authentication.

Example 12-30 OSPF Type 2 Authentication on Area 10

    !
    hostname peter
    !
    interface Ethernet0
     ip address 172.16.100.8 255.255.255.0
     ip ospf message-digest-key 1 md5 cisco
    ! cisco is the password, key=1
    !
    router ospf 7
     network 172.16.100.8 0.0.0.0 area 10
     area 10 authentication message-digest
    ! Type 2 authentication enabled in area 10

    hostname mark
    !
    interface Ethernet0
     ip address 172.16.100.6 255.255.255.0
     no ip directed-broadcast
     ip ospf message-digest-key 1 md5 cisco
    !
    router ospf 7
     router-id 192.168.250.6
     area 10 authentication message-digest
     network 172.16.6.0 0.0.0.255 area 10
     network 172.16.100.6 0.0.0.0 area 10
    !
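The difference between the two types is easiest to see on the wire. The following Python model is an added example, not Cisco IOS code and not part of the book: it builds the OSPFv2 header as RFC 2328 Appendix D describes it, puts the password itself into the 8-byte authentication field for Type 1, and for Type 2 puts only the key ID and a cryptographic sequence number into the header and appends an MD5 digest computed over the packet plus the key (padded to 16 bytes). The Hello payload, router ID and area ID are constructed sample values; the key IDs and the password cisco mirror Example 12-30. It also shows the receiver-side checks a router performs (known key ID, digest match, non-decreasing sequence number), which is what lets a neighbor reject tampered or replayed packets, and why a dictionary of key IDs supports changing passwords without dropping the adjacency.

```python
"""Added example: OSPF Type 1 vs Type 2 authentication on the wire (RFC 2328 App. D).
Not IOS code; a stripped-down packet model with constructed sample values."""
import hashlib
import hmac
import struct

OSPF_VERSION = 2
OSPF_TYPE_HELLO = 1
AUTH_SIMPLE = 1   # Type 1: clear-text password in the 8-byte auth field
AUTH_CRYPT = 2    # Type 2: key ID + sequence number in header, MD5 digest appended

# Constructed sample Hello body (mask, hello interval, options, priority, dead
# interval, DR, BDR). Its contents do not matter for authentication.
SAMPLE_HELLO = bytes.fromhex("ffffff00" "000a" "12" "01" "00000028" "00000000" "00000000")
ROUTER_ID = bytes([192, 168, 250, 6])   # router-id from Example 12-30 (mark)
AREA_ID = bytes([0, 0, 0, 10])          # Area 10


def _header(auth_type, auth_field, payload, router_id, area_id):
    """24-byte OSPFv2 header. Checksum is left 0 (it is 0 by definition for Type 2)."""
    assert len(auth_field) == 8
    length = 24 + len(payload)
    return struct.pack("!BBH4s4sHH8s", OSPF_VERSION, OSPF_TYPE_HELLO, length,
                       router_id, area_id, 0, auth_type, auth_field) + payload


def build_type1(password, payload, router_id=ROUTER_ID, area_id=AREA_ID):
    """Type 1: the password (zero-padded to 8 bytes) travels in the auth field."""
    pw = password.encode()
    if len(pw) > 8:
        raise ValueError("simple-password authentication carries at most 8 bytes")
    return _header(AUTH_SIMPLE, pw.ljust(8, b"\x00"), payload, router_id, area_id)


def _md5_digest(packet, key):
    """RFC 2328 D.4.3: MD5 over the packet with the key (zero-padded to 16 bytes) appended."""
    k = key.encode()
    if len(k) > 16:
        raise ValueError("MD5 key is at most 16 bytes")
    return hashlib.md5(packet + k.ljust(16, b"\x00")).digest()


def build_type2(key_id, key, seq, payload, router_id=ROUTER_ID, area_id=AREA_ID):
    """Type 2: auth field = 0, key ID, auth data length (16), crypto sequence number;
    the 16-byte digest follows the packet and is not counted in the length field."""
    auth_field = struct.pack("!HBBI", 0, key_id, 16, seq)
    packet = _header(AUTH_CRYPT, auth_field, payload, router_id, area_id)
    return packet + _md5_digest(packet, key)


def verify_type2(wire, keys_by_id, last_seq_from_neighbor=None):
    """Receiver-side check for a Type 2 packet. Returns (accepted, reason, seq).
    keys_by_id maps key_value -> password, so two keys can be valid during a change."""
    if len(wire) < 24:
        return False, "truncated header", None
    _version, _ptype, length = struct.unpack("!BBH", wire[:4])
    auth_type = struct.unpack("!H", wire[14:16])[0]
    if auth_type != AUTH_CRYPT:
        return False, "auth type mismatch", None
    _zero, key_id, auth_len, seq = struct.unpack("!HBBI", wire[16:24])
    if auth_len != 16 or len(wire) != length + 16:
        return False, "bad auth data length", seq
    key = keys_by_id.get(key_id)
    if key is None:
        return False, "unknown key id %d" % key_id, seq
    packet, digest = wire[:length], wire[length:]
    if not hmac.compare_digest(digest, _md5_digest(packet, key)):
        return False, "digest mismatch", seq
    # RFC 2328 D.4.3: the sequence number must not go backwards for this neighbor.
    if last_seq_from_neighbor is not None and seq < last_seq_from_neighbor:
        return False, "replayed (sequence number went backwards)", seq
    return True, "ok", seq


def password_on_wire(wire, password):
    """True when the password appears verbatim in the packet (Type 1 only)."""
    return password.encode() in wire


if __name__ == "__main__":
    t1 = build_type1("cisco", SAMPLE_HELLO)
    t2 = build_type2(1, "cisco", 1000, SAMPLE_HELLO)
    print("Type 1 leaks password:", password_on_wire(t1, "cisco"))
    print("Type 2 leaks password:", password_on_wire(t2, "cisco"))
    print("Type 2 verify:", verify_type2(t2, {1: "cisco"}))
    print("Type 2 with wrong key:", verify_type2(t2, {1: "wrong"}))
```

The `keys_by_id` parameter is the model of what the page calls using different key values for quick password changes: while key 1 and key 2 are both configured, a neighbor still sending key 1 is accepted, and key 1 can be removed once every router has moved to key 2.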