mystudyblog

OSPF: OSPF authentication

OSPF can authenticate every OSPF message. This is usually done to prevent a rogue router from injecting false routing information and therefore causing a Denial-of-Service attack.
 
Two types of authentication can be used:
1.    clear text authentication – clear text passwords are used
2.    MD5 authentication – MD5 authentication is used. This type of authentication is more secure.
 
NOTE – with OSPF authentication turned on, routers must pass the authentication process in order to become OSPF neighbors.
 
To configure clear text authentication, the following steps are required:
1.    configure the OSPF password on the interface by using the ip ospf authentication-key PASSWORD interface command
2.    configure the interface to use OSPF clear-text authentication by using the ip ospf authentication interface command
 
In the following example, we will configure OSPF clear-text authentication.
 
[Image: OSPF authentication topology]
 
Both routers are running OSPF. On R1, we need to enter the following commands:
 
[Image: OSPF authentication configuration 1]
 
The same commands have to be entered on R2:
[Image: OSPF authentication configuration 2]

To verify that clear-text authentication is indeed turned on, we can use the show ip ospf interface INTERFACE_NUMBER/INTERFACE_TYPE command on either router:
 
[Image: show ip ospf interface output, simple password]
 
Configuring OSPF MD5 authentication is very similar to configuring clear-text authentication. Two commands are also used:
1.    First you need to configure the MD5 value on an interface by using the ip ospf message-digest-key 1 md5 VALUE interface command
2.    Next, you need to configure the interface to use MD5 authentication by using the ip ospf authentication message-digest interface command
 
Here is an example configuration on R1:
 
[Image: OSPF authentication configuration, MD5]
 
You can verify that R1 is using OSPF MD5 authentication by typing the show ip ospf interface INTERFACE_NUMBER/INTERFACE_TYPE command:
 
[Image: show ip ospf interface output, MD5]
 
TIP – the OSPF authentication type can also be enabled per area, instead of being configured per interface. This is done by using the area AREA_ID authentication [message-digest] command under the OSPF configuration mode. If you omit the message-digest keyword, clear-text authentication will be used for that area. All interfaces inside the area will use OSPF authentication.
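
To show why MD5 authentication is the more secure of the two types, here is an added example (not part of the original post) that builds and inspects OSPF packets using the header layout from RFC 2328. With clear-text authentication the password travels inside every packet header, while with MD5 only a digest computed over the packet and the key is sent. The function names, router ID, password and key below are constructed for illustration.

```python
import hashlib
import hmac
import struct

# OSPFv2 common header (RFC 2328 A.3.1): version, type, length, router ID,
# area ID, checksum, AuType, 8-byte authentication field = 24 bytes.
HDR = struct.Struct("!BBH4s4sHH8s")

def build(au_type, key=b"", seq=1, key_id=1, body=b"\x00" * 20):
    """Build a constructed OSPF packet (header + dummy body) for the demo."""
    length = HDR.size + len(body)
    auth = bytes(8)                      # AuType 0: no authentication
    if au_type == 1:                     # clear text: password fills the field
        auth = key.ljust(8, b"\x00")[:8]
    elif au_type == 2:                   # MD5: zero, key ID, digest len, seq
        auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    # The checksum field is left at 0 to keep the demo short.
    pkt = HDR.pack(2, 1, length, bytes([1, 1, 1, 1]), bytes(4), 0, au_type, auth) + body
    if au_type == 2:                     # digest over packet + 16-byte key
        pkt += hashlib.md5(pkt + key.ljust(16, b"\x00")[:16]).digest()
    return pkt

def audit(pkt, md5_key=b""):
    """Report what one captured packet's authentication fields reveal."""
    _ver, _typ, length, _rid, _area, _ck, au_type, auth = HDR.unpack_from(pkt)
    if au_type == 0:
        return {"auth": "none"}
    if au_type == 1:
        return {"auth": "clear-text",
                "password_on_wire": auth.rstrip(b"\x00").decode("ascii", "replace")}
    if au_type != 2:
        raise ValueError(f"unknown AuType {au_type}")
    _zero, key_id, dlen, seq = struct.unpack("!HBBI", auth)
    digest = pkt[length:length + dlen]   # trailer is outside the length field
    expected = hashlib.md5(pkt[:length] + md5_key.ljust(16, b"\x00")[:16]).digest()
    return {"auth": "md5", "key_id": key_id, "seq": seq,
            "digest_ok": hmac.compare_digest(digest, expected)}

if __name__ == "__main__":
    print(audit(build(1, b"LabPass1")))            # constructed password
    md5_pkt = build(2, b"LabMd5Key", seq=7)        # constructed key
    print(audit(md5_pkt, b"LabMd5Key"))
    altered = bytearray(md5_pkt)
    altered[30] ^= 0xFF                            # body changed in transit
    print(audit(bytes(altered), b"LabMd5Key"))
```

The key ID of 1 corresponds to the 1 in ip ospf message-digest-key 1 md5 VALUE; a packet whose body was altered, or which was built with a different key, fails the digest check.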