Menu
Get a Quote
Let's Chat

An Engineer's Guide to Configuring OSPF Authentication

by Hunter Gorman, on Nov 12, 2020 1:45:00 PM

Decision making from the highest level executive suite down to the business-grade router in your further branch location is important. The ability to make strong decisions requires full understanding of what needs to be accomplished, analyze past reports and future opportunities, and overall effectiveness. Today, we won't be discussing what it takes to make strong decisions in business meetings, but a routing information protocol that exists on enterprise networks, builds routing tables, and makes routing decisions.

Protocol Basics

As a link state protocol, Open Shortest Path First (OSPF) was developed as an open standard for routing IP across large multi-vendor networks. When the OSPF-enabled router starts, it sends hello packets to all directly connected OSPF routers. These packets contain information, such as router timers, router ID, and subnet mask, and once agreed on they become neighbors. As neighbors, they establish adjacencies by exchanging link state databases.

It also sends link state advertisements to all connected neighbors of the same area to communicate route information. Routing information learned from peers is used to determine the next hop towards the destination. To route traffic correctly and most effective, prevention of malicious or incorrect routing information from getting introduced into the routing table is a vital. Achieving the correct and most effective traffic route is done by authenticating the routing updates exchanged between routers. OSPF supports Clear Text and Message Digest 5 (MD5) authentications. Two of the most common authentications when working with business-grade routers. 

Build Your Router Quote from PivIT Global

Today, we will dive into configuring these authentications as well as looking at verification commands. OSPF can be configured to authenticate every OSPF message. This is usually done to prevent a rogue router from injecting false routing information and therefore causing a "Denial-of-Service" attack. Three types of OSPF can be configured:

  • Null Authentication: No authentication. Default on all Cisco routers,
  • Clear Text Authentication: Passwords are exchanged in clear text on the network,
  • MD5 Authentication: A cryptographic method using the open stand Message Digest type 5 (MD5) encryption.

A Virtual Lab for You to Test

Before we get into the OSPF configurations, you may be wondering if OSPF is the best option for your network. If you have a small to medium sized network, a distance-vector protocol may be the right protocol. Other configurations we've set up for you are: EIGRP, On-Demand Routing and RIP

In virtual environment, we have built four labs targeted specifically to various tests, networks, and skills before you put anything in place in your network. You have the opportunity to dive into OSPF along with other protocols such as, EIGRP, BGP, RIP, etc. We have a CCNA Routing specific lab along with a CCNP DMVPN lab.

Learn more about each lab here: CCIE MPLS Lab, CCNA Routing Lab, CCNP DMVPN Lab,CCNP/CCIE Route and Switch Lab, and now an ACE-A Practice Lab for Arista.

Clear Text Authentication Configurations

Clear Text Authentication is utilized when devices within an area cannot support MD5 Authentication. When Clear Text is configured, it leaves the internetwork vulnerable to a "sniffer attack" — where packets are captured by a protocol analyzer and the passwords can be identified. When security is your highest priority, you guessed it, this is NOT your go-to configuration. However, it is useful when you perform OSPF reconfiguration. For example, separate passwords can be used on older and newer OSPF routers that share a common broadcast network to prevent them from talking to each other. 

clear text authentication configuration commands from pivit global

clear text 2 authentication configuration commands from pivit global

MD5 Authentication Configuration

MD5 authentication provides higher security than plain text authentication. This method uses the MD5 algorithm to compute a hash value from the contents of the OSPF packet and a password (or key). The hash value is transmitted in the packet, along with a key ID and a non-decreasing sequence number. The receiver, which knows the same password, calculates its own hash value. If nothing in the message changes, the hash value of the receiver should match the hash value of the sender which is transmitted with the message.

The key ID allows the routers to reference multiple passwords. This makes password migration easier and more secure. For example, to migrate from one password to another, configure a password under a different key ID and remove the first key. The sequence number prevents replay attacks where OSPF packets are captured, modified, and retransmitted to a router. As with plain text authentication, MD5 authentication passwords do not have to be the same throughout an area. However, they do need to be the same between neighbors.

md5 authentication configuration commands from pivit global

md5 authentication 2 configuration commands from pivit global

Verification Commands

To confirm your configurations work properly, certain show commands are supported by the Output Interpreter Tool allowing you to view an analysis of show command output.

Clear Text Verification

R1-2503# show ip ospf interface serial0
Serial0 is up, line protocol is up
Internet Address 192.16.64.1/24, Area 0
Process ID 10, Router ID 172.16.10.36, Network Type POINT_TO_POINT, Cost: 64
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:04
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 0, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
Simple password authentication enabled

 

MD5 Verification

R1-2503# show ip ospf interface serial0
Serial0 is up, line protocol is up
Internet Address 192.16.64.1/24, Area 0
Process ID 10, Router ID 172.16.10.36 , Network Type POINT_TO_POINT, Cost: 64
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:05
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 70.70.70.70
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1

Whether you are in the executive suite making decision for the company or purchasing the next router for your network, an understanding of what needs to be accomplished, analyze past reports and future opportunities, and overall strategy effectiveness is necessary. Let the OSPF Protocol go to work for you to make effective routing decisions.

Here at PivIT Global we want to help you find the right infrastructure and right information to best set your business up for success. We have a team ready to answer any questions or to chat more on configuring OSPF! Need to get in touch quicker than a phone call? No worries, leave a quick comment below.

Topics:Network ProtocolsRouting ProtocolsOSPF

Comments

Tech Corner

Thanks for checking out the Tech Corner! Here you'll find deep product knowledge, guides, comparisons and more. Search for something specific, take a look around & start a conversation with other readers by commenting on posts!

New Discussions Each Week!