OSPF MD5 Authentication: Securing OSPF

Tasks

● Configure OSPF on routers R1, R2, and R3.

● The link between R1 and R3 should be in OSPF area 0.

● The link between R2 and R3, and R3's link to the Test PC, should be in OSPF area 1.

● Advertise the routers' Loopback networks into OSPF.

● Authenticate the OSPF exchange between R1 and R3 using the clear-text string CLEARKEY.

● Authenticate the OSPF exchange between R2 and R3 using an MD5 hash of the string MD5HASH.

● R1 and R2 should enable authentication at the interface level, and R3 should enable authentication globally under the OSPF process.

● Ensure that R3 does not have authentication enabled on its VLAN11 interface.

Please note, you need to have a basic understanding of what is ospf and how does it work before begin to perform the configuration of various ospf authentication types. 

Initial Configurations

Configure the devices R1, R2, R3 and SW as per the logical topology. In case you like to perform the same practical in your own lab, you can download the initial configurations of these devices as follows. Note: Enable password is "cisco" in the initial configurations. 

R1

R2

R3

SW1

OSPF Diagram

Configurations and Verifications

Before moving to the OSPF configuration, first configure the Test PC IP address and hostname. TestPC IP address is being received by R3 as DHCP server is configured on R3 for this segment to TestPC. In this case 10.1.0.100/24 is the IP assigned by DHCP on TestPC.

Now check the IP connectivity (Layer 3) to R1, R2 and Test PC from R3.

R1:

R2:

R3:

At packet level, the following are the OSPF authentication types

1# OSPF Type 0 or NULL or no Authentication

2# OSPF Type 1 Clear text Authentication

3# OSPF Type 3 MD5 Authentication

Similar to OSPF, BGP also supports MD5 authentication between its peers. 

OSPF authentication is configured in two distinct steps:

1. Enable authentication (clear-text or MD5) at the interface level or global level.

2. Configure the string used for authentication, as well as the key number only for MD5 authentication.

The common confusion with OSPF authentication comes from the fact that the first of these steps, enabling the authentication, can be done in two ways: at the interface level and under the global OSPF process. When OSPF authentication is enabled under the global process, it applies to all interfaces in that area. In this particular example, R3 has the commands area 0 authentication and area 1 authentication message-digest configured under the OSPF process. This means that all interfaces in area 0 run clear-text authentication, and all interfaces in area 1 run MD5 authentication. 

When you enable OSPF authentication at the interface level, it tends to override the configuration of the global process, but only for that particular interface. For example, while R3 has the command area 0 authentication configured under the global process, the command ip ospf authentication message-digest or ip ospf authentication null configured on an interface in area 0 would override the global clear-text authentication configuration.

Regardless how OSPF authentication is enabled, either under the global process or at the interface level, the packet format for the authentication remains the same. This means that the difference in configuration is only cosmetic, because both configurations have the same result.

The authentication key, however, is always configured at the interface level. For clear text authentication, this is the ip ospf authentication-key command, whereas for MD5 authentication, this is the ip ospf message-digest-key command. Note that just like RIP and EIGRP, the MD5 key number must match between the neighbors, because it is a salt for the MD5 hash.

OSPF authentication, like EIGRP authentication, can be verified simply based on the fact that an adjacency has formed, as seen below:

The specific authentication configuration can be verified as seen below.

If authentication has been enabled at the global level, it can be determined by using the command show ip ospf :

Failures in OSPF authentication can be verified as a failure to establish adjacency. The below process-level debug (its a troubleshooting step) shows a mismatch in authentication type, where R3 has MD5 authentication configured to R1, and R1 has clear-text authentication configured to R3. 

Please note while OSPF supports different authentication type, in BGP authentication methods it supports only MD5 type. It is the safest methods among all.  

Note: Apply on R3 configure the simple ospf authentication to restore the neibhorship between R1 and R3. Otherwise, you can just reload R3 because you have not yet saved this configuration. 

A mismatch in the password between two neighbors (or hash in the case of MD5) will result in a different output in this debug, as seen below on R2:

Note: Reload R2 to restore the ospf adjutancy because you have not yet saved the above configuration.