
OSPF Authentication

5.7K views
Feb 21, 2019
9:15

Hello everyone and welcome to Network Playroom! In this video, we're going to talk about OSPF authentication. OSPF authentication is used to protect the exchange of routing information: a router only accepts OSPF packets from neighbors that can prove they hold the shared key, which prevents unauthorized or invalid routing updates from entering your network. Keep in mind what it does and does not do: it gives you integrity and source authentication of OSPF packets, but no confidentiality, so the LSAs themselves still cross the wire in clear text.

OSPF supports three types of authentication, signalled by the AuType field of the 24-byte OSPFv2 packet header: null (Type 0), clear-text authentication (Type 1), and cryptographic authentication (Type 2). There are essentially two ways to configure authentication, at the area level or at the interface level, but in both cases the key itself is still configured on each interface and must match between the neighbors on that link. If the authentication type is configured at both the area and the interface level, the interface-level configuration overrides the area-level configuration.

The authentication type "null" means that no authentication is used for OSPF, and it is the default. This is OSPF authentication Type 0.

OSPF authentication Type 1 is clear-text authentication, also referred to as simple authentication. With simple authentication, the password (at most 8 characters, the size of the Authentication field in the OSPF header) goes in clear text over the network. This is not secure! Anyone who can capture the packet exchange with a packet analyzer can read the password straight out of the header, so Type 1 only stops accidental adjacencies, not an attacker on the segment. See: https://www.cloudshark.org/captures/000cc3765a2a

Configuration Example: Clear Text Authentication

    router ospf 1
     area 0 authentication
    !
    interface GigabitEthernet0/1
     ip ospf authentication
     ip ospf authentication-key SIMPLE

OSPF authentication Type 2 is MD5 authentication. With MD5 authentication, the password does not actually pass over the network. What is sent is a hash, which is checked by the receiver. In short, for each OSPF protocol packet, the key is used to generate or verify a "message digest" that is appended to the end of the OSPF packet (it is not counted in the packet length field). The message digest is a one-way function of the OSPF protocol packet and the secret key: per RFC 2328 Appendix D, the sender runs MD5 over the packet with the key appended, and the Authentication field in the header carries a key ID, the digest length (16) and a cryptographic sequence number instead of a password. So basically, if both routers have the same key, they produce the same digest, which guarantees the integrity and origin of the message content, and the sequence number, which must never go backwards for a given neighbor, is what protects against replay of captured packets. For successful MD5 authentication, the authentication type, the password, and the key ID must all match.

MD5 is not a very secure hash by modern standards. The security of the MD5 hash function is severely compromised and various attacks against the algorithm exist. The practical risk for OSPF is a little different from the well-known collision attacks: a captured packet and its digest let an attacker run an offline dictionary or brute-force search for a short or guessable key, so use long random keys whichever algorithm you pick. SHA provides better security and is what you should deploy today.

Configuration Example: MD5 Authentication

    router ospf 1
     area 0 authentication message-digest
    !
    interface GigabitEthernet0/1
     ip ospf authentication message-digest
     ip ospf message-digest-key 1 md5 MD5KEY

The final authentication type is SHA authentication, which is also Type 2. Originally, OSPF only supported MD5 authentication, but RFC 5709 allows OSPFv2 to use the SHA family (as HMAC-SHA) for cryptographic authentication. With the addition of SHA to Type 2 authentication, Type 2 is now called "cryptographic authentication" and covers both MD5 and SHA. One important thing to note is that, at the time of this video, IOS does not allow you to enable SHA authentication at the area level, only at the interface level. To configure SHA authentication, you first define the key ID and key string in a key chain and then apply the key chain to the interface. Both neighbors need the same key ID, key string and algorithm; a key chain also lets you stage a new key with accept-lifetime and send-lifetime so you can roll keys without dropping the adjacency. To check what is actually in effect, "show ip ospf interface" reports the authentication type and key ID on the interface, and "debug ip ospf adj" shows the mismatch when an adjacency refuses to come up.

Configuration Example: SHA Authentication

    key chain OSPF
     key 1
      key-string SHAKEY
      cryptographic-algorithm hmac-sha-256
    !
    interface GigabitEthernet0/1
     ip ospf authentication key-chain OSPF

Thank you for watching!
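A wire-level walk-through of the three AuType values discussed above, as an added Python example that is not part of the original video and not any router vendor's code. It builds a minimal OSPFv2 Hello, shows that a Type 1 password can be read straight out of header bytes 16..23, computes and verifies the Type 2 digest per RFC 2328 Appendix D (MD5 over the packet with the key appended; zero-padding short key strings to 16 octets is an assumption about vendor behaviour), and does the same with HMAC-SHA-256 and the Apad trailer from RFC 5709. The packet contents, key strings (SIMPLE, MD5KEY, SHAKEY), key IDs and sequence numbers are constructed for the example, not captured from a network.

```python
"""OSPFv2 authentication on the wire: AuType 0/1/2 (RFC 2328 A.3.1 and App. D; RFC 5709).
Added example; packets, keys, key IDs and sequence numbers below are constructed."""
import hashlib
import hmac
import struct

AU_NULL, AU_SIMPLE, AU_CRYPTO = 0, 1, 2
HELLO = 1
DIGEST_LEN = {"md5": 16, "hmac-sha-256": 32}  # Auth Data Length carried in the header


def ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ip_checksum(data: bytes) -> int:
    """Standard IP one's-complement checksum; the 8-octet auth field is excluded."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ospf_header(au_type: int, auth_field: bytes, body: bytes, ptype: int = HELLO,
                router_id: str = "1.1.1.1", area_id: str = "0.0.0.0") -> bytes:
    """24-byte OSPFv2 header + body. Packet Length never counts an appended digest."""
    head = struct.pack("!BBH4s4sHH", 2, ptype, 24 + len(body),
                       ip(router_id), ip(area_id), 0, au_type)
    if au_type != AU_CRYPTO:  # with cryptographic auth the checksum stays zero
        head = head[:12] + struct.pack("!H", ip_checksum(head + body)) + head[14:]
    return head + auth_field + body


def hello_body() -> bytes:
    """Minimal Hello body: /24 mask, hello 10 s, options E, priority 1, dead 40 s, no DR/BDR."""
    return struct.pack("!4sHBBI4s4s", ip("255.255.255.0"), 10, 0x02, 1, 40,
                       ip("0.0.0.0"), ip("0.0.0.0"))


def build_simple(body: bytes, password: bytes) -> bytes:
    """Type 1: the password itself is the 8-octet Authentication field, zero padded."""
    return ospf_header(AU_SIMPLE, password.ljust(8, b"\0")[:8], body)


def sniff_simple_password(pkt: bytes) -> bytes:
    """What a packet analyzer shows for Type 1: header bytes 16..23, in the clear."""
    return pkt[16:24].rstrip(b"\0")


def _keyed_digest(algo: str, key: bytes, packet: bytes) -> bytes:
    """Digest appended after the OSPF packet for AuType 2."""
    if algo == "md5":
        # RFC 2328 D.4.3: MD5(packet || key), key zero padded to 16 octets (the
        # padding of short key strings is assumed to match vendor behaviour).
        return hashlib.md5(packet + key.ljust(16, b"\0")).digest()
    # RFC 5709 3.3: Ko = key zero padded to L=32 (hashed first if longer); Apad =
    # 0x878FE1F3 repeated to L octets stands in for the trailer; then HMAC over Ko.
    ko = key.ljust(32, b"\0") if len(key) <= 32 else hashlib.sha256(key).digest()
    apad = b"\x87\x8f\xe1\xf3" * 8
    return hmac.new(ko, packet + apad, hashlib.sha256).digest()


def sign_cryptographic(body: bytes, key_id: int, algo: str, key: bytes, seq: int) -> bytes:
    """Type 2 sender: header carries Key ID, digest length and a sequence number
    instead of the key; the digest trails the packet."""
    auth_field = struct.pack("!HBBI", 0, key_id, DIGEST_LEN[algo], seq)
    packet = ospf_header(AU_CRYPTO, auth_field, body)
    return packet + _keyed_digest(algo, key, packet)


def verify_cryptographic(pkt: bytes, keys: dict, neighbor: dict) -> tuple:
    """Type 2 receiver (RFC 2328 D.4.2). keys maps key ID -> (algo, key);
    neighbor["seq"] remembers the last accepted sequence number from this neighbor."""
    (au_type,) = struct.unpack_from("!H", pkt, 14)
    if au_type != AU_CRYPTO:
        return False, "AuType mismatch"
    _, key_id, auth_len, seq = struct.unpack_from("!HBBI", pkt, 16)
    if key_id not in keys:
        return False, "unknown key ID"
    algo, key = keys[key_id]
    if auth_len != DIGEST_LEN[algo]:
        return False, "auth data length mismatch"
    if seq < neighbor.get("seq", 0):  # replayed or reordered packet
        return False, "replayed sequence number"
    packet, received = pkt[:-auth_len], pkt[-auth_len:]
    if not hmac.compare_digest(received, _keyed_digest(algo, key, packet)):
        return False, "bad digest"
    neighbor["seq"] = seq
    return True, "ok"


if __name__ == "__main__":
    body, keys, state = hello_body(), {1: ("md5", b"MD5KEY")}, {}
    print("Type 1 on the wire:", sniff_simple_password(build_simple(body, b"SIMPLE")))
    pkt = sign_cryptographic(body, 1, "md5", b"MD5KEY", seq=1550000000)
    print("MD5 right key:", verify_cryptographic(pkt, keys, state))
    print("MD5 wrong key:", verify_cryptographic(pkt, {1: ("md5", b"WRONG")}, {}))
    replay = sign_cryptographic(body, 1, "md5", b"MD5KEY", seq=1549999999)
    print("MD5 older seq:", verify_cryptographic(replay, keys, state))
```

The verify function checks in the order the RFC gives: key ID lookup first, then the sequence number, then the digest, which is why a wrong key ID reports "unknown key ID" rather than a digest failure. That ordering matters when you read "debug ip ospf adj" output on a real router: a key ID mismatch and a key string mismatch look different.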

