Open Shortest Path First (OSPF) authentication secures neighbor relationships by ensuring that only trusted routers exchange routing information. Authentication is configured in two steps: specifying the authentication type and defining the authentication key. This post covers OSPF authentication types, configuration methods for Cisco IOS/IOS XE and IOS XR, key chain usage, virtual link authentication, and verification commands.

Authentication Types

OSPF supports the following authentication types, identified in the OSPF common header:

1. Null (Type 0):

   • No authentication (default).

   • Packets are sent without authentication checks.

2. Simple Password (Type 1):

   • Uses a clear-text password included in OSPF packets.

   • Less secure due to unencrypted transmission.

3. Message Digest (MD5, Type 2):

   • Uses MD5 cryptographic hashing with a key ID and password.

   • Provides stronger security through encrypted authentication.

Note: The authentication type is specified in the OSPF common header, which is always present, defaulting to Null (Type 0) unless configured otherwise.

Configuration Steps

OSPF authentication is configured in two steps:

1. Specify Authentication Type:

   • Configured at the area level (applies to all interfaces in the area) or interface level (overrides area configuration).

2. Define Authentication Key:

   • Configured per interface or via a key chains

Authentication Type Configuration

IOS/IOS XE

• Area-Level Configuration:

R1(config)# router ospf 1
R1(config-router)# area 0 authentication null
R1(config-router)# area 0 authentication
R1(config-router)# area 0 authentication message-digest

• • null: Disables authentication (Type 0).

  • authentication: Enables clear-text authentication (Type 1).

  • authentication message-digest: Enables MD5 authentication (Type 2).
    

• Interface-Level Configuration (overrides area configuration):

R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip ospf authentication null
R1(config-if)# ip ospf authentication
R1(config-if)# ip ospf authentication message-digest

Priority: Interface-level authentication settings take precedence over area-level settings. For example, if Area 0 is configured for clear-text authentication but an interface in Area 0 is set to MD5, the interface uses MD5, while other interfaces in the area use clear-text.

IOS XR

• Process-Level Configuration (applies to all areas):

XR(config)# router ospf 1
XR(config-ospf)# authentication null
XR(config-ospf)# authentication
XR(config-ospf)# authentication message-digest
XR(config-ospf)# commit

• Area-Level Configuration:

XR(config)# router ospf 1
XR(config-ospf)# area 0
XR(config-ospf-ar)# authentication null
XR(config-ospf-ar)# authentication
XR(config-ospf-ar)# authentication message-digest
XR(config-ospf-ar)# commit

• Interface-Level Configuration (overrides process or area):

XR(config)# router ospf 1
XR(config-ospf)# area 0
XR(config-ospf-ar)# interface GigabitEthernet0/0/0/0
XR(config-ospf-ar-if)# authentication null
XR(config-ospf-ar-if)# authentication
XR(config-ospf-ar-if)# authentication message-digest
XR(config-ospf-ar-if)# commit

Priority: Interface-level settings override area-level settings, which override process-level settings.

Authentication Key Configuration

IOS/IOS XE

• Clear-Text Key (Type 1):

R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip ospf authentication-key 0 TestPass

• • The 0 specifies the password is entered in clear text.

  • Omitting 0 may cause compatibility issues (e.g., Cisco IOS may interpret the password as encrypted, leading to mismatches).
    

• MD5 Key (Type 2):

R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip ospf message-digest-key 1 md5 0 TestPass

• • 1 is the key ID, which must match between neighbors.

  • 0 indicates clear-text password input; 7 indicates encrypted input (Type 7 encryption).

  • Example with encrypted password:

R1(config-if)# ip ospf message-digest-key 1 md5 7 <encrypted-password>

IOS XR

• Clear-Text Key (Type 1):

XR(config)# router ospf 1
XR(config-ospf)# area 0
XR(config-ospf-ar)# interface GigabitEthernet0/0/0/0
XR(config-ospf-ar-if)# authentication-key TestPass
XR(config-ospf-ar-if)# commit

• MD5 Key:

XR(config)# router ospf 1
XR(config-ospf)# area 0
XR(config-ospf-ar)# interface GigabitEthernet0/0/0/0
XR(config-ospf-ar-if)# message-digest-key 1 md5 TestPass
XR(config-ospf-ar-if)# commit

Key Chain Configuration

Newer IOS versions (15.x and later) support key chains for OSPF authentication.

IOS/IOS XE

R1(config)# key chain OSPF_AUTH
R1(config-keychain)# key 1
R1(config-keychain-key)# key-string TestPass
R1(config-keychain-key)# cryptographic-algorithm hmac-sha-256
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip ospf authentication key-chain OSPF_AUTH

• Key ID: Must match between neighbors.

• Algorithm: Options include MD5, HMAC-SHA-1, HMAC-SHA-256, etc., depending on IOS version.

• Advantages: Key chains support key rotation and stronger cryptographic algorithms compared to traditional MD5.

IOS XR

XR(config)# key chain OSPF_AUTH
XR(config-keychain)# key 1
XR(config-keychain-key)# key-string TestPass
XR(config-keychain-key)# cryptographic-algorithm hmac-sha-256
XR(config)# router ospf 1
XR(config-ospf)# area 0
XR(config-ospf-ar)# interface GigabitEthernet0/0/0/0
XR(config-ospf-ar-if)# authentication key-chain OSPF_AUTH
XR(config-ospf-ar-if)# commit

Virtual Link Authentication

Virtual links are virtual interfaces in Area 0, used to connect discontiguous areas to the backbone or extend Area 0 across a transit area (more about virtual links in separate note). By default, virtual links inherit the authentication settings of Area 0.

Configuration

Virtual link authentication configuration overrides Area 0 settings and is configured with the transit area ID and the remote router’s Router ID.

IOS/IOS XE

• Authentication Type:

R1(config)# router ospf 1
R1(config-router)# area 1 virtual-link 2.2.2.2 authentication null
R1(config-router)# area 1 virtual-link 2.2.2.2 authentication
R1(config-router)# area 1 virtual-link 2.2.2.2 authentication message-digest

• Authentication Key:

R1(config-router)# area 1 virtual-link 2.2.2.2 authentication-key TestPass
R1(config-router)# area 1 virtual-link 2.2.2.2 message-digest-key 1 md5 TestPass

• Combined Command:

R1(config-router)# area 1 virtual-link 2.2.2.2 authentication authentication-key TestPass
R1(config-router)# area 1 virtual-link 2.2.2.2 authentication message-digest message-digest-key 1 md5 TestPass

IOS XR

• Authentication Type and Key:

XR(config)# router ospf 1
XR(config-ospf)# area 1
XR(config-ospf-ar)# virtual-link 2.2.2.2
XR(config-ospf-ar-vl)# authentication null
XR(config-ospf-ar-vl)# authentication
XR(config-ospf-ar-vl)# authentication message-digest
XR(config-ospf-ar-vl)# authentication-key INE
XR(config-ospf-ar-vl)# message-digest-key 1 md5 INE
XR(config-ospf-ar-vl)# commit

Note: Virtual link authentication settings take precedence over Area 0 settings, allowing customized authentication for specific virtual links.

Verification Commands

To confirm OSPF authentication configuration and troubleshoot issues, use the following commands:

IOS/IOS XE

• Interface Details:

R1# show ip ospf interface [type number]

• • Displays authentication type and key settings for the interface.
    

• OSPF Process Details:

R1# show ip ospf

• • Shows area-level authentication settings and summary information.
    

• Running Configuration:

R1# show running-config | section ospf

• • Displays OSPF and interface authentication configurations.
    

• Debug Authentication Issues (use with caution in production):

R1# debug ip ospf packet
R1# debug ip ospf adj

• • debug ip ospf packet: Shows packet-level details, including authentication mismatches.

  • debug ip ospf adj: Displays adjacency formation issues, such as key or type mismatches.

IOS XR

• Equivalent commands:

XR# show ospf interface [type number]
XR# show ospf
XR# show running-config router ospf
XR# debug ospf packet
XR# debug ospf adj

Key Considerations

1. Interface Priority: Interface-level authentication settings override area-level settings, which override process-level settings (IOS XR only).

2. Password Format: For clear-text authentication in IOS/IOS XE, always use 0 to specify clear-text input to avoid mismatches (e.g., ip ospf authentication-key 0 TestPass).

3. MD5 Key ID: The key ID must match between neighbors for MD5 authentication to succeed.

4. Type Mismatch: If authentication types mismatch between neighbors (e.g., clear-text vs. MD5), the adjacency will fail, even if keys are not yet configured.

5. Virtual Links: Virtual links inherit Area 0 authentication unless explicitly overridden.

6. Troubleshooting: Authentication mismatches are a common cause of adjacency failures. Use debug ip ospf adj to identify issues like key ID or password mismatches.

Leave a comment