OSPF Authentication Password and MD5 Explained

OSPF supports authentication. If enabled, OSPF exchanges routing information only after successful authentication has occurred. There are three types of OSPF authentication: none, simple, and MD5. The none method uses no authentication. It is the default method. It is also called Type 0 authentication.

The simple authentication method uses a password for authentication. Routers send the password in clear text over the network. It is also known as Type 1 authentication. The MD5 method uses an algorithm to authenticate routers. It does not exchange passwords over the network. It is known as Type 2 authentication. Among these types, it is the most secure authentication method.

OSPF Authentication (Packet Tracer Example)

Create a practice lab and assign an IP configuration as shown in the following image.

Packet Tracer LAB for OSPF Authentication

Download the Packet Tracer lab with IP configuration.

Enabling Type 0 OSPF authentication

Type 0 OSPF authentication uses a null (none) value for authentication. It is the default authentication method. It does not need any configuration. OSPF automatically enables it when you configure OSPF and uses it for authentication. The following commands configure OSPF on R1.

Router>enable
Router#configure terminal
Router(config)#router ospf 1
Router(config-router)#network 192.168.1.0 0.0.0.255 area 0
Router(config-router)#network 192.168.3.0 0.0.0.255 area 0
Router(config-router)#exit
Router(config)#exit
Router#

Configuring OSPF authentication type 0 on R1

The following commands configure OSPF on R2.

Router>enable
Router#configure terminal
Router(config)#router ospf 1
Router(config-router)#network 192.168.1.0 0.0.0.255 area 0
Router(config-router)#network 192.168.2.0 0.0.0.255 area 0
Router(config-router)#exit
Router(config)#exit
Router#

Configuring OSPF authentication type 0 on R2

The following commands configure OSPF on R3.

Router>enable
Router#configure terminal
Router(config)#router ospf 1
Router(config-router)#network 192.168.2.0 0.0.0.255 area 0
Router(config-router)#network 192.168.3.0 0.0.0.255 area 0
Router(config-router)#exit
Router(config)#exit
Router#

Configuring OSPF authentication type 0 on R1

Download Packet Tracer LAB with Type 0 OSPF authentication.

Verifying Type 0 OSPF authentication

You can verify Type 0 OSPF authentication by viewing the configuration on OSPF running interfaces. The 'show ip ospf interface' command shows the OSPF configuration on all interfaces running an OSPF process. The following image shows the output of this command on R1.

Verifying OSPF authentication type 0 on R1

As the above output shows, OSPF interfaces are running without authentication. They will build neighborship and exchange routing information. You can use the 'show ip route ospf' and 'show ip ospf neighbor' commands to verify OSPF neighborship and exchange of routing information. The following image shows the output of these commands on R1.

Verifying OSPF authentication type 0 on R1

Enabling Type 1 OSPF authentication

Type 1 uses passwords for authentication. To enable it, use the following two commands:

  • area area-id authentication (Run this command under router ospf [process-id])
  • ip ospf authentication-key key (Run this command under the specific interface)

The first command enables Type 1 authentication. The second command configures a password. Interfaces having direct connectivity must use the same password.

Configuring OSPF type 1 authentication

The following command enables Type 1 OSPF authentication and configures passwords on R1.

Router(config)#router ospf 1
Router(config-router)#area 0 authentication
Router(config-router)#exit
Router(config)#interface fastethernet 0/0
Router(config-if)#ip ospf authentication-key cisco
Router(config-if)#exit
Router(config)#interface fastethernet 0/1
Router(config-if)#ip ospf authentication-key ccna
Router(config-if)#exit
Router(config)#

Configuring OSPF type 1 authentication on R1

The following command enables Type 1 OSPF authentication and configures passwords on R2.

Router(config)#router ospf 1
Router(config-router)#area 0 authentication
Router(config-router)#exit
Router(config)#interface fastethernet 0/0
Router(config-if)#ip ospf authentication-key cisco
Router(config-if)#exit
Router(config)#interface fastethernet 0/1
Router(config-if)#ip ospf authentication-key ccnp
Router(config-if)#exit
Router(config)#

Configuring OSPF type 1 authentication on R2

The following command enables Type 1 OSPF authentication and configures passwords on R3.

Router(config)#router ospf 1
Router(config-router)#area 0 authentication
Router(config-router)#exit
Router(config)#interface fastethernet 0/0
Router(config-if)#ip ospf authentication-key ccnp
Router(config-if)#exit
Router(config)#interface fastethernet 0/1
Router(config-if)#ip ospf authentication-key ccna
Router(config-if)#exit
Router(config)#

Configuring OSPF type 1 authentication on R3

Download Packet Tracer LAB with 1 OSPF authentication.

Verifying Type 1 OSPF authentication

The 'show ip ospf interface' command displays the OSPF configuration on all interfaces running an OSPF process. The output of this command includes the type of authentication configured on the interfaces. The following image shows the output of this command on R1.

Verifying OSPF authentication type 1

You can also view the OSPF configuration to confirm the authentication.

Verifying OSPF authentication type 1

Use the same commands on R2 and R3 to verify OSPF authentication and configuration.

Enabling Type 2 OSPF authentication

Type 1 authentication sends passwords in clear text over the network. An adversary can use a wire sniffer to capture packets from the network and then a protocol analyzer to read the passwords from the captured packets. OSPF supports Type 2 authentication to overcome this security issue.

Type 2 authentication uses the MD5 algorithm to compute a hash value from the outgoing OSPF packet's contents and the password configured on the interface. It transmits the hash value in the packet with a key ID and a non-decreasing sequence number. The receiver, which knows the same password, calculates its hash value and compares it with the hash value stored inside the packet. If the packet is intact, both hash values match. If both hash values do not match, it indicates the packet has been tampered with in the middle. The receiver does not process the tempered packet. The following commands enable Type 2 OSPF authentication.

  • area area-id authentication message-digest (Run this command under router ospf [process-id])
  • ip ospf message-digest-key key-id md5 password (Run this command under the interface)

The key ID allows the routers to use multiple passwords. It makes changing passwords easy and secure. For example, you can configure the new password under a different key ID and remove the first key ID.

Same as Type 1, you can use different passwords on interfaces. However, the directly connected interfaces need the same password. The following commands enable Type 2 OSPF authentication on R1.

Router(config)#router ospf 1
Router(config-router)#area 0 authentication message-digest
Router(config-router)#exit
Router(config)#interface fastethernet 0/0
Router(config-if)#ip ospf message-digest-key 1 md5 cisco
Router(config-if)#exit
Router(config)#interface fastethernet 0/1
Router(config-if)#ip ospf message-digest-key 3 md5 ccna
Router(config-if)#exit
Router(config)#

Configuring Type 2 authentication on R1

The following commands enable Type 2 OSPF authentication on R2.

Router(config)#router ospf 1
Router(config-router)#area 0 authentication message-digest
Router(config-router)#exit
Router(config)#interface fastethernet 0/0
Router(config-if)#ip ospf message-digest-key 1 md5 cisco
Router(config-if)#exit
Router(config)#interface fastethernet 0/1
Router(config-if)#ip ospf message-digest-key 2 md5 ccnp
Router(config-if)#exit
Router(config)#

Configuring Type 2 authentication on R2

The following commands enable Type 2 OSPF authentication on R3.

Router(config)#router ospf 1
Router(config-router)#area 0 authentication message-digest
Router(config-router)#exit
Router(config)#interface fastethernet 0/0
Router(config-if)#ip ospf message-digest-key 2 md5 ccnp
Router(config-if)#exit
Router(config)#interface fastethernet 0/1
Router(config-if)#ip ospf message-digest-key 3 md5 ccna
Router(config-if)#exit
Router(config)#

Configuring Type 2 authentication on R2

Download Packet Tracer LAB with Type 2 OSPF authentication.

Verifying Type 2 OSPF authentication

You can use the same commands to verify Type 2 authentication that you used to verify Type 1 authentication. The following image shows the output of the 'show ip ospf interface' command on R2.

Verifying Type 2 authentication on R2

The following image shows the output of the 'show ip route ospf' and 'show ip ospf neighbor' commands on R2.

Verifying Type 2 authentication on R2

Use the same commands on R1 and R3 to verify OSPF authentication.

Key points:-

  • OSPF supports three types of authentication: null, password, and MD5.
  • The null method is the default. It uses no password.
  • The password method exchanges passwords in clear text over the network.
  • The MD5 method exchanges a hash value generated by the MD5 algorithm over the network.
  • You must configure the same type of authentication under the same OSPF area.
  • You can use different passwords on different interfaces.
  • You must use the same password on the directly connected interfaces.

Conclusion

OSPF authentication is a critical component for ensuring secure communication between routers in a network. There are three types of OSPF authentications: none (Type 0), simple (Type 1), and MD5 (Type 2). Type 0 requires no authentication and is the default method. It poses security risks in environments where data integrity is crucial. Type 1 employs clear-text passwords. It provides basic authentication. It is vulnerable to interception. Type 2 (MD5) is the most secure option. It uses a cryptographic algorithm and avoids transmitting passwords over the network.

ComputerNetworkingNotes CCNA Study Guide OSPF Authentication Password and MD5 Explained

We do not accept any kind of Guest Post. Except Guest post submission, for any other query (such as adverting opportunity, product advertisement, feedback, suggestion, error reporting and technical issue) or simply just say to hello mail us ComputerNetworkingNotes@gmail.com