OSPF Authentication Password and MD5 Explained

OSPF supports authentication. When authentication is enabled, routers exchange routing information only with neighbors that pass the authentication check. There are three types of OSPF authentication: none, simple, and MD5. The none method uses no authentication. It is the default method. It is also called Type 0 authentication.

The simple authentication method uses a password. Routers send the password in clear text over the network. It is also known as Type 1 authentication. The MD5 method uses the MD5 hash algorithm to authenticate routers. It sends a hash computed from the packet and the password instead of the password itself, so the password never crosses the network. It is known as Type 2 authentication. Among these three types, it is the most secure.

OSPF authentication example

Create a practice lab and assign IP configuration, as shown in the following image.

[Image: packet tracer lab for ospf authentication]

Download Packet Tracer LAB with IP configuration

Enabling/Configuring Type 0 OSPF authentication

Type 0 OSPF authentication uses the null (none) value for authentication. It is the default authentication method. It does not need any additional configuration. When we configure OSPF, OSPF automatically enables and uses it for authentication.

The following commands configure OSPF on R1.

Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#router ospf 1
Router(config-router)#network 192.168.1.0 0.0.0.255 area 0
Router(config-router)#network 192.168.3.0 0.0.0.255 area 0
Router(config-router)#exit
Router(config)#exit
Router#

[Image: configure ospf auth type 0 on r1]

The following commands configure OSPF on R2.

Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#router ospf 1
Router(config-router)#network 192.168.1.0 0.0.0.255 area 0
Router(config-router)#network 192.168.2.0 0.0.0.255 area 0
Router(config-router)#exit
Router(config)#exit
Router#

[Image: configure ospf auth type 0 on r2]

The following commands configure OSPF on R3.

Router>enable
Router#configure terminal
Router(config)#router ospf 1
Router(config-router)#network 192.168.2.0 0.0.0.255 area 0
Router(config-router)#network 192.168.3.0 0.0.0.255 area 0
Router(config-router)#exit
Router(config)#exit
Router#

[Image: configure ospf auth type 0 on r3]

Download Packet Tracer LAB with Type 0 OSPF authentication

Verifying Type 0 OSPF authentication

We can verify Type 0 OSPF authentication by viewing the configuration on OSPF running interfaces. The 'show ip ospf interface' command shows the OSPF configuration on all interfaces running an OSPF process.

The following image shows the output of this command on R1.

[Image: verify ospf auth type 0 on r1]

As the above output shows, OSPF interfaces are running without authentication. They will build neighborship and exchange routing information. We can use the 'show ip route ospf' and 'show ip ospf neighbor' commands to verify OSPF neighborship and routing information exchange.

The following image shows the output of these commands on R1.

[Image: verify ospf auth type 0 on r1]

Enabling/Configuring Type 1 OSPF authentication

Type 1 OSPF authentication uses passwords to authenticate routers. To enable Type 1 password authentication, we use the following two commands:

  • area area-id authentication (Run this command under router ospf [process-id])
  • ip ospf authentication-key key (Run this command under the specific interface)

The first command enables Type 1 authentication. The second command configures a password. An entire area must use the same type of authentication. Passwords, however, are configured per interface, so each link can have its own password, as long as the two directly connected interfaces on that link use the same one.

[Image: ospf password auth]

The following commands enable Type 1 OSPF authentication and configure passwords on R1.

Router(config)#router ospf 1
Router(config-router)#area 0 authentication
Router(config-router)#exit
Router(config)#interface fastethernet 0/0
Router(config-if)#ip ospf authentication-key cisco
Router(config-if)#exit
Router(config)#interface fastethernet 0/1
Router(config-if)#ip ospf authentication-key ccna
Router(config-if)#exit
Router(config)#

[Image: configure type 1 auth on r1]

The following commands enable Type 1 OSPF authentication and configure passwords on R2.

Router(config)#router ospf 1
Router(config-router)#area 0 authentication
Router(config-router)#exit
Router(config)#interface fastethernet 0/0
Router(config-if)#ip ospf authentication-key cisco
Router(config-if)#exit
Router(config)#interface fastethernet 0/1
Router(config-if)#ip ospf authentication-key ccnp
Router(config-if)#exit
Router(config)#

[Image: configure type 1 auth on r2]

The following commands enable Type 1 OSPF authentication and configure passwords on R3.

Router(config)#router ospf 1
Router(config-router)#area 0 authentication
Router(config-router)#exit
Router(config)#interface fastethernet 0/0
Router(config-if)#ip ospf authentication-key ccnp
Router(config-if)#exit
Router(config)#interface fastethernet 0/1
Router(config-if)#ip ospf authentication-key ccna
Router(config-if)#exit
Router(config)#

[Image: configure type 1 auth on r3]

Download Packet Tracer LAB with Type 1 OSPF authentication

Verifying Type 1 OSPF authentication

We use the 'show ip ospf interface' command to view the OSPF configuration on all interfaces running an OSPF process. The output of this command includes the type of authentication configured on the interface.

The following image shows the output of this command on R1.

[Image: verify auth type 1]

We can also view the OSPF routes and neighbors to confirm the OSPF configuration.

[Image: verify auth type 1]

You can use the same commands on R2 and R3 to verify OSPF authentication and configuration.

Enabling/Configuring Type 2 OSPF authentication

Type 1 authentication sends passwords in clear text over the network. An adversary can use a packet sniffer to capture packets from the network and then a protocol analyzer to read the passwords from the captured packets. OSPF supports Type 2 authentication to overcome this security issue.

Type 2 authentication uses the MD5 algorithm to compute a hash value from the outgoing OSPF packet's contents and the password configured on the interface. It transmits the hash value with the packet, together with a key ID and a non-decreasing sequence number.

The receiver, which knows the same password, calculates its own hash value and compares it with the hash value carried in the packet. If the packet is intact and the sender used the same password, both hash values match. If they do not match, the packet was tampered with in transit or was sent with a different password, and the receiver discards it without processing it. The sequence number lets the receiver reject a replayed copy of an old packet.

The following commands enable Type 2 OSPF authentication.

  • area area-id authentication message-digest (Run this command under router ospf [process-id])
  • ip ospf message-digest-key key-id md5 password (Run this command under the specific interface)

The key ID allows routers to use multiple passwords at the same time, which makes changing passwords easy and safe. For example, we can configure the new password under a different key ID and then remove the first key ID.

As with Type 1, interfaces can use different passwords, but directly connected interfaces must share the same password.
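To make the Type 2 mechanism concrete, here is an added Python example (not part of the original tutorial and not Cisco's code) that builds a constructed OSPFv2 Hello, computes the RFC 2328 Appendix D MD5 digest over the packet plus the zero-padded key, and performs the receiver-side checks described above: key-ID lookup with several keys active at once during a password change, and rejection of a packet with a wrong password, a tampered packet, or a replayed packet. The router IDs, passwords and the placeholder Hello body are constructed values.

```python
import hashlib
import struct

# OSPFv2 packet header (RFC 2328 A.3.1), 24 bytes: version, type, packet length,
# router ID, area ID, checksum, AuType, 8-byte authentication field
HEADER = "!BBHIIHH8s"
AUTYPE_NULL, AUTYPE_SIMPLE, AUTYPE_CRYPT = 0, 1, 2
HELLO = 1

def build_hello(router_id, area_id, autype, auth_field, body=b"\x00" * 20):
    # Constructed Hello with a placeholder body; checksum left 0 (RFC 2328 D.4.3 requires 0 for AuType 2)
    return struct.pack(HEADER, 2, HELLO, 24 + len(body), router_id, area_id, 0, autype, auth_field) + body

def simple_auth_field(password):
    # Type 1: the password itself, padded to 8 bytes, is carried in the header
    return password.encode()[:8].ljust(8, b"\x00")

def crypt_auth_field(key_id, seq):
    # Type 2 (RFC 2328 D.3): 0x0000, key ID, auth data length (16 for MD5), cryptographic sequence number
    return struct.pack("!HBBI", 0, key_id, 16, seq)

def md5_digest(packet, password):
    # RFC 2328 D.4.3: MD5 over the OSPF packet followed by the key, zero-padded to 16 bytes
    return hashlib.md5(packet + password.encode().ljust(16, b"\x00")).digest()

def send_md5(router_id, area_id, key_id, seq, password):
    packet = build_hello(router_id, area_id, AUTYPE_CRYPT, crypt_auth_field(key_id, seq))
    return packet + md5_digest(packet, password)   # digest trails the packet, outside its length field

def verify_md5(wire, keys, last_seq):
    """Receiver check (RFC 2328 D.4.4). keys maps key ID -> password, so several keys can be
    active at once during a rollover. Returns (accepted, reason, sequence number to record)."""
    _, _, length, _, _, _, autype, auth = struct.unpack(HEADER, wire[:24])
    if autype != AUTYPE_CRYPT:
        return False, "AuType %d is not cryptographic" % autype, last_seq
    _, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
    if key_id not in keys:
        return False, "unknown key ID %d" % key_id, last_seq
    # Recompute the digest first: only authenticated packets may influence neighbor state
    if wire[length:length + auth_len] != md5_digest(wire[:length], keys[key_id]):
        return False, "digest mismatch (wrong password or tampered packet)", last_seq
    if seq < last_seq:   # sequence number must be non-decreasing, otherwise treat as replay
        return False, "sequence number went backwards (replay)", last_seq
    return True, "ok", seq

def wire_visible_password(wire):
    # Audit helper: with Type 1 the key is readable straight from the header; Type 2 carries only a digest
    autype, auth = struct.unpack(HEADER, wire[:24])[6:8]
    return auth.rstrip(b"\x00").decode() if autype == AUTYPE_SIMPLE else None
```

The keys dictionary mirrors having two ip ospf message-digest-key entries on one interface: neighbors still using the old key ID keep authenticating while the new one is rolled out.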

The following commands enable Type 2 OSPF authentication on R1.

Router(config)#router ospf 1
Router(config-router)#area 0 authentication message-digest
Router(config-router)#exit
Router(config)#interface fastethernet 0/0
Router(config-if)#ip ospf message-digest-key 1 md5 cisco
Router(config-if)#exit
Router(config)#interface fastethernet 0/1
Router(config-if)#ip ospf message-digest-key 3 md5 ccna
Router(config-if)#exit
Router(config)#

[Image: type 2 auth on r1]

The following commands enable Type 2 OSPF authentication on R2.

Router(config)#router ospf 1
Router(config-router)#area 0 authentication message-digest
Router(config-router)#exit
Router(config)#interface fastethernet 0/0
Router(config-if)#ip ospf message-digest-key 1 md5 cisco
Router(config-if)#exit
Router(config)#interface fastethernet 0/1
Router(config-if)#ip ospf message-digest-key 2 md5 ccnp
Router(config-if)#exit
Router(config)#

[Image: type 2 auth on r2]

The following commands enable Type 2 OSPF authentication on R3.

Router(config)#router ospf 1
Router(config-router)#area 0 authentication message-digest
Router(config-router)#exit
Router(config)#interface fastethernet 0/0
Router(config-if)#ip ospf message-digest-key 2 md5 ccnp
Router(config-if)#exit
Router(config)#interface fastethernet 0/1
Router(config-if)#ip ospf message-digest-key 3 md5 ccna
Router(config-if)#exit
Router(config)#

[Image: type 2 auth on r3]

Download Packet Tracer LAB with Type 2 OSPF authentication

Verifying Type 2 OSPF authentication

We can verify Type 2 authentication with the same commands we used for Type 1 authentication.

The following image shows the output of the 'show ip ospf interface' command on R2.

[Image: type 2 auth verify]

The following image shows the output of the 'show ip route ospf' and 'show ip ospf neighbor' commands on R2.

[Image: type 2 auth verify]

You can use the same commands on R1 and R3 to verify OSPF authentication.

Key points:

  • OSPF supports three types of authentication: null, password, and MD5.
  • The null method is the default. It uses no password.
  • The password method exchanges passwords in clear text over the network.
  • The MD5 method exchanges a hash value generated by the MD5 algorithm over the network.
  • We must configure the same type of authentication under the same OSPF area.
  • We can use different passwords on interfaces.
  • Directly connected interfaces must use the same password.

ComputerNetworkingNotes CCNA Study Guide OSPF Authentication Password and MD5 Explained