Thursday, June 24, 2010

OSPF Authentication

OSPF can use MD5 or clear text authentication, and either can be enabled per area or per interface. Authentication is pretty simple, so this should be a short post.

In my example, I will use Fa0/0 as the area-facing interface and "secret" as my key. I used OSPF process 150... because it was a nice number.

First we have a clear text example. We go into our fa0/0 interface, set the key and the area. Then we go into our OSPF process and tell all of area 0 to use "authentication", which here just means clear text. Do this on each router and you are set to go.

R1(config)#interface FastEthernet0/0
R1(config-if)#ip ospf authentication-key secret
R1(config-if)#ip ospf 150 area 0
R1(config-if)#
R1(config-if)#
R1(config-if)#router ospf 150
R1(config-router)#area 0 authentication

Now we have nearly the same config but using an MD5 (Message Digest 5) key. Go into the interface and this time use message-digest-key, give the key a number, say md5, and enter secret as our key.

A useful thing to note: notice this is key 1. If our security policy said we needed to change keys every 90 days, we could create key 2 on all our routers, wait a minute, and the routers will detect that they all have a newer matching key and start using it; then we can remove key 1 without ever losing a connection. If we just changed key 1, no matter how fast we could type, the neighbor adjacency would have to be re-established, meaning our routing would be down momentarily.

R1(config)#interface FastEthernet0/0
R1(config-if)#ip ospf message-digest-key 1 md5 secret
R1(config-if)#ip ospf 150 area 0
R1(config-if)#
R1(config-if)#
R1(config-if)#router ospf 150
R1(config-router)#area 0 authentication message-digest
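
To show what the router is doing with that key 1 / key 2 rollover, here is an added example (not from the original post, and not Cisco code) that builds and verifies the OSPFv2 MD5 authentication trailer as described in RFC 2328 Appendix D. The keychain, router ID and packet body are constructed sample values; the receiver picks the key by the Key ID carried in the packet header, which is why a neighbour holding both keys keeps its adjacency while key 1 is retired.

```python
import hashlib
import hmac
import struct

# Hypothetical keychain mirroring "ip ospf message-digest-key <id> md5 <key>" on the
# router, with both key ids present during a rollover. Constructed sample values.
KEYCHAIN = {1: b"secret", 2: b"newsecret"}

def ospf_md5_trailer(packet: bytes, key: bytes) -> bytes:
    """RFC 2328 App. D: MD5 over the OSPF packet followed by the key padded to 16 bytes."""
    return hashlib.md5(packet + key[:16].ljust(16, b"\x00")).digest()

def build_ospf_packet(key_id: int, seq: int, body: bytes, key: bytes) -> bytes:
    """Sending side: OSPFv2 header with AuType 2 (MD5), then body, then the digest."""
    length = 24 + len(body)
    # version 2, type 1 (Hello), length, router id, area 0, checksum 0 (unused with
    # AuType 2), AuType 2, then the 8-byte auth field: 0, key id, auth len 16, sequence.
    header = struct.pack("!BBH4s4sHH", 2, 1, length, bytes([10, 0, 0, 1]), b"\x00" * 4, 0, 2)
    header += struct.pack("!HBBI", 0, key_id, 16, seq)
    packet = header + body
    return packet + ospf_md5_trailer(packet, key)

def verify_ospf_packet(frame: bytes, keychain: dict, last_seq: int):
    """Receiving side. Returns (accepted, reason, sequence number to remember).
    The Key ID in the header selects the key, so a neighbour holding both key 1 and
    key 2 accepts packets signed with either; the sequence number stops replays."""
    if len(frame) < 24 + 16:
        return False, "too short", last_seq
    length, autype = struct.unpack("!H", frame[2:4])[0], struct.unpack("!H", frame[14:16])[0]
    if autype != 2:
        return False, "not MD5 authenticated", last_seq
    key_id, auth_len, seq = struct.unpack("!xxBBI", frame[16:24])
    if auth_len != 16 or len(frame) != length + 16:
        return False, "bad auth length", last_seq
    key = keychain.get(key_id)
    if key is None:
        return False, f"unknown key id {key_id}", last_seq
    packet, digest = frame[:length], frame[length:]
    if not hmac.compare_digest(digest, ospf_md5_trailer(packet, key)):
        return False, "digest mismatch", last_seq
    if seq < last_seq:
        return False, "replayed sequence number", last_seq
    return True, f"ok with key id {key_id}", seq

if __name__ == "__main__":
    hello = build_ospf_packet(2, 101, b"\x00" * 20, KEYCHAIN[2])
    print(verify_ospf_packet(hello, KEYCHAIN, 100))        # accepted via key 2
    print(verify_ospf_packet(hello, {1: b"secret"}, 100))  # neighbour not yet given key 2
```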

Finally, instead of setting authentication up for the whole area, we can set it individually on interfaces. Perhaps you only have two routers with an interface each that you want to authenticate, because there is a switch between them that a malicious or misconfigured router could plug into and join your OSPF domain. We simply go into the interface, turn on authentication, choose a password, and join the area.

R1(config)#interface FastEthernet0/0
R1(config-if)#ip ospf authentication message-digest
R1(config-if)#ip ospf message-digest-key 1 md5 secret
R1(config-if)#ip ospf 150 area 0