Saturday, May 14, 2011

OSPF Authentication

When we think about OSPF authentication, we have to think about two things that must agree between 2 routers on a link:
  • The authentication type: it can be null (type 0, the default, meaning no authentication), clear text (type 1) or MD5 (type 2). If the authentication type differs between 2 routers, the neighbour relationship cannot be formed, even if the type is set without configuring any key. The same applies if one router has authentication enabled while the other doesn't: the packet is dropped on the type check, before any key is looked at.
  • The authentication key. With clear text there is a single password per interface. With MD5 each key has an identifier (1 to 255) and a value; the sender writes the id of the key it used into the OSPF header, and the receiver must have a key with the same id and the same value to verify the digest. A packet whose key id the receiver does not have, or whose digest does not verify, is dropped. A router may hold several MD5 keys on one interface (that is how a key is changed without losing the adjacency), but each packet is checked against the one key its header names.
When a router with no authentication configured (type 0) receives an MD5-authenticated packet, the OSPF adjacency debug reports:
*May 14 10:38:57.843: OSPF: Rcv pkt from 192.168.253.5, FastEthernet1/0 : Mismatch Authentication type. Input packet specified type 2, we use type 0
The OSPF authentication type can be configured under interface configuration mode or under router configuration mode (per area). In both cases the authentication check itself still happens per interface: the area command is only a shortcut that enables the chosen type on every interface in that area, and an interface-level command takes precedence over it.
For example, if I enter the commands:
router ospf 1
area 0 authentication message-digest
the router enables MD5 (type 2) authentication on all of its interfaces that are in area 0.

Here is an example. The network is very simple: 3 routers (R2, R3 and R5) connected to the same Ethernet segment, 192.168.253.0/24.

Case 1:
We configure the authentication type on R3 as type 1 (clear text), and on R5 and R2 as type 2 (MD5). No keys are configured yet.

Router R5:
router ospf 1
log-adjacency-changes
network 192.168.253.5 0.0.0.0 area 0
interface FastEthernet0
ip address 192.168.253.5 255.255.255.0
ip ospf authentication message-digest
speed auto
end

Router R2:
router ospf 1
log-adjacency-changes
area 0 authentication message-digest
network 192.168.253.2 0.0.0.0 area 0
interface FastEthernet1/0
ip address 192.168.253.2 255.255.255.0
duplex auto
speed auto
end

Router R3:
router ospf 1
log-adjacency-changes
network 192.168.253.3 0.0.0.0 area 0
interface FastEthernet0
ip address 192.168.253.3 255.255.255.0
ip ospf authentication
speed auto

As you can see, on R2 the authentication type is configured under router configuration mode:
 area 0 authentication message-digest  ; enables authentication type 2 on all interfaces that are in area 0
while on R3 and R5 it is configured under interface configuration mode:
ip ospf authentication ; enables authentication type 1 (clear text) on interface f0 of R3
ip ospf authentication message-digest  ; enables authentication type 2 (MD5) on interface f0 of R5

If we look at the neighbour table on R3, it is empty:
Router R3:
R3#show ip ospf neigh
R3#

The OSPF adjacency debug on R5 shows why: R5 drops R3's hellos on the type check alone, while still sending its own hellos with the (empty) default key id 0:
00:25:01: OSPF: Rcv pkt from 192.168.253.3, FastEthernet0 : Mismatch Authentication type. Input packet specified type 1, we use type 2
00:25:05: OSPF: Send with youngest Key 0
00:25:11: OSPF: Rcv pkt from 192.168.253.3, FastEthernet0 : Mismatch Authentication type. Input packet specified type 1, we use type 2

Now if we change the authentication type on R3 to MD5 as well, the neighbour relationships come up:
R3:
int f0
ip ospf authentication message-digest

R3#show ip ospf neigh
Neighbor ID Pri State Dead Time Address Interface
192.168.253.5 1 FULL/DR 00:00:38 192.168.253.5 FastEthernet0
172.18.20.20 1 FULL/BDR 00:00:31 192.168.253.2 FastEthernet0
R3#
You can see the authentication type and the key in use on an interface with the command show ip ospf interface:
R2#show ip ospf int f1/0
FastEthernet1/0 is up, line protocol is up
Internet Address 192.168.253.2/24, Area 0
Process ID 1, Router ID 172.18.20.20, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 192.168.253.5, Interface address 192.168.253.5
Backup Designated router (ID) 172.18.20.20, Interface address 192.168.253.2
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:05
Supports Link-local Signaling (LLS)
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 192.168.253.5 (Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
No key configured, using default key id 0

The last two lines show that no key is configured, so the router uses the default key id 0, which has no value. That is why the adjacencies in Case 1 came up as soon as both sides agreed on type 2: all three routers are computing the digest with the same empty key, which any other router (or anyone else on the segment) can do too. Agreeing on the type is necessary, but without a key it is not authentication.

Case 2:
Now that the authentication types agree, let us configure the keys.
For clear-text authentication (type 1) you can configure only 1 key per interface, up to 8 characters:
int f0
ip ospf authentication-key blogkey
where blogkey is the password. The check is simple: the password is carried in the 8-byte authentication field of every OSPF packet and must be identical on both ends. Note that it is carried in the clear, so anyone who can capture traffic on the segment can read it; type 1 protects against accidental adjacencies, not against an attacker on the link.

For MD5 authentication (type 2) you can configure several keys per interface, each with a key id from 1 to 255 and a value of up to 16 characters:
int f0
ip ospf message-digest-key 30 md5 blogmd5key

The sender names the key id it used in the OSPF header and appends a 16-byte MD5 digest computed over the packet and the key (the checksum field is left at zero). The receiver looks up that key id among its own keys: if it has no key with that id, or the digest computed with its copy of the key does not match, the packet is dropped and the neighbour relationship will not be established. Both routers must therefore have the same key id with the same value. Having more than one key on an interface is what allows a key to be changed without losing the adjacency: while a new key is being rolled in, IOS sends each packet once per configured key until it has seen every neighbour use the newest key, after which the old key can be removed. Later IOS releases also add HMAC-SHA authentication through key chains (RFC 5709); prefer it over keyed MD5 where both ends support it.
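To make the check order in Case 1 and Case 2 concrete, here is an added example that is not part of the original post: a small pure-Python model of OSPFv2 packet authentication (RFC 2328, Appendix D) with a sender for types 1 and 2 and a receiver that applies the checks in the order IOS does, type first, then key id, then key value. The Hello fields, router IDs and the key names blogkey / blogmd5key are taken from the configs above; the message strings other than the "Mismatch Authentication type" line, which copies the IOS debug quoted earlier, are my own. It deliberately skips the replay check on the cryptographic sequence number that a real receiver also performs.

```python
"""Model of OSPFv2 packet authentication (RFC 2328, Appendix D): builds Hello packets
with type 0/1/2 authentication and checks them the way a receiving router does.
Added example, not IOS code. Hello fields, router IDs and key names come from the
post's configs; message strings other than the 'Mismatch Authentication type' line
(copied from the IOS debug in the post) are my own."""
import hashlib
import hmac
import struct

AUTH_NULL, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2   # OSPF AuType values
OSPF_HDR = struct.Struct("!BBH4s4sHH")          # version, type, length, router ID, area ID, checksum, AuType (16 bytes)
CRYPTO_AUTH = struct.Struct("!HBBI")            # reserved, key ID, digest length, cryptographic sequence number (8 bytes)


def ip_to_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def pad_key(key: str, size: int) -> bytes:
    """IOS truncates the password to size bytes (8 for clear text, 16 for MD5) and zero-pads it."""
    return key.encode()[:size].ljust(size, b"\x00")


def ospf_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum; returns 0 when run over data whose checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def hello_body(netmask="255.255.255.0", priority=1, neighbors=()):
    """Hello payload: netmask, hello 10 / dead 40 as on the page, options, DR/BDR unset, neighbour list."""
    body = ip_to_bytes(netmask) + struct.pack("!HBBI", 10, 0x02, priority, 40) + b"\x00" * 8
    for rid in neighbors:
        body += ip_to_bytes(rid)
    return body


def _packet(router_id, autype, auth_field, body, area_id="0.0.0.0"):
    hdr = OSPF_HDR.pack(2, 1, OSPF_HDR.size + 8 + len(body), ip_to_bytes(router_id), ip_to_bytes(area_id), 0, autype)
    return hdr + auth_field + body


def send_simple(router_id, body, password: str) -> bytes:
    """Type 1: the password itself is carried in the 8-byte authentication field of every packet.
    The checksum covers the packet minus that field."""
    pkt = _packet(router_id, AUTH_SIMPLE, pad_key(password, 8), body)
    csum = ospf_checksum(pkt[:16] + pkt[24:])
    return pkt[:12] + struct.pack("!H", csum) + pkt[14:]


def send_md5(router_id, body, key_id: int, key: str, seq: int) -> bytes:
    """Type 2: the header carries the key ID and a sequence number, the checksum field stays 0,
    and MD5(packet || key padded to 16 bytes) is appended after the packet (not counted in the length)."""
    pkt = _packet(router_id, AUTH_CRYPTO, CRYPTO_AUTH.pack(0, key_id, 16, seq), body)
    return pkt + hashlib.md5(pkt + pad_key(key, 16)).digest()


def receive(pkt: bytes, my_autype: int, password: str = "", md5_keys: dict = None) -> str:
    """Receiver checks in the order the IOS debug shows: AuType first, then the key.
    Returns 'OK' or the reason the packet is dropped (no adjacency forms).
    Skipped here: the replay check on the cryptographic sequence number."""
    _, _, length, _, _, _, autype = OSPF_HDR.unpack(pkt[:16])
    if autype != my_autype:   # Case 1: types differ, keys are never looked at
        return f"Mismatch Authentication type. Input packet specified type {autype}, we use type {my_autype}"
    if autype == AUTH_NULL:
        return "OK"
    if autype == AUTH_SIMPLE:
        if not hmac.compare_digest(pkt[16:24], pad_key(password, 8)):
            return "Mismatch Authentication Key (clear text)"
        if ospf_checksum(pkt[:16] + pkt[24:length]) != 0:
            return "Bad checksum"
        return "OK"
    _, key_id, digest_len, _seq = CRYPTO_AUTH.unpack(pkt[16:24])
    key = (md5_keys or {}).get(key_id)            # Case 2: the id in the packet selects the local key
    if key is None:
        return f"No message-digest key with id {key_id} configured"
    expected = hashlib.md5(pkt[:length] + pad_key(key, 16)).digest()
    if not hmac.compare_digest(expected, pkt[length:length + digest_len]):
        return f"Mismatch Authentication Key (message-digest key {key_id})"
    return "OK"


def sniff_cleartext_password(pkt: bytes) -> str:
    """What an on-link observer gets for free with type 1: the password, in every Hello."""
    return pkt[16:24].rstrip(b"\x00").decode()


if __name__ == "__main__":
    body = hello_body(neighbors=["192.168.253.5", "192.168.253.2"])
    clear = send_simple("192.168.253.3", body, "blogkey")           # R3 in Case 1
    md5 = send_md5("192.168.253.3", body, 30, "blogmd5key", seq=1)   # R3 in Case 2
    print("R5 (type 2) gets R3's type 1 hello:", receive(clear, AUTH_CRYPTO, md5_keys={30: "blogmd5key"}))
    print("password readable on the wire:     ", sniff_cleartext_password(clear))
    print("same key id 30, same value:        ", receive(md5, AUTH_CRYPTO, md5_keys={30: "blogmd5key"}))
    print("same key id 30, different value:   ", receive(md5, AUTH_CRYPTO, md5_keys={30: "otherkey"}))
    print("key id 30 missing on receiver:     ", receive(md5, AUTH_CRYPTO, md5_keys={31: "blogmd5key"}))
    print("no key on either side (default 0): ", receive(send_md5("192.168.253.5", body, 0, "", 1), AUTH_CRYPTO, md5_keys={0: ""}))
```

Running it prints one line per scenario: the type mismatch is reported before any key is consulted, the type 1 password can be lifted straight out of the packet bytes, a key id present on both sides with different values fails on the digest, a key id missing on the receiver fails earlier, and two routers that both have "no key" (default id 0, empty value) pass the check, which is exactly the state the show ip ospf interface output above describes.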

I hope this was helpful for understanding OSPF authentication. Please don't hesitate to write your comments or questions.
You can follow our FTP services and solutions blog on http://www.ftp.services
