OSPF Authentication in Depth

Source: Internet
Author: User

OSPF can authenticate interfaces, areas, and virtual links. For interface authentication, the same authentication password must be configured on the two routers. Area authentication means that every interface in the area must authenticate. Because OSPF uses interfaces as the area boundary, an interface under area authentication and its neighboring router must use the same authentication method and password, but different network types in the same area can have different authentication methods and different passwords. An interface configured for area authentication can authenticate with an interface configured for interface authentication; with MD5 authentication, the key ID must be the same. OSPF authentication methods are null authentication (protocol field type 0), plaintext authentication (protocol field type 1), and MD5 authentication (protocol field type 2).

Interface authentication Configuration

Plaintext authentication

Wildlee(config-if)# ip ospf authentication

Wildlee(config-if)# ip ospf authentication-key password

MD5 authentication

Wildlee(config-if)# ip ospf authentication message-digest

Wildlee(config-if)# ip ospf message-digest-key key-id md5 password

Area authentication configuration

Plaintext authentication

Wildlee(config-router)# area area-id authentication

Wildlee(config-if)# ip ospf authentication-key password

MD5 authentication

Wildlee(config-router)# area area-id authentication message-digest

Wildlee(config-if)# ip ospf message-digest-key key-id md5 password

MD5 authentication key replacement

With MD5 authentication, the password can be changed while authentication stays in effect. Multiple passwords can be configured under an interface, and the router then sends multiple Hello packets on that link, each authenticated with a different key ID. Once the two adjacent routers can authenticate each other using more than one password, one of the passwords can be removed, which completes the password change. OSPF MD5 authentication calculates a hash value from the OSPF packet content and the password; the router that receives the packet performs the same hash calculation on the packet content and its configured password, and authenticates the packet by comparing the hash values. The key ID field of an OSPF type 2 authentication packet lets the router hold multiple passwords, with each key ID representing one password. The sequence number field can prevent packet replay attacks.
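The receiver-side check described above, written out as an added example (not code from the original article). It follows the OSPFv2 type 2 layout in RFC 2328 Appendix D; the function names, keys, router ID and Hello body are constructed for illustration.

```python
import hashlib
import hmac
import struct

HDR = "!BBHIIHHHBBI"   # 24-byte OSPFv2 header; last 8 bytes: 0, key ID, digest length, sequence
AUTYPE_MD5 = 2         # authentication type 2 = MD5

def _pad(key: bytes) -> bytes:
    return key[:16].ljust(16, b"\x00")   # the secret is zero-padded to 16 bytes

def sign(body, router_id, area_id, key_id, key, seq):
    """Build an OSPF Hello (type 1) and append the 16-byte MD5 digest."""
    length = 24 + len(body)              # length field does not count the digest
    pkt = struct.pack(HDR, 2, 1, length, router_id, area_id,
                      0, AUTYPE_MD5, 0, key_id, 16, seq) + body
    return pkt + hashlib.md5(pkt + _pad(key)).digest()

def verify(packet, keys, last_seq):
    """Return (accepted, reason, new_last_seq); keys maps key ID -> secret."""
    if len(packet) < 24:
        return False, "truncated header", last_seq
    f = struct.unpack(HDR, packet[:24])
    length, autype, key_id, dlen, seq = f[2], f[6], f[8], f[9], f[10]
    if autype != AUTYPE_MD5 or dlen != 16 or length < 24 or len(packet) != length + 16:
        return False, "malformed type 2 packet", last_seq
    if key_id not in keys:
        return False, "unknown key ID", last_seq
    if seq < last_seq:                   # older than the last accepted packet
        return False, "stale sequence number", last_seq
    expected = hashlib.md5(packet[:length] + _pad(keys[key_id])).digest()
    if not hmac.compare_digest(expected, packet[length:]):
        return False, "digest mismatch", last_seq
    return True, "ok", seq

# Constructed sample data: router/area IDs, keys and Hello body are made up.
ROLLOVER_KEYS = {1: b"old-secret", 2: b"new-secret"}   # both keys valid during the change
BODY = bytes(20)
OLD = sign(BODY, 0x01010101, 0, 1, b"old-secret", 100)
NEW = sign(BODY, 0x01010101, 0, 2, b"new-secret", 101)

if __name__ == "__main__":
    last = 0
    for name, pkt, keys in [("old key", OLD, ROLLOVER_KEYS), ("new key", NEW, ROLLOVER_KEYS),
                            ("replayed old", OLD, ROLLOVER_KEYS), ("old key removed", OLD, {2: b"new-secret"})]:
        ok, reason, last = verify(pkt, keys, last)
        print(f"{name:16} -> {ok} ({reason})")
```

The sequence state is updated only after the digest checks out, so a forged packet with a high sequence number cannot lock out the legitimate neighbor.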

Blog: http://www.wildlee.org/2012_01_2137.html
