To prevent unauthorized or invalid routing updates in your network, Open Shortest Path First version 2 (OSPFv2) protocol packets must be authenticated.
There are two methods of authentication that are defined for OSPFv2: plain text authentication and cryptographic authentication. This module describes how to configure cryptographic authentication using the Hashed Message Authentication Code - Secure Hash Algorithm (HMAC-SHA). OSPFv2 specification (RFC 2328) allows only the Message-Digest 5 (MD5) algorithm for cryptographic authentication. However, RFC 5709 (OSPFv2 HMAC-SHA Cryptographic Authentication) allows OSPFv2 to use HMAC-SHA algorithms for cryptographic authentication.
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for OSPFv2 Cryptographic Authentication
Ensure that Open Shortest Path First version 2 (OSPFv2) is configured on your network.
Information About OSPFv2 Cryptographic Authentication
The OSPFv2 Cryptographic Authentication feature allows you to configure a key chain on the OSPF interface to authenticate OSPFv2 packets by using HMAC-SHA algorithms. You can use an existing key chain that is being used by another protocol, or you can create a key chain specifically for OSPFv2.
A key chain is a list of keys. Each key consists of a key string, which is also called the password or passcode. A key-string is essential for a key to be operational. Each key is identified by a unique key ID. To authenticate the OSPFv2 packets, it is essential that the cryptographic authentication algorithm be configured with a key. OSPFv2 supports keys with key IDs ranging from 1 to 255. The combination of the cryptographic authentication algorithm and the key is known as a Security Association (SA).
The authentication key on a key chain is valid for a specific time period called lifetime. An SA has the following configurable lifetimes:
While adding a new key, the Send lifetime is set to a time in the future so that the same key can be configured on all devices in the network before the new key becomes operational. Old keys are removed only after the new key is operational on all devices in the network. When packets are received, the key ID is used to fetch the data for that key. The packet is verified using the cryptographic authentication algorithm and the configured key ID. If the key ID is not found, the packet is dropped.
Use the ip ospf authentication key-chain command to configure key chains for OSPFv2 cryptographic authentication.
If OSPFv2 is configured to use a key chain, all MD5 keys that were previously configured using the ip ospf message-digest-key command are ignored.
How to Configure OSPFv2 Cryptographic Authentication
The table below describes the significant fields in the output:
Table 1 show ip ospf interface Field Descriptions
Status of the configured key.
The time interval within which the device accepts the key during key exchange with another device.
The time interval within which the device sends the key during a key exchange with another device.
Example: Defining Authentication on an Interface
The following example shows how to define authentication on Gigabit Ethernet interface 0/0/0:
Device# configure terminal
Device(config)# interface GigabitEthernet0/0/0
Device (config-if)# ip ospf authentication key-chain sample1
Device (config-if)# end
Example: Verifying Authentication on an Interface
The following sample output of the show ip ospf interface command displays the cryptographic key information:
Device# show ip ospf interface GigabitEthernet0/0/0
GigabitEthernet0/0/0 is up, line protocol is up
Internet Address 192.168.8.2/24, Area 1, Attached via Interface Enable
Process ID 1, Router ID 10.1.1.8, Network Type BROADCAST, Cost: 10
Topology-MTID Cost Disabled Shutdown Topology Name
0 10 no no Base
Enabled by interface config, including secondary ip addresses
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 10.1.1.8, Interface address 192.168.8.2
Backup Designated router (ID) 10.1.1.9, Interface address 192.168.8.9
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:00
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Can be protected by per-prefix Loop-Free FastReroute
Can be used for per-prefix Loop-Free FastReroute repair paths
Index 1/1, flood queue length 0
Last flood scan length is 0, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 10.1.1.9 (Backup Designated Router)
Suppress hello for 0 neighbor(s)
Cryptographic authentication enabled
Sending SA: Key 25, Algorithm HMAC-SHA-256 – key chain sample1
The table below describes the significant fields in the output:
Table 2 show ip ospf interface Field Descriptions
Status of the physical link and operational status of the protocol.
Interface IP address, subnet mask, and area address.
OSPF process ID.
Administrative cost assigned to the interface.
MTR topology Multitopology Identifier (MTID) is a number assigned so that the protocol can identify the topology associated with information that it sends to its peers.
Transmit delay (in seconds), interface state, and router priority.
Operational state of the interface.
Designated router ID and respective interface IP address.
Backup Designated router
Backup designated router ID and respective interface IP address.
Timer intervals configured
Configuration of timer intervals.
Count of network neighbors and list of adjacent neighbors.
Status of cryptographic authentication.
Status of the sending SA (Security Association). Key, cryptographic algorithm, and key chain used.
Additional References for OSPFv2 Cryptographic Authentication
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Feature Information for OSPFv2 Cryptographic Authentication
Table 3 Feature Information for OSPFv2 Cryptographic Authentication
OSPFv2 Cryptographic Authentication
The OSPFv2 Cryptographic Authentication feature prevents unauthorized or invalid routing updates in your network by authenticating Open Shortest Path First version 2 (OSPFv2) protocol packets using HMAC-SHA algorithms.
The following command was modified: ip ospf authentication.