The OSPFv2 Cryptographic Authentication feature allows you to configure a key chain on the OSPF interface to authenticate
OSPFv2 packets by using HMAC-SHA algorithms. You can use an existing key chain that is being used by another protocol,
or you can create a key chain specifically for OSPFv2.
A key chain is a list of keys. Each key consists of a key string, which is also called the password or passcode. A key-string
is essential for a key to be operational. Each key is identified by a unique key ID. To authenticate the OSPFv2 packets, it
is essential that the cryptographic authentication algorithm be configured with a key. OSPFv2 supports keys with key IDs
ranging from 1 to 255. The combination of the cryptographic authentication algorithm and the key is known as a Security
The authentication key on a key chain is valid for a specific time period called lifetime. An SA has the following configurable
While adding a new key, the Send lifetime is set to a time in the future so that the same key can be configured on all devices
in the network before the new key becomes operational. Old keys are removed only after the new key is operational on all devices
in the network. When packets are received, the key ID is used to fetch the data for that key. The packet is verified using
the cryptographic authentication algorithm and the configured key ID. If the key ID is not found, the packet is dropped.
When key chain has more than one key, OSPF selects the key that has the maximum life time. Key having an infinite lifetime
is preferred. If keys have the same lifetime, then key with the higher key ID is preferred.
Use the ip ospf authentication key-chain command to configure key chains for OSPFv2 cryptographic authentication.
If OSPFv2 is configured to use a key chain, all MD5 keys that were previously configured using the ip ospf message-digest-key command are ignored.