Configuring OSPF Authentication 241
The command to implement a stub or totally stubby NSSA ABR is
Router(config-router)# area area-id nssa [no-summary]
All internal routers in an NSSA must recognize the NSSA area. This can be done with the area
nssa command:
Router(config-router)# area area-id nssa
Troubleshooting
There are several useful show commands for looking at stub areas:
show ip ospf
show ip route
show ip ospf database
show ip ospf database nssa-external
When troubleshooting, show ip protocols provides an overview of active routing and is a good
place to start. The show ip ospf command displays common OSPF parameters, while show ip
route shows the current routing table so that the current routing may be analyzed.
The database commands are useful in particular areas once you identify the problem as pertaining
to OSPF. These commands allow you to examine the routes in the topological database. Inter-area
and external routes offer a clue about the effectiveness of stub area settings.
Configuring OSPF Authentication
An attacker who could forge OSPF packets could force routes along paths that are easier to
intercept, could deny service, or could make forged websites appear to exist at the real IP
addresses. OSPF, by default, trusts all OSPF speakers and is susceptible to forged traffic.
As networks became more hostile, authentication was added to OSPF. Authentication
allows neighbors to prove that they are legitimate through a shared secret. There are three
authentication modes:
null (no authentication)
plaintext password
Message Digest (MD5) hash
The following sections describe the plaintext password and MD5 hash authentication methods.
242 Chapter 8: OSPF Advanced Topics
Plaintext Password Authentication
Password authentication provides little security. Any attacker with access to the medium can
capture traffic and easily read the password. Nevertheless, it is presented here as an easy way to
introduce the topic before considering the more appropriate method: MD5.
OSPF authentication is configured on an interface. At an interface configuration prompt, a key is
set with the ip ospf authentication command:
Router(config-if)# ip ospf authentication-key password
Other routers connected through this interface should share this password. Next, enable
authentication with the following command:
Router(config-if)# ip ospf authentication
Message Digest Authentication
MD5 hash authentication provides good security, ensuring that received messages can be trusted
because they come from a source that knows the shared secret.
To configure OSPF MD5 authentication, first set a key. A key number is used in combination
with the password to create a hash. The key is also useful when changing passwords, because more
than one key may be active at a time. Other routers connected through this interface should share
this password and key number. Use the following command syntax:
Router(config-if)# ip ospf message-digest-key key md5 password
Next, enable authentication using the message-digest keyword:
Router(config-if)# ip ospf authentication message-digest
Example 8-6 shows a configuration for a router that is set up for MD5 authentication.
NOTE Prior to Cisco IOS Software version 12.0, authentication was set per-area. All routers
in a given area had to share a password. This was less flexible than the newer interface-based
shared secret.
Example 8-6 Hash-Based OSPF Authentication
interface fastethernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip ospf message-digest-key 1 md5 mi5kgbcia
 ip ospf authentication message-digest
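To make concrete what the message-digest-key command buys over a plaintext authentication-key, here is an added example (not from the book or from Cisco IOS) that builds OSPF headers the way RFC 2328 Appendix D describes them: AuType 1 carries the password itself in the header, AuType 2 carries only a key ID, a sequence number and an MD5 digest computed over the packet plus the key, so a receiver holding the same key can verify the packet while the key never appears on the wire. Router IDs, payloads and the key "mi5kgbcia" from Example 8-6 are sample values; the padding and digest rules follow the RFC.

```python
import hashlib
import hmac
import struct

# OSPF AuType values from RFC 2328 Appendix D; these are the numbers quoted in
# the IOS "Mismatch Authentication type ... type 0, we use type 1" message.
AU_NULL, AU_SIMPLE, AU_CRYPTO = 0, 1, 2
# Fixed 16-byte prefix of the 24-byte OSPF header (auth field handled separately):
# version, type, packet length, router ID, area ID, checksum, AuType.
HDR = struct.Struct("!BBHIIHH")

def ospf_checksum(pkt: bytes) -> int:
    """IP-style one's-complement checksum over the packet, skipping the 8-byte auth field."""
    body = pkt[:16] + pkt[24:]
    if len(body) % 2:
        body += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(body) // 2), body))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_plaintext(payload: bytes, router_id: int, area_id: int, password: bytes) -> bytes:
    """AuType 1: the password (up to 8 bytes, zero padded) rides in the clear in the header."""
    hdr = HDR.pack(2, 1, 24 + len(payload), router_id, area_id, 0, AU_SIMPLE)
    pkt = hdr + password.ljust(8, b"\x00") + payload
    return pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]

def build_md5(payload: bytes, router_id: int, area_id: int, key_id: int, key: bytes, seq: int) -> bytes:
    """AuType 2 (RFC 2328 D.4.3): auth field carries key ID, digest length 16 and a sequence
    number, checksum stays 0, and MD5(packet || key zero-padded to 16) is appended after the
    packet. The key itself never appears on the wire."""
    hdr = HDR.pack(2, 1, 24 + len(payload), router_id, area_id, 0, AU_CRYPTO)
    pkt = hdr + struct.pack("!HBBI", 0, key_id, 16, seq) + payload
    return pkt + hashlib.md5(pkt + key.ljust(16, b"\x00")).digest()

def verify_md5(frame: bytes, keys: dict, last_seq: int = -1) -> bool:
    """Receiver side: require AuType 2, a known key ID, a non-decreasing sequence number
    and a digest that recomputes over the received bytes with the local copy of the key."""
    if len(frame) < 24 or struct.unpack("!H", frame[14:16])[0] != AU_CRYPTO:
        return False
    key_id, auth_len, seq = struct.unpack("!BBI", frame[18:24])
    length = struct.unpack("!H", frame[2:4])[0]
    key = keys.get(key_id)
    if key is None or auth_len != 16 or seq < last_seq or len(frame) < length + 16:
        return False
    pkt, digest = frame[:length], frame[length:length + 16]
    expected = hashlib.md5(pkt + key.ljust(16, b"\x00")).digest()
    return hmac.compare_digest(expected, digest)   # constant-time comparison
```

The keys dictionary plays the role of the per-interface key table, which is why more than one key number can be active during a password change.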
To verify that authentication is taking place, look at show ip ospf neighbor and verify that
neighbors have become completely adjacent. The show ip ospf interface command also yields
useful information about authentication.
The debug ip ospf adjacency command shows the status of authentication; it shows the progress
from the DOWN state to the FULL state and, like show ip ospf neighbor, authentication success must
be inferred. Unlike success, failure to authenticate is clearly shown by this command.
If two routers disagree over whether to use plaintext or MD5, the router will display an
authentication type mismatch, as follows:
*Dec 03 17:52:17.527: OSPF: Rcv pkt from 10.0.0.1, Fastethernet0/0: Mismatch
Authentication type. Input packet specified type 0, we use type 1
If the routers disagree over the password, the router shows a key mismatch:
*Dec 03 17:55:13.044: OSPF: Rcv pkt from 10.0.0.1, Fastethernet0/0: Mismatch
Authentication Key – Clear Text
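Because the two mismatch messages above are the only explicit sign that authentication is failing, a syslog collector can classify them. The following is an added example, not from the book or from IOS, that parses the two message forms, decodes the AuType numbers (0 null, 1 plaintext, 2 MD5 per RFC 2328) and counts events per neighbor and interface; the log lines are constructed samples modelled on the ones quoted in the text.

```python
import re
from collections import Counter

# AuType numbers quoted by the IOS message, per RFC 2328 Appendix D.
AUTYPE_NAMES = {0: "null", 1: "plaintext", 2: "md5"}

# Matches both mismatch forms; the "Key - Clear Text" suffix is not needed for the match.
MISMATCH = re.compile(
    r"OSPF: Rcv pkt from (?P<src>\d{1,3}(?:\.\d{1,3}){3}), (?P<intf>[^:]+): Mismatch\s+"
    r"Authentication (?:type\. Input packet specified type (?P<got>\d+), we use type (?P<want>\d+)"
    r"|Key)"
)

SAMPLE_LOG = [  # constructed sample lines, modelled on the debug output quoted above
    "*Dec 03 17:52:17.527: OSPF: Rcv pkt from 10.0.0.1, Fastethernet0/0: Mismatch "
    "Authentication type. Input packet specified type 0, we use type 1",
    "*Dec 03 17:55:13.044: OSPF: Rcv pkt from 10.0.0.1, Fastethernet0/0: Mismatch "
    "Authentication Key - Clear Text",
    "*Dec 03 17:55:14.100: OSPF: Rcv hello from 10.0.0.2 area 0 from Fastethernet0/0 10.0.0.2",
]

def classify(line: str):
    """Return None for unrelated lines, else a dict describing the mismatch."""
    m = MISMATCH.search(line)
    if not m:
        return None
    event = {"src": m.group("src"), "intf": m.group("intf").strip()}
    if m.group("got") is not None:
        got, want = int(m.group("got")), int(m.group("want"))
        event["problem"] = "auth-type-mismatch"
        event["neighbor_type"] = AUTYPE_NAMES.get(got, "unknown")
        event["local_type"] = AUTYPE_NAMES.get(want, "unknown")
    else:
        event["problem"] = "key-mismatch"
    return event

def summarize(lines):
    """Count events per (source, interface, problem) so a persistent or unexpected neighbor stands out."""
    counts = Counter()
    for line in lines:
        ev = classify(line)
        if ev:
            counts[(ev["src"], ev["intf"], ev["problem"])] += 1
    return counts
```

A steady stream of key mismatches from an address that is not a configured neighbor is worth a closer look, since the page's threat model is exactly forged OSPF traffic from a host on the medium.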