Configure the OSPF Network Authentication

To prevent information leakage and malicious attacks against OSPF devices, every packet exchanged between OSPF neighbors can be authenticated. The authentication types are: NULL (no authentication), simple text authentication, MD5 authentication, SM3 authentication, and key-chain authentication.

If authentication is configured, an OSPF interface authenticates incoming OSPF protocol packets and accepts only those that pass authentication. Therefore, the OSPF interfaces that set up a neighbor relation must use the same authentication mode, Key ID, and authentication password.

An authentication mode and an authentication password are configured independently. If an authentication password has been configured but no authentication mode is configured, the authentication mode corresponding to the authentication password will be automatically configured.

An OSPF authentication mode can be configured on an area, an interface, or an interface address. In order of priority from low to high, these are area authentication, interface authentication, and interface address authentication. That is, interface address authentication is used first, then interface authentication, and finally area authentication.

Configuration Condition

Before configuring OSPF authentication, ensure that:

  • Interface IP addresses have been configured so that neighbor nodes are reachable at the network layer.
  • OSPF has been enabled.

Configure OSPF Area Authentication

For OSPF area authentication to take effect, you must configure not only the area authentication mode but also the corresponding authentication password on the interface.

Table 7-10 Configuring OSPF Area Authentication

Step: Enter the global configuration mode.
Command: configure terminal
Description: -

Step: Enter the OSPF configuration mode.
Command: router ospf process-id [ vrf vrf-name ]
Description: -

Step: Configure the area authentication mode.
Command: area area-id authentication [ message-digest | key-chain ]
Description: Mandatory. By default, area authentication is not configured. The keyword message-digest indicates MD5 authentication, and the keyword key-chain indicates key-chain authentication; if neither keyword is specified, plain text authentication is configured.

Step: Enter the interface configuration mode.
Command: interface interface-name
Description: -

Step: Configure a password for plain text authentication.
Command: ip ospf [ ip-address ] authentication-key { 0 | 7 } password
Description: Mandatory. By default, no password is configured for plain text authentication.

Step: Configure a password for MD5/SM3 authentication.
Command: ip ospf [ ip-address ] message-digest-key key-id { md5 | sm3 } { 0 | 7 } password
Description: Mandatory. By default, no password is configured for MD5/SM3 authentication.

Step: Configure key-chain authentication.
Command: ip ospf [ ip-address ] key-chain key-chain name
Description: Mandatory. By default, key-chain authentication is not configured.

Configure OSPF Interface Authentication

If an OSPF interface has multiple IP addresses, you can set an authentication mode or authentication password for one IP address of the interface. If you do not specify an interface address, all addresses of the interface use the specified authentication mode or authentication password.

Table 7-11 Configuring OSPF Interface Authentication

Step: Enter the global configuration mode.
Command: configure terminal
Description: -

Step: Enter the interface configuration mode.
Command: interface interface-name
Description: -

Step: Configure the interface authentication mode.
Command: ip ospf [ ip-address ] authentication [ key-chain | message-digest | null ]
Description: Mandatory. By default, the interface authentication mode is not configured. The keyword message-digest indicates MD5 authentication, the keyword null indicates no authentication, and the keyword key-chain indicates key-chain authentication; if no keyword is specified, plain text authentication is configured.

Step: Configure a password for plain text authentication.
Command: ip ospf [ ip-address ] authentication-key { 0 | 7 } password
Description: Mandatory. By default, no password is configured for plain text authentication.

Step: Configure a password for MD5/SM3 authentication.
Command: ip ospf [ ip-address ] message-digest-key key-id { md5 | sm3 } { 0 | 7 } password
Description: Mandatory. By default, no password is configured for MD5/SM3 authentication.

Step: Configure key-chain authentication.
Command: ip ospf [ ip-address ] key-chain key-chain name
Description: Mandatory. By default, key-chain authentication is not configured.
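
The following Python check is an added example, not part of the original page or of any vendor tooling. It reads configuration text written with the commands from the two tables, resolves the effective authentication mode in the priority order described earlier (interface address, then interface, then area), and flags a mode that has no matching password command on the interface. Assumptions: the sample configuration, its interface names, key ID and password are constructed; the area an interface belongs to is passed in as an argument; only explicitly configured modes are read.

```python
import re
IP = r"(?: (\d+\.\d+\.\d+\.\d+))?"  # optional [ ip-address ] argument
MODE_RE = re.compile(rf"ip ospf{IP} authentication(?: (key-chain|message-digest|null))?$")
KEY_RE = re.compile(rf"ip ospf{IP} (authentication-key|message-digest-key|key-chain) ")
AREA_RE = re.compile(r"area (\S+) authentication(?: (message-digest|key-chain))?$")
# Credential command each mode needs ("simple" = mode given without a keyword).
NEEDS = {"simple": "authentication-key", "message-digest": "message-digest-key", "key-chain": "key-chain"}

# Constructed sample; interface names, area ID, key ID and password are made up.
SAMPLE = """\
router ospf 100
 area 0 authentication message-digest
interface gigabitethernet0
 ip ospf message-digest-key 1 md5 0 ExampleKey1
interface gigabitethernet1
 ip ospf authentication
interface gigabitethernet2
 ip ospf 10.0.2.1 authentication null
"""

def parse(config):
    """Collect explicit area modes, interface/address modes and credential lines."""
    areas, modes, keys, iface = {}, {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith(("interface ", "router ospf")):
            iface = line.split()[1] if line.startswith("interface ") else None
        elif m := AREA_RE.match(line):
            areas[m[1]] = m[2] or "simple"
        elif iface and (m := MODE_RE.match(line)):
            modes[(iface, m[1])] = m[2] or "simple"
        elif iface and (m := KEY_RE.match(line)):
            keys.setdefault((iface, m[1]), set()).add(m[2])
    return areas, modes, keys

def audit(config, iface, address, area):
    """Resolve the effective mode (address > interface > area) and list problems."""
    areas, modes, keys = parse(config)
    levels = (("address", modes.get((iface, address)) if address else None),
              ("interface", modes.get((iface, None))), ("area", areas.get(area)), ("default", "null"))
    source, mode = next(lv for lv in levels if lv[1] is not None)
    have = keys.get((iface, address), set()) | keys.get((iface, None), set())
    problems = []
    if mode == "null":
        problems.append("no authentication in effect")
    elif NEEDS[mode] not in have:
        problems.append(f"{mode} mode has no {NEEDS[mode]} configured")
    if mode == "simple":
        problems.append("plain text authentication sends the password unencrypted")
    return source, mode, problems
```

In the sample, gigabitethernet1 overrides the area's MD5 mode with plain text authentication, and address 10.0.2.1 on gigabitethernet2 overrides it with no authentication, so neither would match a neighbor that relies on the area setting.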