OSPF (Open Shortest Path First) is a standards-based link-state routing protocol. OSPF happens to be the routing protocol of choice in many enterprise networks. Your chances of running into OSPF at work are bright. The CCNA, CCNP, and CCIE Routing and Switching exams all test your understanding of OSPF concepts and configuration. These are good reasons to know OSPF very well. The security of OSPF (or any other routing protocol) is a concern that must be addressed. In this article, we’ll explore the options available for securing OSPF with authentication. The article provides configuration examples that you can practice at home (or work), making use of the downloadable GNS3 topology and initial configuration files.

Need for Authentication

A router needs routing information (or routes) to switch packets correctly to their destinations. The routing information comprises a set of networks and the best paths to reach those networks. The router keeps routes in its routing table. The routing table can be populated manually, by creating static routes. Routers are intelligent creatures that can also discover routes automatically, using dynamic routing protocols. Examples of dynamic routing protocols are RIP (routing information protocol), EIGRP (enhanced interior gateway routing protocol), and our best friend OSPF (open shortest path first). Routers use a routing protocol to learn routes and share them with other routers.

There exists a security concern with any routing protocol. It is the possibility of a router accepting incorrect routing information. The source of incorrect routing information may be an attacker, trying to trick the router into sending packets to the wrong destination. Lost packets result in users experiencing degraded network service, even complete isolation. Packets routed to an unintended destination can be captured to steal information. The cause of invalid routing information is not always a person with malicious intent. A malfunctioning router can also send invalid routing updates. Most routing protocols support authentication to secure the exchange of routing information between routers.

OSPF can authenticate all packets exchanged between neighbors. OSPF authentication can be done by simple passwords, or the more secure MD5 cryptographic checksums. There is more on OSPF authentication next.

Understanding OSPF Authentication

OSPF routers across a data link talk to each other using one of five types of OSPF packets: Hello, Database Description, Link State Request, Link State Update, and Link State Acknowledgement.

Each OSPF packet type is different and serves a different purpose. Each OSPF packet begins with an OSPF packet header, whose format is the same for all packet types. The data that follows the header in the OSPF packet is different for different packet types.

The OSPF packet header has various fields. The following two fields are relevant to OSPF authentication:

AuType is the type of authentication being used. The AuType field can have one of three possible values: 0, 1, and 2.

The Authentication field carries the information required for the packet to be authenticated by whatever type is specified in the AuType field. If AuType is 0, the Authentication field is ignored and therefore may contain anything. If AuType is 1, the Authentication field contains a password of up to 8 characters (64 bits). If AuType is 2, the Authentication field contains a key ID, the Authentication Data Length, and a Cryptographic Sequence Number. The key ID allows the router to reference multiple passwords, which makes changing a password easier and more secure. The field also includes the password or key used to create the message digest. Authentication Data Length specifies the length of the message digest. The message digest itself is not part of the Authentication field; rather, it is appended to the very end of the OSPF packet. The Cryptographic Sequence Number is a non-decreasing number used to prevent replay attacks.

AuType   Type of Authentication
0        Null (no authentication)
1        Simple password sent in clear text
2        Cryptographic (MD5) checksum

Type 0 means null authentication. It is not a real type of authentication because it simply means no authentication information is included in the packet header. Type 0 is also the default.

Type 1 uses simple passwords up to 8 characters in length, sent in clear-text inside the OSPF packet header. The clear-text passwords in OSPF packets can easily be read if the packets are captured using a sniffer like Wireshark.

Type 2 uses MD5 cryptographic checksums and is the most secure type of OSPF authentication. You should always use type 2 authentication when possible. Type 1 authentication should only be used when network devices cannot support the more secure type 2 authentication.

OSPF authentication is not a one-time event. Every OSPF packet contains authentication data in the AuType and Authentication fields of the packet header. Every packet is authenticated individually.

Configuring OSPF Authentication

We are using the GNS3 topology shown in the figure for configuration. The topology consists of four Cisco 3725 routers: R1, R2, R3, R4.

You can download the GNS3 topology and initial configuration files. You should run the included GNS3 project file to get the topology up and running. The topology should work well on GNS3 1.x, where x is any number. IP addresses have already been configured, according to the figure.

You have to apply basic OSPF configuration to all routers as given below:

R1

router ospf 1
 network 192.168.12.1 0.0.0.0 area 1

R2

router ospf 1
 network 192.168.12.2 0.0.0.0 area 1
 network 10.1.1.2 0.0.0.0 area 0

R3

router ospf 1
 network 10.1.1.3 0.0.0.0 area 0

R4

router ospf 1
 network 10.1.1.4 0.0.0.0 area 0

The routers will establish OSPF adjacencies and exchange routing information. Once OSPF has converged, you should be able to ping any IP address from any router in the network.

R1#ping 10.1.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/64/92 ms

R1#ping 10.1.1.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/64/96 ms

This completes the basic OSPF configuration without authentication. We are going to configure the different OSPF authentication types one by one. The basic OSPF configuration will stay the same.

You may save your configuration at this point, to make sure your basic OSPF configuration is available after reloading your routers. First, run the command copy running-config startup-config on all four routers. Second, save your GNS3 project by going to File > Save project (or Save project as…). You can now configure and verify OSPF authentication of one type. Once you’re done, you can reload the routers without saving the configuration to start clean with basic OSPF configuration. You may then get your hands dirty with another type of OSPF authentication.

We will cover the configuration of all three types of OSPF authentication, separately.

Type 0 Authentication

The OSPF configuration so far does not involve any explicit authentication configuration, which means type 0 or null authentication is already in use.

Type 1 Authentication

You have to configure the authentication password as well as actually enable authentication. You can configure the authentication password using the ip ospf authentication-key command, in interface configuration mode. The command associates a password of up to eight characters to the interface, but does not actually enable authentication. Type 1 authentication can be enabled using the ip ospf authentication command in interface configuration mode. The password intense is being used between R1 and R2, and the password cisco is being used between R2, R3, and R4.

R1

interface Serial0/0
 ip ospf authentication-key intense
 ip ospf authentication

R2

interface FastEthernet0/0
 ip ospf authentication-key cisco
 ip ospf authentication
!
interface Serial0/0
 ip ospf authentication-key intense
 ip ospf authentication

R3

interface FastEthernet0/0
 ip ospf authentication-key cisco
 ip ospf authentication

R4

interface FastEthernet0/0
 ip ospf authentication-key cisco
 ip ospf authentication

The show ip ospf interface command can be used to determine which type of OSPF authentication is configured on the interface.

R2#show ip ospf interface Serial0/0
Serial0/0 is up, line protocol is up
  Internet Address 192.168.12.2/30, Area 1
  Process ID 1, Router ID 192.168.12.2, Network Type POINT_TO_POINT, Cost: 64
  Transmit Delay is 1 sec, State POINT_TO_POINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:06
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 192.168.12.1
  Suppress hello for 0 neighbor(s)
  Simple password authentication enabled

We have used the ip ospf authentication command in interface configuration mode to enable OSPF authentication individually on each interface. Alternatively, we could have used the area authentication command to enable OSPF authentication on all interfaces in the area. If you have a large number of interfaces in an area, this saves quite a few configuration lines. The ip ospf authentication-key command still has to be applied individually to each interface. The alternate configuration is given below:

R1

interface Serial0/0
 ip ospf authentication-key intense
!
router ospf 1
 area 1 authentication

R2

interface FastEthernet0/0
 ip ospf authentication-key cisco
!
interface Serial0/0
 ip ospf authentication-key intense
!
router ospf 1
 area 0 authentication
 area 1 authentication

R3

interface FastEthernet0/0
 ip ospf authentication-key cisco
!
router ospf 1
 area 0 authentication

R4

interface FastEthernet0/0
 ip ospf authentication-key cisco
!
router ospf 1
 area 0 authentication

Type 2 Authentication

Type 2 authentication uses the MD5 hashing algorithm. MD5 computes a hash value from the contents of the OSPF packet and a password (or key). The hash value is added to the end of the OSPF packet and is sent with the packet. A key ID is also sent in the packet, but the password (or key) is never sent. When the receiver gets the packet, it computes the hash value again using the contents of the received OSPF packet and the password (or key) it already has. If nothing in the message has changed in transit, and the receiving router has the same password (or key) as the sending router, the hash value computed by the receiver matches the hash value computed by the sender and sent with the OSPF packet. OSPF routers can keep more than one password, and reference the password currently in use by its key ID. This makes password migration easier and more secure.

You can use the command ip ospf message-digest-key <key-id> md5 <password>, in interface configuration mode, to assign a password to the interface. The password can be up to 16 characters long, and the key ID can be any number between 1 and 255. The ip ospf message-digest-key command does not enable authentication; it just sets the password. You have to enable type 2 authentication separately. There are two slightly different ways of doing it, and we are going to cover both. You may use the ip ospf authentication message-digest command on each interface.

R1

interface Serial0/0
 ip ospf message-digest-key 5 md5 intense
 ip ospf authentication message-digest

R2

interface FastEthernet0/0
 ip ospf message-digest-key 10 md5 cisco
 ip ospf authentication message-digest
!
interface Serial0/0
 ip ospf message-digest-key 5 md5 intense
 ip ospf authentication message-digest

R3

interface FastEthernet0/0
 ip ospf message-digest-key 10 md5 cisco
 ip ospf authentication message-digest

R4

interface FastEthernet0/0
 ip ospf message-digest-key 10 md5 cisco
 ip ospf authentication message-digest

You may also use the area authentication message-digest command to enable type 2 authentication for all router interfaces in the area.

R1

interface Serial0/0
 ip ospf message-digest-key 5 md5 intense
!
router ospf 1
 area 1 authentication message-digest

R2

interface FastEthernet0/0
 ip ospf message-digest-key 10 md5 cisco
!
interface Serial0/0
 ip ospf message-digest-key 5 md5 intense
!
router ospf 1
 area 0 authentication message-digest
 area 1 authentication message-digest

R3

interface FastEthernet0/0
 ip ospf message-digest-key 10 md5 cisco
!
router ospf 1
 area 0 authentication message-digest

R4

interface FastEthernet0/0
 ip ospf message-digest-key 10 md5 cisco
!
router ospf 1
 area 0 authentication message-digest

The passwords do not have to be the same throughout an OSPF area, but they must match between OSPF neighbors. The key ID allows you to change the password without having to disable authentication. For example, to change the password between R1 and R2, the new password would be configured on Serial0/0 of R1 and Serial0/0 of R2 under a different key ID.
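As an added illustration that is not part of the original article or of Cisco's code, the following Python models the AuType 2 mechanism explained under Type 2 Authentication and the per-key-ID lookup that lets a router hold several keys during a password change: the sender fills the Authentication field with the key ID, digest length and cryptographic sequence number, appends an MD5 digest computed over the packet plus the null-padded key (RFC 2328 Appendix D), and the receiver recomputes the digest and rejects unknown key IDs, replayed sequence numbers and modified packets. The Hello body, router IDs and keys used with it are constructed values; simple_password shows why an AuType 1 password is readable from a capture.

```python
import hashlib
import hmac
import struct

# OSPFv2 packet header (RFC 2328 A.3.1): version, type, packet length,
# router ID, area ID, checksum, AuType, 8-byte Authentication field.
HDR = struct.Struct("!BBHIIHH8s")
AU_NULL, AU_SIMPLE, AU_MD5 = 0, 1, 2
HELLO = 1
DIGEST_LEN = 16

def parse_header(data):
    ver, ptype, length, rid, area, cksum, autype, auth = HDR.unpack_from(data)
    return {"type": ptype, "length": length, "rid": rid, "autype": autype, "auth": auth}

def simple_password(data):
    # AuType 1: the password sits in the header unencrypted, null-padded to 8 bytes.
    return parse_header(data)["auth"].rstrip(b"\x00")

def pad_key(key):
    # RFC 2328 D.3: keys are 16 bytes; shorter keys are padded with nulls.
    return key.ljust(DIGEST_LEN, b"\x00")[:DIGEST_LEN]

def build_md5_packet(body, rid, area, key_id, key, seq):
    # Checksum is 0 for AuType 2; the Authentication field carries 2 reserved
    # bytes, the key ID, the digest length and the cryptographic sequence number.
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    packet = HDR.pack(2, HELLO, HDR.size + len(body), rid, area, 0, AU_MD5, auth) + body
    # The digest covers packet + padded key; the digest, never the key, is appended.
    return packet + hashlib.md5(packet + pad_key(key)).digest()

def verify_md5_packet(data, keys, last_seq):
    """Receiver side. keys maps key ID -> key bytes configured on the interface;
    last_seq is the last sequence number accepted from this neighbour."""
    h = parse_header(data)
    if h["autype"] != AU_MD5:
        return "autype is not md5"
    _, key_id, dlen, seq = struct.unpack("!HBBI", h["auth"])
    if dlen != DIGEST_LEN or len(data) != h["length"] + DIGEST_LEN:
        return "bad authentication data length"
    if key_id not in keys:
        return "unknown key id"
    if seq < last_seq:  # RFC 2328 D.4.3: an older sequence number is a replay
        return "replayed sequence number"
    packet, digest = data[:h["length"]], data[h["length"]:]
    expected = hashlib.md5(packet + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, digest):
        return "digest mismatch (wrong key or packet modified in transit)"
    return "ok"
```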

The passwords in a production network should never be as simple as cisco and intense. It’s a good practice to add the service password-encryption command to the configuration of all routers doing OSPF authentication. This command will encrypt the passwords in any display of configuration files. It’s a simple security measure to prevent the password from being learned by simply seeing the configuration text. Note that it applies the reversible type 7 encoding, so it only hides the keys from casual viewing; anyone who obtains a copy of the configuration can recover them with widely available tools, which is one more reason to protect configuration backups and to choose strong keys.

That completes our coverage of OSPF authentication. Feel free to leave a comment, or look around for other useful articles.