RE: OSPF Area based authentication

From: Du, Jianbo (jdu@ebay.com)
Date: Thu Feb 08 2007 - 06:40:40 ART


Daniel,

Hope this helps you.

http://www.cisco.com/en/US/tech/tk365/technologies_white_paper09186a0080094e9e.shtml#t11

OSPF Authentication
It is possible to authenticate the OSPF packets such that routers can
participate in routing domains based on predefined passwords. By
default, a router uses a Null authentication which means that routing
exchanges over a network are not authenticated. Two other authentication
methods exist: Simple password authentication and Message Digest
authentication (MD-5).

Simple Password Authentication
Simple password authentication allows a password (key) to be configured
per area. Routers in the same area that want to participate in the
routing domain will have to be configured with the same key. The
drawback of this method is that it is vulnerable to passive attacks.
Anybody with a link analyzer could easily get the password off the wire.
To enable password authentication use the following commands:

ip ospf authentication-key key (this goes under the specific interface)

area area-id authentication (this goes under "router ospf <process-id>")

Here's an example:

interface Ethernet0
ip address 10.10.10.10 255.255.255.0
ip ospf authentication-key mypassword

router ospf 10
network 10.10.0.0 0.0.255.255 area 0
area 0 authentication

Message Digest Authentication
Message Digest authentication is a cryptographic authentication. A key
(password) and key-id are configured on each router. The router uses an
algorithm based on the OSPF packet, the key, and the key-id to generate
a "message digest" that gets appended to the packet. Unlike the simple
authentication, the key is not exchanged over the wire. A non-decreasing
sequence number is also included in each OSPF packet to protect against
replay attacks.

This method also allows for uninterrupted transitions between keys. This
is helpful for administrators who wish to change the OSPF password
without disrupting communication. If an interface is configured with a
new key, the router will send multiple copies of the same packet, each
authenticated by different keys. The router will stop sending duplicate
packets once it detects that all of its neighbors have adopted the new
key. Following are the commands used for message digest authentication:

ip ospf message-digest-key keyid md5 key (used under the interface)

area area-id authentication message-digest (used under "router ospf
<process-id>")

Here's an example:

interface Ethernet0
ip address 10.10.10.10 255.255.255.0
ip ospf message-digest-key 10 md5 mypassword

router ospf 10
network 10.10.0.0 0.0.255.255 area 0
area 0 authentication message-digest

Regards,
JianBo
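The Cisco text above says that with message-digest authentication the key never crosses the wire, that a non-decreasing sequence number guards against replay, and that several keys (key-ids) can coexist during a key change. The block below is an added illustration, not part of this thread or of the Cisco paper, of how that scheme works at the packet level as specified in RFC 2328 Appendix D: the sender appends MD5(packet || zero-padded key) after the OSPF header and body, and the receiver recomputes it, looks the key up by key-id, and rejects digests that do not match or sequence numbers that go backwards. The Hello body, router-id, area and key values are constructed for the demo; `sign`, `NeighborState` and `demo` are names chosen here, not IOS or RFC names.

```python
"""Added example (not from the Cisco paper or the thread): OSPFv2
cryptographic authentication per RFC 2328 Appendix D, sender and
receiver side.  Sample packet values are constructed for the demo."""
import hashlib
import hmac
import struct

OSPF_VERSION = 2
AU_CRYPTO = 2            # AuType 2 = cryptographic (MD5) authentication
HDR_LEN = 24             # fixed OSPFv2 header length
DIGEST_LEN = 16          # MD5 digest length ("Auth Data Len")


def _pad_key(key: bytes) -> bytes:
    """RFC 2328 D.4.3: the shared key is zero-padded to 16 bytes."""
    if len(key) > DIGEST_LEN:
        raise ValueError("OSPF MD5 key must be at most 16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def sign(ptype: int, router_id: int, area_id: int, body: bytes,
         key_id: int, key: bytes, seq: int) -> bytes:
    """Sender side: build an OSPFv2 packet and append its MD5 digest."""
    length = HDR_LEN + len(body)          # the digest is NOT counted here
    # Header: version, type, length, router id, area id, checksum (must be
    # zero for crypto auth), AuType, then the 8-byte authentication field,
    # which for AuType 2 holds: 0, Key ID, Auth Data Len, Crypto Seq Number.
    header = struct.pack("!BBHIIHH", OSPF_VERSION, ptype, length,
                         router_id, area_id, 0, AU_CRYPTO)
    header += struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    packet = header + body
    # Only the digest goes on the wire; the key itself never does.
    digest = hashlib.md5(packet + _pad_key(key)).digest()
    return packet + digest


class NeighborState:
    """Receiver side: key table plus the last accepted sequence number."""

    def __init__(self, keys: dict):
        self.keys = keys        # key_id -> key bytes (several = key rollover)
        self.last_seq = None

    def verify(self, wire: bytes):
        """Return (accepted, reason) for one received packet."""
        if len(wire) < HDR_LEN + DIGEST_LEN:
            return False, "truncated"
        ver, _ptype, length, _rid, _aid, _cksum, autype = struct.unpack(
            "!BBHIIHH", wire[:16])
        if ver != OSPF_VERSION or autype != AU_CRYPTO:
            return False, "not OSPFv2 cryptographic auth"
        _, key_id, auth_len, seq = struct.unpack("!HBBI", wire[16:24])
        if auth_len != DIGEST_LEN or len(wire) != length + DIGEST_LEN:
            return False, "bad auth data length"
        key = self.keys.get(key_id)
        if key is None:
            return False, "unknown key id %d" % key_id
        packet, digest = wire[:length], wire[length:]
        expected = hashlib.md5(packet + _pad_key(key)).digest()
        if not hmac.compare_digest(expected, digest):
            return False, "digest mismatch"
        # Replay protection: the sequence number must be non-decreasing.
        if self.last_seq is not None and seq < self.last_seq:
            return False, "replayed sequence number"
        self.last_seq = seq
        return True, "ok"


# Constructed sample Hello body: network mask, hello interval, options,
# router priority, dead interval, DR, BDR.  Values are illustrative only.
HELLO_BODY = struct.pack("!IHBBIII", 0xFFFFFF00, 10, 0x02, 1, 40, 0, 0)


def demo():
    """Accept, tampered, replayed, unknown key-id, and key-rollover cases."""
    rid, area = 0x0A0A0A0A, 0              # 10.10.10.10 as in the example, area 0
    results = []
    nbr = NeighborState({10: b"mypassword"})
    p1 = sign(1, rid, area, HELLO_BODY, 10, b"mypassword", 100)
    results.append(nbr.verify(p1)[0])                          # True
    # Flip the first body byte: the digest no longer matches.
    tampered = p1[:HDR_LEN] + bytes([p1[HDR_LEN] ^ 0xFF]) + p1[HDR_LEN + 1:]
    results.append(nbr.verify(tampered)[0])                    # False
    # Valid digest but an older sequence number: treated as a replay.
    p_old = sign(1, rid, area, HELLO_BODY, 10, b"mypassword", 99)
    results.append(nbr.verify(p_old)[0])                       # False
    # Neighbor has moved to key-id 20 before we have it configured.
    p_new = sign(1, rid, area, HELLO_BODY, 20, b"newpassword", 101)
    results.append(nbr.verify(p_new)[0])                       # False
    nbr.keys[20] = b"newpassword"                              # rollover
    results.append(nbr.verify(p_new)[0])                       # True
    return results


if __name__ == "__main__":
    print(demo())
```

The rollover case at the end is the point the Cisco text makes about uninterrupted key changes: a receiver that holds both key-ids accepts packets signed with either, so the new key can be added on every router before the old one is removed. Note that MD5 here is the legacy OSPFv2 scheme; it proves that the peer holds the shared key and stops trivial replay, but it is not a modern MAC, and RFC 5709 later added HMAC-SHA for OSPFv2.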

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Muizebelt Danny
Sent: Thursday, February 08, 2007 4:31 PM
To: Daniel_Steyn@Dell.com; ccielab@groupstudy.com
Subject: RE: OSPF Area based authentication

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Well, if you mean the Cisco area based authentication then yes.

The Cisco area authentication is a Cisco way of defining which
interfaces in which area must use authentication (instead of the default
"null" authentication). It has only local relevance and is not defined
in rfc2828 (OSPF v2).

So to mention it again: It only defines authentication in a specific
area for ALL local interfaces in that area. Neighbor routers do not know
you are using area authentication so they are perfectly happy to use
normal interface authentication.

 
Danny Muizebelt
CCIE #17353

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Daniel_Steyn@Dell.com
Sent: Thursday, 08 February 2007 02:09
To: ccielab@groupstudy.com
Subject: OSPF Area based authentication

Does anyone have any information regarding OSPF area-based
authentication?



This archive was generated by hypermail 2.1.4 : Thu Mar 01 2007 - 07:38:46 ART