
Configuring OSPF Authentication (Dynamips)

by Jeremy L. Gaddis on November 26, 2008

in Networking

Let’s continue on from yesterday’s lab, “Configuring Basic OSPF“. We’ve had a new requirement added to our original design: authenticated OSPF.

Our security team has decided that it is a potential security risk to run unauthenticated OSPF across our network backbone and have asked us to implement a secure method of sending OSPF updates.

OSPF authentication comes in two forms: plain-text (simple password, AuType 1) and MD5 (cryptographic, AuType 2). Plain-text authentication copies the password into the header of every OSPF packet, so anyone who can sniff the segment reads it straight out of the capture; it is not “secure” by any definition. MD5 authentication instead sends a keyed digest (MD5 over the packet plus the key) and a cryptographic sequence number, so a host that doesn’t hold the key can neither forge updates nor replay old ones. Because a “secure method” was specified, MD5 is what we have to use. Keep in mind what it does not do: nothing is encrypted, and the routing information itself is still readable on the wire. MD5 is the strongest option IOS offers for OSPFv2 as of this writing (later IOS releases add HMAC-SHA through key chains, per RFC 5709).

Using “pwgen” on an Ubuntu Linux box (“sudo apt-get install pwgen”; “pwgen -s 16 1” produces one fully random 16-character string), I came up with a random key of “xooph8MuBaeph5ee”. This is the authentication key I’ll use for OSPF. Sixteen characters is also the maximum length IOS accepts for a message-digest key, so don’t go longer. You are, of course, free to use something else (and encouraged to do so!), but it must be identical on every router that shares a link, so store it somewhere the rest of the team can find it.
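To make the plain-text versus MD5 distinction concrete, here is an added example (written for this page, not code from the original post) that builds OSPF Hello packets the way RFC 2328 Appendix D describes both authentication types and then plays the receiver. It uses the post’s key; the router IDs, timers, the “cisco” plain-text password and the sequence numbers are made up for the demonstration. The receiver side also shows why a sniffed AuType 1 packet gives away the password, why a tampered or replayed AuType 2 packet is dropped, and why a receiver that holds more than one key ID can accept a neighbour that has already moved to a newer key.

```python
"""OSPFv2 authentication on the wire, per RFC 2328 Appendix D.

AuType 1 (simple password) copies the password into the 8-byte Authentication
field of every packet.  AuType 2 (cryptographic) puts a key ID and a sequence
number there instead and appends MD5(packet || key) after the packet.
"""
import hashlib
import hmac
import struct

AUTH_NULL, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2
# Key from the post.  IOS accepts at most 16 bytes for a message-digest key,
# which is also the length RFC 2328 pads the key to before hashing.
KEY = b"xooph8MuBaeph5ee"
HDR = struct.Struct("!BBH4s4sHH8s")  # ver, type, len, rid, area, csum, autype, auth


def hello_body(mask=b"\xff\xff\xff\x00", hello=10, dead=40, prio=1,
               dr=b"\x0a\x0a\x0a\x01", bdr=b"\x0a\x0a\x0a\x03", neighbors=()):
    """Minimal Hello body; values are made up to resemble the lab's FastEthernet segment."""
    return mask + struct.pack("!HBBI", hello, 0x02, prio, dead) + dr + bdr + b"".join(neighbors)


def ospf_checksum(pkt):
    """Standard one's-complement checksum over the packet, skipping the 8-byte auth field."""
    data = pkt[:16] + pkt[24:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_simple(rid, area, password, body):
    """AuType 1: the password itself rides in the header, zero-padded to 8 bytes."""
    pkt = HDR.pack(2, 1, 24 + len(body), rid, area, 0, AUTH_SIMPLE, password.ljust(8, b"\x00")) + body
    return pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]


def password_from_capture(pkt):
    """What a sniffer on the segment learns from a single AuType 1 packet."""
    if struct.unpack("!H", pkt[14:16])[0] != AUTH_SIMPLE:
        return None
    return pkt[16:24].rstrip(b"\x00")


def build_md5(rid, area, key_id, seq, key, body):
    """AuType 2: checksum is 0, the auth field carries key id / digest length /
    sequence number, and the 16-byte digest is appended (not counted in the length field)."""
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = HDR.pack(2, 1, 24 + len(body), rid, area, 0, AUTH_CRYPTO, auth) + body
    return pkt + hashlib.md5(pkt + key.ljust(16, b"\x00")).digest()


def verify_md5(wire, keys, last_seq):
    """Receiver check.  `keys` maps key id -> key (any configured key is accepted,
    which is what makes key rollover possible); `last_seq` is the highest sequence
    number already accepted from this neighbour.  Returns (accepted, reason, seq)."""
    if len(wire) < 40:
        return False, "truncated", None
    _ver, _ptype, length, _rid, _area, _csum, autype, auth = HDR.unpack(wire[:24])
    if autype != AUTH_CRYPTO:
        return False, "auth type mismatch", None
    _, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
    if auth_len != 16 or len(wire) != length + 16:
        return False, "bad length", seq
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id %d" % key_id, seq
    expected = hashlib.md5(wire[:length] + key.ljust(16, b"\x00")).digest()
    if not hmac.compare_digest(expected, wire[length:]):
        return False, "bad digest", seq
    if seq < last_seq:  # RFC 2328 D.4.3: must be >= the last one seen from this neighbour
        return False, "replayed sequence number", seq
    return True, "ok", seq


def demo():
    """Constructed packets as if sent by the ISP router (10.10.10.1) in area 0."""
    rid, area, body = b"\x0a\x0a\x0a\x01", b"\x00\x00\x00\x00", hello_body()
    results = {"leaked_password": password_from_capture(build_simple(rid, area, b"cisco", body))}
    keys = {1: KEY}
    wire = build_md5(rid, area, 1, 1000, KEY, body)
    results["good"] = verify_md5(wire, keys, 999)
    results["wrong_key"] = verify_md5(wire, {1: b"guess"}, 999)
    results["unknown_key_id"] = verify_md5(wire, {2: KEY}, 999)
    tampered = bytearray(wire)
    tampered[29] ^= 0x01  # flip one bit of the Hello interval in the body
    results["tampered"] = verify_md5(bytes(tampered), keys, 999)
    results["replayed"] = verify_md5(wire, keys, 1001)
    # Rollover: the sender already signs with key 2, the receiver still holds both keys
    results["rollover"] = verify_md5(build_md5(rid, area, 2, 1002, b"new-key", body),
                                     {1: KEY, 2: b"new-key"}, 1000)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-16s %r" % (name, value))
```

The digest covers everything from the OSPF header through the end of the body, including the sequence number in the auth field, so a captured packet can be neither altered nor re-sent later; what it does not cover is confidentiality, which is why the routing data in `hello_body()` is as readable in the AuType 2 packet as in the AuType 1 one.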

Since we already have an environment up and running (see the “Configuring Basic OSPF” lab), we just need to add OSPF authentication to our configs and then verify proper operation. Let’s get started.

The actual configuration to enable OSPF authentication is pretty simple. It is a two-part process: 1) on each OSPF interface, configure a key ID and the key itself (“ip ospf message-digest-key 1 md5 …”), and 2) turn on message-digest authentication for area 0 under the OSPF process, which applies to every interface this router has in that area (“ip ospf authentication message-digest” on an interface does the same for a single interface and overrides the area-wide setting). The key ID and the key must match on both ends of every link. We’ll knock both parts out at once on each router:

ISP# configure terminal
ISP(config)# interface fastethernet 0/0
ISP(config-if)# ip ospf message-digest-key 1 md5 xooph8MuBaeph5ee
ISP(config-if)# router ospf 1
ISP(config-router)# area 0 authentication message-digest
ISP(config-router)# end
ISP#

Within the dead interval after entering the above configuration (40 seconds by default on an Ethernet interface), you should notice that both of your adjacencies (to Remote1 and Remote2) go from “FULL” to “DOWN”. This is because the ISP router is now sending authenticated Hellos and silently discards the unauthenticated ones it receives, and the remote routers discard its authenticated Hellos for the same reason (with “debug ip ospf adj” running, each side logs a “Mismatch Authentication type” message for every dropped packet). Let’s configure the Remote1 router:

REMOTE1# configure terminal
REMOTE1(config)# interface fastethernet 0/0
REMOTE1(config-if)# ip ospf message-digest-key 1 md5 xooph8MuBaeph5ee
REMOTE1(config-if)# router ospf 1
REMOTE1(config-router)# area 0 authentication message-digest
REMOTE1(config-router)# end
REMOTE1#

What we see on Remote1 is a bit different. After entering the configuration, we should notice two things. First, the adjacency with Remote2 will go down, for the same reason as on the ISP router above. Second, the adjacency with the ISP router will come back up, since both routers are now sending (and expecting to receive) authenticated updates.

If we run “show ip ospf neighbor” on each router, we should see that ISP and Remote1 have an adjacency formed but that Remote2 does not have any adjacencies. Let’s verify this:

ISP# show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.10.3      254   FULL/BDR        00:00:36    10.10.10.3      FastEthernet0/0
ISP#
REMOTE1# show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.10.1      255   FULL/DR         00:00:32    10.10.10.1      FastEthernet0/0
REMOTE1#
REMOTE2# show ip ospf neighbor

REMOTE2#

All we need to do to get all of our adjacencies back up is to configure OSPF authentication on Remote2 just like we did the other two routers. We should then see our adjacencies form again:

REMOTE2# configure terminal
REMOTE2(config)# interface fastethernet 0/0
REMOTE2(config-if)# ip ospf message-digest-key 1 md5 xooph8MuBaeph5ee
REMOTE2(config-if)# router ospf 1
REMOTE2(config-router)# area 0 authentication message-digest
REMOTE2(config-router)# end
REMOTE2#
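Before moving on to verification, the check the security team will actually want is that every router got both parts of the configuration, not just the one you happen to be logged into. The following is an added example (not from the original post) that audits IOS running-config text for OSPF-enabled interfaces that are not protected by message-digest authentication. It decides which interfaces run OSPF by matching each interface address against the process’s “network … area” statements, honours an interface-level “ip ospf authentication” line overriding the area-wide setting, and flags both “authentication on but no key” and “plain-text instead of MD5”. The two config excerpts are constructed: the ISP one mirrors the finished lab, the REMOTE2 one is a hypothetical half-done state with the key step forgotten plus an invented second interface in area 1 using plain-text authentication; the network statements are assumed, since the original lab’s are not reproduced on this page.

```python
"""Audit IOS running-configs for OSPF interfaces that would still accept
unauthenticated (or plain-text authenticated) Hellos.

An interface counts as OSPF-enabled when its address falls inside a
`network <addr> <wildcard> area <n>` statement of a `router ospf` process.
"""
import ipaddress
import re

# Constructed sample: the ISP router after this lab (network statement assumed).
ISP_CONFIG = """\
hostname ISP
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip ospf message-digest-key 1 md5 xooph8MuBaeph5ee
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
!
router ospf 1
 network 10.10.10.0 0.0.0.255 area 0
 area 0 authentication message-digest
"""

# Constructed sample: a hypothetical REMOTE2 where the key was never added on
# Fa0/0 and an invented Fa0/1 in area 1 uses plain-text authentication.
REMOTE2_HALF_DONE = """\
hostname REMOTE2
!
interface FastEthernet0/0
 ip address 10.10.10.3 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.20.20.1 255.255.255.0
 ip ospf authentication
 ip ospf authentication-key cisco
!
router ospf 1
 network 10.10.10.0 0.0.0.255 area 0
 network 10.20.20.0 0.0.0.255 area 1
 area 0 authentication message-digest
"""


def parse_blocks(config):
    """Split an IOS config into {top-level line: [indented sub-lines]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def wildcard_to_network(address, wildcard):
    """IOS network statements use wildcard (inverse) masks; turn one into an IPv4Network."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network("%s/%s" % (address, netmask), strict=False)


def audit_ospf_auth(config):
    """Return one finding per OSPF interface that is not protected by message-digest auth."""
    blocks = parse_blocks(config)
    networks, area_auth = [], {}          # [(IPv4Network, area)], {area: "simple"|"message-digest"}
    for header, lines in blocks.items():
        if not header.startswith("router ospf "):
            continue
        for line in lines:
            m = re.fullmatch(r"network (\S+) (\S+) area (\S+)", line)
            if m:
                networks.append((wildcard_to_network(m.group(1), m.group(2)), m.group(3)))
            m = re.fullmatch(r"area (\S+) authentication(?: (message-digest))?", line)
            if m:
                area_auth[m.group(1)] = m.group(2) or "simple"

    findings = []
    for header, lines in blocks.items():
        if not header.startswith("interface "):
            continue
        name = header.split(" ", 1)[1]
        addr, has_key, if_auth = None, False, None   # if_auth overrides the area-wide mode
        for line in lines:
            m = re.fullmatch(r"ip address (\S+) \S+", line)
            if m:
                addr = ipaddress.IPv4Address(m.group(1))
            if re.match(r"ip ospf message-digest-key \d+ md5 ", line):
                has_key = True
            m = re.fullmatch(r"ip ospf authentication(?: (message-digest|null))?", line)
            if m:
                if_auth = m.group(1) or "simple"
        if addr is None:
            continue
        area = next((a for net, a in networks if addr in net), None)
        if area is None:
            continue                                   # interface is not in any OSPF area
        mode = if_auth if if_auth is not None else area_auth.get(area, "none")
        if mode != "message-digest":
            findings.append("%s: area %s, OSPF authentication is %s, not message-digest" % (name, area, mode))
        elif not has_key:
            findings.append("%s: message-digest authentication on, but no message-digest-key" % name)
    return findings


if __name__ == "__main__":
    for label, cfg in (("ISP", ISP_CONFIG), ("REMOTE2", REMOTE2_HALF_DONE)):
        print(label, audit_ospf_auth(cfg) or "OK")
```

Feed it the output of “show running-config” from each router; an empty list from all of them is the state you want before telling the security team you are done. The audit deliberately treats plain-text authentication as a finding, since the requirement was a secure method, not merely an authenticated one.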

And, indeed, we’ll see the adjacencies form. By looking at the output of “show ip route” we can verify convergence, but how can we know that authentication is actually being used?

Let’s run a “debug ip ospf adj” on the ISP router and take a look at the output:

ISP# debug ip ospf adj
OSPF adjacency events debugging is on
ISP#
*Mar  1 00:28:18.055: OSPF: Send with youngest Key 1
ISP#
*Mar  1 00:28:28.055: OSPF: Send with youngest Key 1
ISP#
*Mar  1 00:28:38.055: OSPF: Send with youngest Key 1
ISP#
*Mar  1 00:28:48.055: OSPF: Send with youngest Key 1
ISP#undebug all
All possible debugging has been turned off
ISP#

The “Send with youngest Key 1” lines tell us that every Hello leaving the router carries a digest computed under key ID 1. IOS always signs with the youngest (most recently configured) key on the interface but accepts packets signed with any key it has configured, which is also how you rotate the key later without dropping adjacencies: add key 2 on every router, confirm the debug now shows “youngest Key 2”, then remove key 1 everywhere. Debugging is expensive on a busy router, though; “show ip ospf interface fastethernet 0/0” reports “Message digest authentication enabled” and “Youngest key id is 1” without turning any debug on.

Success! We’ve now added authentication to our OSPF updates which will make our security team happy — and now they owe us a beer!
