OSPF can be configured to authenticate every OSPF message. This is usually done to prevent a rogue router from injecting false routing information and therefore causing a Denial-of-Service attack.
Two types of authentication can be used:
1. clear text authentication – clear text passwords are used
2. MD5 authentication – MD5 authentication is used. This type of authentication is more secure because the password doesn’t go in clear text over the network.
NOTE
With OSPF authentication turned on, routers must pass the authentication process before becoming OSPF neighbors.
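The difference between the two types is visible on the wire. The following added example (not part of the original page) builds an OSPF Hello with each type, following the packet layout in RFC 2328 Appendix D, and shows that the clear-text password sits in the header while MD5 authentication sends only a digest that the receiver recomputes. The router ID, passwords, key ID and sequence number are constructed sample values.

```python
import hashlib, hmac, struct

def header(body_len, rid, area, autype, auth8, checksum=0):
    """24-byte OSPFv2 header (RFC 2328 A.3.1); packet type 1 = Hello."""
    return struct.pack("!BBH4s4sHH8s", 2, 1, 24 + body_len, rid, area,
                       checksum, autype, auth8)

def inet_checksum(data):
    """Standard 16-bit one's-complement Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_cleartext(body, password, rid, area):
    """AuType 1: the password itself fills the 8-byte authentication field."""
    auth = password.encode().ljust(8, b"\x00")[:8]
    # The checksum skips the authentication field, so compute it over zeros.
    csum = inet_checksum(header(len(body), rid, area, 1, bytes(8)) + body)
    return header(len(body), rid, area, 1, auth, csum) + body

def pad_key(key):
    """The MD5 key is zero-padded to 16 bytes before hashing."""
    return key.encode().ljust(16, b"\x00")[:16]

def build_md5(body, key, key_id, seq, rid, area):
    """AuType 2: send Key ID + sequence number, append MD5(packet || key)."""
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = header(len(body), rid, area, 2, auth) + body  # checksum stays 0
    return pkt + hashlib.md5(pkt + pad_key(key)).digest()

def verify_md5(wire, key):
    """Receiver side: recompute the digest with the locally configured key."""
    pkt, digest = wire[:-16], wire[-16:]
    return hmac.compare_digest(digest, hashlib.md5(pkt + pad_key(key)).digest())

# Constructed sample values (not from the original page).
RID, AREA = bytes([1, 1, 1, 1]), bytes(4)
HELLO = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, 2, 1, 40,
                    bytes(4), bytes(4))
CLEAR = build_cleartext(HELLO, "labpass1", RID, AREA)
MD5PKT = build_md5(HELLO, "labmd5key", 1, 1000, RID, AREA)

if __name__ == "__main__":
    print("clear-text packet carries password:", b"labpass1" in CLEAR)
    print("MD5 packet carries key:", b"labmd5key" in MD5PKT)
    print("digest verifies:", verify_md5(MD5PKT, "labmd5key"))
```

A Hello whose digest does not match the key configured on the receiving interface is dropped, which is why the routers never become neighbors when the keys differ.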
To configure clear text authentication, the following steps are required:
- configure the OSPF password on the interface by using the ip ospf authentication-key PASSWORD interface command
- configure the interface to use OSPF clear-text authentication by using the ip ospf authentication interface command
In the following example, we will configure OSPF clear-text authentication.
Both routers are running OSPF. On R1, we need to enter the following commands:
The same commands have to be entered on R2:
To verify that clear-text authentication is indeed turned on, we can use the show ip ospf interface INTERFACE_TYPE INTERFACE_NUMBER command on either router:
Configuring OSPF MD5 authentication is very similar to configuring clear-text authentication. Two commands are also used:
- First, you need to configure the MD5 value on an interface by using the ip ospf message-digest-key 1 md5 VALUE interface command
- Next, you need to configure the interface to use MD5 authentication by using the ip ospf authentication message-digest interface command
Here is an example configuration on R1:
You can verify that R1 is using OSPF MD5 authentication by typing the show ip ospf interface INTERFACE_TYPE INTERFACE_NUMBER command:
NOTE
The OSPF authentication type can also be enabled for a whole area, instead of configuring it on each interface. This is done by using the area AREA_ID authentication [message-digest] command in OSPF configuration mode. If you omit the message-digest keyword, clear-text authentication will be used for that area. All interfaces inside the area will use OSPF authentication.