This document shows sample configurations for Open Shortest Path First (OSPF) authentication which allows the flexibility to authenticate OSPF neighbors. You can enable authentication in OSPF in order to exchange routing update information in a secure manner. OSPF authentication can either be none (or null), simple, or MD5. The authentication method “none” means that no authentication is used for OSPF and it is the default method. With simple authentication, the password goes in clear-text over the network. With MD5 authentication, the password does not pass over the network. MD5 is a message-digest algorithm specified in RFC 1321. MD5 is considered the most secure OSPF authentication mode. When you configure authentication, you must configure an entire area with the same type of authentication. Starting with Cisco IOS® Software Release 12.0(8),
Readers of this document should be familiar with basic concepts of OSPF routing protocol. Refer to the Open Shortest Path First documentation for information on OSPF routing protocol.
The information in this document is based on these software and hardware versions.
- Cisco 2503 routers
- Cisco IOS Software Release 12.2(27)
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
These are the three different types of authentication supported by OSPF.
- Null Authentication—This is also called Type 0 and it means no authentication information is included in the packet header. It is the default.
- Plain Text Authentication—This is also called Type 1 and it uses simple clear-text passwords.
- MD5 Authentication—This is also called Type 2 and it uses MD5 cryptographic passwords.
Authentication does not need to be set. However, if it is set, all peer routers on the same segment must have the same password and authentication method. The examples in this document demonstrate configurations for both plain text and MD5 authentication.
This section presents you with the information to configure the features this document describes.
This document uses this network setup.
Configurations for Plain Text Authentication
Plain text authentication is used when devices within an area cannot support the more secure MD5 authentication. Plain text authentication leaves the internetwork vulnerable to a “sniffer attack,” in which packets are captured by a protocol analyzer and the passwords can be read. However, it is useful when you perform OSPF reconfiguration, rather than for security. For example, separate passwords can be used on older and newer OSPF routers that share a common broadcast network to prevent them from talking to each other. Plain text authentication passwords do not have to be the same throughout an area, but they must be the same between neighbors.Read more…