OSPF supports authentication using non, clear text, and MD5. SHA-1 was recently added to the list of supported authentication methods but is configured differently than the other authentication types.
- three types are available, type 0 (none) type 1 (clear text) type 2 (MD5)
- authentication is enabled per interface
- default authentication type is 0
- the default can be redefined in the OSPF configuration
- keys are always configured under the interface
- multiple Md5 keys with different IDs are allowed per interface
OSPF uses the key that was added last to the interface to sign sent packets (regardless of key number)
To authenticate a received packet, it uses the key ID that is indicated in the packet.
If a neighbor comes up that does not have the same key number as the neighbor the router begins a process called OSPF key rollover, and the neighbors begin sending packets as many times as they have keys for the interface, the rollover ends when both sides have the same key selected.
Key rollover is only used for MD5 authentication, since there are no keys for cleartext, this process is not used when that authentication type is selected.
Virtual links do not have specific interfaces under which you would configure authentication commands, instead virtual links are configured under the area virtual-link command itself.