OSPF: Extended Cryptographic Authentication

Beginning with IOS release 15.4(1)T, OSPF supports Secure Hash Algorithm HMAC (SHA-HMAC) authentication as described in RFC 5709.

To use SHA-HMAC authentication, OSPF relies on key chains, similar to EIGRP or RIPv2.  The key chains have also been enhanced so that a particular cryptographic algorithm can be selected for each key.

Things to watch out for:

  • Each key must have a cryptographic algorithm configured; if it does not, OSPF ignores that key.
  • Each key can be restricted to certain times using the lifetime commands.  If multiple keys are valid at a given time, the highest key ID is used.  This differs from RIP and EIGRP, which use the lowest key ID.
  • There is no key rollover mechanism: the highest valid key ID is used to sign egress packets, and the key ID carried in a received packet selects the key used to verify ingress packets.
  • Extended cryptographic authentication is enabled per interface.
  • Extended cryptographic authentication on virtual links is configured with the area area-id virtual-link router-id key-chain key-chain-name command.
  • MD5 is one of the cryptographic algorithms supported in key chains.  An OSPF router configured for MD5 with the classic commands will interoperate with a neighbor using the new key chain style, provided the keys in the key chain use the MD5 cryptographic algorithm.  When the new style is used on an interface, passwords configured with the ip ospf message-digest-key command are ignored.
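The following configuration is an added example, not taken from the post, that puts the points above together. The key chain name, key strings, interface name, router IDs, area numbers and lifetimes are all assumed values chosen for illustration.

```cisco
! Key chain with two SHA-HMAC keys.  Each key carries its own
! cryptographic algorithm; a key without one is ignored by OSPF.
key chain OSPF-KC
 key 1
  key-string PLACEHOLDER-KEY-1
  cryptographic-algorithm hmac-sha-256
  accept-lifetime 00:00:00 1 Jan 2024 infinite
  send-lifetime 00:00:00 1 Jan 2024 infinite
 key 2
  key-string PLACEHOLDER-KEY-2
  cryptographic-algorithm hmac-sha-256
  ! Accept key 2 before any router sends with it, so verification
  ! never fails while the new key is being rolled out.
  accept-lifetime 00:00:00 1 Jun 2024 infinite
  send-lifetime 00:00:00 1 Jul 2024 infinite
!
! Extended cryptographic authentication is enabled per interface.
! Once the key chain is applied, any ip ospf message-digest-key
! password on this interface is ignored.
interface GigabitEthernet0/0
 ip address 10.0.12.1 255.255.255.0
 ip ospf authentication key-chain OSPF-KC
!
! Virtual links take the key chain under the OSPF process instead.
router ospf 1
 router-id 1.1.1.1
 network 10.0.12.0 0.0.0.255 area 1
 area 1 virtual-link 2.2.2.2 key-chain OSPF-KC
```

With both keys valid after 1 July 2024, key 2 (the highest key ID) signs outgoing packets, while incoming packets are verified with whichever key ID they carry, so a neighbor still sending with key 1 is accepted as long as key 1 remains within its accept-lifetime. Because there is no rollover mechanism, every router must have the new key accepted before any router starts sending with it; once all routers send with key 2, key 1 can be removed. Use show key chain to confirm which keys are currently active, and show ip ospf interface GigabitEthernet0/0 to confirm that the interface reports the key chain as its authentication method.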
