Beginning with IOS release 15.4(1)T, OSPF supports Secure Hash Algorithm Hash Message Authentication Code (SHA-HMAC) as described in RFC 5709.
To use SHA-HMAC authentication, OSPF uses key chains, similar to EIGRP or RIPv2. The key chains have also been enhanced so that a particular cryptographic algorithm can be selected for each key.
Things to watch out for:
- each key must have a cryptographic algorithm configured; failure to do so will result in OSPF ignoring that key.
- each key can be configured to be usable only at certain times, using the lifetime commands. If multiple keys are valid at a given time, the highest key ID will be used. This is different from RIP and EIGRP, which use the lowest key ID.
- there is no key rollover mechanism: the highest key ID is used to sign egress packets, and the key ID carried in a received packet is used to process ingress packets.
- extended cryptographic authentication is enabled per interface.
- extended cryptographic authentication on virtual links is configured under the area area-id virtual-link router-id key-chain key-chain-name command.
- MD5 is one of the supported cryptographic algorithms in key chains. An OSPF router configured for MD5 using the classic commands will interoperate with a neighbor using the new key chain style, provided the cryptographic algorithm for the keys in the key chain is MD5. When the new style is used, passwords configured with the ip ospf message-digest-key command are ignored.
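Putting the points above together, here is an added configuration sketch (not from the original post) of a two-key SHA-HMAC key chain applied to an interface and a virtual link. The key chain name, key strings, addresses, router IDs and dates are placeholders.

```text
! Key chain with two keys. Every key names an algorithm; a key without one is ignored by OSPF.
key chain OSPF-KEYS
 key 1
  key-string <placeholder-secret-1>
  cryptographic-algorithm hmac-sha-256
  send-lifetime 00:00:00 Jan 1 2015 23:59:59 Jun 30 2015
  ! accept-lifetime overlaps key 2 so ingress packets still signed with key 1 are processed
  accept-lifetime 00:00:00 Jan 1 2015 23:59:59 Jul 7 2015
 key 2
  key-string <placeholder-secret-2>
  cryptographic-algorithm hmac-sha-256
  ! highest valid key ID: once its send-lifetime starts, key 2 signs all egress packets
  send-lifetime 00:00:00 Jul 1 2015 infinite
  accept-lifetime 00:00:00 Jul 1 2015 infinite
!
! Extended cryptographic authentication is enabled per interface (placeholder addressing)
interface GigabitEthernet0/0
 ip address 10.0.12.1 255.255.255.0
 ip ospf 1 area 0
 ip ospf authentication key-chain OSPF-KEYS
!
! Virtual links take the key chain under the area virtual-link command (placeholder router ID)
router ospf 1
 router-id 1.1.1.1
 area 1 virtual-link 2.2.2.2 key-chain OSPF-KEYS
```

Because there is no rollover mechanism, the overlapping accept-lifetime on the old key is what keeps adjacencies up while neighbors switch to the new key; verify the algorithm is present on every key, since a key without one silently drops out of use.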