OSPF HMAC-SHA Extended Authentication

OSPF used to only support plain text and MD5 authentication but since IOS 15.4(1)T, OSPF also supports HMAC-SHA (Hash Message Authentication Code Secure Hash Algorithm). Besides the new algorithm, the way you configure authentication has also changed. OSPF now uses key chains like RIP and EIGRP.

To demonstrate HMAC-SHA authentication, we will use these two routers:

ospf r1 r2 topology

Configuration


Let’s start by enabling OSPF on both routers:

R1(config)#router ospf 1
R1(config-router)#network 192.168.12.1 0.0.0.255 area 0
R2(config)#router ospf 1
R2(config-router)#network 192.168.12.1 0.0.0.255 area 0

Now we can focus on authentication.

R1

First, we have to create a key chain. The name of the key chain is only locally significant so pick whatever you like. The key ID has to be the same on both routers. I’ll name it R1 and use key 1:

R1(config)#key chain R1
R1(config-keychain)#key 1

In the key chain configuration, there are two things we have to do. First, we have to tell the router that we want to use a different cryptographic algorithm:

R1(config-keychain-key)#cryptographic-algorithm ?
  hmac-sha-1    HMAC-SHA-1 authentication algorithm
  hmac-sha-256  HMAC-SHA-256 authentication algorithm
  hmac-sha-384  HMAC-SHA-384 authentication algorithm
  hmac-sha-512  HMAC-SHA-512 authentication algorithm
  md5           MD5 authentication algorithm

As you can see above, we can choose one of the HMAC-SHA options. MD5 is also supported for this new key chain method. Let’s use the most secure HMAC-SHA options:

R1(config-keychain-key)#cryptographic-algorithm hmac-sha-512

The other thing we have to configure is the key string, the password that we want to use:

R1(config-keychain-key)#key-string R1_R2_PASSWORD

The only thing left to do now is to enable authentication. This can only be done on the interface, you can’t enable it for the entire area using this method:

R1(config)#interface GigabitEthernet 0/1
R1(config-if)#ip ospf authentication key-chain R1

Let’s do the same thing on R2:

R2

R2(config)#key chain R2
R2(config-keychain)#key 1
R2(config-keychain-key)#cryptographic-algorithm hmac-sha-512
R2(config-keychain-key)#key-string R1_R2_PASSWORD

R2(config)#interface GigabitEthernet 0/1
R2(config-if)#ip ospf authentication key-chain R2

That’s all we have to configure.

Verification

Let’s verify our work. First, I’ll check if authentication is enabled or not:

R1#show ip ospf interface GigabitEthernet 0/1 | begin auth
  Cryptographic authentication enabled
    Sending SA: Key 1, Algorithm HMAC-SHA-512 - key chain R1
R2#show ip ospf interface GigabitEthernet 0/1 | begin auth
  Cryptographic authentication enabled
    Sending SA: Key 1, Algorithm HMAC-SHA-512 - key chain R2

As you can see above, authentication is enabled using HMAC-SHA-512. Let’s make sure our two routers are neighbors:

R1#show ip ospf neighbor 

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.12.2      1   FULL/DR         00:00:31    192.168.12.2    GigabitEthernet0/1
R2#show ip ospf neighbor 

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.12.1      1   FULL/BDR        00:00:33    192.168.12.1    GigabitEthernet0/1

Which seems to be the case. That’s all there is to it.

Configurations

Want to take a look for yourself? Here you will find the configuration of each device.

R1

hostname R1
!
ip cef
!
key chain R1
 key 1
  key-string R1_R2_PASSWORD
  cryptographic-algorithm hmac-sha-512
!
interface GigabitEthernet0/1
 ip address 192.168.12.1 255.255.255.0
 ip ospf authentication key-chain R1
!
router ospf 1
 network 192.168.12.0 0.0.0.255 area 0
!
end

R2

hostname R2
!
ip cef
!
key chain R2
 key 1
  key-string R1_R2_PASSWORD
  cryptographic-algorithm hmac-sha-512
!
interface GigabitEthernet0/1
 ip address 192.168.12.2 255.255.255.0
 ip ospf authentication key-chain R2
!
router ospf 1
 network 192.168.12.0 0.0.0.255 area 0
!
end

Conclusion

You have now learned how to enable OSPF HMAC-SHA authentication:

  • OSPF supports HMAC-SHA authentication since IOS 15.4(1)T.
  • Authentication is configured using key chains, similar to RIP and EIGRP.
  • Besides a key string, you have to configure which cryptographic algorithm you want to use on the key chain.

Want to know more about OSPF HMAC-SHA authentication? RFC 5709RFC 5709 has all the details.

Forum Replies

  1. R1(config)#router ospf 1
    R1(config-router)#network 192.168.12.1 255.255.255.0 area 0
    
    • netmask instead of wild card?

  2. Hi Arun,

    That’s an error yes, thanks for reporting it. I just fixed it.

    Rene

Ask a question or join the discussion by visiting our Community Forum