ospf authentication-mode

Function

The ospf authentication-mode command sets an authentication mode and password used between neighboring nodes.

The ospf authentication-mode null command configures the null authentication mode on an interface.

The undo ospf authentication-mode command deletes the authentication mode on an interface.

By default, an interface does not authenticate OSPF packets.

Format

ospf authentication-mode { simple [ plain plain-text | [ cipher ] cipher-text ] | null }

ospf authentication-mode { md5 | hmac-md5 | hmac-sha256 } [ key-id { plain plain-text | [ cipher ] cipher-text } ]

ospf authentication-mode keychain keychain-name

undo ospf authentication-mode

Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support the keychain keychain-name parameter.

Parameters

| Parameter | Description | Value |
|---|---|---|
| simple | Indicates simple authentication. NOTICE: Simple authentication carries potential security risks. As such, HMAC-SHA256 authentication is recommended. | In simple authentication, the password type is cipher by default. |
| plain | Indicates plain authentication. Only plain text can be entered, and only plain text is displayed when the configuration file is viewed. NOTICE: If plain is selected, the password is saved in the configuration file in plain text. This carries security risks. Selecting cipher to save the password in cipher text is recommended. | - |
| plain-text | Specifies a plain text password. | plain-text is a string of 1 to 8 characters without spaces when simple is configured, and is a string of 1 to 255 characters without spaces when md5, hmac-md5 or hmac-sha256 is configured. |
| cipher | Indicates cipher authentication. Either plain text or cipher text can be entered, and cipher text is displayed when the configuration file is viewed. | When cipher is configured, enter only the password in cipher text. Then, the password is displayed in cipher text in configuration files. MD5 authentication, HMAC-SHA256 authentication or HMAC-MD5 authentication uses the password in cipher text by default. |
| cipher-text | Specifies a cipher text password. | The value is a string of characters without spaces. In simple authentication, a plain text password is a string of 1 to 8 characters and a cipher text password is a string of 24 or 32 or 48 characters. In MD5 authentication, HMAC-SHA256 authentication or HMAC-MD5 authentication, a plain text password is a string of 1 to 16 characters and a cipher text password is a string of 20 to 392 characters. |
| md5 | Indicates MD5 authentication. NOTICE: MD5 authentication carries potential security risks. As such, HMAC-SHA256 authentication is recommended. | - |
| hmac-md5 | Indicates HMAC-MD5 authentication. NOTICE: HMAC-MD5 authentication carries potential security risks. As such, HMAC-SHA256 authentication is recommended. | - |
| hmac-sha256 | Indicates HMAC-SHA256 authentication. | - |
| key-id | Specifies the authentication key ID of the interface's cipher authentication. The key ID must be consistent with that of the peer. | The value is an integer that ranges from 1 to 255. |
| keychain | Indicates keychain authentication. NOTE: Before configuring this parameter, run the keychain command to create a keychain. Then, run the key-id, key-string, and algorithm commands to configure a key ID, a password, and an authentication algorithm for this keychain. Otherwise, OSPF authentication will fail. | - |
| keychain-name | Specifies the keychain name. | The value is a string of 1 to 47 case-insensitive characters, excluding the question mark (?) and space. However, when double quotation marks (") are used around the string, spaces are allowed in the string. |
| null | Indicates null authentication. | - |

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Because of defects in the TCP/IP protocol suite, non-strict implementations of it, and the increasing number of attacks on TCP/IP networks, the impact of attacks on a network may become more serious. Attacks on network devices may lead to a network crash. To improve OSPF network security, configure authentication.

Configuration Impact

Interface authentication is used to set the authentication mode and password used between neighboring devices. It takes precedence over area authentication.

Precautions

Null authentication is an authentication method. It does not indicate that no authentication is configured.

The authentication mode and password configured for interfaces on the same network segment must be the same.

OSPF does not support the configuration on a null interface.

An authentication password cannot contain spaces.

Example

# Configure OSPF HMAC-SHA256 authentication on VLANIF100.

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ospf authentication-mode hmac-sha256

# Configure OSPF HMAC-SHA256 authentication on GE0/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] ospf authentication-mode hmac-sha256
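
# Audit interface configuration for the settings this page's NOTICEs warn about.

The following Python check is an added example, not part of the Huawei documentation. It reads interface configuration text and reports simple, md5 and hmac-md5 modes, passwords saved with the plain keyword, and key IDs outside 1 to 255. The saved-configuration layout with # separators, the sample text and all function names are assumptions.

```python
import re

# Modes that carry a security NOTICE on this page; hmac-sha256 is the recommended one.
NOTICE_MODES = {"simple", "md5", "hmac-md5"}
AUTH_RE = re.compile(r"^ospf authentication-mode\s+"
                     r"(simple|null|md5|hmac-md5|hmac-sha256|keychain)(?:\s+(.+))?$")

def check_command(line):
    """Return the findings for one 'ospf authentication-mode ...' line."""
    m = AUTH_RE.match(line.strip())
    if not m:
        return ["unrecognized ospf authentication-mode syntax"]
    mode, tokens = m.group(1), (m.group(2) or "").split()
    findings = []
    if mode in NOTICE_MODES:
        findings.append(f"{mode}: potential security risk, hmac-sha256 recommended")
    if mode in ("md5", "hmac-md5", "hmac-sha256") and tokens:
        key_id = tokens.pop(0)  # key-id precedes the password in these modes
        if not (key_id.isdigit() and 1 <= int(key_id) <= 255):
            findings.append(f"key-id {key_id!r} is outside 1-255")
    if mode != "keychain" and tokens[:1] == ["plain"]:
        findings.append("password saved in plain text, use cipher")
    return findings

def audit(config_text):
    """Map interface name -> findings, keeping only interfaces that have any."""
    report, iface = {}, None
    for line in map(str.strip, config_text.splitlines()):
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif line == "#":  # assumed section separator in the saved configuration
            iface = None
        elif iface and line.startswith("ospf authentication-mode"):
            report.setdefault(iface, []).extend(check_command(line))
    return {name: found for name, found in report.items() if found}

# Constructed sample (assumed saved-configuration layout), not from a real device.
SAMPLE_CONFIG = """interface Vlanif100
 ospf authentication-mode hmac-sha256 1 cipher CIPHERTEXT_PLACEHOLDER
#
interface Vlanif200
 ospf authentication-mode simple plain Passw0rd
#
interface GigabitEthernet0/0/1
 ospf authentication-mode md5 300 plain ExampleKey
"""

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Interfaces on the same network segment must use the same mode and password, so a finding on one interface normally means its neighbors need the same change.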
Copyright © Huawei Technologies Co., Ltd.