The ospf authentication-mode multi-area command configures an authentication mode for a multi-area adjacency interface.
The ospf authentication-mode multi-area null command configures null authentication for a multi-area adjacency interface.
The undo ospf authentication-mode multi-area command deletes the authentication mode configured for a multi-area adjacency interface.
By default, a multi-area adjacency interface does not authenticate OSPF packets.
ospf authentication-mode simple [ plain plain-text | [ cipher ] cipher-text ] multi-area { area-id | area-id }
ospf authentication-mode { md5 | hmac-md5 | hmac-sha256 } [ key-id { plain plain-text | [ cipher ] cipher-text } ] multi-area { area-id | area-id }
ospf authentication-mode null multi-area { area-id | area-id }
ospf authentication-mode keychain keychain-name multi-area { area-id | area-id }
undo ospf authentication-mode multi-area { area-id | area-id }
Parameter | Description | Value |
---|---|---|
plain | Indicates the plain text type. Configuring the ciphertext mode is recommended because plain text passwords are stored in plain text in the configuration file, which poses high security risks. For security purposes, change passwords regularly. | For simple authentication, cipher is used by default. |
plain-text | Specifies a plain text password. | The value is a string of characters. A password cannot contain a question mark (?), but can contain spaces if surrounded by double quotation marks (""). In this case, the double quotation marks are part of the password. |
cipher | Indicates the ciphertext type. | For MD5 or HMAC-MD5 authentication, cipher is used by default. |
cipher-text | Specifies a ciphertext password. | The value is a string of characters. A password cannot contain a question mark (?), but can contain spaces if surrounded by double quotation marks (""). In this case, the double quotation marks are part of the password. |
area-id | Specifies the ID of an OSPF area. | The value can be a decimal integer ranging from 0 to 4294967295 or in the format of an IP address. |
md5 | Indicates MD5 authentication. Configuring HMAC-SHA256 rather than MD5 is recommended for the sake of security. | An MD5 password must not start with and end with symbols $@$@ because these symbols are used to identify password types during an upgrade. |
hmac-md5 | Indicates HMAC-MD5 authentication. Configuring HMAC-SHA256 rather than HMAC-MD5 is recommended for the sake of security. | - |
hmac-sha256 | Indicates HMAC-SHA256 ciphertext authentication. | - |
key-id | Specifies the key ID for authentication, which must be the same as the one configured at the other end. | The value is an integer ranging from 1 to 255. |
null | Indicates null authentication. | - |
keychain | Indicates keychain authentication. Before you configure keychain authentication, run the keychain command to configure a keychain, the key-id command to configure a key ID, the key-string command to configure a password, and the algorithm command to configure an algorithm. If these commands are not run, OSPF authentication fails. Currently, OSPF supports only the SM3, HMAC-MD5 and HMAC-SHA256 algorithms. | - |
keychain-name | Specifies a keychain name. | The value is a string of 1 to 47 case-insensitive characters. A password cannot contain a question mark (?), but can contain spaces if surrounded by double quotation marks (""). In this case, the double quotation marks are part of the password. |
simple | Indicates simple authentication. | - |
100GE interface view, 10GE interface view, 25GE sub-interface view, 25GE interface view, 400GE interface view, 40GE interface view, 50GE sub-interface view, 50GE interface view, Eth-Trunk interface view, FlexE interface view, GE optical interface view, GE electrical interface view, GMPLS-UNI interface view, Global VE sub-interface view, Tunnel interface view, VBDIF interface view, VE sub-interface view, VLANIF interface view
Usage Scenario
Due to inherent defects and flawed implementations of the TCP/IP protocol suite, attacks are increasing in number and pose greater threats to TCP/IP networks than ever before. Attacks on network devices may lead to network failures. To improve OSPF network security by configuring an authentication mode for a multi-area adjacency interface, run the ospf authentication-mode multi-area command.
Prerequisites
The ospf enable multi-area command has been run.
Configuration Impact
Interface authentication is implemented based on an authentication mode and password between neighboring devices. Interface authentication takes precedence over area authentication.
Precautions
Null authentication is also an authentication mode, different from non-authentication.
Interfaces of devices on one network segment must share the same authentication mode and password.

```
<HUAWEI> system-view
[~HUAWEI] ospf 1
[*HUAWEI-ospf-1] area 0
[*HUAWEI-ospf-1-area-0.0.0.0] quit
[*HUAWEI-ospf-1] area 1
[*HUAWEI-ospf-1-area-0.0.0.1] quit
[*HUAWEI-ospf-1] quit
[*HUAWEI] interface GigabitEthernet 0/1/0
[*HUAWEI-GigabitEthernet0/1/0] ospf enable 1 area 0
[*HUAWEI-GigabitEthernet0/1/0] ospf enable multi-area 1
[*HUAWEI-GigabitEthernet0/1/0] ospf authentication-mode hmac-sha256 1 cipher Huawei-123 multi-area 1
```
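The following configuration audit is an added example, not part of the original command reference. It scans interface configuration text for multi-area adjacencies that have no authentication-mode line, use a mode other than hmac-sha256 or keychain, or use the plain keyword. The accepted-mode policy, the function names and the sample configuration are assumptions made for illustration, and area-level authentication is not checked.

```python
import ipaddress
import re

# Assumed audit policy (not from the page): only these modes pass.
ACCEPTED_MODES = {"hmac-sha256", "keychain"}
AUTH_RE = re.compile(r"ospf authentication-mode (\S+)(.*) multi-area (\S+)$")
ENABLE_RE = re.compile(r"ospf enable multi-area (\S+)$")

def area_key(area):
    """Normalize an area-id given as a decimal integer or in IP address format."""
    return int(ipaddress.IPv4Address(area)) if "." in area else int(area)

def audit(config):
    """Return (interface, area, issue) tuples for multi-area adjacencies."""
    findings, iface, enabled, authed = [], None, set(), set()

    def close_interface():
        # Enabled multi-area adjacencies with no interface authentication line.
        for area in sorted(enabled - authed):
            findings.append((iface, area, "no authentication-mode configured"))

    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            close_interface()
            iface, enabled, authed = line.split(None, 1)[1], set(), set()
        elif m := ENABLE_RE.match(line):
            enabled.add(area_key(m.group(1)))
        elif m := AUTH_RE.match(line):
            mode, args, area = m.group(1), m.group(2).split(), area_key(m.group(3))
            authed.add(area)
            if mode not in ACCEPTED_MODES:
                findings.append((iface, area, f"mode not accepted: {mode}"))
            idx = 0 if mode == "simple" else 1  # md5 family puts key-id first
            if len(args) > idx + 1 and args[idx] == "plain":
                findings.append((iface, area, "password stored as plain text"))
    close_interface()
    return findings

# Constructed sample configuration (passwords are placeholders).
SAMPLE = """\
interface GigabitEthernet0/1/0
 ospf enable 1 area 0
 ospf enable multi-area 1
 ospf enable multi-area 2
 ospf authentication-mode md5 1 plain Example-Pass multi-area 0.0.0.1
interface GigabitEthernet0/1/1
 ospf enable multi-area 1
 ospf authentication-mode hmac-sha256 1 cipher PLACEHOLDER multi-area 1
"""
```

Calling audit(SAMPLE) reports three issues on GigabitEthernet0/1/0 and none on GigabitEthernet0/1/1; the area-id written as 0.0.0.1 is matched to the adjacency enabled as area 1.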