Configuring OSPFv3 Authentication Trailer
Open Shortest Path First version 3 (OSPFv3) supports packet authentication, enabling OSPFv3 devices to receive only the OSPFv3 packets that are authenticated. If packets fail to be authenticated, OSPFv3 neighbor relationships cannot be established. This section describes how to configure an authentication mode.
Usage Scenario
OSPFv3 authentication trailer supports HMAC-SHA256 authentication and HMAC-SM3 authentication.
By default, authentication is not configured for OSPFv3 areas, processes, or interfaces. Configuring authentication is recommended to ensure system security.
When configuring an authentication password, select the ciphertext mode because the password is saved in configuration files in simpletext if you select simpletext mode, which has a high risk. To ensure device security, change the password periodically.
Procedure
- Configure area authentication.
- Run authentication-mode { hmac-sha256 | hmac-sm3 } key-id KeyId { plain PlainText | [ cipher ] CipherText }
An authentication mode is configured for the OSPFv3 area.
If area authentication is used, authentication mode and password configurations on all routers in the same area must be the same.
- Run authentication-mode { hmac-sha256 | hmac-sm3 } key-id KeyId { plain PlainText | [ cipher ] CipherText }
- Configure process authentication.
- Configure interface authentication.
- Run ospfv3 authentication-mode { hmac-sha256 | hmac-sm3 } key-id KeyId { plain PlainText | [ cipher ] CipherText } [ instance instanceId ]
An authentication mode is configured for the OSPFv3 interface.
Interface authentication takes precedence over area authentication. For interfaces on the same subnet, the configured authentication mode and password must be identical. This requirement does not apply to the OSPFv3 interfaces on different subnets.
- Run ospfv3 authentication-mode { hmac-sha256 | hmac-sm3 } key-id KeyId { plain PlainText | [ cipher ] CipherText } [ instance instanceId ]