OSPF authentication protects OSPF packets by adding an authentication field to them, ensuring network security. A local device checks the authentication field in OSPF packets received from a remote device and discards any packet whose authentication information does not match the locally configured password, thereby protecting itself.
Based on the configuration scope, authentication is classified into the following types:
Area authentication: configured in the OSPF area view and applies to packets on all interfaces in the OSPF area.
Interface authentication: configured in the interface view and applies to all packets on the interface.
Based on the packet authentication mode, authentication is classified into the following types:
Non-authentication: Authentication is not performed.
Simple authentication: A configured password is added to packets directly, in cleartext, for authentication. This authentication mode is insecure.
Message-digest algorithm 5 (MD5) authentication: A configured password is hashed using an algorithm such as MD5, and the resulting digest (ciphertext password) is added to packets for authentication. This authentication mode improves password security. Currently, MD5 and hash-based message authentication code for MD5 (HMAC-MD5) are supported. For the sake of security, using the HMAC-SHA256 algorithm rather than the MD5 algorithm is recommended.
Keychain authentication: A keychain consists of multiple authentication keys, each of which contains an ID and a password. Each key in a keychain has a lifecycle, and the active key is selected dynamically based on these lifecycles, which enhances attack defense.
Keychain improves OSPF security by dynamically changing algorithms and keys. Keychain authentication can be used to authenticate both OSPF packets and the process of establishing a Transmission Control Protocol (TCP) connection. For details about keychain, see the "Keychain" chapter in HUAWEI NetEngine 8000 F Series Feature Description - Security.
HMAC-SHA256 authentication: A configured password is hashed using the HMAC for secure hash algorithm 256 (HMAC-SHA256) algorithm, and the ciphertext password is added to packets for authentication. This authentication mode improves password security.
OSPF carries the authentication type in the packet header and the authentication information (for example, the digest of a cryptographically authenticated packet) in the packet trailer.
The authentication type values are as follows:
0: non-authentication
1: simple authentication
2: ciphertext authentication
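The following is an added example (not from the NetEngine documentation) showing how a receiver validates the authentication trailer described above: it builds an OSPFv2 header with authentication type 2, computes the trailer with HMAC-SHA256 (RFC 5709) or MD5 (RFC 2328 Appendix D), and discards packets whose trailer does not match the local key. Router ID, area ID, key ID, sequence number and the Hello body are constructed sample values; RFC 5709's key preparation for keys longer than the digest length is not reproduced, so use keys of 32 bytes or fewer.

```python
import hashlib
import hmac
import struct

# OSPFv2 header layout (RFC 2328 A.3.1): 24 bytes, AuType at offset 14.
AUTH_NULL, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2  # values carried in AuType
APAD = bytes.fromhex("878FE1F3") * 8  # RFC 5709 Apad for SHA-256 (32 bytes)

def build_header(ptype, body_len, router_id, area_id, key_id, seq, algo="hmac-sha256"):
    """Header with AuType=2. The 64-bit authentication field holds the key ID,
    the digest length and a sequence number; the checksum is 0 for AuType 2."""
    digest_len = 32 if algo == "hmac-sha256" else 16
    auth_field = struct.pack("!HBBI", 0, key_id, digest_len, seq)
    return struct.pack("!BBH4s4sHH", 2, ptype, 24 + body_len,
                       router_id, area_id, 0, AUTH_CRYPTO) + auth_field

def digest(packet, key, algo="hmac-sha256"):
    """Trailer digest over the whole OSPF packet (header + body, no trailer)."""
    if algo == "hmac-sha256":  # RFC 5709: HMAC-SHA256 over packet || Apad
        return hmac.new(key, packet + APAD, hashlib.sha256).digest()
    # RFC 2328 D.4.3: MD5 over packet || key zero-padded to 16 bytes
    return hashlib.md5(packet + key.ljust(16, b"\x00")).digest()

def sign(packet, key, algo="hmac-sha256"):
    """Sender side: the digest is appended after the packet, not counted in its length."""
    return packet + digest(packet, key, algo)

def verify(wire, key):
    """Receiver side: accept only AuType 2 packets whose recomputed digest
    matches the trailer; the comparison is constant-time."""
    autype = struct.unpack("!H", wire[14:16])[0]
    if autype != AUTH_CRYPTO:
        return False  # null or simple authentication: reject under a crypto policy
    digest_len = wire[19]  # Auth Data Len byte of the authentication field
    algo = "hmac-sha256" if digest_len == 32 else "md5"
    plen = struct.unpack("!H", wire[2:4])[0]
    packet, trailer = wire[:plen], wire[plen:plen + digest_len]
    return hmac.compare_digest(trailer, digest(packet, key, algo))

if __name__ == "__main__":
    body = b"\xff\xff\xff\x00\x00\x0a\x02\x01\x00\x00\x00\x28" + b"\x00" * 8  # constructed Hello body
    hdr = build_header(1, len(body), b"\x0a\x00\x00\x01", b"\x00\x00\x00\x00", 1, 1)
    wire = sign(hdr + body, b"s3cr3t")
    print("valid:", verify(wire, b"s3cr3t"), "wrong key:", verify(wire, b"wrong"))
```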
The configuration requirements are as follows:
The interface authentication configurations must be the same on all devices on the same network so that OSPF neighbor relationships can be established.
The area authentication configurations must be the same on all devices in the same area.