
OSPF – Implement and troubleshoot authentication – SHA authentication

Let’s finish this authentication series by having a look at the strongest one.


Theory:

The HMAC-SHA algorithms for cryptographic authentication of OSPFv2 are defined in RFC 5709.

Note that, as per the Cisco configuration guide, this feature was released in IOS version 15.4(1)T.


Requirements:

Configure OSPF HMAC-SHA based authentication in area 0.


Diagram:

[Diagram: OSPF Totally stubby area]


Configuration and verification:

HMAC-SHA based authentication can only be configured at the interface level.


We need to create a key chain and then apply it at the interface level.

R1(config)#key chain SHA
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string CISCO
R1(config-keychain-key)#cryptographic-algorithm ?
  hmac-sha-1    HMAC-SHA-1 authentication algorithm
  hmac-sha-256  HMAC-SHA-256 authentication algorithm
  hmac-sha-384  HMAC-SHA-384 authentication algorithm
  hmac-sha-512  HMAC-SHA-512 authentication algorithm
  md5           MD5 authentication algorithm
R1(config-keychain-key)#cryptographic-algorithm hmac-sha-512

R1(config)#int Et0/0
R1(config-if)#ip ospf authentication key-chain SHA


We now turn on OSPF adjacency debugging to see what kind of message we receive from our neighbors.

R1#debug ip ospf 10 adj
OSPF adjacency debugging is on for process 10
*Feb 10 15:18:10.068: OSPF-10 ADJ   Et0/0: Rcv pkt from 10.10.1.3 : Mismatched Authentication type. Input packet specified type 0, we use type 2

We receive the same kind of mismatch message as in the previous posts: the neighbor still sends unauthenticated packets (AuType 0) while we now require cryptographic authentication (AuType 2).
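To make the mechanism behind that debug message concrete, here is an added Python example (not code from this post or from Cisco) that models the RFC 5709 authentication trailer: it builds a minimal OSPFv2 packet with AuType 2, computes the HMAC-SHA trailer over the packet plus the RFC 5709 Apad constant, and verifies received packets the way a router would, including the "type 0 / type 2" mismatch seen above and the non-decreasing cryptographic sequence number check from RFC 2328. The key-chain entry (key 1, key-string CISCO, hmac-sha-512) and the router ID 11.11.11.11 are the ones used in this post; the Hello body, area and sequence numbers are constructed values. It assumes the HMAC is the standard RFC 2104 construction (Python's hmac module); that assumption is marked in the code.

```python
import hashlib
import hmac
import socket
import struct

# Cisco "cryptographic-algorithm" keywords mapped to hash constructors.
ALGORITHMS = {
    "hmac-sha-1": hashlib.sha1,
    "hmac-sha-256": hashlib.sha256,
    "hmac-sha-384": hashlib.sha384,
    "hmac-sha-512": hashlib.sha512,
}

AUTH_NULL = 0           # RFC 2328 AuType 0: no authentication ("type 0" in the debug)
AUTH_CRYPTOGRAPHIC = 2  # RFC 2328 AuType 2: MD5 and RFC 5709 HMAC-SHA ("type 2")
HEADER_FMT = "!BBH4s4sHH8s"  # version, type, length, router ID, area ID, checksum, AuType, auth field
AUTH_FIELD_FMT = "!HBBI"     # reserved, Key ID, Auth Data Len, Cryptographic Sequence Number
HEADER_LEN = 24

def apad(digest_size):
    """RFC 5709 3.3: 0x878FE1F3 repeated L/4 times, where L is the hash length in octets."""
    return b"\x87\x8f\xe1\xf3" * (digest_size // 4)

def compute_trailer(packet, key, algo):
    """HMAC over header + body with Apad occupying the trailer position.
    Assumption: standard RFC 2104 HMAC, as implemented by Python's hmac module."""
    digest = ALGORITHMS[algo]
    return hmac.new(key, packet + apad(digest().digest_size), digest).digest()

def sign_packet(packet_type, router_id, area_id, body, key_id, key, algo, seq):
    """Build an OSPFv2 packet authenticated per RFC 5709 with the given key-chain entry."""
    digest_size = ALGORITHMS[algo]().digest_size
    auth_field = struct.pack(AUTH_FIELD_FMT, 0, key_id, digest_size, seq)
    # Checksum is 0: with cryptographic authentication the HMAC trailer protects the packet.
    header = struct.pack(HEADER_FMT, 2, packet_type, HEADER_LEN + len(body),
                         socket.inet_aton(router_id), socket.inet_aton(area_id),
                         0, AUTH_CRYPTOGRAPHIC, auth_field)
    packet = header + body
    return packet + compute_trailer(packet, key, algo)

def verify_packet(data, key_chain, last_seq=None):
    """Return (accepted, reason). key_chain maps Key ID -> (key-string, algorithm)."""
    if len(data) < HEADER_LEN:
        return False, "packet shorter than OSPF header"
    version, _ptype, length, _rid, _aid, _csum, autype, auth_field = struct.unpack(
        HEADER_FMT, data[:HEADER_LEN])
    if version != 2:
        return False, f"unsupported OSPF version {version}"
    if autype != AUTH_CRYPTOGRAPHIC:
        # Same condition the debug above reports for an unauthenticated neighbor.
        return False, f"Mismatched Authentication type. Input packet specified type {autype}, we use type 2"
    _reserved, key_id, auth_len, seq = struct.unpack(AUTH_FIELD_FMT, auth_field)
    if key_id not in key_chain:
        return False, f"no key {key_id} in key chain"
    key, algo = key_chain[key_id]
    digest_size = ALGORITHMS[algo]().digest_size
    if auth_len != digest_size or len(data) != length + digest_size:
        return False, "authentication data length does not match configured algorithm"
    packet, trailer = data[:length], data[length:]
    # Constant-time comparison so timing reveals nothing about the expected trailer.
    if not hmac.compare_digest(trailer, compute_trailer(packet, key, algo)):
        return False, "bad HMAC (wrong key, wrong algorithm, or modified packet)"
    if last_seq is not None and seq < last_seq:
        # RFC 2328 D.4.3: the sequence number must be non-decreasing per neighbor.
        return False, f"replay: sequence {seq} < last accepted {last_seq}"
    return True, f"accepted key {key_id} {algo} seq {seq}"

# Key chain from the post: key 1, key-string CISCO, cryptographic-algorithm hmac-sha-512.
KEY_CHAIN = {1: (b"CISCO", "hmac-sha-512")}
HELLO_BODY = bytes(20)  # constructed placeholder Hello body, not real Hello contents

def demo():
    """Exercise the good case and the failure modes a router would log."""
    good = sign_packet(1, "11.11.11.11", "0.0.0.0", HELLO_BODY, 1, b"CISCO", "hmac-sha-512", seq=100)
    tampered = good[:30] + bytes([good[30] ^ 0xFF]) + good[31:]  # flip one body byte
    wrong_key = sign_packet(1, "11.11.11.11", "0.0.0.0", HELLO_BODY, 1, b"WRONG", "hmac-sha-512", seq=100)
    # Unauthenticated packet (AuType 0), as the neighbor sent before it was configured.
    unauth = struct.pack(HEADER_FMT, 2, 1, HEADER_LEN + len(HELLO_BODY), socket.inet_aton("10.10.1.3"),
                         socket.inet_aton("0.0.0.0"), 0, AUTH_NULL, bytes(8)) + HELLO_BODY
    return {
        "good": verify_packet(good, KEY_CHAIN, last_seq=99),
        "tampered": verify_packet(tampered, KEY_CHAIN),
        "wrong_key": verify_packet(wrong_key, KEY_CHAIN),
        "unauthenticated": verify_packet(unauth, KEY_CHAIN),
        "replay": verify_packet(good, KEY_CHAIN, last_seq=101),
    }

if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:16} {'ACCEPT' if ok else 'DROP  '} {reason}")
```

Running the module prints one line per case; only the correctly keyed, in-sequence packet is accepted, and the unauthenticated one produces the same "type 0, we use type 2" wording as the router debug.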


After configuring the same authentication on the two other routers, we can see that the adjacencies are now up.

R1#sh ip ospf neigh
Neighbor ID     Pri   State           Dead Time   Address         Interface
22.22.22.22       0   FULL/DROTHER    00:00:38    10.10.1.2       Ethernet0/0
33.33.33.33       5   FULL/BDR        00:00:38    10.10.1.3       Ethernet0/0
R1#sh ip ospf int Eth 0/0
Ethernet0/0 is up, line protocol is up
  Internet Address 10.10.1.1/24, Area 0, Attached via Network Statement
  Process ID 10, Router ID 11.11.11.11, Network Type BROADCAST, Cost: 1
SNIP
  Cryptographic authentication enabled
    Sending SA: Key 1, Algorithm HMAC-SHA-512 - key chain SHA

R1#show key chain
Key-chain SHA:
    key 1 -- text "CISCO"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]

R2#sh ip ospf int Et0/0
Ethernet0/0 is up, line protocol is up
  Internet Address 10.10.1.2/24, Area 0, Attached via Network Statement
  Process ID 10, Router ID 22.22.22.22, Network Type BROADCAST, Cost: 1
SNIP
  Cryptographic authentication enabled
    Sending SA: Key 1, Algorithm HMAC-SHA-512 - key chain SHA

R3#sh ip ospf int Eth 0/0
Ethernet0/0 is up, line protocol is up
  Internet Address 10.10.1.3/24, Area 0, Attached via Network Statement
  Process ID 10, Router ID 33.33.33.33, Network Type BROADCAST, Cost: 1
SNIP
  Cryptographic authentication enabled
    Sending SA: Key 1, Algorithm HMAC-SHA-512 - key chain SHA


This post concludes the authentication series.


Thank you for reading.
