OSPFv2 Cryptographic Authentication

To prevent unauthorized or invalid routing updates in your network, Open Shortest Path First version 2 (OSPFv2) protocol packets must be authenticated. Two methods of authentication are defined for OSPFv2: plain text authentication and cryptographic authentication. This module describes how to configure cryptographic authentication using the Hashed Message Authentication Code - Secure Hash Algorithm (HMAC-SHA). The OSPFv2 specification (RFC 2328) allows only the Message-Digest 5 (MD5) algorithm for cryptographic authentication. However, RFC 5709 (OSPFv2 HMAC-SHA Cryptographic Authentication) allows OSPFv2 to use HMAC-SHA algorithms for cryptographic authentication.

Contents
  Finding Feature Information
  Prerequisites for OSPFv2 Cryptographic Authentication
  Information About OSPFv2 Cryptographic Authentication
  How to Configure OSPFv2 Cryptographic Authentication
  Configuration Examples for OSPFv2 Cryptographic Authentication
  Additional References for OSPFv2 Cryptographic Authentication
  Feature Information for OSPFv2 Cryptographic Authentication

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for OSPFv2 Cryptographic Authentication

Ensure that Open Shortest Path First version 2 (OSPFv2) is configured on your network.

Information About OSPFv2 Cryptographic Authentication

Configuring OSPFv2 Cryptographic Authentication

The OSPFv2 Cryptographic Authentication feature allows you to configure a key chain on the OSPF interface to authenticate OSPFv2 packets by using HMAC-SHA algorithms. You can use an existing key chain that is being used by another protocol, or you can create a key chain specifically for OSPFv2.

A key chain is a list of keys. Each key consists of a key string, which is also called the password or passcode. A key string is essential for a key to be operational. Each key is identified by a unique key ID. To authenticate OSPFv2 packets, the cryptographic authentication algorithm must be configured with a key. OSPFv2 supports keys with key IDs ranging from 1 to 255. The combination of the cryptographic authentication algorithm and the key is known as a Security Association (SA).

The authentication key on a key chain is valid for a specific time period called the lifetime. An SA has the following configurable lifetimes:
  Accept lifetime
  Send lifetime

While adding a new key, the send lifetime is set to a time in the future so that the same key can be configured on all devices in the network before the new key becomes operational. Old keys are removed only after the new key is operational on all devices in the network.

When a packet is received, its key ID is used to fetch the data for that key, and the packet is verified using the cryptographic authentication algorithm and the key configured for that key ID. If the key ID is not found, the packet is dropped.

Use the ip ospf authentication key-chain command to configure key chains for OSPFv2 cryptographic authentication.

Note: If OSPFv2 is configured to use a key chain, all MD5 keys that were previously configured using the ip ospf message-digest-key command are ignored.
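As an added worked example (not part of this module or of Cisco's code), the following Python sketch shows the RFC 5709 computation behind the key-chain mechanism described above: the sender fills the authentication trailer with Apad and computes HMAC-SHA-256 over the packet with a key prepared per RFC 5709, and the receiver fetches the key by Key ID, drops the packet when the ID is not in the chain, and recomputes the digest. The header layout follows RFC 2328 Appendix D and RFC 5709; the packet body, key chain contents and sequence number are constructed sample values, and key lifetimes are not modelled.

```python
import hashlib
import hmac
import struct

APAD_WORD = bytes.fromhex("878FE1F3")  # RFC 5709 Apad constant, repeated L/4 times

def prepare_key(key_string, hash_fn=hashlib.sha256):
    """RFC 5709 key preparation: Ko is exactly L octets (L = digest length).
    A longer key string is hashed; a shorter one is zero-padded on the right."""
    L = hash_fn().digest_size
    return hash_fn(key_string).digest() if len(key_string) > L else key_string.ljust(L, b"\x00")

def ospf_auth_digest(packet, key_string, hash_fn=hashlib.sha256):
    """HMAC-SHA over the OSPFv2 packet with its authentication trailer filled with Apad.
    hmac.new zero-pads Ko to the hash block size, which matches the Ko XOR Ipad/Opad step."""
    L = hash_fn().digest_size
    return hmac.new(prepare_key(key_string, hash_fn), packet + APAD_WORD * (L // 4), hash_fn).digest()

def build_packet(router_id, area_id, key_id, seq, body, key_string):
    """Sender side. Constructed OSPFv2 datagram: 24-byte header + body + trailer.
    AuType 2 = cryptographic, checksum 0; the 8-octet Authentication field carries
    0x0000, Key ID, Auth Data Length and the cryptographic sequence number.
    The body is a zero-filled placeholder, not a real Hello body."""
    L = hashlib.sha256().digest_size
    length = 24 + len(body)  # the trailer is not counted in the OSPF length field
    header = struct.pack("!BBH4s4sHHHBBI", 2, 1, length, router_id, area_id,
                         0, 2, 0, key_id, L, seq)
    packet = header + body
    return packet + ospf_auth_digest(packet, key_string)

def verify_packet(datagram, key_chain):
    """Receiver side. The Key ID selects the key; an unknown Key ID means drop."""
    if len(datagram) < 24 or datagram[14:16] != b"\x00\x02":
        return False
    length = struct.unpack("!H", datagram[2:4])[0]
    key_id, auth_len = datagram[18], datagram[19]
    key_string = key_chain.get(key_id)
    if key_string is None or auth_len != hashlib.sha256().digest_size:
        return False  # key ID not found in the key chain (or wrong digest size): drop
    packet, trailer = datagram[:length], datagram[length:length + auth_len]
    return hmac.compare_digest(ospf_auth_digest(packet, key_string), trailer)

# Constructed sample: key 1 of key chain sample1 from this module; Router ID 10.1.1.8, Area 1.
KEY_CHAIN = {1: b"ThisIsASampleKey12345"}
ROUTER_ID, AREA_ID = bytes([10, 1, 1, 8]), bytes([0, 0, 0, 1])

if __name__ == "__main__":
    dg = build_packet(ROUTER_ID, AREA_ID, 1, 100, b"\x00" * 20, KEY_CHAIN[1])
    print("valid:", verify_packet(dg, KEY_CHAIN))                  # True
    print("key ID 1 absent from chain:", verify_packet(dg, {25: KEY_CHAIN[1]}))  # False
```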

How to Configure OSPFv2 Cryptographic Authentication

Defining a Key Chain

SUMMARY STEPS
  1. enable
  2. configure terminal
  3. key chain name
  4. key key-id
  5. key-string name
  6. cryptographic-algorithm name
  7. send-lifetime start-time {infinite | end-time | duration seconds}
  8. end

DETAILED STEPS

Step 1  enable
          Device> enable
        Enables privileged EXEC mode. Enter your password if prompted.

Step 2  configure terminal
          Device# configure terminal
        Enters global configuration mode.

Step 3  key chain name
          Device(config)# key chain sample1
        Specifies the key chain name and enters key-chain configuration mode.

Step 4  key key-id
          Device(config-keychain)# key 1
        Specifies the key identifier and enters key-chain key configuration mode. The range is from 1 to 255.

Step 5  key-string name
          Device(config-keychain-key)# key-string string1
        Specifies the key string.

Step 6  cryptographic-algorithm name
          Device(config-keychain-key)# cryptographic-algorithm hmac-sha-256
        Configures the key with the specified cryptographic algorithm.

Step 7  send-lifetime start-time {infinite | end-time | duration seconds}
          Device(config-keychain-key)# send-lifetime local 10:00:00 5 July 2013 infinite
        Sets the time period during which an authentication key on a key chain is valid to be sent during key exchange with another device.

Step 8  end
          Device(config-keychain-key)# end
        Exits key-chain key configuration mode and returns to privileged EXEC mode.

Defining Authentication on an Interface

SUMMARY STEPS
  1. enable
  2. configure terminal
  3. interface type number
  4. ip ospf authentication key-chain name
  5. end

DETAILED STEPS

Step 1  enable
          Device> enable
        Enables privileged EXEC mode. Enter your password if prompted.

Step 2  configure terminal
          Device# configure terminal
        Enters global configuration mode.

Step 3  interface type number
          Device(config)# interface gigabitethernet0/0/0
        Specifies an interface type and number and enters interface configuration mode.

Step 4  ip ospf authentication key-chain name
          Device(config-if)# ip ospf authentication key-chain ospf1
        Specifies the key chain for an interface.

Step 5  end
          Device(config-if)# end
        Exits interface configuration mode and returns to privileged EXEC mode.

Configuration Examples for OSPFv2 Cryptographic Authentication

Defining a Key Chain

The following example shows how to configure a key chain:

  Device> enable
  Device# configure terminal
  Device(config)# key chain sample1
  Device(config-keychain)# key 1
  Device(config-keychain-key)# key-string ThisIsASampleKey12345
  Device(config-keychain-key)# cryptographic-algorithm hmac-sha-256
  Device(config-keychain-key)# send-lifetime local 10:00:00 5 July 2013 infinite
  Device(config-keychain-key)# end

Verifying a Key Chain

The following sample output from the show key chain command displays the key chain information:

  Device# show key chain
  Key-chain sample1
      key 1 -- text "ThisIsASampleKey12345"
          accept lifetime (always valid) - (always valid) [valid now]
          send lifetime (10:00:00 PDT Jul 5 2013) - (infinite)

The table below describes the significant fields in the output:

Table 1: show key chain Field Descriptions
  key              Status of the configured key.
  accept lifetime  The time interval within which the device accepts the key during key exchange with another device.
  send lifetime    The time interval within which the device sends the key during a key exchange with another device.

Defining Authentication on an Interface

The following example shows how to define authentication on Gigabit Ethernet interface 0/0/0:

  Device> enable
  Device# configure terminal
  Device(config)# interface GigabitEthernet0/0/0
  Device(config-if)# ip ospf authentication key-chain sample1
  Device(config-if)# end

Verifying Authentication on an Interface

The following sample output of the show ip ospf interface command displays the cryptographic key information:

  Device# show ip ospf interface GigabitEthernet0/0/0
  GigabitEthernet0/0/0 is up, line protocol is up
    Internet Address 192.168.8.2/24, Area 1, Attached via Interface Enable
    Process ID 1, Router ID 10.1.1.8, Network Type BROADCAST, Cost: 10
    Topology-MTID    Cost    Disabled    Shutdown      Topology Name
          0           10        no          no            Base
    Enabled by interface config, including secondary ip addresses
    Transmit Delay is 1 sec, State DR, Priority 1
    Designated Router (ID) 10.1.1.8, Interface address 192.168.8.2
    Backup Designated router (ID) 10.1.1.9, Interface address 192.168.8.9
    Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
      oob-resync timeout 40
      Hello due in 00:00:00
    Supports Link-local Signaling (LLS)
    Cisco NSF helper support enabled
    IETF NSF helper support enabled
    Can be protected by per-prefix Loop-Free FastReroute
    Can be used for per-prefix Loop-Free FastReroute repair paths
    Index 1/1, flood queue length 0
    Next 0x0(0)/0x0(0)
    Last flood scan length is 0, maximum is 1
    Last flood scan time is 0 msec, maximum is 0 msec
    Neighbor Count is 1, Adjacent neighbor count is 1
      Adjacent with neighbor 10.1.1.9  (Backup Designated Router)
    Suppress hello for 0 neighbor(s)
    Cryptographic authentication enabled
      Sending SA: Key 25, Algorithm HMAC-SHA-256 key chain sample1

The table below describes the significant fields in the output:

Table 2: show ip ospf interface Field Descriptions
  GigabitEthernet              Status of the physical link and operational status of the protocol.
  Internet Address             Interface IP address, subnet mask, and area address.
  Area                         OSPF area.
  Process ID                   OSPF process ID.
  Cost                         Administrative cost assigned to the interface.
  Topology-MTID                MTR topology Multitopology Identifier (MTID) is a number assigned so that the protocol can identify the topology associated with information that it sends to its peers.
  Transmit Delay               Transmit delay (in seconds), interface state, and router priority.
  State                        Operational state of the interface.
  Designated Router            Designated router ID and respective interface IP address.
  Backup Designated router     Backup designated router ID and respective interface IP address.
  Timer intervals configured   Configuration of timer intervals.
  Neighbor Count               Count of network neighbors and list of adjacent neighbors.
  Cryptographic authentication Status of cryptographic authentication.
  Sending SA                   Status of the sending SA (Security Association). Key, cryptographic algorithm, and key chain used.

Additional References for OSPFv2 Cryptographic Authentication

Related Documents
  Related Topic: Cisco IOS commands
    Document Title: Cisco IOS Master Command List, All Releases
  Related Topic: OSPF commands
    Document Title: Cisco IOS IP Routing: OSPF Command Reference

Standards and RFCs
  RFC 2328: OSPF Version 2, April 1998
  RFC 5709: OSPFv2 HMAC-SHA Cryptographic Authentication, October 2009

Technical Assistance
  The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
  Link: http://www.cisco.com/cisco/web/support/index.html

Feature Information for OSPFv2 Cryptographic Authentication

Table 3: Feature Information for OSPFv2 Cryptographic Authentication
  Feature Name:        OSPFv2 Cryptographic Authentication
  Releases:            15.4(1)T
  Feature Information: The OSPFv2 Cryptographic Authentication feature prevents unauthorized or invalid routing updates in your network by authenticating Open Shortest Path First version 2 (OSPFv2) protocol packets using HMAC-SHA algorithms. The following command was modified: ip ospf authentication.