ospf authentication-mode

Use ospf authentication-mode to set the authentication mode and key on an interface.

Use undo ospf authentication-mode to remove the specified configuration.

Syntax

For MD5/HMAC-MD5 authentication:

ospf authentication-mode { hmac-md5 | md5 } key-id { cipher cipher-string | plain plain-string }

undo ospf authentication-mode { hmac-md5 | md5 } key-id

For simple authentication:

ospf authentication-mode simple { cipher cipher-string | plain plain-string }

undo ospf authentication-mode simple

Default

No authentication is performed.

Views

Interface view

Predefined user roles

network-admin

mdc-admin

Parameters

hmac-md5: Specifies HMAC-MD5 authentication.

md5: Specifies MD5 authentication.

simple: Specifies simple authentication.

key-id: Specifies a key by its ID in the range of 1 to 255.

cipher: Sets a ciphertext key.

cipher-string: Specifies a ciphertext key. This argument is case sensitive. If simple is specified, the key must be a string of 33 to 41 characters. If md5 or hmac-md5 is specified, the key must be a string of 33 to 53 characters.

plain: Sets a plaintext key.

plain-string: Specifies a plaintext key. This argument is case sensitive. If simple is specified, the key must be a string of 1 to 8 characters. If md5 or hmac-md5 is specified, the key must be a string of 1 to 16 characters.

Usage guidelines

For security purposes, all keys, including keys configured in plain text, are saved in cipher text.

The interfaces attached to the same network segment must have the same key. You can specify either MD5/HMAC-MD5 authentication or simple authentication for an OSPF interface. For MD5/HMAC-MD5 authentication, you can configure multiple keys by executing this command multiple times, and each command must have a unique key ID and key string.

To modify the key of an OSPF interface, perform the following key rollover configurations:

  1. Configure a new MD5/HMAC-MD5 authentication key for the interface. If the new key is not configured on neighbor devices, MD5/HMAC-MD5 authentication key rollover is triggered. During key rollover, OSPF sends multiple packets that contain both the new and old MD5/HMAC-MD5 authentication keys to make sure all neighbor devices can pass the authentication.

  2. Configure the new MD5/HMAC-MD5 authentication key on all neighbor devices. When the local device receives packets with the new key from all neighbor devices, it exits MD5 key rollover.

  3. Delete the old MD5/HMAC-MD5 authentication key from the local device and all its neighbors. This operation helps prevent attacks from devices that use the old key for communication and reduces the system resource and bandwidth consumption caused by key rollover.
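The following check is an added example, not part of the vendor documentation: a Python function that applies the key-id and key-length limits from the Parameters section to a command list or configuration excerpt, and reports interfaces where more than one MD5/HMAC-MD5 key ID is still present (rollover step 3 not yet done). The function name, the finding wording and the sample input are assumptions made for illustration.

```python
import re
from collections import defaultdict

# (mode family, key form) -> allowed key length, from the Parameters section.
LIMITS = {("simple", "plain"): (1, 8), ("simple", "cipher"): (33, 41),
          ("md5", "plain"): (1, 16), ("md5", "cipher"): (33, 53)}
CMD = re.compile(r"ospf authentication-mode "
                 r"(?:(?:hmac-md5|md5) (?P<kid>\d+)|(?P<simple>simple)) "
                 r"(?P<form>cipher|plain) (?P<key>\S+)")

def audit(config_text):
    """Return (interface, finding) tuples for a command list or config excerpt."""
    findings, key_ids = [], defaultdict(list)
    iface = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        if not line.startswith("ospf authentication-mode"):
            continue
        m = CMD.fullmatch(line)
        if m is None:
            findings.append((iface, "does not match the documented syntax"))
            continue
        family = "simple" if m["simple"] else "md5"
        lo, hi = LIMITS[(family, m["form"])]
        if not lo <= len(m["key"]) <= hi:
            findings.append((iface, f"{m['form']} key length {len(m['key'])} outside {lo}-{hi}"))
        if m["kid"] is not None:
            if not 1 <= int(m["kid"]) <= 255:
                findings.append((iface, f"key-id {m['kid']} outside 1-255"))
            key_ids[iface].append(int(m["kid"]))
    for name, ids in key_ids.items():
        if len(set(ids)) > 1:  # old and new key both present: rollover step 3 pending
            findings.append((name, f"key IDs {sorted(set(ids))} coexist; delete the old key"))
    return findings

# Constructed sample input (not taken from a real device).
SAMPLE = """\
interface Vlan-interface10
 ospf authentication-mode md5 15 plain old-key-15
 ospf authentication-mode md5 16 plain new-key-16
interface Vlan-interface20
 ospf authentication-mode simple plain 123456789
interface Vlan-interface30
 ospf authentication-mode hmac-md5 300 plain short
"""
```

Multiple key IDs on one interface are valid while a rollover is in progress, so treat that finding as a reminder to complete step 3 rather than as a syntax error.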

Examples

# Enable MD5 authentication for the network 131.119.0.0/16 in Area 1. Set the interface key ID to 15, and plaintext key to 123456.

<Sysname> system-view
[Sysname] ospf 100
[Sysname-ospf-100] area 1
[Sysname-ospf-100-area-0.0.0.1] network 131.119.0.0 0.0.255.255
[Sysname-ospf-100-area-0.0.0.1] authentication-mode md5
[Sysname-ospf-100-area-0.0.0.1] quit
[Sysname-ospf-100] quit
[Sysname] interface vlan-interface 10
[Sysname-Vlan-interface10] ospf authentication-mode md5 15 plain 123456

# Enable simple authentication for the network 131.119.0.0/16 in Area 1. Set the plaintext key to 123456 on VLAN-interface 10.

<Sysname> system-view
[Sysname] ospf 100
[Sysname-ospf-100] area 1
[Sysname-ospf-100-area-0.0.0.1] network 131.119.0.0 0.0.255.255
[Sysname-ospf-100-area-0.0.0.1] authentication-mode simple
[Sysname-ospf-100-area-0.0.0.1] quit
[Sysname-ospf-100] quit
[Sysname] interface vlan-interface 10
[Sysname-Vlan-interface10] ospf authentication-mode simple plain 123456

Related commands

authentication-mode