authentication-mode

Use authentication-mode to specify an authentication mode for an OSPF area.

Use undo authentication-mode to remove the configuration.

Syntax

For MD5/HMAC-MD5 authentication:

authentication-mode { hmac-md5 | md5 } key-id { cipher | plain } string

undo authentication-mode [ { hmac-md5 | md5 } key-id ]

For simple authentication:

authentication-mode simple { cipher | plain } string

undo authentication-mode

For keychain authentication:

authentication-mode keychain keychain-name

undo authentication-mode

Default

No authentication is performed for an area.

Views

OSPF area view

Predefined user roles

network-admin

Parameters

hmac-md5: Specifies the HMAC-MD5 authentication mode.

md5: Specifies the MD5 authentication mode.

simple: Specifies the simple authentication mode.

key-id: Specifies a key by its ID in the range of 0 to 255.

cipher: Specifies a key in encrypted form.

plain: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive.

keychain: Specifies the keychain authentication mode.

keychain-name: Specifies a keychain by its name, a case-sensitive string of 1 to 63 characters.

Usage guidelines

To establish or maintain adjacencies, routers in the same area must have the same authentication mode and key.

If MD5 or HMAC-MD5 authentication is configured, you can configure multiple keys, each having a unique key ID and key string. As a best practice to minimize the risk of key compromise, use only one key for an area and delete the old key after key replacement.

To replace the key used for MD5 or HMAC-MD5 authentication in an area, you must configure the new key before removing the old key from each router. OSPF uses the key rollover mechanism to ensure that the routers can pass authentication before the replacement is complete across the area. After you configure a new key on a router, the router sends copies of the same packet, each authenticated with a different key: the new key and every key still in use. This practice continues until the router detects that all its neighbors have the new key.

When keychain authentication is configured for an OSPF area, OSPF performs the following operations before sending a packet:

  1. Obtains a valid send key from the keychain.

    OSPF does not send the packet if it fails to obtain a valid send key.

  2. Uses the key ID, authentication algorithm, and key string to authenticate the packet.

    If the key ID is greater than 255, OSPF does not send the packet.

When keychain authentication is configured for an OSPF area, OSPF performs the following operations after receiving a packet:

  1. Uses the key ID carried in the packet to obtain a valid accept key from the keychain.

    OSPF discards the packet if it fails to obtain a valid accept key.

  2. Uses the authentication algorithm and key string for the valid accept key to authenticate the packet.

    If the authentication fails, OSPF discards the packet.

The authentication algorithm can only be MD5 or HMAC-MD5, and the ID of a key used for authentication must be in the range of 0 to 255.
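The send and receive decisions described above, as an added example that is not part of the command reference and not the device's own code. It models a keychain with per-key send and accept lifetimes (constructed values), fails closed when no valid send key exists or the key ID exceeds 255, and discards received packets that carry an unknown or expired key ID or a bad digest. The digest construction is simplified (MD5 over payload plus secret, or HMAC-MD5 over the payload) and does not reproduce the real OSPF authentication trailer.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

MAX_KEY_ID = 255  # OSPF carries the key ID in a single octet

@dataclass
class Key:
    key_id: int
    algorithm: str       # "md5" or "hmac-md5", the only algorithms OSPF keychain auth accepts
    secret: bytes
    send_start: int      # send lifetime, constructed integer timestamps
    send_end: int
    accept_start: int    # accept lifetime; usually longer than the send lifetime
    accept_end: int

def digest(key: Key, payload: bytes) -> bytes:
    # Simplified keyed digest; the real trailer layout (RFC 2328 App. D / RFC 5709) is not modelled.
    if key.algorithm == "md5":
        return hashlib.md5(payload + key.secret).digest()
    if key.algorithm == "hmac-md5":
        return hmac.new(key.secret, payload, hashlib.md5).digest()
    raise ValueError("only md5 and hmac-md5 are valid for OSPF keychain authentication")

def select_send_key(keychain: List[Key], now: int) -> Optional[Key]:
    # Send step 1: the first key whose send lifetime covers 'now'; None means do not send.
    return next((k for k in keychain if k.send_start <= now <= k.send_end), None)

def build_packet(keychain: List[Key], payload: bytes, now: int) -> Optional[bytes]:
    key = select_send_key(keychain, now)
    if key is None or key.key_id > MAX_KEY_ID:
        return None  # fail closed: no valid send key, or key ID not representable
    # Send step 2: key ID, payload, then the digest computed with that key's algorithm.
    return bytes([key.key_id]) + payload + digest(key, payload)

def verify_packet(keychain: List[Key], packet: bytes, now: int) -> Optional[bytes]:
    # Receive step 1: look up a valid accept key by the key ID carried in the packet.
    key_id, body, mac = packet[0], packet[1:-16], packet[-16:]
    key = next((k for k in keychain
                if k.key_id == key_id and k.accept_start <= now <= k.accept_end), None)
    if key is None:
        return None  # no valid accept key: discard
    # Receive step 2: recompute the digest with that key's algorithm and compare.
    if not hmac.compare_digest(digest(key, body), mac):
        return None  # authentication failed: discard
    return body

# Constructed keychain: key 15 is being rolled over to key 16. Key 16 is accepted
# before it is sent so that peers that switch first are not rejected.
KEYCHAIN = [
    Key(15, "md5", b"abc", 0, 100, 0, 200),
    Key(16, "hmac-md5", b"newsecret", 101, 1000, 90, 1000),
]
```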

Examples

# Configure OSPF Area 0 to use the MD5 authentication mode, and set the key ID to 15 and the key to abc in plaintext form.

<Sysname> system-view
[Sysname] ospf 100
[Sysname-ospf-100] area 0
[Sysname-ospf-100-area-0.0.0.0] authentication-mode md5 15 plain abc

Related commands

ospf authentication-mode