ospf authentication-mode

Use ospf authentication-mode to set the authentication mode and key on an interface.

Use undo ospf authentication-mode to remove the specified configuration.

Syntax

For MD5/HMAC-MD5 authentication:

ospf authentication-mode { hmac-md5 | md5 } key-id { cipher | plain } string

undo ospf authentication-mode { hmac-md5 | md5 } key-id

For simple authentication:

ospf authentication-mode simple { cipher | plain } string

undo ospf authentication-mode simple

For keychain authentication:

ospf authentication-mode keychain keychain-name

undo ospf authentication-mode keychain

Default

No authentication is performed for an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

hmac-md5: Specifies HMAC-MD5 authentication.

md5: Specifies MD5 authentication.

simple: Specifies simple authentication.

key-id: Specifies a key by its ID in the range of 1 to 255.

cipher: Specifies a key in encrypted form.

plain: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive.

keychain: Specifies keychain authentication.

keychain-name: Specifies a keychain by its name, a case-sensitive string of 1 to 63 characters.

Usage guidelines

To establish or maintain adjacencies, interfaces attached to the same network segment must have the same authentication mode and key.

If MD5 or HMAC-MD5 authentication is configured, you can configure multiple keys, each having a unique key ID and key string. To minimize the risk of key compromise, use only one key for an interface and delete the old key after key replacement.

To replace the key used for MD5 or HMAC-MD5 authentication on an interface, you must configure the new key before removing the old key from each router. OSPF uses the key rollover mechanism to ensure that the routers can pass authentication before the replacement is complete on the interface. After you configure a new key on a router, the router sends copies of the same packet, each authenticated by a different key, including the new key and the keys in use. This practice continues until the router detects that all its neighbors have the new key.

When keychain authentication is configured for an OSPF interface, OSPF performs the following operations before sending a packet:

  1. Obtains a valid send key from the keychain.

    OSPF does not send the packet if it fails to obtain a valid send key.

  2. Uses the key ID, authentication algorithm, and key string to authenticate the packet.

    If the key ID is greater than 255, OSPF does not send the packet.

When keychain authentication is configured for an OSPF interface, OSPF performs the following operations after receiving a packet:

  1. Uses the key ID carried in the packet to obtain a valid accept key from the keychain.

    OSPF discards the packet if it fails to obtain a valid accept key.

  2. Uses the authentication algorithm and key string for the valid accept key to authenticate the packet.

    If the authentication fails, OSPF discards the packet.

For keychain authentication, the authentication algorithm can only be MD5 or HMAC-MD5, and the ID of the keys used for authentication can only be in the range of 0 to 255.
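The key-rollover behavior and the keychain send/receive checks described above, as an added Python example (not the device's own code): a simplified model with a constructed sample keychain that does not reproduce the OSPF wire format, so the placement of the key ID and digest is illustrative only.

```python
# Added example, not the device's code: simplified model of the checks above; not the OSPF wire format.
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class Key:
    key_id: int
    algorithm: str        # "md5" or "hmac-md5"; anything else is not usable for OSPF
    key_string: bytes
    send_valid: bool      # True while the key's send-lifetime is active
    accept_valid: bool    # True while the key's accept-lifetime is active

def digest(key, body):
    """Keyed MD5 appends the key to the packet (RFC 2328 style); HMAC-MD5 uses HMAC."""
    if key.algorithm == "md5":
        return hashlib.md5(body + key.key_string).digest()
    if key.algorithm == "hmac-md5":
        return hmac.new(key.key_string, body, hashlib.md5).digest()
    raise ValueError("unsupported algorithm: " + key.algorithm)

def send_rollover(keys, body):
    """Rollover for per-interface MD5/HMAC-MD5 keys: one copy of the packet per
    configured key (keys in use plus the new one) until all neighbors have the new key."""
    return [(k.key_id, digest(k, body)) for k in keys]

def keychain_send(keychain, body):
    """Return (key_id, digest), or None when OSPF must not send the packet."""
    valid = [k for k in keychain if k.send_valid and k.algorithm in ("md5", "hmac-md5")]
    if not valid:
        return None              # step 1: no valid send key, packet is not sent
    key = valid[0]
    if key.key_id > 255:
        return None              # step 2: key ID does not fit the 8-bit key ID field
    return key.key_id, digest(key, body)

def keychain_receive(keychain, key_id, body, received_digest):
    """Return True if the packet passes authentication, False if it is discarded."""
    for k in keychain:
        if k.key_id == key_id and k.accept_valid:
            return hmac.compare_digest(digest(k, body), received_digest)  # step 2
    return False                 # step 1: no valid accept key for the carried key ID

# Constructed sample keychain: key 1 is active; key 300 can never be used on the wire.
SAMPLE_KEYCHAIN = [Key(1, "hmac-md5", b"k3ych41n-1", True, True),
                   Key(300, "md5", b"too-big", True, True)]
```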

Examples

# On VLAN-interface 10, enable MD5 authentication, and set the interface key ID to 15 and the key to 123456 in plaintext form.

<Sysname> system-view
[Sysname] interface vlan-interface 10
[Sysname-Vlan-interface10] ospf authentication-mode md5 15 plain 123456

# On VLAN-interface 10, enable simple authentication, and set the key to 123456 in plaintext form.

<Sysname> system-view
[Sysname] interface vlan-interface 10
[Sysname-Vlan-interface10] ospf authentication-mode simple plain 123456

Related commands

authentication-mode