
ospf authentication-mode

Function

The ospf authentication-mode command sets the authentication mode and key between adjacent devices.

The undo ospf authentication-mode command removes the authentication mode that has been set.

By default, the interface does not authenticate OSPF packets.

Format

ospf authentication-mode { simple [ plain plain-text | [ cipher ] cipher-text ] | null }

ospf authentication-mode { md5 | hmac-md5 | hmac-sha256 } [ key-id { plain plain-text | [ cipher ] cipher-text } ]

ospf authentication-mode keychain keychain-name

undo ospf authentication-mode

Parameters

Parameter Description Value

simple

Indicates simple authentication.

-

plain

Indicates a plaintext password. You can enter the password only in plaintext, and it is displayed in plaintext when the configuration file is viewed.

NOTE:

When configuring an authentication password, select ciphertext mode. If you select plaintext mode, the password is saved in the configuration file in plaintext, which is a high security risk. To ensure device security, change the password periodically.

-

plain-text

Specifies the password in plaintext.

  • The password is a string of 1 to 8 characters in the simple mode.
  • The password is a string of 1 to 255 characters in md5, hmac-md5 or hmac-sha256 modes.

cipher

Indicates a ciphertext password. You can enter the password in either plaintext or ciphertext, and it is displayed in ciphertext when the configuration file is viewed.

-

cipher-text

Specifies the password in ciphertext mode.

  • In simple mode, a plaintext password is a string of 1 to 8 characters and a ciphertext password is a string of 24, 32, or 48 characters.

    NOTE:

    If the source version supports a ciphertext password which is a string of 24 or 32 characters, the target version also supports this type of password.

  • In md5, hmac-md5, or hmac-sha256 mode, a plaintext password is a string of 1 to 255 characters and a ciphertext password is a string of 20 to 392 characters.

null

Indicates the null authentication mode.

-

md5

Indicates MD5 authentication.

-

hmac-md5

Indicates HMAC-MD5 authentication.

-

hmac-sha256

Indicates HMAC-SHA256 authentication.

NOTE:

The HMAC-SHA256 authentication mode is more secure than the other authentication modes. To ensure high security, the HMAC-SHA256 authentication algorithm is recommended.

-

key-id

Specifies the authentication key ID used for cipher authentication on the interface. The key ID must be the same as that configured on the peer.

The value is an integer ranging from 1 to 255.

keychain keychain-name

Indicates the keychain authentication.

NOTE:

Before configuring this parameter, you must run the keychain command to create a keychain. Then, run the key-id, key-string, and algorithm commands to configure a key ID, a password, and an authentication algorithm for this keychain. Otherwise, the OSPF authentication will fail.

The value must be the name of an existing keychain.

Views

Ethernet interface view, Ethernet sub-interface view, Eth-Trunk interface view, Eth-Trunk sub-interface view, Tunnel interface view, Loopback interface view, Dialer interface view, VLANIF interface view, Virtual-Template interface view, BDIF interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, authentication is not configured on OSPF interfaces. Configuring authentication is recommended to ensure system security.

The TCP/IP protocol suite has inherent defects and flawed implementations, and network attacks have an increasingly large impact on TCP/IP networks. Attacks on network devices, in particular, may lead to network failure. Configuring authentication makes an OSPF network more secure.

Configuration Impact

The interface authentication mode is used to set the authentication mode and password between neighboring devices. Its priority is higher than the area authentication mode.

Precautions

Null is an authentication mode.

Interfaces on devices on one network segment must be configured with the same authentication mode and key.

Example

# GigabitEthernet 0/0/1 of FW_A and GigabitEthernet 0/0/2 of FW_B are on the same network segment 192.168.0.0. Configure the interfaces to support hmac-sha256 authentication mode. The password is Huawei-123.

# Configure the interface on FW_A.
<sysname> system-view
[sysname] sysname FW_A 
[FW_A] interface GigabitEthernet 0/0/1
[FW_A-GigabitEthernet0/0/1] ospf authentication-mode hmac-sha256 23 cipher Hw-123
# Configure the interface on FW_B.
<sysname> system-view
[sysname] sysname FW_B 
[FW_B] interface GigabitEthernet 0/0/2
[FW_B-GigabitEthernet0/0/2] ospf authentication-mode hmac-sha256 23 cipher Hw-123
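
The following Python script is an added example, not part of the original command reference. It audits a saved configuration for the weaker choices this page warns about: the null, simple, md5 and hmac-md5 modes, plain passwords, and interfaces left at the default of no authentication. The sample configuration, interface names, keychain name and the audit() helper are constructed for illustration, and area-level authentication is not considered.

```python
import re

# Constructed sample (not from the original page): saved-configuration
# excerpt with placeholder passwords and made-up interface/keychain names.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1
 ospf authentication-mode hmac-sha256 23 cipher CONSTRUCTED-CIPHERTEXT
interface GigabitEthernet0/0/2
 ospf authentication-mode md5 1 plain Example-1
interface GigabitEthernet0/0/3
 ospf authentication-mode simple cipher CONSTRUCTED-CIPHERTEXT
interface GigabitEthernet0/0/4
 ospf authentication-mode null
interface GigabitEthernet0/0/5
 description constructed-no-auth
interface Vlanif10
 ospf authentication-mode keychain kc-example
"""

AUTH_RE = re.compile(r"^\s*ospf authentication-mode\s+(\S+)(.*)$")
WEAK = {
    "null": "null mode: OSPF packets are not authenticated",
    "simple": "simple mode: prefer hmac-sha256",
    "md5": "md5: prefer hmac-sha256",
    "hmac-md5": "hmac-md5: prefer hmac-sha256",
    "keychain": "keychain: check the algorithm configured in the keychain",
}

def audit(config):
    """Map each interface to a list of findings (empty list = nothing flagged)."""
    results, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            # Page default: no authentication unless the command is present.
            results[current] = ["no interface-level OSPF authentication"]
            continue
        m = AUTH_RE.match(line)
        if m is None or current is None:
            continue
        mode, rest = m.group(1), m.group(2).split()
        findings = [WEAK[mode]] if mode in WEAK else []
        # 'plain' follows the mode in simple mode, the key ID otherwise.
        kw = 0 if mode == "simple" else 1
        if len(rest) > kw and rest[kw] == "plain":
            findings.append("plain: password is stored in plaintext in the configuration file")
        results[current] = findings
    return results

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, "->", findings or "ok")
```
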
Copyright © Huawei Technologies Co., Ltd.