
OSPF/OSPFv3

Overview

OSPF/OSPFv3 supports packet authentication: a received protocol packet is accepted only if it passes authentication, and a neighbor relationship cannot be established with a device whose packets fail authentication. If area authentication is configured, all devices in the area must use the same authentication mode and password; for example, every device in area 0 might be configured with simple authentication and the password abc. With interface authentication, the authentication mode and password are set on the interfaces between neighboring devices. Interface authentication takes precedence over area authentication.

OSPF/OSPFv3 is mainly susceptible to attacks that use forged packets. Packet authentication can be configured so that such packets are identified and discarded.

An attacker may use the following methods to initiate attacks:

  • Change the aging time of LSAs to the maximum value so that all devices flood these LSAs.

  • Advertise LSAs whose sequence numbers are equal or close to the maximum value.

  • Change the cryptographic sequence number when the sequence-number state is reset during a neighbor restart.

  • Change the neighbor list in Hello packets.

Impact on the System

None

Procedure

  • Configure OSPF area authentication.
    1. Enter the system view.

      system-view

    2. Enter the OSPF view.

      ospf [ process-id ]

    3. Enter the OSPF area view.

      area area-id

    4. Configure one of the following authentication modes for the OSPF area as required:

      • Configure simple authentication.

        authentication-mode simple [ plain SPlainText | [ cipher ] SCipherText ]
        plain indicates the cleartext mode. cipher indicates the ciphertext mode.

        For security purposes, you are advised to use the ciphertext mode and periodically change the password. Cleartext mode poses security risks, because it stores the password as cleartext in configuration scripts.

      • Configure ciphertext authentication.

        authentication-mode { md5 | hmac-md5 | hmac-sha256 } [ KeyID { plain SPlainText | [ cipher ] SCipherText } ]

        plain indicates the cleartext mode. cipher indicates the ciphertext mode. By default, the ciphertext mode is used.

        For security purposes, you are advised to use HMAC-SHA256 authentication rather than simple, MD5, or HMAC-MD5 authentication.

      • Configure keychain authentication.

        authentication-mode keychain Keychain-Name

        Before using keychain authentication, you must run the keychain command to create a keychain and then run the key-id, key-string, and algorithm commands to configure a key ID, a key string (password), and an authentication algorithm for that keychain. Otherwise, OSPF authentication fails.

  • Configure OSPF interface authentication.
    1. Enter the system view.

      system-view

    2. Enter the interface view.

      interface interface-type interface-number

    3. Configure one of the following authentication modes for the OSPF interface as required:

      • Configure simple authentication.

        ospf authentication-mode simple [ plain plain-text | [ cipher ] cipher-text ]
        plain indicates the cleartext mode. cipher indicates the ciphertext mode.

        For security purposes, you are advised to use the ciphertext mode and periodically change the password. Cleartext mode poses security risks, because it stores the password as cleartext in configuration scripts.

      • Configure ciphertext authentication.

        ospf authentication-mode { md5 | hmac-md5 | hmac-sha256 } [ KeyID { plain plain-text | [ cipher ] cipher-text } ]

        plain indicates the cleartext mode. cipher indicates the ciphertext mode. For MD5, HMAC-MD5, or HMAC-SHA256 authentication, cipher is used by default.

        For security purposes, you are advised to use HMAC-SHA256 authentication rather than simple, MD5, or HMAC-MD5 authentication.

      • Configure keychain authentication.

        ospf authentication-mode keychain keychain-name

        Before using keychain authentication, you must run the keychain command to create a keychain and then run the key-id, key-string, and algorithm commands to configure a key ID, a key string (password), and an authentication algorithm for that keychain. Otherwise, OSPF authentication fails.

  • Configure OSPFv3 area authentication.
    1. Enter the system view.

      system-view

    2. Enter the OSPFv3 process view.

      ospfv3 [ process-id ]

    3. Enter the OSPFv3 area view.

      area area-id

    4. Configure OSPFv3 area authentication.

      authentication-mode { hmac-sha256 key-id key-id { plain plain-text | [ cipher ] cipher-text } | keychain keychain-name }

    If you use OSPFv3 area authentication, the authentication mode and password configured on all routers in the same area must be the same.

  • Configure OSPFv3 process authentication.
    1. Enter the system view.

      system-view

    2. Enter the OSPFv3 process view.

      ospfv3 [ process-id ]

    3. Configure OSPFv3 process authentication.

      authentication-mode { hmac-sha256 key-id key-id { plain plain-text | [ cipher ] cipher-text } | keychain keychain-name }

  • Configure OSPFv3 interface authentication.
    1. Enter the system view.

      system-view

    2. Enter the interface view.

      interface interface-type interface-number

    3. Configure OSPFv3 interface authentication.

      ospfv3 authentication-mode { hmac-sha256 key-id key-id { plain plain-text | [ cipher ] cipher-text } | keychain keychain-name } [ instance instance-id ]

    • OSPFv3 interface authentication takes precedence over OSPFv3 area authentication.
    • If you use HMAC-SHA256 authentication, the authentication and password configurations on all the interfaces on the same network segment must be the same.
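The following is an added worked example that brings the OSPF and OSPFv3 procedures above together on one device; it is not configuration taken from this page or from Huawei documentation. Interface names, addresses, the router ID and every key string are placeholders. The keychain sub-commands (mode absolute, send-time, receive-time, algorithm hmac-sha-256), the network command and the ospfv3 1 area command that enables OSPFv3 on an interface are assumed VRP syntax that this page does not describe. Lines beginning with # are explanatory and are not typed.

```text
# Added example; not configuration from this page. Placeholders in <angle brackets>.
system-view

# Weak form, shown for contrast only: a simple password stored in cleartext.
#   ospf 1
#    area 0.0.0.0
#     authentication-mode simple plain abc

# 1. A keychain with two overlapping keys so the key can be rotated without
#    dropping adjacencies: key 2 is accepted an hour before it is sent, and
#    key 1 is still accepted for an hour after the sender switches to key 2.
#    (keychain sub-command syntax assumed)
keychain kc-ospf mode absolute
 key-id 1
  algorithm hmac-sha-256
  key-string cipher <Key1String>
  send-time 00:00 2025-01-01 to 00:00 2025-07-01
  receive-time 00:00 2025-01-01 to 01:00 2025-07-01
  quit
 key-id 2
  algorithm hmac-sha-256
  key-string cipher <Key2String>
  send-time 00:00 2025-07-01 to 00:00 2026-01-01
  receive-time 23:00 2025-06-30 to 00:00 2026-01-01
  quit
 quit

# 2. OSPF (IPv4): HMAC-SHA256 for all of area 0. Every router in the area must
#    carry the same mode, key ID and key string. (network statement assumed)
ospf 1
 area 0.0.0.0
  network 10.0.0.0 0.0.0.255
  authentication-mode hmac-sha256 1 cipher <AreaKeyString>
  quit
 quit

# 3. Interface override on the link to a router that uses the keychain.
#    Interface authentication takes precedence over the area setting here,
#    so this neighbor must also be configured with the keychain.
interface GigabitEthernet0/0/1
 ospf authentication-mode keychain kc-ospf
 quit

# 4. OSPFv3 (IPv6): a process-wide default, an area-level keychain, and an
#    interface-level override that also names the instance. (router-id and
#    "ospfv3 1 area" assumed)
ospfv3 1
 router-id 10.0.0.1
 authentication-mode hmac-sha256 key-id 1 cipher <V3ProcessKeyString>
 area 0.0.0.1
  authentication-mode keychain kc-ospf
  quit
 quit
interface GigabitEthernet0/0/2
 ospfv3 1 area 0.0.0.1
 ospfv3 authentication-mode hmac-sha256 key-id 1 cipher <V3LinkKeyString> instance 0
 quit

# 5. Verify with the display commands from this page.
display ospf 1 brief
display ospf 1 interface GigabitEthernet0/0/1 verbose
display ospfv3 1 interface area 0.0.0.1 GigabitEthernet0/0/2
```

With cipher mode, the key strings are stored encrypted in the configuration file, which is the point of preferring cipher over plain. The overlapping send-time and receive-time windows are what make a key rotation safe: a neighbor that has not yet switched to the new key still sends packets the local device accepts, and vice versa, so no adjacency is torn down. A neighbor whose packets fail authentication on any of these interfaces will not form an adjacency, which is the expected behavior described in the Overview.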

Checking the Security Hardening Result

  • Run the display ospf [ process-id ] brief command to check OSPF area authentication configurations.
  • Run the display ospf [ process-id ] interface [ all | interface-type interface-number ] [ verbose ] command to check OSPF interface authentication configurations.
  • Run the display ospfv3 [ process-id ] interface [ area area-id ] [ interface-type interface-number ] command to check OSPFv3 area and interface authentication configurations.
Copyright © Huawei Technologies Co., Ltd.