Introduction to OSPF Authentication

The role of routers in a network is so crucial that they are often the targets of network attacks. The routers are also at risk from the attack just as much as end-user systems. Routing systems can be attacked by disrupting the routing peers or by falsifying the information passed within the routing protocol. Falsified routing information causes systems to misinform each other, also cause a denial-of-service (DoS) attack, or cause traffic to follow a path it would not normally follow. The false routing information results following:

  • Create routing loops
  • It can be monitored on an insecure link
  • Discard original traffic

Secure Routing Updates

To exchange routing update securely, enable OSPF authentication. The OSPF authentication can be none or null, simple password authentication, or Message Digest 5 (MD5) authentication.
  • Null– Null is the default way of OSPF routing update exchange. Using this method no authentication is used.
  • Simple password authentication– This is a plaintext authentication because the password in the update is sent in plaintext. This is a legacy method of OSPF authentication.
  • MD5 authentication– MD5 authentication provides higher security because MD5 never exchange password between peers. It uses the MD5 algorithm. This is the safest and recommended way of authentication.  RIPv2, EIGRP, IS-IS, and BGP also support different forms of MD5 authentication.

Using the MD5 authentication the router combines the routing update message with the pre-shared secret key and calculates the signature using the MD5 algorithm. The signature is known as a hash value.

MD5 does not encrypt the message; therefore, the content is easily readable. The receiving router opens the packet, combines the routing message with the pre-shared secret key and calculates the signature using the MD5 algorithm. If the signatures match, then the receiving router accepts the routing update otherwise the receiving router discards the update. OSPFv3 did not include any OSPF authentication capabilities of its own because it bases completely on IPSec to secure communications between neighbours.