How to OSPF MD5 Authentication

OSPF supports routing protocol authentication using MD5 Authentication. It is more secure than plain text authentication. It uses the MD5 algorithm to calculate a hash value from the contents of the OSPF packet and a password and then the hash value is transmitted in the packet. The receiver side, which knows the password, calculates its hash value. If the message is unchanged, the hash value of the receiver side should match the hash value of the sender side which is transmitted with the message.

The MD5 configuration is very similar to the configuration of clear-text authentication. It can be enabled globally for all interfaces or on a per-interface basis. To enable OSPF MD5 globally, configure:

  • area <area-id>authentication message-digest router configuration mode command.
  • ip ospf message-digest-key <key> md5 <password>interface configuration mode command.

If we apply this method, the IOs forces authentication on all OSPF enabled interfaces. Then ip ospf message-digest-key <key> md5 <password> command is compulsory on all interfaces otherwise it will not be able to form adjacencies with other OSPF neighbours.

We can configure MD5 authentication on a per-interface basis. To enable MD5 on a per-interface basis, configure:

  • ip ospf message-digest-key <key> md5 <password>interface configuration mode command.
  • ip ospf authentication message-digest interface configuration mode command.

We can configure global and per-interface OSPF MD5 authentications on the same router. Though, the interface setting overrides the global setting. It is necessary that MD5 passwords not to be the same throughout an area; but, they do need to be the same between neighbours.

OSPF MD5 Authentication Example

In Figure 1 we have configured R1 to enable OSPF MD5 authentication on all interfaces globally. You can see the console message that the OSPF neighbour adjacencies with R2 and R3 have changed to the Downstate from the full state because R2 and R3 have not yet been configured with MD5.

MD5 Authentication

We can configure MD5 as an alternative to globally enabling MD5 authentication; Figure 2 illustrates the configuration on a per-interface basis for R1.

Now the information message is not seeing because the neighbour adjacencies with R1 and R2 already in downstate, and the commands overwrite the globally configure MD5 authentication. After configuring the MD5 Authentication on R1, we should configure the MD5 authentication on R2, R3 and R3 using the same commands.

Verifying OSPF MD5 Authentication

We can verify MD5 configuration using the show ip ospf interface command in privileged EXEC mode. Figure 3 illustrates the output of this command. We can also verify the MD5 configuration by verifying the routing table of all routers.