Supported Platforms
Related Documentation
- ACX, J, M, MX, QFX, SRX, T Series
- OSPF Overview
- ACX, J, M, MX, SRX, T Series
- OSPF Configuration Overview
Examples: Configuring OSPF Authentication
- Understanding OSPFv2 Authentication
- Understanding OSPFv3 Authentication
- Example: Configuring Simple Authentication for OSPFv2 Exchanges
- Example: Configuring MD5 Authentication for OSPFv2 Exchanges
- Example: Configuring a Transition of MD5 Keys on an OSPFv2 Interface
- Example: Configuring IPsec Authentication for an OSPF Interface
Understanding OSPFv2 Authentication
All OSPFv2 protocol exchanges can be authenticated to guarantee that only trusted routing devices participate in the autonomous system’s routing. By default, OSPFv2 authentication is disabled.
Note: OSPFv3 does not have a built-in authentication method and relies on IP Security (IPsec) to provide this functionality.
You can enable the following authentication types:
- Simple authentication—Authenticates by using a plain-text password that is included in the transmitted packet. The receiving routing device uses an authentication key (password) to verify the packet.
- MD5 authentication—Authenticates by using an encoded MD5 checksum that is included in the transmitted packet. The receiving routing device uses an authentication key (password) to verify the packet.
You define an MD5 key for each interface. If MD5 is enabled on an interface, that interface accepts routing updates only if MD5 authentication succeeds. Otherwise, updates are rejected. The routing device only accepts OSPFv2 packets sent using the same key identifier (ID) that is defined for that interface.
- IPsec authentication (beginning with Junos OS Release 8.3)—Authenticates OSPFv2 interfaces, the remote endpoint of a sham link, and the OSPFv2 virtual link by using manual security associations (SAs) to ensure that a packet’s contents are secure between the routing devices. You configure the actual IPsec authentication separately.
Note: You can configure IPsec authentication together with either MD5 or simple authentication.
The following restrictions apply to IPsec authentication for OSPFv2:
- Dynamic Internet Key Exchange (IKE) SAs are not supported.
- Only IPsec transport mode is supported. Tunnel mode is not supported.
- Because only bidirectional manual SAs are supported, all OSPFv2 peers must be configured with the same IPsec SA. You configure a manual bidirectional SA at the [edit security ipsec] hierarchy level.
- You must configure the same IPsec SA for all virtual links with the same remote endpoint address, for all neighbors on OSPF nonbroadcast multiaccess (NBMA) or point-to-multipoint links, and for every subnet that is part of a broadcast link.
- OSPFv2 peer interfaces are not supported.
Because OSPF performs authentication at the area level, all routing devices within the area must have the same authentication and corresponding password (key) configured. For MD5 authentication to work, both the receiving and transmitting routing devices must have the same MD5 key. In addition, a simple password and MD5 key are mutually exclusive. You can configure only one simple password, but multiple MD5 keys.
As part of your security measures, you can change MD5 keys. You can do this by configuring multiple MD5 keys, each with a unique key ID, and setting the date and time to switch to the new key. Each unique MD5 key has a unique ID. The ID is used by the receiver of the OSPF packet to determine which key to use for authentication. The key ID, which is required for MD5 authentication, specifies the identifier associated with the MD5 key.
Understanding OSPFv3 Authentication
OSPFv3 does not have a built-in authentication method and relies on the IP Security (IPsec) suite to provide this functionality. IPsec provides such functionality as authentication of origin, data integrity, confidentiality, replay protection, and nonrepudiation of source. You can use IPsec to secure specific OSPFv3 interfaces and protect OSPFv3 virtual links.
Note: You configure the actual IPsec authentication separately from your OSPFv3 configuration and then apply IPsec to the OSPFv3 interfaces or OSPFv3 virtual links.
OSPFv3 uses the IP authentication header (AH) and the IP Encapsulating Security Payload (ESP) portions of the IPsec Protocol to authenticate routing information between peers. AH can provide connectionless integrity and data origin authentication. It also provides protection against replays. AH authenticates as much of the IP header as possible, as well as the upper-level protocol data. However, some IP header fields might change in transit. Because the value of these fields might not be predictable by the sender, they cannot be protected by AH. ESP can provide encryption and limited traffic flow confidentiality or connectionless integrity, data origin authentication, and an anti-replay service.
IPsec is based on security associations (SAs). An SA is a set of IPsec specifications that are negotiated between devices that are establishing an IPsec relationship. This simplex connection provides security services to the packets carried by the SA. These specifications include preferences for the type of authentication, encryption, and IPsec protocol to be used when establishing the IPsec connection. An SA is used to encrypt and authenticate a particular flow in one direction. Therefore, in normal bidirectional traffic, the flows are secured by a pair of SAs. An SA to be used with OSPFv3 must be configured manually and use transport mode. Static values must be configured on both ends of the SA.
Manual SAs require no negotiation between the peers. All values, including the keys, are static and specified in the configuration. Manual SAs statically define the security parameter index (SPI) values, algorithms, and keys to be used and require matching configurations on both end points (OSPFv3 peers). As a result, each peer must have the same configured options for communication to take place.
The actual choice of encryption and authentication algorithms is left to your IPsec administrator; however, we have the following recommendations:
- Use ESP with NULL encryption to provide authentication to the OSPFv3 protocol headers only. With NULL encryption, you are choosing not to provide encryption on OSPFv3 headers. This can be useful for troubleshooting and debugging purposes. For more information about NULL encryption, see RFC 2410, The NULL Encryption Algorithm and Its Use With IPsec.
- Use ESP with non-NULL encryption for full confidentiality. With non-NULL encryption, you are choosing to provide encryption. For more information about NULL encryption, see RFC 2410, The NULL Encryption Algorithm and Its Use With IPsec.
- Use AH to provide authentication to the OSPFv3 protocol headers, portions of the IPv6 header, and portions of the extension headers.
The following restrictions apply to IPsec authentication for OSPFv3:
- Dynamic Internet Key Exchange (IKE) security associations (SAs) are not supported.
- Only IPsec transport mode is supported. In transport mode, only the payload (the data you transfer) of the IP packet is encrypted and/or authenticated. Tunnel mode is not supported.
- Because only bidirectional manual SAs are supported, all OSPFv3 peers must be configured with the same IPsec SA. You configure a manual bidirectional SA at the [edit security ipsec] hierarchy level.
- You must configure the same IPsec SA for all virtual links with the same remote endpoint address.
Example: Configuring Simple Authentication for OSPFv2 Exchanges
This example shows how to enable simple authentication for OSPFv2 exchanges.
Requirements
Before you begin:
- Configure the device interfaces. See the Router Interfaces or the Junos OS Interfaces Configuration Guide for Security Devices.
- Configure the router identifiers for the devices in your OSPF network. See Example: Configuring an OSPF Router Identifier.
- Control OSPF designated router election. See Example: Controlling OSPF Designated Router Election.
- Configure a single-area OSPF network. See Example: Configuring a Single-Area OSPF Network.
- Configure a multiarea OSPF network. See Example: Configuring a Multiarea OSPF Network.
Overview
Simple authentication uses a plain-text password that is included in the transmitted packet. The receiving routing device uses an authentication key (password) to verify the packet. Plain-text passwords are not encrypted and might be subject to packet interception. This method is the least secure and should only be used if network security is not your goal.
You can configure only one simple authentication key (password) on the routing device. The simple key can be from 1 through 8 characters and can include ASCII strings. If you include spaces, enclose all characters in quotation marks (" ").
In this example, you specify OSPFv2 interface so-0/1/0 in area 0.0.0.0, set the authentication type to simple-password, and define the key as PssWd4.
Configuration
CLI Quick Configuration
To quickly configure simple authentication, copy the following command, removing any line breaks, and then paste the command into the CLI. You must configure all routing devices within the area with the same authentication and corresponding password.
Step-by-Step Procedure
To enable simple authentication for OSPFv2 exchanges:
- Create an OSPF area.
  [edit]
  user@host# edit protocols ospf area 0.0.0.0
- Specify the interface.
  [edit protocols ospf area 0.0.0.0]
  user@host# edit interface so-0/1/0
- Set the authentication type and the password.
  [edit protocols ospf area 0.0.0.0 interface so-0/1/0.0]
  user@host# set authentication simple-password PssWd4
- If you are done configuring the device, commit the configuration.
  [edit protocols ospf area 0.0.0.0 interface so-0/1/0.0]
  user@host# commit
Note: Repeat this entire configuration on all peer OSPFv2 routing devices in the area.
Results
Confirm your configuration by entering the show protocols ospf command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
Note: After you configure the password, you do not see the password itself. The output displays the encrypted form of the password you configured.
Verification
Confirm that the configuration is working properly.
Verifying the Configured Authentication Method
Purpose
Verify that the authentication method for sending and receiving OSPF protocol packets is configured. The Authentication Type field displays Password when configured for simple authentication.
Action
From operational mode, enter the show ospf interface and the show ospf overview commands.
Example: Configuring MD5 Authentication for OSPFv2 Exchanges
This example shows how to enable MD5 authentication for OSPFv2 exchanges.
Requirements
Before you begin:
- Configure the device interfaces. See the Router Interfaces or the Junos OS Interfaces Configuration Guide for Security Devices.
- Configure the router identifiers for the devices in your OSPF network. See Example: Configuring an OSPF Router Identifier.
- Control OSPF designated router election. See Example: Controlling OSPF Designated Router Election.
- Configure a single-area OSPF network. See Example: Configuring a Single-Area OSPF Network.
- Configure a multiarea OSPF network. See Example: Configuring a Multiarea OSPF Network.
Overview
MD5 authentication uses an encoded MD5 checksum that is included in the transmitted packet. The receiving routing device uses an authentication key (password) to verify the packet.
You define an MD5 key for each interface. If MD5 is enabled on an interface, that interface accepts routing updates only if MD5 authentication succeeds. Otherwise, updates are rejected. The routing device only accepts OSPFv2 packets sent using the same key identifier (ID) that is defined for that interface.
In this example, you create the backbone area (area 0.0.0.0), specify OSPFv2 interface so-0/2/0, set the authentication type to md5, and then define the authentication key ID as 5 and the password as PssWd8.
Configuration
CLI Quick Configuration
To quickly configure MD5 authentication, copy the following command and paste it into the CLI.
Step-by-Step Procedure
To enable MD5 authentication for OSPFv2 exchanges:
- Create an OSPF area.
  [edit]
  user@host# edit protocols ospf area 0.0.0.0
- Specify the interface.
  [edit protocols ospf area 0.0.0.0]
  user@host# edit interface so-0/2/0
- Configure MD5 authentication and set a key ID and an authentication password.
  [edit protocols ospf area 0.0.0.0 interface so-0/2/0.0]
  user@host# set authentication md5 5 key PssWd8
- If you are done configuring the device, commit the configuration.
  [edit protocols ospf area 0.0.0.0 interface so-0/2/0.0]
  user@host# commit
Note: Repeat this entire configuration on all peer OSPFv2 routing devices.
Results
Confirm your configuration by entering the show protocols ospf command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
Note: After you configure the password, you do not see the password itself. The output displays the encrypted form of the password you configured.
Verification
Confirm that the configuration is working properly.
Verifying the Configured Authentication Method
Purpose
Verify that the authentication method for sending and receiving OSPF protocol packets is configured. When configured for MD5 authentication, the Authentication Type field displays MD5, the Active key ID field displays the unique number you entered that identifies the MD5 key, and the Start time field displays the date as Start time 1970 Jan 01 00:00:00 PST. Do not be alarmed by this start time. This is the default start time that the routing device displays if the MD5 key is effective immediately.
Action
From operational mode, enter the show ospf interface and the show ospf overview commands.
Example: Configuring a Transition of MD5 Keys on an OSPFv2 Interface
This example shows how to configure a transition of MD5 keys on an OSPFv2 interface.
Requirements
Before you begin:
- Configure the device interfaces. See the Router Interfaces or the Junos OS Interfaces Configuration Guide for Security Devices.
- Configure the router identifiers for the devices in your OSPF network. See Example: Configuring an OSPF Router Identifier.
- Control OSPF designated router election. See Example: Controlling OSPF Designated Router Election.
- Configure a single-area OSPF network. See Example: Configuring a Single-Area OSPF Network.
- Configure a multiarea OSPF network. See Example: Configuring a Multiarea OSPF Network.
Overview
MD5 authentication uses an encoded MD5 checksum that is included in the transmitted packet. For MD5 authentication to work, both the receiving and transmitting routing devices must have the same MD5 key.
You define an MD5 key for each interface. If MD5 is enabled on an interface, that interface accepts routing updates only if MD5 authentication succeeds. Otherwise, updates are rejected. The routing device only accepts OSPFv2 packets sent using the same key identifier (ID) that is defined for that interface.
For increased security, you can configure multiple MD5 keys, each with a unique key ID, and set the date and time to switch to a new key. The receiver of the OSPF packet uses the ID to determine which key to use for authentication.
In this example, you configure new keys to take effect at 12:01 AM on the first day of the next three months on OSPFv2 interface fe-0/0/1 in the backbone area (area 0.0.0.0), and you configure the following MD5 authentication settings:
- md5—Specifies the MD5 authentication key ID. The key ID can be set to any value between 0 and 255, with a default value of 0. The routing device only accepts OSPFv2 packets sent using the same key ID that is defined for that interface.
- key—Specifies the MD5 key. Each key can be a value from 1 through 16 characters long. Characters can include ASCII strings. If you include spaces, enclose all characters in quotation marks (" ").
- start-time—Specifies the time to start using the MD5 key. This option enables you to configure a smooth transition mechanism for multiple keys. The start time is relevant for transmission but not for receiving OSPF packets.
Note: You must set the same passwords and transition dates and times on all devices in the area so that OSPFv2 adjacencies remain active.
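As an added illustration of the key-ID and start-time behaviour described in this overview and in Understanding OSPFv2 Authentication above (example code written for this page, not Junos code), the following Python models RFC 2328 cryptographic authentication: the transmitter picks the key whose start-time has most recently passed, while the receiver selects the key by key ID alone and rejects unknown IDs, tampered digests and replayed sequence numbers. The key table mirrors this example's four keys; the router ID, area ID and Hello body are constructed.

```python
import hashlib
import hmac
import struct
from datetime import datetime

# Constructed key table mirroring the example's four "authentication md5 <id> key <key> [start-time]"
# statements. A key with no start-time is usable at once; Junos shows that as a 1970 start time.
KEY_TABLE = {
    1: ("$2010HaL", datetime(1970, 1, 1, 0, 0)),
    2: ("NeWpsswdFEB", datetime(2011, 2, 1, 0, 1)),
    3: ("NeWpsswdMAR", datetime(2011, 3, 1, 0, 1)),
    4: ("NeWpsswdAPR", datetime(2011, 4, 1, 0, 1)),
}
AU_TYPE_CRYPTO = 2   # OSPFv2 AuType for cryptographic (MD5) authentication
DIGEST_LEN = 16      # MD5 digest appended after the OSPF packet
ROUTER_ID = b"\x0a\x00\x00\x01"   # constructed router ID 10.0.0.1
AREA_ID = b"\x00\x00\x00\x00"     # backbone area 0.0.0.0
# Constructed Hello body: network mask, hello interval, options, priority, dead interval, DR, BDR
HELLO_BODY = b"\xff\xff\xff\x00" + b"\x00\x0a" + b"\x02" + b"\x01" + b"\x00\x00\x00\x28" + b"\x00" * 8


def tx_key_id(keys, now):
    """Transmit side: use the key whose start-time is the latest one that is not still in the future."""
    eligible = [(start, kid) for kid, (_key, start) in keys.items() if start <= now]
    return max(eligible)[1]


def md5_digest(packet, key):
    """RFC 2328 D.4.3: MD5 over the OSPF packet followed by the key, zero-padded to 16 bytes."""
    padded = key.encode()[:16].ljust(16, b"\x00")
    return hashlib.md5(packet + padded).digest()


def build_packet(pkt_type, body, key_id, seq, keys=KEY_TABLE):
    """OSPFv2 header (RFC 2328 A.3.1) with AuType 2; the checksum is zero when MD5 is in use.
    The 64-bit Authentication field carries 0, Key ID, Auth Data Len and the cryptographic sequence number."""
    length = 24 + len(body)
    header = struct.pack("!BBH4s4sHH", 2, pkt_type, length, ROUTER_ID, AREA_ID, 0, AU_TYPE_CRYPTO)
    header += struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    packet = header + body
    return packet + md5_digest(packet, keys[key_id][0])


def verify_packet(wire, keys, last_seq):
    """Receive side: the key is chosen by Key ID only (start-time does not matter), then the digest
    and the non-decreasing sequence number are checked. Returns (True, seq) or (False, reason)."""
    if len(wire) < 24 + DIGEST_LEN:
        return (False, "short")
    ver, _type, length, _rid, _aid, _cksum, au_type = struct.unpack("!BBH4s4sHH", wire[:16])
    _zero, key_id, auth_len, seq = struct.unpack("!HBBI", wire[16:24])
    if ver != 2 or au_type != AU_TYPE_CRYPTO or auth_len != DIGEST_LEN:
        return (False, "bad-auth-header")
    if len(wire) != length + DIGEST_LEN:
        return (False, "bad-length")
    if key_id not in keys:
        return (False, "unknown-key-id")     # a peer that was not given this key drops the adjacency
    if seq < last_seq:
        return (False, "replay")
    expected = md5_digest(wire[:length], keys[key_id][0])
    if not hmac.compare_digest(expected, wire[length:]):
        return (False, "bad-digest")
    return (True, seq)


if __name__ == "__main__":
    now = datetime(2011, 2, 15, 12, 0)
    kid = tx_key_id(KEY_TABLE, now)
    pkt = build_packet(1, HELLO_BODY, kid, 100)
    print("tx key id", kid, "->", verify_packet(pkt, KEY_TABLE, 0))
    print("peer still on key 1 only ->", verify_packet(pkt, {1: KEY_TABLE[1]}, 0))
```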
Configuration
CLI Quick Configuration
To quickly configure multiple MD5 keys on an OSPFv2 interface, copy the following commands, remove any line breaks, and then paste the commands into the CLI.
Step-by-Step Procedure
To configure multiple MD5 keys on an OSPFv2 interface:
- Create an OSPF area.
  [edit]
  user@host# edit protocols ospf area 0.0.0.0
- Specify the interface.
  [edit protocols ospf area 0.0.0.0]
  user@host# edit interface fe-0/1/0
- Configure MD5 authentication and set an authentication password and key ID.
  [edit protocols ospf area 0.0.0.0 interface fe-0/1/0.0]
  user@host# set authentication md5 1 key $2010HaL
- Configure a new key to take effect at 12:01 AM on the first day of February, March, and April. You configure a new authentication password and key ID for each month.
  - For the month of February, enter the following:
    [edit protocols ospf area 0.0.0.0 interface fe-0/1/0.0]
    user@host# set authentication md5 2 key NeWpsswdFEB start-time 2011-02-01.00:01
  - For the month of March, enter the following:
    [edit protocols ospf area 0.0.0.0 interface fe-0/1/0.0]
    user@host# set authentication md5 3 key NeWpsswdMAR start-time 2011-03-01.00:01
  - For the month of April, enter the following:
    [edit protocols ospf area 0.0.0.0 interface fe-0/1/0.0]
    user@host# set authentication md5 4 key NeWpsswdAPR start-time 2011-04-01.00:01
- If you are done configuring the device, commit the configuration.
  [edit protocols ospf area 0.0.0.0 interface fe-0/1/0.0]
  user@host# commit
Note: Repeat this entire configuration on all peer OSPFv2 routing devices.
Results
Confirm your configuration by entering the show protocols ospf command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
Note: After you configure the password, you do not see the password itself. The output displays the encrypted form of the password you configured.
Verification
Confirm that the configuration is working properly.
Verifying the Configured Authentication Method
Purpose
Verify that the authentication method for sending and receiving OSPF protocol packets is configured. When configured for MD5 authentication with a transition of keys, the Auth type field displays MD5, the Active key ID field displays the unique number you entered that identifies the MD5 key, and the Start time field displays the time at which the routing device starts using an MD5 key to authenticate OSPF packets transmitted on the interface you configured.
Action
From operational mode, enter the show ospf interface and the show ospf overview commands.
Example: Configuring IPsec Authentication for an OSPF Interface
This example shows how to enable IP Security (IPsec) authentication for an OSPF interface.
Requirements
Before you begin:
- Configure the device interfaces. See the Router Interfaces or the Junos OS Interfaces Configuration Guide for Security Devices.
- Configure the router identifiers for the devices in your OSPF network. See Example: Configuring an OSPF Router Identifier.
- Control OSPF designated router election. See Example: Controlling OSPF Designated Router Election.
- Configure a single-area OSPF network. See Example: Configuring a Single-Area OSPF Network.
- Configure a multiarea OSPF network. See Example: Configuring a Multiarea OSPF Network.
Overview
You can use IPsec authentication for both OSPFv2 and OSPFv3. You configure the actual IPsec authentication separately and apply it to the applicable OSPF configuration.
OSPFv2
Beginning with Junos OS Release 8.3, you can use IPsec authentication to authenticate OSPFv2 interfaces, the remote endpoint of a sham link, and the OSPFv2 virtual link by using manual security associations (SAs) to ensure that a packet’s contents are secure between the routing devices.
Note: You can configure IPsec authentication together with either MD5 or simple authentication.
To enable IPsec authentication, do one of the following:
- For an OSPFv2 interface, include the ipsec-sa name statement for a specific interface:
- For a remote sham link, include the ipsec-sa name statement for the remote end point of the sham link:
  sham-link-remote address ipsec-sa name;
Note: If a Layer 3 VPN configuration has multiple sham links with the same remote endpoint IP address, you must configure the same IPsec security association for all the remote endpoints. You configure a Layer 3 VPN at the [edit routing-instances routing-instance-name instance-type] hierarchy level. For more information about Layer 3 VPNs, see the Junos OS VPNs Library for Routing Devices.
- For a virtual link, include the ipsec-sa name statement for a specific virtual link:
  virtual-link neighbor-id router-id transit-area area-id ipsec-sa name;
OSPFv3
OSPFv3 does not have a built-in authentication method and relies on IPsec to provide this functionality. You use IPsec authentication to secure OSPFv3 interfaces and protect OSPFv3 virtual links by using manual SAs to ensure that a packet’s contents are secure between the routing devices.
To apply authentication, do one of the following:
- For an OSPFv3 interface, include the ipsec-sa name statement for a specific interface:
- For a virtual link, include the ipsec-sa name statement for a specific virtual link:
  virtual-link neighbor-id router-id transit-area area-id ipsec-sa name;
Tasks to Complete for Both OSPFv2 and OSPFv3
In this example, you perform the following tasks:
- Configure IPsec authentication. To do this, define a manual SA named sa1 and specify the processing direction, the protocol used to protect IP traffic, the security parameter index (SPI), and the authentication algorithm and key.
- Configure the following option at the [edit security ipsec security-association sa-name mode] hierarchy level:
  - transport—Specifies transport mode. This mode protects traffic when the communication endpoint and the cryptographic endpoint are the same. The data portion of the IP packet is encrypted, but the IP header is not.
- Configure the following option at the [edit security ipsec security-association sa-name manual direction] hierarchy level:
  - bidirectional—Defines the direction of IPsec processing. By specifying bidirectional, the same algorithms, keys, and security parameter index (SPI) values you configure are used in both directions.
- Configure the following options at the [edit security ipsec security-association sa-name manual direction bidirectional] hierarchy level:
  - protocol—Defines the IPsec protocol used by the manual SA to protect IP traffic. You can specify either the authentication header (AH) or the Encapsulating Security Payload (ESP). If you specify AH, which you do in this example, you cannot configure encryption.
  - spi—Configures the SPI for the manual SA. An SPI is an arbitrary value that uniquely identifies which SA to use at the receiving host. The sending host uses the SPI to identify and select which SA to use to secure every packet. The receiving host uses the SPI to identify and select the encryption algorithm and key used to decrypt packets. In this example, you specify 256.
  - authentication—Configures the authentication algorithm and key. The algorithm option specifies the hash algorithm that authenticates packet data. In this example, you specify hmac-md5-96, which produces a 128-bit digest. The key option indicates the type of authentication key. In this example, you specify ascii-text-key, which is 16 ASCII characters for the hmac-md5-96 algorithm.
- Enable IPsec authentication on OSPF interface so-0/2/0.0 in the backbone area (area 0.0.0.0) by including the name of the manual SA sa1 that you configured at the [edit security ipsec] hierarchy level.
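As an added example of what the manual SA in this task list, and the SA description under Understanding OSPFv3 Authentication, mean on the wire (example code written for this page, not Junos code), the following Python models AH in transport mode with hmac-md5-96: the receiver selects the SA by SPI, both directions use the one bidirectional key, mutable IPv6 fields such as the hop limit are excluded from the ICV, and a peer with a different SPI or key fails verification. The SA table, the link-local addresses and the 16-byte placeholder key are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51           # IPv6 Next Header value for the Authentication Header
OSPF_PROTO = 89         # Next Header value of the OSPFv3 payload carried after the AH
ICV_LEN = 12            # hmac-md5-96: 128-bit HMAC-MD5 truncated to 96 bits (RFC 2403)
AH_LEN = 12 + ICV_LEN   # fixed AH fields (next header, length, reserved, SPI, sequence) plus the ICV

# Constructed manual SA table mirroring the example's sa1: transport mode, bidirectional, protocol ah,
# spi 256, hmac-md5-96. The 16-byte key is a placeholder, not the key shown on the page.
SA_TABLE = {
    256: {"name": "sa1", "mode": "transport", "direction": "bidirectional",
          "protocol": "ah", "algorithm": "hmac-md5-96", "key": b"placeholder-key!"},
}


def ipv6_header(src, dst, payload_len, next_header, hop_limit):
    """Fixed 40-byte IPv6 header; transport mode keeps the original header and inserts the AH after it."""
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def immutable_view(ip_hdr):
    """AH covers the IP header except the fields that change in transit: traffic class, flow label, hop limit."""
    ver_tc_fl, plen, nh, _hop, src, dst = struct.unpack("!IHBB16s16s", ip_hdr)
    return struct.pack("!IHBB16s16s", ver_tc_fl & 0xF0000000, plen, nh, 0, src, dst)


def compute_icv(sa, ip_hdr, ah_fixed, payload):
    """ICV = HMAC-MD5 over (immutable IP header || AH with ICV zeroed || payload), truncated to 96 bits."""
    if sa["protocol"] != "ah" or sa["algorithm"] != "hmac-md5-96":
        raise ValueError("this example only models AH with hmac-md5-96")
    msg = immutable_view(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(sa["key"], msg, hashlib.md5).digest()[:ICV_LEN]


def ah_protect(sa_table, spi, seq, src, dst, inner_next_header, payload, hop_limit=64):
    """Sender: build IPv6 header + AH + payload, with the AH length field in 32-bit words minus 2."""
    sa = sa_table[spi]
    ah_fixed = struct.pack("!BBHII", inner_next_header, AH_LEN // 4 - 2, 0, spi, seq)
    ip_hdr = ipv6_header(src, dst, AH_LEN + len(payload), AH_PROTO, hop_limit)
    return ip_hdr + ah_fixed + compute_icv(sa, ip_hdr, ah_fixed, payload) + payload


def ah_verify(sa_table, packet, last_seq=0):
    """Receiver: select the SA by SPI, reject replays, recompute the ICV with the same bidirectional key.
    Returns (True, next_header, payload) or (False, reason)."""
    ip_hdr, rest = packet[:40], packet[40:]
    if len(ip_hdr) < 40 or len(rest) < AH_LEN:
        return (False, "short")
    if struct.unpack("!IHBB16s16s", ip_hdr)[2] != AH_PROTO:
        return (False, "not-ah")
    nh, plen_field, _res, spi, seq = struct.unpack("!BBHII", rest[:12])
    if (plen_field + 2) * 4 != AH_LEN:
        return (False, "bad-ah-length")
    sa = sa_table.get(spi)
    if sa is None:
        return (False, "no-sa-for-spi")      # peers configured with different SPIs never match
    if seq <= last_seq:
        return (False, "replay")
    got, payload = rest[12:AH_LEN], rest[AH_LEN:]
    if not hmac.compare_digest(got, compute_icv(sa, ip_hdr, rest[:12], payload)):
        return (False, "bad-icv")            # a different key on the peer shows up here
    return (True, nh, payload)


if __name__ == "__main__":
    pkt = ah_protect(SA_TABLE, 256, 1, "fe80::1", "fe80::2", OSPF_PROTO, b"OSPFv3 hello")
    print("same SA both ends ->", ah_verify(SA_TABLE, pkt))
    print("peer with SPI 300 ->", ah_verify({300: SA_TABLE[256]}, pkt))
```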
Configuration
Configuring Security Associations
CLI Quick Configuration
To quickly configure a manual SA to be used for IPsec authentication on an OSPF interface, copy the following commands, remove any line breaks, and then paste the commands into the CLI.
Step-by-Step Procedure
To configure a manual SA to be used on an OSPF interface:
- Specify a name for the SA.
  [edit]
  user@host# edit security ipsec security-association sa1
- Specify the mode of the SA.
  [edit security ipsec security-association sa1]
  user@host# set mode transport
- Configure the direction of the manual SA.
  [edit security ipsec security-association sa1]
  user@host# set manual direction bidirectional
- Configure the IPsec protocol to use.
  [edit security ipsec security-association sa1]
  user@host# set manual direction bidirectional protocol ah
- Configure the value of the SPI.
  [edit security ipsec security-association sa1]
  user@host# set manual direction bidirectional spi 256
- Configure the authentication algorithm and key.
  [edit security ipsec security-association sa1]
  user@host# set manual direction bidirectional authentication algorithm hmac-md5-96 key ascii-text 123456789012abc
- If you are done configuring the device, commit the configuration.
  [edit security ipsec security-association sa1]
  user@host# commit
Note: Repeat this entire configuration on all peer OSPF routing devices.
Results
Confirm your configuration by entering the show security ipsec command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
Note: After you configure the password, you do not see the password itself. The output displays the encrypted form of the password you configured.
Enabling IPsec Authentication for an OSPF Interface
CLI Quick Configuration
To quickly apply a manual SA used for IPsec authentication to an OSPF interface, copy the following command and paste it into the CLI.
Step-by-Step Procedure
To enable IPsec authentication for an OSPF interface:
- Create an OSPF area.
  Note: To specify OSPFv3, include the ospf3 statement at the [edit protocols] hierarchy level.
  [edit]
  user@host# edit protocols ospf area 0.0.0.0
- Specify the interface.
  [edit protocols ospf area 0.0.0.0]
  user@host# edit interface so-0/2/0
- Apply the IPsec manual SA.
  [edit protocols ospf area 0.0.0.0 interface so-0/2/0.0]
  user@host# set ipsec-sa sa1
- If you are done configuring the device, commit the configuration.
  [edit protocols ospf area 0.0.0.0 interface so-0/2/0.0]
  user@host# commit
Note: Repeat this entire configuration on all peer OSPF routing devices.
Results
Confirm your configuration by entering the show protocols ospf command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
To confirm your OSPFv3 configuration, enter the show protocols ospf3 command.
Verification
Confirm that the configuration is working properly.
- Verifying the IPsec Security Association Settings
- Verifying the IPsec Security Association on the OSPF Interface
Verifying the IPsec Security Association Settings
Purpose
Verify the configured IPsec security association settings. Verify the following information:
- The Security association field displays the name of the configured security association.
- The SPI field displays the value you configured.
- The Mode field displays transport mode.
- The Type field displays manual as the type of security association.
Action
From operational mode, enter the show ipsec security-associations command.
Verifying the IPsec Security Association on the OSPF Interface
Purpose
Verify that the IPsec security association that you configured has been applied to the OSPF interface. Confirm that the IPSec SA name field displays the name of the configured IPsec security association.
Action
From operational mode, enter the show ospf interface detail command for OSPFv2, and enter the show ospf3 interface detail command for OSPFv3.
Published: 2013-07-22