These lecture notes on OSPF authentication aim for a deep understanding of the feature. I will look at OSPF at the packet level through debugs to understand how OSPF behaves when authentication is required to form an adjacency.

Below is my topology for this part of the OSPF topic:

 

Laboratory Objectives:

1. Set up Area 0 to use plain-text OSPF authentication.

2. Set up Area 2 to use MD5 OSPF authentication.

3. Determine from the output of “debug ip ospf packet” whether OSPF authentication is in place.

Here are my router configurations:

 MANILA#sh run | sec ospf
router ospf 1
 network 10.0.0.0 0.255.255.255 area 1
 network 0.0.0.0 255.255.255.255 area 0
MANILA#




MELBOURNE#sh run | sec ospf
router ospf 1
 network 20.20.20.0 0.0.0.255 area 0
 network 192.168.12.0 0.0.0.255 area 0
 network 192.168.23.0 0.0.0.255 area 2
MELBOURNE#


SINGAPORE#sh run | sec ospf
router ospf 1
 network 0.0.0.0 255.255.255.255 area 2
SINGAPORE#



>> My configuration for MANILA tells us that all networks within Area 1 can be advertised into OSPF.

>> Similarly, I have advertised “any” IP address on the SINGAPORE router.


As seen below, the OSPF adjacencies have formed.

MANILA#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
20.20.20.1        0   FULL/  -        00:00:36    192.168.12.2    Serial3/0
MANILA#


MELBOURNE#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.13.1        0   FULL/  -        00:00:34    192.168.12.1    Serial3/0
30.30.30.1        0   FULL/  -        00:00:35    192.168.23.3    Serial3/1

MELBOURNE#







SINGAPORE#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
20.20.20.1        0   FULL/  -        00:00:32    192.168.23.2    Serial3/1
SINGAPORE#


Now, what I want to do is assign “P@ssw0rd” as my plain-text password to establish authenticated neighbors between the MANILA and MELBOURNE routers.

MANILA(config)#int s3/0    <<<< OSPF interface
MANILA(config-if)#ip ospf authentication  <<< enabling authentication
MANILA(config-if)#ip ospf authentication-key P@ssw0rd123 <<< I intentionally set more than 8 characters to see what happens.
% OSPF: Warning: The password/key will be truncated to 8 characters   <<< So the key is limited to 8 characters.
MANILA(config-if)#ip ospf authentication-key P@ssw0rd   <<< Set up the correct key.
MANILA(config-if)#^Z



*Aug  2 16:30:08.771: %SYS-5-CONFIG_I: Configured from console by console  

Let’s see what happens on the MANILA and MELBOURNE routers. I enabled “debug ip ospf adjacency” on MELBOURNE to see what the debug output tells us.

MELBOURNE#debug ip ospf adj
OSPF adjacency debugging is on
*Aug  2 16:55:14.619: %SYS-5-CONFIG_I: Configured from console by console

MANILA#
*Aug  2 16:30:32.111: %OSPF-5-ADJCHG: Process 1, Nbr 20.20.20.1 on Serial3/0 from FULL to DOWN, Neighbor Down: Dead timer expired  >>> As seen, the adjacency was broken after

MELBOURNE#
*Aug  2 16:55:13.423: OSPF-1 ADJ   Se3/0: Rcv pkt from 192.168.12.1 : Mismatched Authentication type. Input packet specified type 1, we use type 0

*Aug  2 16:55:45.055: OSPF-1 ADJ   Se3/0: 10.10.13.1 address 192.168.12.1 is dead, state DOWN
*Aug  2 16:55:45.059: %OSPF-5-ADJCHG: Process 1, Nbr 10.10.13.1 on Serial3/0 from FULL to DOWN, Neighbor Down: Dead timer expired




Observation:

1. The moment I enabled “ip ospf authentication” on the MANILA router, it had to wait for the Dead interval of 40 seconds before declaring its neighbor unreachable. As the link between MANILA and MELBOURNE is a serial link, it has a default Hello interval of 10 seconds.
 
MANILA#sh ip ospf interface s3/0
Serial3/0 is up, line protocol is up
  Internet Address 192.168.12.1/24, Area 0, Attached via Network Statement
  Process ID 1, Router ID 10.10.13.1, Network Type POINT_TO_POINT, Cost: 64
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           64        no          no            Base
  Transmit Delay is 1 sec, State POINT_TO_POINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5



2. Another observation is that MELBOURNE received a packet from 192.168.12.1 (the MANILA router) and reported a mismatched authentication type: the input packet specified type 1 (clear-text authentication), while MELBOURNE was still using type 0 (“we use type 0”), so MELBOURNE has to be set to clear-text authentication as well.


Let’s complete the configuration of both routers. The moment I set up the clear-text password on MELBOURNE, the adjacency formed.


MELBOURNE(config)#int s3/0
MELBOURNE(config-if)#ip ospf authentication
MELBOURNE(config-if)#ip ospf authentication-key P@ssw0rd
MELBOURNE(config-if)#^Z

*Aug  2 17:09:43.039: %OSPF-5-ADJCHG: Process 1, Nbr 10.10.13.1 on Serial3/0 from LOADING to FULL, Loading Done
MELBOURNE#



Let’s check the adjacency between the MANILA and MELBOURNE routers.

MANILA#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
20.20.20.1        0   FULL/  -        00:00:30    192.168.12.2    Serial3/0
MANILA#



Now we know that we have set up a clear-text password between MANILA and MELBOURNE. Cisco routers have a way to encrypt the password in the configuration, but there are ways to decrypt it as well. For the sake of these notes, I will just enable “service password-encryption” to hide the clear-text password.


MANILA# sh run int s3/0
Building configuration...

Current configuration : 151 bytes
!
interface Serial3/0
 ip address 192.168.12.1 255.255.255.0
 ip ospf authentication
 ip ospf authentication-key P@ssw0rd
 serial restart-delay 0
end


MANILA(config)# service  password-encryption
MANILA(config)#^Z


MANILA# sh run int s3/0

interface Serial3/0
 ip address 192.168.12.1 255.255.255.0
 ip ospf authentication
 ip ospf authentication-key 7 13353701181B54382F
 serial restart-delay 0


One more important concept I would like to share is the output of “debug ip ospf packet”. As we can see from the logs I captured on the MELBOURNE router, when I had not set the password on the links it shows “aut:0”, but the moment I enabled authentication on both routers it changed to “aut:1”. Below is the meaning of that debug output.


                         


MELBOURNE#debug ip ospf packet
OSPF packet debugging is on
MELBOURNE#
*Aug  2 17:26:52.019: OSPF-1 PAK  : rcv. v:2 t:1 l:48 rid:10.10.10.1 aid:0.0.0.2 chk:8864 aut:0 auk: from Serial3/1

*Aug  2 17:27:58.195: OSPF-1 PAK  : rcv. v:2 t:1 l:44 rid:10.10.13.1 aid:0.0.0.0 chk:D592 aut:1 auk: from Serial3/0
*Aug  2 17:27:58.203: OSPF-1 PAK  : rcv. v:2 t:1 l:48 rid:10.10.13.1 aid:0.0.0.0 chk:AD79 aut:1 from Serial3/1
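What aut:1 means on the wire, and how it differs from the MD5 type (aut:2) configured in Part 2, can be shown by building both packets per RFC 2328. This is an added example, not part of the original lab; the Hello body values and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

def ip4(addr):
    return bytes(int(octet) for octet in addr.split("."))

def header(ptype, length, rid, aid, chk, autype, auth):
    # OSPFv2 header (RFC 2328 A.3.1): 24 bytes, the last 8 are the Authentication field.
    return struct.pack("!BBH4s4sHH8s", 2, ptype, length, ip4(rid), ip4(aid), chk, autype, auth)

def inet_checksum(data):
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def simple_packet(body, rid, aid, key):
    # aut:1 - the key itself fills the 8-byte field, hence the truncation warning.
    auth = key.encode()[:8].ljust(8, b"\0")
    length = 24 + len(body)
    # The checksum covers the whole packet except the Authentication field.
    chk = inet_checksum(header(1, length, rid, aid, 0, 1, auth)[:16] + body)
    return header(1, length, rid, aid, chk, 1, auth) + body

def padded(key):
    return key.encode()[:16].ljust(16, b"\0")  # MD5 keys are 16 bytes, zero-padded

def md5_packet(body, rid, aid, key_id, seq, key):
    # aut:2 - checksum is 0; the field holds 0, key ID, digest length and sequence number.
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = header(1, 24 + len(body), rid, aid, 0, 2, auth) + body
    # Digest = MD5(packet + key), appended as a trailer outside the length field.
    return pkt + hashlib.md5(pkt + padded(key)).digest()

def verify_md5(packet, key):
    pkt, digest = packet[:-16], packet[-16:]
    return hmac.compare_digest(hashlib.md5(pkt + padded(key)).digest(), digest)

# Constructed Hello body (values modelled on the lab, not captured from it): mask /24,
# Hello 10 s, options 0x02, priority 0, Dead 40 s, no DR/BDR, one neighbor.
HELLO = struct.pack("!4sHBBI4s4s4s", ip4("255.255.255.0"), 10, 0x02, 0, 40,
                    ip4("0.0.0.0"), ip4("0.0.0.0"), ip4("20.20.20.1"))

if __name__ == "__main__":
    plain = simple_packet(HELLO, "10.10.13.1", "0.0.0.0", "P@ssw0rd123")
    print("aut:1 field:", plain[16:24])            # key readable in every packet
    signed = md5_packet(HELLO, "30.30.30.1", "0.0.0.2", 100, 0x57A0DD4B, "P@ssw0rd")
    print("aut:2 field:", signed[16:24].hex(), "digest ok:", verify_md5(signed, "P@ssw0rd"))
```

With type 1 the receiver only compares the 8-byte field, while with type 2 the key never leaves the router and the header checksum is left at 0, which is why the MD5 debug lines later in this lab show chk:0.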




Take note of the configuration below for OSPF plain-text authentication.






Part 2. Let’s set up the authentication between MELBOURNE and SINGAPORE as MD5. I will still be using “P@ssw0rd” as my password/key.

I still have my adjacency to MELBOURNE from the SINGAPORE router:

SINGAPORE#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
20.20.20.1        0   FULL/  -        00:00:39    192.168.23.2    Serial3/1
SINGAPORE#


I have “debug ip ospf packet” enabled on the MELBOURNE router, and what it currently tells me is that there is no authentication between MELBOURNE and SINGAPORE, i.e. aut:0.

MELBOURNE#
*Aug  2 17:34:44.647: OSPF-1 PAK  : rcv. v:2 t:1 l:48 rid:10.10.13.1 aid:0.0.0.0 chk:AD79 aut:1 auk: from Serial3/0
*Aug  2 17:34:48.527: OSPF-1 PAK  : rcv. v:2 t:1 l:48 rid:30.30.30.1 aid:0.0.0.2 chk:8864 aut:0 auk: from Serial3/1
*Aug  2 17:34:54.039: OSPF-1 PAK  : rcv. v:2 t:1 l:48 rid:10.10.13.1 aid:0.0.0.0 chk:AD79 aut:1 auk: from Serial3/0
*Aug  2 17:34:57.951: OSPF-1 PAK  : rcv. v:2 t:1 l:48 rid:30.30.30.1 aid:0.0.0.2 chk:8864 aut:0 auk: from Serial3/1



Now, let me enable MD5 first on the SINGAPORE router:

SINGAPORE(config)#int s3/1
SINGAPORE(config-if)#ip ospf authentication message-digest
SINGAPORE(config-if)#ip ospf  message-digest-key 100 md5 P@ssw0rd
SINGAPORE(config-if)#^Z
SINGAPORE#


Let’s observe the logs on the MELBOURNE router. Similarly, the adjacency between MELBOURNE and SINGAPORE was reset, and the logs tell us that there was a mismatched authentication.


MELBOURNE#

*Aug  2 17:39:11.727: OSPF-1 ADJ   Se3/1: Rcv pkt from 192.168.23.3 : Mismatched Authentication type. Input packet specified type 1, we use type 0
*Aug  2 17:39:14.647: OSPF-1 ADJ   Se3/1: 30.30.30.1 address 192.168.23.3 is dead
*Aug  2 17:39:14.647: OSPF-1 ADJ   Se3/1: 30.30.30.1 address 192.168.23.3 is dead, state DOWN
*Aug  2 17:39:14.651: %OSPF-5-ADJCHG: Process 1, Nbr 30.30.30.1 on Serial3/1 from FULL to DOWN, Neighbor Down: Dead timer expired

*Aug  2 17:39:20.771: OSPF-1 PAK  : rcv. v:2 t:1 l:48 rid:10.10.13.1 aid:0.0.0.0 chk:AD79 aut:1 auk: from Serial3/0
*Aug  2 17:39:21.643: OSPF-1 ADJ   Se3/1: Rcv pkt from 192.168.23.3 : Mismatched Authentication type. Input packet specified type 1, we use type 0
*Aug  2 17:39:22.727: OSPF-1 PAK  : rcv. v:2 t:5 l:44 rid:10.10.13.1 aid:0.0.0.0 chk:8506 aut:1 auk: from Serial3/0
*Aug  2 17:39:29.823: OSPF-1 PAK  : rcv. v:2 t:1 l:48 rid:10.10.13.1 aid:0.0.0.0 chk:AD79 aut:1 auk: from Serial3/0
*Aug  2 17:39:31.419: OSPF-1 ADJ   Se3/1: Rcv pkt from 192.168.23.3 : Mismatched Authentication type. Input packet specified type 1, we use type 0


Let me enable MD5 authentication on the MELBOURNE link towards the SINGAPORE router.
 
MELBOURNE(config)#int s3
MELBOURNE(config-if)#ip ospf authentication message-digest
MELBOURNE(config-if)#ip ospf message-digest-key 100 md5 P@ssw0rd

Upon checking on SINGAPORE, the adjacency has formed:


SINGAPORE#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
20.20.20.1        0   FULL/  -        00:00:35    192.168.23.2    Serial3/1
SINGAPORE#


But what do the logs on the MELBOURNE router tell us upon enabling MD5 authentication? As we can see below, the authentication type has changed to aut:2, which means it is now using MD5.

MELBOURNE#
*Aug  2 17:55:15.319: OSPF-1 ADJ   Se3/1: Send with youngest Key 100
*Aug  2 17:55:18.459: OSPF-1 PAK  : rcv. v:2 t:1 l:48 rid:30.30.30.1 aid:0.0.0.2 chk:0 aut:2 keyid:100 seq:0x57A0DD4B from Serial3/1


 SINGAPORE(config-if)#
*Aug  2 17:56:12.211: OSPF-1 PAK  : rcv. v:2 t:1 l:48 rid:20.20.20.1 aid:0.0.0.2 chk:0 aut:2 keyid:100 seq:0x57A0DD7E from Serial3/1
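The aut:0, aut:1 and aut:2 readings taken by eye throughout this lab can be pulled out of a saved debug log automatically. The following is an added example, not part of the original notes: a small parser for the “debug ip ospf packet” and mismatch lines, with sample input constructed in the format of the MELBOURNE captures and with function names chosen for illustration.

```python
import re

# Meanings of the t: and aut: fields in "debug ip ospf packet" output.
PACKET_TYPES = {1: "Hello", 2: "DBD", 3: "LSR", 4: "LSU", 5: "LSAck"}
AUTH_TYPES = {0: "null", 1: "plain text", 2: "MD5"}

PAK_RE = re.compile(r"OSPF-\d+ PAK\s*: rcv\. (?P<fields>.*?) from (?P<intf>\S+)\s*$")
FIELD_RE = re.compile(r"(\w+):(\S*)")
MISMATCH_RE = re.compile(
    r"ADJ\s+(?P<intf>\S+): Rcv pkt from (?P<src>\S+) : Mismatched Authentication type\. "
    r"Input packet specified type (?P<theirs>\d+), we use type (?P<ours>\d+)")

def parse_pak(line):
    """Decode one PAK line into a dict; return None for any other line."""
    m = PAK_RE.search(line)
    if not m:
        return None
    f = dict(FIELD_RE.findall(m.group("fields")))
    return {
        "interface": m.group("intf"),
        "type": PACKET_TYPES.get(int(f["t"]), "unknown"),
        "router_id": f["rid"],
        "area": f["aid"],
        "auth": AUTH_TYPES.get(int(f["aut"]), "unknown"),
        "key_id": int(f["keyid"]) if "keyid" in f else None,
    }

def audit(lines):
    """Return (latest auth type seen per interface, list of type mismatches)."""
    latest, mismatches = {}, []
    for line in lines:
        pkt = parse_pak(line)
        if pkt:
            latest[pkt["interface"]] = pkt["auth"]
        m = MISMATCH_RE.search(line)
        if m:
            theirs, ours = int(m.group("theirs")), int(m.group("ours"))
            mismatches.append((m.group("intf"), m.group("src"),
                               AUTH_TYPES.get(theirs, "unknown"), AUTH_TYPES.get(ours, "unknown")))
    return latest, mismatches

# Sample lines in the format of the MELBOURNE captures (constructed for this example).
SAMPLE = [
    "*Aug  2 16:55:13.423: OSPF-1 ADJ   Se3/0: Rcv pkt from 192.168.12.1 : Mismatched Authentication type. Input packet specified type 1, we use type 0",
    "*Aug  2 17:34:44.647: OSPF-1 PAK  : rcv. v:2 t:1 l:48 rid:10.10.13.1 aid:0.0.0.0 chk:AD79 aut:1 auk: from Serial3/0",
    "*Aug  2 17:34:48.527: OSPF-1 PAK  : rcv. v:2 t:1 l:48 rid:30.30.30.1 aid:0.0.0.2 chk:8864 aut:0 auk: from Serial3/1",
    "*Aug  2 17:55:18.459: OSPF-1 PAK  : rcv. v:2 t:1 l:48 rid:30.30.30.1 aid:0.0.0.2 chk:0 aut:2 keyid:100 seq:0x57A0DD4B from Serial3/1",
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Any interface whose latest entry is still “null” or “plain text” after a change window is one where the authentication rollout is incomplete.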


Take note of the configuration requirements below for MD5.


Finally, since I have the complete routing table on the SINGAPORE router after building the correct OSPF authentication, I should be able to reach the MANILA networks.

SINGAPORE#show ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/32 is subnetted, 4 subnets
O IA     10.10.10.1 [110/129] via 192.168.23.2, 00:03:06, Serial3/1
O IA     10.10.11.1 [110/129] via 192.168.23.2, 00:03:06, Serial3/1
O IA     10.10.12.1 [110/129] via 192.168.23.2, 00:03:06, Serial3/1
O IA     10.10.13.1 [110/129] via 192.168.23.2, 00:03:06, Serial3/1
      20.0.0.0/32 is subnetted, 1 subnets
O IA     20.20.20.1 [110/65] via 192.168.23.2, 00:14:14, Serial3/1
      100.0.0.0/32 is subnetted, 1 subnets
O IA     100.100.100.1 [110/129] via 192.168.23.2, 00:03:06, Serial3/1
O IA  192.168.12.0/24 [110/128] via 192.168.23.2, 00:14:14, Serial3/1

SINGAPORE#ping 10.10.10.1 source 30.30.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
Packet sent with a source address of 30.30.30.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/105/120 ms

SINGAPORE#ping 10.10.11.1 source 30.30.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.11.1, timeout is 2 seconds:
Packet sent with a source address of 30.30.30.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/92/116 ms

SINGAPORE#ping 10.10.12.1 source 30.30.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.12.1, timeout is 2 seconds:
Packet sent with a source address of 30.30.30.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/104/120 ms

SINGAPORE#ping 10.10.13.1 source 30.30.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.13.1, timeout is 2 seconds:
Packet sent with a source address of 30.30.30.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/98/116 ms
SINGAPORE#

Here ends my laboratory on OSPF authentication. My next post will cover another method of authenticating OSPF neighbors. Thanks for reading!
