In my previous post, I shared how to set up authentication between OSPF neighbors. That first method enables authentication toward the neighbors directly on the OSPF interfaces. We learned to set it up in two ways: plain-text authentication and MD5 authentication.
Just to recap a bit, for plain-text authentication I have the following important configuration steps under the OSPF interface:
– ip ospf authentication
– ip ospf authentication-key
For MD5 authentication, below are the configurations required under the OSPF interfaces:
– ip ospf authentication message-digest
– ip ospf message-digest-key md5
In this post, I will set up another method of OSPF authentication. With this method, we still need to set up the key and password on the OSPF interface, but authentication is enabled globally under the OSPF process, where we can select which OSPF areas it applies to.
I will be using the same topology which I used for the first method of OSPF Authentications.
Here are my lab objectives:
1. Establish MD5 authentication between the MELBOURNE and SINGAPORE routers.
2. Establish plain-text authentication between the MANILA and MELBOURNE routers.
Here are my router configurations:
MELBOURNE#sh run int s3/1
Building configuration…
interface Serial3/1
ip address 192.168.23.2 255.255.255.0
ip ospf message-digest-key 1 md5 P@ssw0rd123 <<< For MD5 authentication, the key is limited to a maximum of 16 characters.
serial restart-delay 0
end
MELBOURNE#sh run int s3/0
!
interface Serial3/0
ip address 192.168.12.2 255.255.255.0
ip ospf authentication-key P@ssw0rd <<<< For plain-text authentication, the password is limited to 8 characters.
serial restart-delay 0
MELBOURNE#sh run | sec ospf
router ospf 1
area 0 authentication <<< This is my plain-text authentication
area 2 authentication message-digest <<< This is my MD5 authentication
network 20.20.20.0 0.0.0.255 area 0
network 192.168.12.0 0.0.0.255 area 0
network 192.168.23.0 0.0.0.255 area 2
SINGAPORE#sh run int s3/1
Building configuration…
!
interface Serial3/1
ip address 192.168.23.3 255.255.255.0
ip ospf message-digest-key 1 md5 P@ssw0rd123
serial restart-delay 0
end
SINGAPORE#sh run | sec ospf
router ospf 1
area 2 authentication message-digest
network 0.0.0.0 255.255.255.255 area 2
SINGAPORE#
MANILA#sh run int s3/0
interface Serial3/0
ip address 192.168.12.1 255.255.255.0
ip ospf authentication-key P@ssw0rd
serial restart-delay 0
end
MANILA#sh run | sec ospf
router ospf 1
area 0 authentication
network 192.168.12.0 0.0.0.255 area 0
network 0.0.0.0 255.255.255.255 area 1
MANILA#
Verification:
Let's check the adjacency from the MELBOURNE router:
MELBOURNE#show ip ospf neighbor
Neighbor ID     Pri   State      Dead Time   Address         Interface
10.10.13.1        0   FULL/  -   00:00:39    192.168.12.1    Serial3/0
30.30.30.1        0   FULL/  -   00:00:35    192.168.23.3    Serial3/1
MELBOURNE#
I'm going to play around with the MD5 authentication by adding an additional key with a new password, and let's see what happens. I will enable "debug ip ospf packet" on the SINGAPORE router and make the initial configuration change on the MELBOURNE router.
SINGAPORE#debug ip ospf packet
OSPF packet debugging is on
SINGAPORE#
*Aug 3 15:08:00.571: OSPF-1 PAK : rcv. v:2 t:1 l:48 rid:20.20.20.1 aid:0.0.0.2 chk:0 aut:2 keyid:1 seq:0x57A207BB from Serial3/1
*Aug 3 15:08:10.155: OSPF-1 PAK : rcv. v:2 t:1 l:48 rid:20.20.20.1 aid:0.0.0.2 chk:0 aut:2 keyid:1 seq:0x57A207C4 from Serial3/1
*Aug 3 15:08:19.267: OSPF-1 PAK : rcv. v:2 t:1 l:48 rid:20.20.20.1 aid:0.0.0.2 chk:0 aut:2 keyid:1 seq:0x57A
Observations:
1. We can see from the logs that MD5 authentication is running (because of the code aut:2).
2. The key shown is keyid:1, which means that the configured key ID for MD5 is 1.
Now, the moment I create another MD5 key and password on the MELBOURNE and SINGAPORE routers, the new key will be used.
MELBOURNE(config)#int s3/1
MELBOURNE(config-if)#ip ospf message-digest-key 10 md5 MYCCIELAB@12345
SINGAPORE#sh run int s3/1
interface Serial3/1
ip address 192.168.23.3 255.255.255.0
ip ospf message-digest-key 1 md5 P@ssw0rd123
ip ospf message-digest-key 10 md5 MYCCIELAB@12345
serial restart-delay 0
end
SINGAPORE#
*Aug 3 15:21:07.099: OSPF-1 PAK : rcv. v:2 t:3 l:36 rid:20.20.20.1 aid:0.0.0.2 chk:0 aut:2 keyid:1 seq:0x57A20ABB from Serial3/1
*Aug 3 15:21:07.103: OSPF-1 PAK : rcv. v:2 t:2 l:32 rid:20.20.20.1 aid:0.0.0.2 chk:0 aut:2 keyid:1 seq:0x57A20ABB from Serial3/1
*Aug 3 15:21:07.239: OSPF-1 PAK : rcv. v:2 t:4 l:64 rid:20.20.20.1 aid:0.0.0.2 chk:0 aut:2 keyid:1 seq:0x57A20ABB from Serial3/1
*Aug 3 15:21:07.247: %OSPF-5-ADJCHG: Process 1, Nbr 20.20.20.1 on Serial3/1 from LOADING to FULL, Loading Done
*Aug 3 15:21:07.747: OSPF-1 PAK : rcv. v:2 t:4 l:76 rid:20.20.20.1 aid:0.0.0.2 chk:0 aut:2 keyid:1 seq:0x57A20ABB from Serial3/1
*Aug 3 15:21:09.735: OSPF-1 PAK : rcv. v:2 t:5 l:64 rid:20.20.20.1 aid:0.0.0.2 chk:0 aut:2 keyid:10 seq:0x57A20ABD from Serial3/1
*Aug 3 15:21:16.499: OSPF-1 PAK : rcv. v:2 t:1 l:48 rid:20.20.20.1 aid:0.0.0.2 chk:0 aut:2 keyid:10 seq:0x57A20AC4 from Serial3/1
MELBOURNE(config-if)#ip ospf message-digest-key 10 md5 MYCCIELAB@12345
*Aug 3 15:21:06.795: OSPF-1 PAK : rcv. v:2 t:1 l:48 rid:30.30.30.1 aid:0.0.0.2 chk:0 aut:2 keyid:1 seq:0x57A20AB9 from Serial3/1
*Aug 3 15:21:06.927: OSPF-1 PAK : rcv. v:2 t:2 l:32 rid:30.30.30.1 aid:0.0.0.2 chk:0 aut:2 keyid:1 seq:0x57A20ABA from Serial3/1
*Aug 3 15:21:07.047: OSPF-1 PAK : rcv. v:2 t:2 l:192 rid:30.30.30.1 aid:0.0.0.2 chk:0 aut:2 keyid:1 seq:0x57A20ABA from Serial3/1
*Aug 3 15:21:07.191: OSPF-1 PAK : rcv. v:2 t:4 l:76 rid:30.30.30.1 aid:0.0.0.2 chk:0 aut:2 keyid:1 seq:0x57A20ABA from Serial3/1
*Aug 3 15:21:07.195: OSPF-1 PAK : rcv. v:2 t:3 l:36 rid:30.30.30.1 aid:0.0.0.2 chk:0 aut:2 keyid:1 seq:0x57A20ABA from Serial3/1
*Aug 3 15:21:07.203: %OSPF-5-ADJCHG: Process 1, Nbr 30.30.30.1 on Serial3/1 from LOADING to FULL, Loading Done
MELBOURNE(config-if)#
*Aug 3 15:21:07.311: OSPF-1 PAK : rcv. v:2 t:1 l:48 rid:10.10.13.1 aid:0.0.0.0 chk:AD79 aut:1 auk: from Serial3/0
*Aug 3 15:21:07.791: OSPF-1 PAK : rcv. v:2 t:4 l:88 rid:30.30.30.1 aid:0.0.0.2 chk:0 aut:2 keyid:1 seq:0x57A20ABA from Serial3/1
*Aug 3 15:21:08.391: OSPF-1 PAK : rcv. v:2 t:1 l:48 rid:30.30.30.1 aid:0.0.0.2 chk:0 aut:2 keyid:1 seq:0x57A20ABB from Serial3/1
*Aug 3 15:21:08.395: OSPF-1 PAK : rcv. v:2 t:1 l:48 rid:30.30.30.1 aid:0.0.0.2 chk:0 aut:2 keyid:10 seq:0x57A20ABB from Serial3/1
Observation for both the MELBOURNE and SINGAPORE routers:
– As we can see above, when I added a new key and password, OSPF re-ran the adjacency process (as we know, one of the requirements for OSPF to form a neighbor is that, if authentication is enabled, the key and password have to match). It did not reset the neighbor, but it did run from the LOADING state to the FULL state.
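The key switch seen in the debug output can also be checked mechanically. The following Python parser is an added example, not part of the original lab: it reads "debug ip ospf packet" lines, reports each change of key ID per sender, and lists senders that are not using MD5. The sample lines are constructed in the format shown above, and the function names are hypothetical.

```python
import re

# aut is the OSPF AuType from the packet header (RFC 2328): 0 null,
# 1 simple password, 2 cryptographic (MD5 on the routers in this post).
AUTH = {0: "null", 1: "plain-text", 2: "md5"}

PAK = re.compile(
    r"rcv\. v:\d+ t:(?P<type>\d+) l:\d+ rid:(?P<rid>\S+) aid:(?P<aid>\S+) "
    r"chk:\S+ aut:(?P<aut>\d+)(?: keyid:(?P<keyid>\d+))?.* from (?P<intf>\S+)"
)

def parse_line(line):
    """Return the fields of one 'OSPF-1 PAK' debug line, or None."""
    m = PAK.search(line)
    if m is None:
        return None  # ADJCHG messages, prompts, truncated lines
    rec = m.groupdict()
    rec["aut"] = AUTH.get(int(rec["aut"]), "unknown")
    rec["keyid"] = int(rec["keyid"]) if rec["keyid"] else None
    return rec

def audit(lines):
    """Return (key_changes, not_md5) for an iterable of debug lines.

    key_changes: (rid, intf, old_keyid, new_keyid) tuples in log order.
    not_md5: set of (rid, intf) senders seen with aut other than 2.
    """
    last, key_changes, not_md5 = {}, [], set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        nbr = (rec["rid"], rec["intf"])
        if rec["aut"] != "md5":
            not_md5.add(nbr)
        elif last.setdefault(nbr, rec["keyid"]) != rec["keyid"]:
            key_changes.append(nbr + (last[nbr], rec["keyid"]))
            last[nbr] = rec["keyid"]
    return key_changes, not_md5

# Constructed sample in the format of the debug output shown above.
SAMPLE = """\
*Aug 3 15:21:07.191: OSPF-1 PAK : rcv. v:2 t:4 l:76 rid:30.30.30.1 aid:0.0.0.2 chk:0 aut:2 keyid:1 seq:0x57A20ABA from Serial3/1
*Aug 3 15:21:07.203: %OSPF-5-ADJCHG: Process 1, Nbr 30.30.30.1 on Serial3/1 from LOADING to FULL, Loading Done
*Aug 3 15:21:07.311: OSPF-1 PAK : rcv. v:2 t:1 l:48 rid:10.10.13.1 aid:0.0.0.0 chk:AD79 aut:1 auk: from Serial3/0
*Aug 3 15:21:08.395: OSPF-1 PAK : rcv. v:2 t:1 l:48 rid:30.30.30.1 aid:0.0.0.2 chk:0 aut:2 keyid:10 seq:0x57A20ABB from Serial3/1
""".splitlines()

if __name__ == "__main__":
    print(audit(SAMPLE))
```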
Let me play around one more time by deleting and re-adding the existing key 1.
SINGAPORE#sh run int s3/1
Building configuration…
Current configuration : 187 bytes
!
interface Serial3/1
ip address 192.168.23.3 255.255.255.0
ip ospf message-digest-key 1 md5 P@ssw0rd123
ip ospf message-digest-key 10 md5 MYCCIELAB@12345
serial restart-delay 0
end
SINGAPORE#
*Aug 3 15:37:44.359: OSPF-1 PAK : rcv. v:2 t:1 l:48 rid:20.20.20.1 aid:0.0.0.2 chk:0 aut:2 keyid:10 seq:0x57A20E89 from Serial3/1
*Aug 3 15:37:53.759: OSPF-1 PAK : rcv. v:2 t:1 l:48 rid:20.20.20.1 aid:0.0.0.2 chk:0 aut:2 keyid:10 seq:0x57A20E92 from Serial3/1
SINGAPORE#config t
Enter configuration commands, one per line. End with CNTL/Z.
SINGAPORE(config)#int s3/1
SINGAPORE(config-if)#no ip ospf message-digest-key 1 md5 P@ssw0rd123
SINGAPORE(config-if)#
*Aug 3 15:38:12.643: OSPF-1 PAK : rcv. v:2 t:1 l:48 rid:20.20.20.1 aid:0.0.0.2 chk:0 aut:2 keyid:10 seq:0x57A20EA4 from Serial3/1 <<<< We can still see here it is using KEY 10.
SINGAPORE(config-if)# ip ospf message-digest-key 1 md5 P@ssw0rd123 << Re-apply back the KEY 1
*Aug 3 15:38:21.851: OSPF-1 PAK : rcv. v:2 t:1 l:48 rid:20.20.20.1 aid:0.0.0.2 chk:0 aut:2 keyid:10 seq:0x57A20EAD from Serial3/1
Similarly, I did the same on the MELBOURNE router:
MELBOURNE#sh run int s3/1
Building configuration…
Current configuration : 187 bytes
!
interface Serial3/1
ip address 192.168.23.2 255.255.255.0
ip ospf message-digest-key 1 md5 P@ssw0rd123
ip ospf message-digest-key 10 md5 MYCCIELAB@12345
serial restart-delay 0
end
MELBOURNE#config t
Enter configuration commands, one per line. End with CNTL/Z.
MELBOURNE(config)#int s3/1
MELBOURNE(config-if)#no ip ospf message-digest-key 1 md5 P@ssw0rd123
MELBOURNE(config-if)#ip ospf message-digest-key 1 md5 P@ssw0rd123
MELBOURNE(config-if)#^Z
Looking at the logs on the SINGAPORE router, they show that after I enabled key 1 on the MELBOURNE router, the new key was used for the OSPF MD5 authentication.
SINGAPORE#
*Aug 3 15:38:30.027: %SYS-5-CONFIG_I: Configured from console by console
*Aug 3 15:38:30.855: OSPF-1 PAK : rcv. v:2 t:1 l:48 rid:20.20.20.1 aid:0.0.0.2 chk:0 aut:2 keyid:1 seq:0x57A20EB6 from Serial3/1
SINGAPORE#
*Aug 3 15:38:40.623: OSPF-1 PAK : rcv. v:2 t:1 l:48 rid:20.20.20.1 aid:0.0.0.2 chk:0 aut:2 keyid:1 seq:0x57A20EC0 from Serial3/1
*Aug 3 15:38:50.035: OSPF-1 PAK : rcv. v:2 t:1 l:48 rid:20.20.20.1 aid:0.0.0.2 chk:0 aut:2 keyid:1 seq:0x57A20EC9 from Serial3/1
SINGAPORE#
Overall Observations and Analysis:
1. A clear/plain-text OSPF password can only be up to a maximum of 8 characters.
2. An MD5 OSPF authentication key can be up to a maximum of 16 characters.
3. A newly created key will override the existing keys in use for MD5 OSPF authentication.
4. OSPF neighbors or adjacencies were NOT reset when the key was changed.
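The 8- and 16-character limits in points 1 and 2 follow from the OSPFv2 packet format in RFC 2328: the plain-text password travels as-is in the 8-byte authentication field of the header, while the MD5 key is padded to 16 bytes and hashed together with the packet. The following is an added example, not part of the original lab and not Cisco's code; it builds both header variants and verifies a digest the way a receiver would. The Hello body values and the function names are constructed for illustration.

```python
import hashlib
import struct

def ip(addr):
    return bytes(map(int, addr.split(".")))

def header(ptype, length, rid, aid, autype, auth8=bytes(8), chk=0):
    """24-byte OSPFv2 header (RFC 2328 A.3.1); auth8 is the 64-bit auth field."""
    return struct.pack("!BBH4s4sHH8s", 2, ptype, length, ip(rid), ip(aid),
                       chk, autype, auth8)

def checksum(data):
    """Standard 16-bit one's-complement Internet checksum."""
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def plain_packet(body, rid, aid, password):
    """AuType 1: the password itself travels in the 8-byte auth field."""
    pw = password.encode()
    if len(pw) > 8:
        raise ValueError("simple password field holds at most 8 bytes")
    length = 24 + len(body)
    # The checksum covers the packet with the auth field excluded (zeroed).
    chk = checksum(header(1, length, rid, aid, 1) + body)
    return header(1, length, rid, aid, 1, pw.ljust(8, b"\0"), chk) + body

def md5_packet(body, rid, aid, key_id, key, seq):
    """AuType 2: checksum is 0; MD5(packet + 16-byte key) is appended."""
    k = key.encode()
    if len(k) > 16:
        raise ValueError("MD5 key is padded to exactly 16 bytes")
    length = 24 + len(body)  # the digest is not counted in the length
    auth8 = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = header(1, length, rid, aid, 2, auth8) + body
    return pkt + hashlib.md5(pkt + k.ljust(16, b"\0")).digest()

def verify_md5(wire, keys):
    """Receiver: select the key by Key ID (header byte 18) and recompute."""
    pkt, digest = wire[:-16], wire[-16:]
    key = keys.get(pkt[18], "").encode().ljust(16, b"\0")
    return pkt[18] in keys and hashlib.md5(pkt + key).digest() == digest

# Constructed Hello body (mask, hello 10s, options, priority 0, dead 40s,
# DR, BDR, one neighbor); values are illustrative, not captured traffic.
HELLO = struct.pack("!4sHBBI4s4s4s", ip("255.255.255.0"), 10, 0x02, 0, 40,
                    ip("0.0.0.0"), ip("0.0.0.0"), ip("30.30.30.1"))
```

The zero checksum in the MD5 variant matches the chk:0 seen next to aut:2 in the debug lines, while the aut:1 line carries a non-zero checksum.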