Configuring Authentication for OSPFv2
All OSPFv2 protocol exchanges can be authenticated to guarantee that only trusted routers participate in the autonomous system’s routing. By default, OSPFv2 authentication is disabled. Junos OS supports MD5 and simple authentication, and in Junos OS Release 8.3 and later, IPsec authentication. You can configure IPsec authentication for the OSPFv2 interface, the remote endpoint of a sham link, and the OSPFv2 virtual link.
 | Note: You can configure IPsec authentication together with either MD5 or simple authentication. |
- To enable IPsec authentication for an OSPFv2 interface, include the ipsec-sa name statement for a specific interface:
- To enable IPsec authentication for a remote sham link,
include the ispec-sa name statement
for the remote end point of the sham link:sham-link-remote address ipsec-sa name;
Note: If a Layer 3 VPN configuration has multiple sham links with the same remote endpoint IP address, you must configure the same IPsec security association for all the remote endpoints. You configure a Layer 3 VPN at the [edit routing-instances routing-instance-name instance-type] hierarchy level. For more information about Layer 3 VPNs, see the Junos VPNs Configuration Guide.
- To enable IPsec authentication for a virtual link, include
the ipsec-sa name statement for a specific
virtual link:virtual-link neighbor-id router-id transit-area area-id ipsec-sa name;
For a list of hierarchy levels at which you can include these statements, see the statement summary sections for these statements.
You specify the IPsec authentication name by including the ipsec-sa name statement where name is the name of the IPsec security association. You configure the actual IPsec authentication separately. Only manual security associations (SAs) are supported for OSPFv2 authentication using IPsec. Dynamic IKE SAs are not supported. For more information about IPsec, see the Junos System Basics Configuration Guide, the Junos Services Interfaces Configuration Guide, and the Junos Feature Guide.
The following restrictions also apply to IPsec authentication for OSPFv2:
- Only IPsec transport mode is supported. Tunnel mode is not supported.
- Because only bidirectional manual SAs are supported, all OSPFv2 peers must be configured with the same IPsec SA. You configure a manual bidirectional SA at the [edit security ipsec] hierarchy level.
- You must also configure the same IPsec SA for all virtual links with the same remote endpoint address, for all neighbors on OSPF nonbroadcast multiaccess (NBMA) or point-to-multipoint (P2MP) links, and for every subnet that is part of a broadcast link.
- OSPFv2 peer interfaces are not supported.
Simple authentication uses a text password that is included in the transmitted packet. The receiving router uses an authentication key (password) to verify the packet.
The MD5 algorithm creates an encoded checksum that is included in the transmitted packet. The receiving router uses an authentication key (password) to verify the packet.
For MD5 authentication to work, both the receiving and transmitting routers must have the same MD5 key. Define an MD5 key for each interface. If MD5 is enabled on an interface, that interface accepts routing updates only if MD5 authentication succeeds; otherwise, updates are rejected. The key ID can be set to any value between 0 and 255, with a default value of 0. The router only accepts OSPFv2 packets sent using the same key ID that is defined for that interface.
To enable authentication and specify an authentication method as well as a key (password) for an OSPF interface or virtual link, include the authentication statement and either a single simple-password statement or one or more md5 statements:
For a list of hierarchy levels at which you can include these statements, see the statement summary sections for these statements.
A simple password and MD5 key are mutually exclusive. You can configure only one simple password but configure multiple MD5 keys.
The simple key (password) can be from 1 through 8 characters long. Each MD5 key is identified by a key identifier. The MD5 key value can be from 1 through 16 characters long. Characters can include ASCII strings. If you include spaces, enclose all characters in quotation marks (“ ”).
As part of your security measures, you can change MD5 keys. You can do this by configuring multiple MD5 keys, each with a unique key ID, and setting the date and time to switch to the new key. Each unique MD5 key has a unique ID. The ID is used by the receiver of the OSPF packet to determine which key to use for authentication. The key identifier, which is required for MD5 authentication, specifies the identifier associated with the MD5 key.
The start time specifies when to start using the MD5 key. This is optional. The start-time option enables you to configure a smooth transition mechanism for multiple keys. The start time is relevant for transmission but not for receiving OSPF packets.
See the following sections:
Example: Configuring IPsec Authentication for an OSPFv2 Interface
Configure IPsec authentication for OSPFv2 interface so-0/2/0.0. Include the name of the manual SA sa1 that you configure at the [edit security ipsec] hierarchy level.
Example: Configuring a Transition of MD5 Keys
Configure new keys to take effect at 12:01 AM on the first day of the next three months:
Set the same passwords and transition dates and times on all the routers in the area so that OSPF adjacencies remain active.
Example: Configuring MD5 Authentication
Configure MD5 authentication for OSPF:
# SECRET-DATAmd5 2 key "$9$DJHkP5T3/A0Uj6A0Irl"; # SECRET-DATA}}reference-bandwidth 4g;traceoptions {file ospf size 5m world-readable;flag error;}}
