OSPF v2 security
Falsified routing information exchanged between routers can lead to denial of service (DoS).
The Virtual Service Router OSPF v2 implementation supports two kinds of authentication: simple password authentication and the more secure cryptographic authentication.
OSPF authentication is described in RFC 2328, Appendix D, and extended in RFC 5709.
Note
If simple password authentication is chosen, the password must be the same on both neighbors. If cryptographic authentication is used, each node may sign its OSPF messages with a different key; its neighbors only need to be able to verify the message digest.
OSPF authentication configuration
By default, OSPF authentication is disabled.
The OSPF authentication parameters are defined at the interface level.
The ip ospf authentication command sets the authentication policy on an
interface. If it is unset or set to null, authentication is disabled.
The type of authentication is selected with the ip ospf authentication command;
the passwords or keys are defined with additional commands.
Configuring simple password authentication
The OSPF simple password authentication method carries the authentication key in clear text in the 64-bit authentication field of the OSPF packet header.
Simple password authentication guards against routers inadvertently joining the routing domain; because the password travels in clear text, it does not protect against anyone able to observe traffic on the link.
For each interface, set the authentication policy to simple and specify an
authentication key:
vsr running config# / vrf main routing interface eth1 ip ospf authentication simple
vsr running config# / vrf main routing interface eth1 ip ospf authentication-key secret$$
Configuring cryptographic authentication
The cryptographic authentication method appends a key identifier, a sequence number and a message digest to the end of the OSPF packets. The message digest is a one-way function of the OSPF protocol packet and a secret key.
First define a key chain in the global / routing context, shared by all
routing protocols in all VRFs:
vsr running config# / routing key-chain keychain2 key 3 cryptographic-algorithm hmac-sha256
vsr running config#! / routing key-chain keychain2 key 3 secret K{yp@ss3/&#*314
vsr running config# / routing key-chain keychain2 key 3 accept-lifetime start 2025-02-01@12:42:00
vsr running config# / routing key-chain keychain2 key 3 accept-lifetime end 2025-06-30@23:59:59
vsr running config# / routing key-chain keychain2 key 3 send-lifetime start 2025-02-02@00:00:00
vsr running config# / routing key-chain keychain2 key 3 send-lifetime end 2025-06-29@23:59:59
vsr running config# / routing key-chain keychain2 key 5 cryptographic-algorithm hmac-sha256
vsr running config#! / routing key-chain keychain2 key 5 secret K{yp@ss5/&#*<42>
vsr running config# / routing key-chain keychain2 key 5 accept-lifetime start 2025-02-01@00:00:00
vsr running config# / routing key-chain keychain2 key 5 send-lifetime start 2025-02-02@00:00:00
For each interface, set the authentication policy to message-digest and
reference the key chain:
vsr running config# / vrf main routing interface eth1 ip ospf authentication message-digest
vsr running config# / vrf main routing interface eth1 ip ospf authentication-key-chain keychain2
Note
accept-lifetime and send-lifetime are optional.
OSPF v2 supports 8-bit key IDs ranging from 0 to 255.
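The cryptographic authentication trailer described above, worked through in Python as an added example (it is not VSR code): an OSPFv2 Hello is built with AuType 2, the RFC 5709 HMAC-SHA-256 digest is appended, and the receiving side verifies it with a key-chain lookup by Key ID and the sequence-number replay check. The key chain, secrets and packet contents are constructed sample values.

```python
import hashlib
import hmac
import struct

# RFC 5709: for HMAC-SHA-256 the digest length L is 32 and Apad is 0x878FE1F3 repeated L/4 times.
DIGEST_LEN = 32
APAD = bytes.fromhex("878FE1F3") * (DIGEST_LEN // 4)
AU_TYPE_CRYPTO = 2  # AuType 2 = cryptographic authentication (RFC 2328, Appendix D)
# Constructed key chain with the key IDs 3 and 5 used above; the secrets are sample values.
KEY_CHAIN = {3: b"sample-secret-for-key-3", 5: b"sample-secret-for-key-5"}
# Constructed Hello body: mask /24, HelloInterval 10, options, priority 1, RouterDeadInterval 40, DR, BDR
HELLO_BODY = struct.pack("!4sHBBI4s4s", b"\xff\xff\xff\x00", 10, 0x02, 1, 40, b"\0" * 4, b"\0" * 4)

def ospf_packet(router_id, area_id, key_id, seq, body, ptype=1):
    """OSPFv2 header (ptype 1 = Hello) + body. With cryptographic auth the checksum is 0 and
    the 64-bit auth field carries 0 (16 bits), Key ID (8), Auth Data Len (8), sequence (32)."""
    header = struct.pack("!BBH4s4sHHHBBI", 2, ptype, 24 + len(body), router_id, area_id,
                         0, AU_TYPE_CRYPTO, 0, key_id, DIGEST_LEN, seq)
    return header + body

def sign(packet, secret):
    """Append the digest: HMAC-SHA-256 over packet || Apad. RFC 5709 key preparation
    (zero-pad short keys, hash keys longer than the block size) is what hmac does anyway."""
    return packet + hmac.new(secret, packet + APAD, hashlib.sha256).digest()

def verify(data, key_chain, last_seq):
    """Receiver side: look the key up by Key ID, recompute the digest in constant time and
    enforce the non-decreasing sequence number. Returns (accepted, reason, seq)."""
    if len(data) < 24 + DIGEST_LEN:
        return False, "truncated", None
    length, autype = struct.unpack("!H", data[2:4])[0], struct.unpack("!H", data[14:16])[0]
    if autype != AU_TYPE_CRYPTO:
        return False, "not cryptographic auth", None
    key_id, auth_len, seq = struct.unpack("!BBI", data[18:24])
    if auth_len != DIGEST_LEN or len(data) != length + auth_len:
        return False, "bad auth length", None
    secret = key_chain.get(key_id)  # a Key ID absent from the chain is rejected outright
    if secret is None:
        return False, "unknown key id", None
    packet, digest = data[:length], data[length:]
    if not hmac.compare_digest(digest, hmac.new(secret, packet + APAD, hashlib.sha256).digest()):
        return False, "bad digest", None
    if seq < last_seq:  # RFC 2328 D.4.3: a lower sequence number is a replay, drop it
        return False, "replayed sequence number", None
    return True, "ok", seq

if __name__ == "__main__":
    pkt = sign(ospf_packet(b"\x01\x01\x01\x01", b"\0" * 4, 3, 100, HELLO_BODY), KEY_CHAIN[3])
    print(verify(pkt, KEY_CHAIN, 0), verify(pkt, KEY_CHAIN, 101), verify(pkt, {3: b"x"}, 0))
```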
Disabling OSPF authentication
Delete the authentication configuration at the interface level.
Remove OSPF authentication on the interface:
vsr running config# del / vrf main routing interface eth1 ip ospf authentication
Alternatively, set the authentication method to null:
vsr running config# / vrf main routing interface eth1 ip ospf authentication null
Filtering OSPF
As with BGP, filtering can be applied with a route map. The example below shows what can be done with a prefix list: OSPF is configured to redistribute BGP entries, with some of them filtered out.
Specify the prefix-list and route-map:
vrf main
routing
ipv4-prefix-list plist
seq 1 address 10.100.0.0/24 policy permit
seq 2 address 10.200.0.0/24 policy deny
seq 3 address 10.150.0.0/24 policy permit
..
route-map rmap seq 1 policy permit
route-map rmap seq 1 match ip address prefix-list plist
..
Configure a BGP instance that peers with a remote router located outside the OSPF area:
vrf main
routing bgp
as 55
router-id 1.1.1.1
neighbor 10.110.0.10 remote-as 55
..
..
BGP routes are then learnt from the remote peer:
rt1> show bgp ipv4 unicast
BGP table version is 9, local router ID is 1.1.1.1, vrf id 0
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*>i10.100.0.0/24    10.110.0.10              0    100      0 i
*>i10.150.0.0/24    10.110.0.10              0    100      0 i
*>i10.200.0.0/24    10.110.0.10              0    100      0 i
Displayed 3 routes and 3 total paths
Configure the route redistribution with the route-map filtering:
vrf main
routing ospf
redistribute bgp route-map rmap
The rt1 device has then imported the filtered BGP routes: 10.200.0.0/24 is denied by the prefix list, so only the two permitted prefixes appear as AS external LSAs.
rt1> show ospf database default
       OSPF Router with ID (1.1.1.1)

                Router Link States (Area 0.0.0.0)

Link ID         ADV Router      Age  Seq#       CkSum  Link count
1.1.1.1         1.1.1.1          127 0x80000004 0xbf9a 1

                AS External Link States

Link ID         ADV Router      Age  Seq#       CkSum  Route
10.100.0.0      1.1.1.1          630 0x80000001 0xc2ff E2 10.100.0.0/24 [0x0]
10.150.0.0      1.1.1.1          621 0x80000001 0x6828 E2 10.150.0.0/24 [0x0]