OSPF HMAC-SHA Extended Authentication

This topic is to discuss the following lesson:

R1(config)#router ospf 1
R1(config-router)#network 192.168.12.1 255.255.255.0 area 0
  • netmask instead of wild card?

Hi Arun,

That’s an error yes, thanks for reporting it. I just fixed it.

Rene

Hello Rene,

It looks like there is also a fat-finger issue. See below 🙂

R2(config)#router ospf 1
R2(config-router)#network 192.168.12.1 0.0.0.255 area 0

That is a typo yes, I’ll fix it. Thanks!

Rene

Hello Azat

Yes, that should be 192.168.12.2 and not .1. However, the OSPF process will interpret this as the network address of 192.168.12.0 because of the wildcard mask. If you look at the config after this command, you will indeed see the following:

network 192.168.12.0 0.0.0.255 area 0

But for completeness, I will let Rene know to clarify the command.

I hope this has been helpful!

Laz

Hello Rene,
I really enjoy this content, and it is really easy to grasp. I also appreciate the hard work you have put into this.
I have a little question. Can you explain a bit what a key chain actually is, if you don’t mind? I’m a bit confused about its purpose.

Thank you
Sasindu

Hello Sasindu

Great to hear that you find the content helpful! That’s always great to hear. We do our best!

A key chain is simply a data structure that is used within a Cisco router to help manage multiple passwords, which in keychain lingo are called keys. They are also sometimes called shared secrets. These keys are then used to enable secure communication with other devices that also support key-based authentication.

The data structure allows you to create a keychain, and on that keychain, you can create keys with IDs between 0 and 65535. Each key can then be configured with a key-string, which is the password itself. Under the configuration of the key, you can add many more parameters such as cryptographic algorithms and lifetime durations.

Features that use key-based authentication include OSPF, EIGRP, BGP, and RIP.

You can find out more info at the following Cisco documentation.

I hope this has been helpful!

Laz

Hi Lazaros,
Thanks for your reply. It helps a lot.

Hi Rene, please help with the OSPFv2/IS-IS HMAC-SHA-1 or HMAC-SHA-256 configuration for Cisco IOS XRv Series Software, Version 7.1.1.01 routers. Whatever you discussed in the chapter is for Cisco IOS routers.
For the Cisco IOS XRv Series, this interface-level key chain configuration command, ip ospf authentication key-chain R1, is not available. Please help with this.

key chain R1
 key 1
 key-string R1_Password
 cryptographic-algorithm HMAC-SHA-256
 accept-lifetime 01:01:01 Sep 21 2023 infinite
 send-lifetime 01:01:01 Sep 21 2023 infinite
 commit

<<<< ip ospf authentication key-chain R1 <<< this config is not available on Cisco IOS XRv Series routers. Please help with this.

R1(Config)#interface gigabitEthernet 0/0/0/2
R1(config-if)#ipv4 ? 
  access-group        Specify access control for packets
  address             Set the IPv4 address of an interface
  bgp                 Enable BGP policy based feature
  directed-broadcast  Enable forwarding of directed broadcasts
  forwarding-enable   enable ipv4 forwarding on a interface
  helper-address      Specify a destination address for UDP broadcasts
  mask-reply          Enable sending ICMP mask reply messages
  mtu                 Set IPv4 Maximum Transmission Unit
  point-to-point      Enable point-to-point handling for this interface.
  redirects           Enable sending ICMP Redirect messages
  tcp-mss-adjust      Enable tcp mss adjust for this interface.
  ttl-propagate       Disable ip ttl propagation for this interface.
  unnumbered          Enable IPv4 processing without an explicit address
  unreachables        Enable sending ICMP Unreachable messages
  verify              Enable per packet validation

Thanks,
Rajasekhar.

Hello Rajasekhar

Looking at some of the Cisco documentation on the subject, I see that the configuration process has changed slightly for IOS XR. The authentication is applied like so:

First, you need to define the key-chain:

key chain R1
 key 1
  key-string R1_Password
  cryptographic-algorithm hmac-sha-256
 commit

Then, you need to apply this key-chain to the OSPF area:

router ospf 1
 area 0
  authentication keychain R1
  interface GigabitEthernet0/0/0/2
 commit

This authentication command can be applied at the interface or the router ospf configuration mode. More information about the command can be found here:

I hope this has been helpful!

Laz
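The key chain above supplies the secret, but the thread never shows what the router actually does with it on the wire. The following added example (mine, not code from the thread or from Cisco) computes and verifies the OSPFv2 cryptographic authentication trailer for HMAC-SHA-256 as RFC 5709 specifies it, over a constructed OSPF Hello packet. The router IDs, area, sequence number and the key dictionary standing in for the key chain are all constructed sample values; the key string R1_Password is the one from the thread. Note that RFC 5709 pads the key to the digest length L rather than the hash block size, so this is deliberately not Python's standard hmac module.

```python
"""Added example: RFC 5709 HMAC-SHA authentication trailer for OSPFv2,
computed over a constructed (not captured) Hello packet."""
import hashlib
import hmac
import socket
import struct

APAD_WORD = bytes.fromhex("878FE1F3")  # RFC 5709 Apad constant, repeated L/4 times


def rfc5709_digest(key: bytes, ospf_packet: bytes, hash_name: str = "sha256") -> bytes:
    """Return the L-octet digest that is appended as the authentication trailer.

    ospf_packet is the full OSPFv2 packet (header + body) whose header
    authentication field already holds Key ID, Auth Data Length and the
    cryptographic sequence number.  The key is padded to L (digest size),
    as RFC 5709 requires, not to the block size used by RFC 2104 HMAC.
    """
    h = getattr(hashlib, hash_name)
    L = h().digest_size
    ko = h(key).digest() if len(key) > L else key.ljust(L, b"\x00")
    ipad = bytes(b ^ 0x36 for b in ko)
    opad = bytes(b ^ 0x5C for b in ko)
    apad = APAD_WORD * (L // 4)
    # The trailer position is filled with Apad while hashing.
    first = h(ipad + ospf_packet + apad).digest()
    return h(opad + first).digest()


def build_hello(router_id: str, area_id: str, key_id: int, seq: int, auth_len: int) -> bytes:
    """Constructed OSPFv2 Hello with AuType=2 (cryptographic authentication).

    The header checksum is 0, as RFC 2328 D.4.3 requires when cryptographic
    authentication is in use.  Hello values are sample values only.
    """
    body = struct.pack(
        "!4sHBBI4s4s",
        socket.inet_aton("255.255.255.0"),  # network mask
        10,                                 # HelloInterval
        0x02,                               # options (E bit)
        1,                                  # router priority
        40,                                 # RouterDeadInterval
        socket.inet_aton("0.0.0.0"),        # DR
        socket.inet_aton("0.0.0.0"),        # BDR
    )
    length = 24 + len(body)
    header = struct.pack("!BBH4s4sHH", 2, 1, length,
                         socket.inet_aton(router_id), socket.inet_aton(area_id),
                         0, 2)  # checksum 0, AuType 2
    auth_field = struct.pack("!HBBI", 0, key_id, auth_len, seq)
    return header + auth_field + body


def sign(key: bytes, packet: bytes, hash_name: str = "sha256") -> bytes:
    """Datagram as sent: packet followed by its authentication trailer."""
    return packet + rfc5709_digest(key, packet, hash_name)


def verify(keychain: dict, wire: bytes, hash_name: str = "sha256") -> bool:
    """Look up the Key ID carried in the header (as a key chain would),
    recompute the trailer and compare it in constant time."""
    if len(wire) < 24:
        return False
    pkt_len = struct.unpack("!H", wire[2:4])[0]
    key_id, auth_len = wire[18], wire[19]
    if len(wire) != pkt_len + auth_len or key_id not in keychain:
        return False
    packet, trailer = wire[:pkt_len], wire[pkt_len:]
    expected = rfc5709_digest(keychain[key_id], packet, hash_name)
    return hmac.compare_digest(trailer, expected)


def demo():
    """Returns (genuine_ok, tampered_ok); expected (True, False)."""
    keychain = {1: b"R1_Password"}  # mirrors "key 1 / key-string R1_Password"
    hello = build_hello("1.1.1.1", "0.0.0.0", key_id=1, seq=1, auth_len=32)
    wire = sign(keychain[1], hello)
    tampered = bytearray(wire)
    tampered[28] ^= 0x01  # flip one bit in HelloInterval after signing
    return verify(keychain, wire), verify(keychain, bytes(tampered))


if __name__ == "__main__":
    print(demo())
```

Passing `hash_name="sha1"` gives the HMAC-SHA-1 variant with L = 20; the Auth Data Length byte in the header must then be 20 as well, which is the value the key chain's cryptographic-algorithm setting determines on a real router.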

Hello, everyone

I haven’t found much documentation regarding this, but if I configure authentication via a key chain on XR, such as:

RP/0/RP0/CPU0:R2-XR(config-ospf-ar-if)#do show key chain
Sun Dec 14 10:12:45.823 UTC

Key-chain: CISCO -

  timezone -- local
  Key 1 -- text "01302F377824"
    Cryptographic-Algorithm -- HMAC_SHA_256
    Send lifetime -- Not configured
    Accept lifetime -- Not configured

RP/0/RP0/CPU0:R2-XR(config-ospf-ar-if)#

RP/0/RP0/CPU0:R2-XR(config-ospf-ar-if)#do show run router ospf
Sun Dec 14 10:13:05.081 UTC
router ospf 110
 router-id 2.2.2.2
 area 0
  interface GigabitEthernet0/0/0/1
  !
 !
 area 51
  authentication keychain CISCO
  nssa no-summary

On XR, the send and accept lifetimes aren’t enabled by default? Because my router just stopped sending hellos until I configured those. If I do the same on XE,

R5(config-if)#do show key chain
Key-chain CISCO:
    key 1 -- text "CISCO"
        cryptographic-algorithm: hmac-sha-256
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
R5(config-if)#

Key sending and accepting are pretty much enabled by default and always valid. Is this normal or just a CML thing?

Thank you
David

Hello David

In IOS-XR, any key that is configured without a lifetime is considered invalid. (See this Cisco documentation). And when you create a key chain such as the one you shared, if you don’t explicitly configure a lifetime, it remains “Not configured” as in your output.

No, they’re not. This is just one more small but significant design approach of XR (where correctness of operation and uptime are of utmost importance) that makes you explicitly configure them. There is no default value, and if you don’t configure them, the key will simply not work. This requires you to be more intentional about your configuration, something that’s important for the kinds of networks that IOS-XR supports.

IOS-XE is indeed different in that when the default lifetime of “always” is applied, it is simply always valid. This is a more appropriate approach for branch office and enterprise networks, but not for service provider networks. So this is really just a design difference, based on the role that these devices play in their respective environments.

I hope this has been helpful!

Laz
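To make the platform difference concrete, here is an added example (mine, not code from the thread or from Cisco) that models the key chain described earlier in the thread and the two lifetime policies just discussed: on IOS-XR a key with no lifetime is invalid, on IOS-XE it defaults to always valid. It parses the lifetime syntax used in the thread (`01:01:01 Sep 21 2023 infinite`) plus the `duration <seconds>` end form, and picks the key a router would send with. The platform names, the `Key` class and the rule that the lowest valid key ID is chosen for sending are assumptions of the model, not documented router behaviour.

```python
"""Added example: key-chain lifetime validity under IOS-XR and IOS-XE rules."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# (start, end); end None means "infinite".  A key attribute of None means
# the lifetime was never configured ("Not configured" in show key chain).
Window = Tuple[datetime, Optional[datetime]]
FMT = "%H:%M:%S %b %d %Y"


def parse_lifetime(spec: str) -> Window:
    """Parse 'HH:MM:SS Mon DD YYYY (infinite | HH:MM:SS Mon DD YYYY | duration N)'."""
    parts = spec.split()
    if len(parts) < 5:
        raise ValueError(f"unrecognised lifetime: {spec!r}")
    start = datetime.strptime(" ".join(parts[:4]), FMT)
    rest = parts[4:]
    if rest == ["infinite"]:
        return start, None
    if len(rest) == 2 and rest[0] == "duration":
        return start, start + timedelta(seconds=int(rest[1]))
    if len(rest) == 4:
        end = datetime.strptime(" ".join(rest), FMT)
        if end <= start:
            raise ValueError("lifetime end must be after start")
        return start, end
    raise ValueError(f"unrecognised lifetime: {spec!r}")


@dataclass
class Key:
    """One key of a key chain (hypothetical model of the CLI object)."""
    key_id: int
    key_string: str
    algorithm: str
    send_lifetime: Optional[Window] = None
    accept_lifetime: Optional[Window] = None


def _in_window(window: Window, now: datetime) -> bool:
    start, end = window
    return start <= now and (end is None or now < end)


def key_usable(key: Key, now: datetime, platform: str, direction: str) -> bool:
    """direction is 'send' or 'accept'; platform is 'ios-xr' or 'ios-xe'."""
    window = key.send_lifetime if direction == "send" else key.accept_lifetime
    if window is None:
        # IOS-XR: no lifetime configured -> key invalid.
        # IOS-XE: default lifetime "always" -> key valid.
        return platform == "ios-xe"
    return _in_window(window, now)


def select_send_key(keys: List[Key], now: datetime, platform: str) -> Optional[Key]:
    """Lowest-ID key valid for sending (assumed selection rule), else None,
    which is the state in which hellos stop being authenticated."""
    for k in sorted(keys, key=lambda k: k.key_id):
        if key_usable(k, now, platform, "send"):
            return k
    return None


def demo():
    """The thread's two configurations, evaluated on both platforms."""
    now = datetime(2025, 12, 14, 10, 12, 45)  # constructed 'now'
    bare = Key(1, "01302F377824", "HMAC_SHA_256")  # no lifetimes, as on R2-XR
    lived = Key(1, "R1_Password", "hmac-sha-256",
                parse_lifetime("01:01:01 Sep 21 2023 infinite"),
                parse_lifetime("01:01:01 Sep 21 2023 infinite"))
    return {
        "bare_on_xr": select_send_key([bare], now, "ios-xr") is not None,
        "bare_on_xe": select_send_key([bare], now, "ios-xe") is not None,
        "lived_on_xr": select_send_key([lived], now, "ios-xr") is not None,
    }


if __name__ == "__main__":
    print(demo())  # {'bare_on_xr': False, 'bare_on_xe': True, 'lived_on_xr': True}
```

The `bare_on_xr` result is exactly the symptom in the thread: with no lifetime the XR router has no valid send key, so it stops sending authenticated hellos until a lifetime is added.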

Hello Laz

Thank you very much!

David