OSPF HMAC-SHA Extended Authentication

This topic is to discuss the following lesson:

R1(config)#router ospf 1
R1(config-router)#network 192.168.12.1 255.255.255.0 area 0
  • netmask instead of wild card?

Hi Arun,

That’s an error yes, thanks for reporting it. I just fixed it.

Rene

Hello Rene,

It looks like there is also a fat-finger issue. See below:

R2(config)#router ospf 1
R2(config-router)#network 192.168.12.1 0.0.0.255 area 0

That is a typo yes, I’ll fix it. Thanks!

Rene


Hello Azat

Yes, that should be 192.168.12.2 and not .1. However, the OSPF process will interpret this as the network address of 192.168.12.0 because of the wildcard mask. If you look at the config after this command, you will indeed see the following:

network 192.168.12.0 0.0.0.255 area 0

But for completeness, I will let Rene know to clarify the command.

I hope this has been helpful!

Laz

Hello Rene,
I really enjoy this content, and it is really easy to grasp. I also appreciate the hard work that you put into this.
I have a little question. Can you explain a bit what a key chain actually is? I'm a bit confused about its purpose, if you don't mind.

Thank you
Sasindu

Hello Sasindu

Great to hear that you find the content helpful! That’s always great to hear. We do our best!

A key chain is simply a data structure that is used within a Cisco router to help manage multiple passwords, which in keychain lingo are called keys. They are also sometimes called shared secrets. These keys are then used to enable secure communication with other devices that also support key-based authentication.

The data structure allows you to create a keychain, and on that keychain, you can create keys with IDs between 0 and 65535. Each key can then be configured with a key-string which is the password itself. Under the configuration of the key, you can add many more parameters such as cryptographic algorithms and lifetime durations.

Features that use key-based authentication include OSPF, EIGRP, BGP, and RIP.

You can find out more info at the following Cisco documentation.
https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-0/security/configuration/guide/sc40crsbook_chapter5.html

I hope this has been helpful!

Laz
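
The key chain described in the reply above (key IDs, key-strings, algorithms and lifetimes), modelled as an added Python example that is not from the lesson or from Cisco. The class names, the rule of sending with the lowest active key ID, and the secrets, dates and payload are assumptions constructed for illustration; the digest is a plain HMAC over stand-in bytes, not the exact OSPF packet format.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Key:
    key_id: int          # 0-65535; sent with the packet so the peer can look it up
    key_string: bytes    # the shared secret
    algorithm: str       # hashlib digest name, e.g. "sha256"
    send: tuple          # (start, end) of the send-lifetime
    accept: tuple        # (start, end) of the accept-lifetime

def _active(window, now):
    return window[0] <= now < window[1]

class KeyChain:
    def __init__(self, keys):
        self.keys = {k.key_id: k for k in keys}

    def sign(self, payload, now):
        # Assumption of this model: the lowest key ID with an active send-lifetime is used.
        live = sorted(k.key_id for k in self.keys.values() if _active(k.send, now))
        if not live:
            raise ValueError("no key with an active send-lifetime")
        key = self.keys[live[0]]
        return key.key_id, hmac.new(key.key_string, payload, key.algorithm).digest()

    def verify(self, payload, key_id, digest, now):
        key = self.keys.get(key_id)
        if key is None or not _active(key.accept, now):
            return False  # unknown key ID, or outside its accept-lifetime
        expected = hmac.new(key.key_string, payload, key.algorithm).digest()
        return hmac.compare_digest(expected, digest)  # constant-time comparison

# Constructed rollover: key 2 is accepted a week before it is sent, and key 1
# stays accepted for a week after it stops being sent.
D = datetime
CHAIN = KeyChain([
    Key(1, b"constructed-secret-1", "sha256",
        (D(2024, 1, 1), D(2024, 7, 1)), (D(2024, 1, 1), D(2024, 7, 8))),
    Key(2, b"constructed-secret-2", "sha256",
        (D(2024, 7, 1), D(2025, 1, 1)), (D(2024, 6, 24), D(2025, 1, 1))),
])
HELLO = b"constructed OSPF hello bytes"  # stand-in payload, not a real packet
```

The overlapping accept-lifetimes are what let two neighbors roll from key 1 to key 2 without dropping the adjacency when their clocks or change windows differ slightly.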

Hi Lazaros,
Thanks for your reply. It helps a lot.


Hi Rene, please help with the OSPFv2/IS-IS HMAC-SHA-1 or HMAC-SHA-256 configuration for Cisco IOS XRv Series Software, Version 7.1.1.01 routers. Whatever you discussed in the chapter is for Cisco IOS routers.
For the Cisco IOS XRv Series, the interface-level key chain configuration command ip ospf authentication key-chain R1 is not available. Please help with this.

key chain R1
 key 1
 key-string R1_Password
 cryptographic-algorithm HMAC-SHA-256
 accept-lifetime 01:01:01 Sep 21 2023 infinite
 send-lifetime 01:01:01 Sep 21 2023 infinite
 commit

<<<< ip ospf authentication key-chain R1 <<< this config is not available on the Cisco IOS XRv Series routers. Please help with this.

R1(Config)#interface gigabitEthernet 0/0/0/2
R1(config-if)#ipv4 ? 
  access-group        Specify access control for packets
  address             Set the IPv4 address of an interface
  bgp                 Enable BGP policy based feature
  directed-broadcast  Enable forwarding of directed broadcasts
  forwarding-enable   enable ipv4 forwarding on a interface
  helper-address      Specify a destination address for UDP broadcasts
  mask-reply          Enable sending ICMP mask reply messages
  mtu                 Set IPv4 Maximum Transmission Unit
  point-to-point      Enable point-to-point handling for this interface.
  redirects           Enable sending ICMP Redirect messages
  tcp-mss-adjust      Enable tcp mss adjust for this interface.
  ttl-propagate       Disable ip ttl propagation for this interface.
  unnumbered          Enable IPv4 processing without an explicit address
  unreachables        Enable sending ICMP Unreachable messages
  verify              Enable per packet validation

Thanks,
Rajasekhar.

Hello Rajasekhar

Looking at some of the Cisco documentation on the subject, I see that the configuration process has changed slightly for IOS XR. The authentication is applied like so:

First, you need to define the key-chain:

key chain R1
 key 1
  key-string R1_Password
  cryptographic-algorithm hmac-sha-256
 commit

Then, you need to apply this key-chain to the OSPF area:

router ospf 1
 area 0
  authentication keychain R1
  interface GigabitEthernet0/0/0/2
 commit

This authentication command can be applied at the interface or the router ospf configuration mode. More information about the command can be found here:

I hope this has been helpful!

Laz