When using simple password authentication, a password is included in the packet.
If it does not match the password configured on the receiving router, the packet is
discarded. This method provides very little security: the password travels in the
clear in the OSPF header, so anyone who can capture routing protocol packets on the
link can read the authentication key directly.
When using Message-Digest 5 (MD5) authentication, the router uses the MD5
algorithm to verify data integrity: it computes a 128-bit message digest over the
routing protocol packet combined with the authentication key, and sends the digest
(never the key itself) along with the packet. Without the proper key and key-id, it is
nearly impossible to produce any message that matches the prespecified target message
digest, so a snooper cannot recover the key from captured packets, and a packet that
has been altered in transit fails verification and is discarded.
Before specifying MD5 authentication, configure the message-digest key-i d and
key (see Message Digest Key-id).
The Authentication Key and Message Digest Key-id must be used consistently
throughout the autonomous system. (Note that the Message Digest Key-id field is
enabled only when the MD5 authentication type is selected.)
Authentication Key – Assign a plain-text password used by neighboring routers
to verify the authenticity of routing protocol messages. (Range: 1-8 characters for
simple password or 1-16 characters for MD5 authentication; Default: no key)
When plain-text or Message-Digest 5 (MD5) authentication is enabled as
described in the preceding item, this password (key) is used to authenticate routing
protocol packets originated by this device. With plain-text authentication the
password itself is inserted into the authentication field of the OSPF header; with
MD5 authentication the key never leaves the router, and the header instead carries
the key-id while the digest computed from the packet and the key is appended to it.
A different password can be assigned to each network interface, but all routers
attached to a given network must use the same password on that network, and the
same key-id and key must be configured throughout the network (that is, the
autonomous system). Only neighboring routers in the same network that share the
same password will exchange routing data.
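The difference between the two authentication types on the wire, as an added worked example written for this page (it is not code from the manual or from the device's firmware): it builds an OSPFv2 packet with AuType 1 (simple password) and AuType 2 (MD5) following RFC 2328 Appendix D, verifies each as a receiving router would, and shows that a captured simple-password packet contains the password while a captured MD5 packet contains only the key-id and the digest. The constructed Hello body, the router ID 10.0.0.1, and the zero-padding of keys shorter than 16 bytes are assumptions for illustration.

```python
"""Build and verify OSPFv2 packets under AuType 1 (simple password) and AuType 2 (MD5).

Added illustration following RFC 2328 Appendix D; not the device's own implementation.
"""
import hashlib
import hmac
import struct

AU_NULL, AU_SIMPLE, AU_MD5 = 0, 1, 2
HDR_LEN = 24            # OSPFv2 header: 16 bytes + 8-byte authentication field
MD5_KEY_LEN = 16        # RFC 2328 D.3: the MD5 key is 16 bytes
ROUTER_ID = bytes([10, 0, 0, 1])   # constructed router ID for the examples
AREA_ID = bytes(4)                 # backbone area 0.0.0.0


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (used for AuType 0 and 1 only)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pad_key(key: bytes) -> bytes:
    # Assumption: keys shorter than 16 bytes are zero-padded on the right, which is
    # how the manual's 1-16 character range for MD5 keys is commonly realised.
    return key.ljust(MD5_KEY_LEN, b"\x00")[:MD5_KEY_LEN]


def build_packet(au_type, pkt_type, payload, *, password=b"", key_id=0, seq=0, key=b""):
    """Return an OSPFv2 packet authenticated according to au_type."""
    length = HDR_LEN + len(payload)
    head = struct.pack("!BBH4s4sHH", 2, pkt_type, length, ROUTER_ID, AREA_ID, 0, au_type)
    if au_type == AU_NULL:
        auth = bytes(8)
    elif au_type == AU_SIMPLE:
        auth = password.ljust(8, b"\x00")[:8]          # password rides in the clear
    elif au_type == AU_MD5:
        auth = struct.pack("!HBBI", 0, key_id, MD5_KEY_LEN, seq)   # key-id, length, seq
    else:
        raise ValueError("unknown AuType %d" % au_type)
    pkt = head + auth + payload
    if au_type != AU_MD5:
        # checksum covers the whole packet except the 64-bit authentication field
        csum = internet_checksum(pkt[:16] + pkt[24:])
        return pkt[:12] + struct.pack("!H", csum) + pkt[14:]
    # AuType 2: checksum stays zero; MD5(packet || key) is appended after the packet
    return pkt + hashlib.md5(pkt + pad_key(key)).digest()


def verify_packet(pkt, *, password=b"", keys=None):
    """Receiver-side check. keys maps key-id -> key for AuType 2. Returns (ok, reason)."""
    keys = keys or {}
    if len(pkt) < HDR_LEN:
        return False, "truncated"
    version, _, length, _, _, _, au_type = struct.unpack("!BBH4s4sHH", pkt[:16])
    if version != 2 or length < HDR_LEN or length > len(pkt):
        return False, "bad header"
    body = pkt[:length]
    if au_type in (AU_NULL, AU_SIMPLE):
        if internet_checksum(body[:16] + body[24:]) != 0:
            return False, "bad checksum"
        if au_type == AU_SIMPLE and not hmac.compare_digest(
                body[16:24], password.ljust(8, b"\x00")[:8]):
            return False, "password mismatch"
        return True, "accepted (AuType %d)" % au_type
    if au_type != AU_MD5:
        return False, "unknown AuType"
    _, key_id, auth_len, seq = struct.unpack("!HBBI", body[16:24])
    if auth_len != MD5_KEY_LEN or len(pkt) < length + auth_len:
        return False, "bad authentication length"
    key = keys.get(key_id)
    if key is None:
        return False, "no key configured for key-id %d" % key_id
    expected = hashlib.md5(body + pad_key(key)).digest()
    if not hmac.compare_digest(expected, pkt[length:length + auth_len]):
        return False, "digest mismatch"
    return True, "accepted (MD5 key-id %d, seq %d)" % (key_id, seq)


def snoop_demo():
    """What an on-link eavesdropper sees, and what the receiver accepts, per AuType."""
    password, key = b"s3cret", b"ospf-md5-key"
    # Constructed Hello body: netmask, hello interval 10, options, priority 1, dead 40, DR, BDR.
    hello = b"\xff\xff\xff\x00" + b"\x00\x0a\x02\x01" + b"\x00\x00\x00\x28" + bytes(8)
    simple = build_packet(AU_SIMPLE, 1, hello, password=password)
    md5 = build_packet(AU_MD5, 1, hello, key_id=1, seq=1, key=key)
    tampered = md5[:30] + bytes([md5[30] ^ 0x01]) + md5[31:]   # flip one payload bit
    return {
        "simple_accepted": verify_packet(simple, password=password)[0],
        "simple_password_visible": password in simple,
        "md5_accepted": verify_packet(md5, keys={1: key})[0],
        "md5_key_visible": key in md5,
        "md5_wrong_key": verify_packet(md5, keys={1: b"wrong"})[0],
        "md5_tampered": verify_packet(tampered, keys={1: key})[0],
    }


if __name__ == "__main__":
    for name, value in snoop_demo().items():
        print("%-24s %s" % (name, value))
```

Running the block prints one line per check: the simple-password packet is accepted but `simple_password_visible` is true, whereas the MD5 packet is accepted, never exposes the key, and is rejected both under a wrong key and after a single flipped bit. The cryptographic sequence number is parsed but not tracked here; a real receiver also rejects packets whose sequence number goes backwards, which is the replay protection the digest alone does not give.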
Message Digest Key-id – Assigns a key-id used in conjunction with the
authentication key to verify the authenticity of routing protocol messages sent to
neighboring routers. (Range: 1-255; Default: none)
Normally, only one key is used per interface to generate authentication information
for outbound packets and to authenticate incoming packets. Neighbor routers must
use the same key identifier and key value.
When changing to a new key, the router will send multiple copies of all protocol
messages, one with the old key and another with the new key. Once all the
neighboring routers start sending protocol messages back to this router with the
new key, the router will stop using the old key. This rollover process gives the
network administrator time to update all the routers on the network without
affecting the network connectivity. Once all the network routers have been updated
with the new key, the old key should be removed for security reasons.
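The key rollover described in the two preceding paragraphs, as an added example written for this page (it is not the manual's or the device's code): two neighboring routers each hold a per-interface key table indexed by key-id, the router that receives a new key first sends one copy of each message per key, and it drops the old key from its outbound set only after its neighbor's last accepted packet used the new key-id, following the procedure in RFC 2328 Appendix D. The router names, the stand-in Hello body, and the "last accepted packet" rule for deciding that a neighbor has switched are simplifying assumptions.

```python
"""Model of OSPF MD5 key rollover across two neighbours (added illustration, RFC 2328 D.3)."""
import hashlib
import hmac


def keyed_digest(msg: bytes, key: bytes) -> bytes:
    """MD5 over the message followed by the 16-byte key, as RFC 2328 Appendix D does."""
    return hashlib.md5(msg + key.ljust(16, b"\x00")[:16]).digest()


class OspfInterface:
    """One router's key table for an interface, plus what it knows about neighbours' key-ids."""

    def __init__(self, router, keys):
        self.router = router
        self.keys = dict(keys)            # key-id -> configured key value
        self.send_ids = set(self.keys)    # key-ids currently used for outbound copies
        self.neighbor_kid = {}            # neighbour -> key-id of its last accepted packet

    def originate(self, msg):
        """One (key-id, msg, digest) copy per active send key: one normally, two mid-rollover."""
        return [(kid, msg, keyed_digest(msg, self.keys[kid])) for kid in sorted(self.send_ids)]

    def receive(self, neighbor, kid, msg, tag):
        """Accept only if the key-id is configured here and the digest verifies under that key."""
        key = self.keys.get(kid)
        if key is None or not hmac.compare_digest(tag, keyed_digest(msg, key)):
            return False
        self.neighbor_kid[neighbor] = kid
        return True

    def add_key(self, kid, key):
        """Administrator configures the new key; it is used immediately alongside the old one."""
        self.keys[kid] = key
        self.send_ids.add(kid)

    def settle(self, new_kid):
        """Stop sending old-key copies once every known neighbour has sent with new_kid."""
        if self.neighbor_kid and all(k == new_kid for k in self.neighbor_kid.values()):
            self.send_ids = {new_kid}
            return True
        return False

    def remove_key(self, kid):
        """Administrator's final step; refused while the key is still used for sending."""
        if kid in self.send_ids:
            raise RuntimeError("key-id %d still in use on %s" % (kid, self.router))
        del self.keys[kid]


def exchange(src, dst, msg):
    """Deliver every outbound copy from src to dst; return dst's acceptance result per copy."""
    return [dst.receive(src.router, *copy) for copy in src.originate(msg)]


def rollover_scenario():
    """Walk the rollover and record what happens at each stage (constructed scenario)."""
    r1 = OspfInterface("R1", {1: b"old-key"})
    r2 = OspfInterface("R2", {1: b"old-key"})
    hello = b"hello"                           # stand-in for an OSPF Hello body
    stages = {}
    stages["steady"] = (exchange(r1, r2, hello), exchange(r2, r1, hello))   # one copy each way
    r1.add_key(2, b"new-key")                  # administrator updates R1 first
    stages["r1_copies"] = exchange(r1, r2, hello)        # R2 has no key-id 2 yet: [True, False]
    exchange(r2, r1, hello)                    # R2 still answers with key-id 1 only
    stages["r1_settled_early"] = r1.settle(2)  # so R1 must keep sending the old-key copy
    r2.add_key(2, b"new-key")                  # administrator updates R2
    stages["r2_copies"] = exchange(r2, r1, hello)        # both copies accepted by R1
    stages["r1_settled"] = r1.settle(2)        # R2's last packet used key-id 2: old key dropped
    stages["r1_copies_after"] = exchange(r1, r2, hello)  # back to a single copy
    stages["r2_settled"] = r2.settle(2)
    r1.remove_key(1)                           # final administrative cleanup of the old key
    r2.remove_key(1)
    stages["removed"] = 1 not in r1.keys and 1 not in r2.keys
    return stages


if __name__ == "__main__":
    for stage, result in rollover_scenario().items():
        print("%-18s %s" % (stage, result))
```

The stage results show why the rollover never breaks adjacency: while only R1 has the new key, its old-key copy is still accepted by R2, and R1 refuses to settle on key-id 2 until R2 itself has sent with it. `remove_key` raising while a key is still in the send set models the manual's instruction that the old key is removed only after every router has been updated.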
Configuring the Open Shortest Path First Protocol