Asante Technologies 40240/40480-10G Switch User Manual
When using simple password authentication, a password is included in the packet.
If it does not match the password configured on the receiving router, the packet is
discarded. This method provides very little security as it is possible to learn the
authentication key by snooping on routing protocol packets.
When using Message-Digest 5 (MD5) authentication, the router uses the MD5
algorithm to verify data integrity by creating a 128-bit message digest from the
authentication key. Without the proper key and key-id, it is nearly impossible to
produce any message that matches the prespecified target message digest.
Before specifying MD5 authentication, configure the message-digest key-id and
key (see Message Digest Key-id).
The Authentication Key and Message Digest Key-id must be used consistently
throughout the autonomous system. (Note that the Message Digest Key-id field is
enabled only when MD5 authentication type is selected.)
Authentication Key – Assign a plain-text password used by neighboring routers
to verify the authenticity of routing protocol messages. (Range: 1-8 characters for
simple password or 1-16 characters for MD5 authentication; Default: no key)
When plain-text or Message-Digest 5 (MD5) authentication is enabled as
described in the preceding item, this password (key) is inserted into the OSPF
header when routing protocol packets are originated by this device.
A different password can be assigned to each network interface, but the password
must be used consistently on all neighboring routers throughout a network (that is,
autonomous system). All neighboring routers in the same network with the same
password will exchange routing data.
Message Digest Key-id – Assigns a key-id used in conjunction with the
authentication key to verify the authenticity of routing protocol messages sent to
neighboring routers. (Range: 1-255; Default: none)
Normally, only one key is used per interface to generate authentication information
for outbound packets and to authenticate incoming packets. Neighbor routers must
use the same key identifier and key value.
When changing to a new key, the router will send multiple copies of all protocol
messages, one with the old key and another with the new key. Once all the
neighboring routers start sending protocol messages back to this router with the
new key, the router will stop using the old key. This rollover process gives the
network administrator time to update all the routers on the network without
affecting the network connectivity. Once all the network routers have been updated
with the new key, the old key should be removed for security reasons.
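The key-id, the 16-character key limit and the rollover window described above map directly onto the OSPFv2 cryptographic authentication format (RFC 2328, Appendix D), where the digest is MD5 over the whole packet followed by the zero-padded key. The following Python is an added illustration, not code from the Asante manual: it builds a minimal OSPFv2 header with AuType 2, signs it, and verifies frames against a keyring that can hold both an old and a new key-id during rollover. The router/area IDs, the key values and the Hello body are constructed sample data.

```python
import hashlib
import hmac
import socket
import struct

OSPF_AUTH_MD5 = 2   # AuType 2 = cryptographic (MD5) authentication
DIGEST_LEN = 16     # MD5 digest length; also the padded key length

def build_packet(router_id, area_id, key_id, seq, body):
    """24-byte OSPFv2 header for MD5 auth followed by the packet body.
    Checksum is zero for AuType 2; the 8-byte authentication field carries
    the key-id, the auth data length (16) and a cryptographic sequence number."""
    length = 24 + len(body)
    header = struct.pack("!BBH4s4sHH", 2, 1, length,
                         socket.inet_aton(router_id), socket.inet_aton(area_id),
                         0, OSPF_AUTH_MD5)
    auth_field = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    return header + auth_field + body

def md5_digest(packet, key):
    """Digest = MD5(packet || key), key zero-padded to 16 bytes (RFC 2328 D.4.3).
    The Authentication Key is limited to 1-16 characters for MD5."""
    if not 1 <= len(key) <= DIGEST_LEN:
        raise ValueError("MD5 authentication key must be 1-16 characters")
    padded_key = key.encode("ascii").ljust(DIGEST_LEN, b"\x00")
    return hashlib.md5(packet + padded_key).digest()

def sign(packet, key):
    """Append the digest after the packet; it is not counted in the length field."""
    return packet + md5_digest(packet, key)

def verify(frame, keyring):
    """keyring maps key-id -> key. During rollover it holds both the old and the
    new id, which is why the stale id must be deleted once rollover completes."""
    if len(frame) < 24:
        return False
    pkt_len = struct.unpack("!H", frame[2:4])[0]
    autype = struct.unpack("!H", frame[14:16])[0]
    packet, trailer = frame[:pkt_len], frame[pkt_len:]
    if pkt_len < 24 or autype != OSPF_AUTH_MD5 or len(trailer) != DIGEST_LEN:
        return False
    key_id, auth_len = packet[18], packet[19]
    key = keyring.get(key_id)
    if key is None or auth_len != DIGEST_LEN:
        return False
    # Constant-time comparison of the received and recomputed digests.
    return hmac.compare_digest(trailer, md5_digest(packet, key))

# Constructed sample: a Hello-type body signed with key-id 1 and key "s3cret".
HELLO_BODY = b"\xff\xff\xff\x00" + b"\x00" * 16   # netmask + placeholder fields
FRAME = sign(build_packet("10.0.0.1", "0.0.0.0", 1, 100, HELLO_BODY), "s3cret")
```

A frame signed with key-id 1 verifies while the keyring still contains id 1 alongside the new id 2, and stops verifying as soon as id 1 is removed, which is the end state the rollover procedure above works toward.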
Configuring the Open Shortest Path First Protocol