Cisco Systems OL-14356-01 Network Router User Manual


 
Implementing OSPF on Cisco IOS XR Software
Information About Implementing OSPF on Cisco IOS XR Software
RC-180
Cisco IOS XR Routing Configuration Guide
OL-14356-01
Point-to-multipoint
You can configure your Cisco IOS XR network as either a broadcast or an NBMA network. Using this
feature, you can configure broadcast networks as NBMA networks when, for example, you have routers
in your network that do not support multicast addressing.
Route Authentication Methods for OSPF
OSPF Version 2 supports two types of authentication: plain text authentication and MD5 authentication.
By default, no authentication is enabled (referred to as null authentication in RFC 2178).
OSPF Version 3 supports all types of authentication except key rollover.
Plain Text Authentication
Plain text authentication (also known as Type 1 authentication) uses a password that travels on the
physical medium and is easily visible to someone who does not have access permission and could use the
password to infiltrate a network. Therefore, plain text authentication does not provide security. It might
protect against a faulty implementation of OSPF or a misconfigured OSPF interface trying to send
erroneous OSPF packets.
MD5 Authentication
MD5 authentication provides a means of security. No password travels on the physical medium. Instead,
the router uses MD5 to produce a message digest of the OSPF packet plus the key, which is sent on the
physical medium. Using MD5 authentication prevents a router from accepting unauthorized or
deliberately malicious routing updates, which could compromise your network security by diverting
your traffic.
Note: MD5 authentication supports multiple keys, requiring that a key number be associated with a key.
Also see the “OSPF Authentication Message Digest Management” section on page RC-193.
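As an added illustration (not code from this guide or from Cisco), the following Python models the RFC 2328 Appendix D cryptographic authentication that the MD5 Authentication section describes: the digest is computed over the OSPF packet plus the key, the key number carried in the header selects the key on the receiving side, and during key rollover the sender emits one copy of the packet per configured key. Zero-padding of short keys to 16 bytes and the constructed Hello body are assumptions.

```python
import hashlib
import hmac
import struct

OSPF_HDR_LEN = 24
AUTH_CRYPTO = 2      # AuType 2: cryptographic authentication (RFC 2328 Appendix D)
DIGEST_LEN = 16      # MD5 digest appended after the OSPF packet

def pad_key(key):
    # The MD5 key is 16 bytes; shorter keys are zero-padded here (an assumption,
    # not a rule stated in the guide).
    return key[:16].ljust(16, b"\x00")

def build_packet(pkt_type, body, router_id, area_id, key_id, seq, key):
    """Sender side: build an OSPFv2 packet and append the MD5 digest of packet + key."""
    length = OSPF_HDR_LEN + len(body)            # header length excludes the digest
    # Authentication field for AuType 2: 0x0000, key ID, auth data length, sequence number
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    # The checksum is not computed with cryptographic authentication, so it is 0.
    header = struct.pack("!BBH4s4sHH8s", 2, pkt_type, length, router_id,
                         area_id, 0, AUTH_CRYPTO, auth)
    packet = header + body
    return packet + hashlib.md5(packet + pad_key(key)).digest()

def verify_packet(wire, keys, last_seq):
    """Receiver side: select the key by key ID, recompute and compare the digest."""
    if len(wire) < OSPF_HDR_LEN + DIGEST_LEN:
        return False
    length, = struct.unpack("!H", wire[2:4])
    autype, = struct.unpack("!H", wire[14:16])
    key_id, auth_len, seq = struct.unpack("!xxBBI", wire[16:24])
    if autype != AUTH_CRYPTO or auth_len != DIGEST_LEN or len(wire) != length + DIGEST_LEN:
        return False
    if key_id not in keys:        # unknown key number: the packet is dropped
        return False
    if seq < last_seq:            # sequence number guards against replayed packets
        return False
    expected = hashlib.md5(wire[:length] + pad_key(keys[key_id])).digest()
    return hmac.compare_digest(expected, wire[length:])

def rollover_copies(body, router_id, area_id, seq, keys):
    """Key rollover: one copy of the same packet per configured key, as the guide describes."""
    return [build_packet(1, body, router_id, area_id, kid, seq, k) for kid, k in keys.items()]

if __name__ == "__main__":
    # Constructed 20-byte Hello body; a neighbor that still has only key 1 accepts copy 0 only.
    copies = rollover_copies(bytes(20), bytes([10, 0, 0, 1]), bytes(4), 1, {1: b"old", 2: b"new"})
    print([verify_packet(c, {1: b"old"}, 0) for c in copies])  # [True, False]
```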
Authentication Strategies
Authentication can be specified for an entire process or area, or on an interface or a virtual link. An
interface or virtual link can be configured for only one type of authentication, not both. Authentication
configured for an interface or virtual link overrides authentication configured for the area or process.
If you intend for all interfaces in an area to use the same type of authentication, use the authentication
command in the area configuration submode (with the message-digest keyword if the entire area is to use
MD5 authentication). This strategy requires fewer commands than specifying authentication on each
interface.
Key Rollover
To support the changing of an MD5 key in an operational network without disrupting OSPF adjacencies
(and hence the topology), a key rollover mechanism is supported. As a network administrator configures
the new key into the multiple networking devices that communicate, some time exists when different
devices are using both a new key and an old key. If an interface is configured with a new key, the software
sends two copies of the same packet, each authenticated by the old key and new key. The software tracks