Cisco Systems OL-14356-01 Network Router User Manual
Implementing OSPF on Cisco IOS XR Software
Information About Implementing OSPF on Cisco IOS XR Software
Cisco IOS XR Routing Configuration Guide
OSPF Authentication Message Digest Management
Every OSPF protocol packet carries an authentication field; the method used (null, simple password, or
cryptographic) depends on how authentication is configured. With cryptographic authentication, OSPF
uses the Message Digest 5 (MD5) algorithm to authenticate packets exchanged between neighbors in the
network. For each OSPF protocol packet, a secret key is used to generate and verify a message digest
that is appended to the end of the OSPF packet. The digest is a one-way function of the OSPF packet
and the secret key, so a sender that does not hold the key cannot forge or alter a packet without the
digest failing to verify; the packet itself is not encrypted. Each key is identified by the combination of
the interface on which it is used and its key identification (key ID). An interface may have multiple keys
active at any time. MD5 is a legacy algorithm kept for interoperability; where the platform offers a
stronger keychain algorithm for OSPF (RFC 5709 HMAC-SHA), prefer it.
To manage the rollover of keys and enhance MD5 authentication for OSPF, you can configure a container
of keys called a keychain. Each key in the keychain comprises the following attributes: generate (send)
and accept lifetimes, key ID, and authentication algorithm. Letting the accept lifetime of a new key start
before its send lifetime means a neighbor that switches to the new key first is still accepted, so the
rollover does not drop the adjacency.
GTSM TTL Security Mechanism for OSPF
OSPF is a link state protocol that requires networking devices to detect topological changes in the
network, flood Link State Advertisement (LSA) updates to neighbors, and quickly converge on a new
view of the topology. However, while receiving LSAs and other OSPF packets from neighbors, a router is
exposed to attack, because by default nothing checks that a unicast or multicast OSPF packet actually
originated from a neighbor one hop away (or, over a virtual link, from the expected number of hops
away). A remote attacker who can source packets toward the router's OSPF address can therefore try to
take part in the protocol exchange.
Over virtual links, OSPF packets travel multiple hops across the network, so the TTL value is
decremented several times. For these links, a minimum acceptable TTL value must be configured and
accepted for multiple-hop packets.
To filter attack packets that originate from invalid sources several hops away, the Generalized TTL
Security Mechanism (GTSM), RFC 3682 (since superseded by RFC 5082), is used. GTSM relies on the fact
that a directly attached neighbor sending with TTL 255 delivers packets that still carry TTL 255, while a
packet from farther away arrives with a smaller TTL because every intermediate router decrements it,
and an attacker cannot originate a packet with a TTL above 255. Requiring TTL 255 therefore allows only
one-hop neighbor adjacencies. The TTL value in the IP header is set to 255 when OSPF packets are
originated, and on receipt it is checked against the default GTSM TTL value of 255 or the user-configured
GTSM TTL value, so that OSPF packets originated more hops away than allowed are dropped before they
are processed.
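The following added example (illustration written for this page, not Cisco IOS XR code) puts the two preceding sections together as the ingress checks a receiver performs on an OSPFv2 packet: the GTSM TTL test first, then keychain lookup by key ID with the accept lifetime, then the RFC 2328 Appendix D MD5 digest check, and finally the cryptographic sequence number replay check. The keychain contents, key IDs, lifetimes and the hello packet fields are constructed; the `max_hops` parameter is this example's way of expressing the configurable GTSM TTL for virtual links.

```python
"""Ingress validation for an OSPFv2 packet: GTSM TTL check, keychain lookup with
accept-lifetime, MD5 digest verification (RFC 2328 Appendix D) and the
cryptographic sequence number replay check. Added illustration, not Cisco IOS XR
code; the keychain contents, key IDs and times below are constructed."""
import hashlib
import hmac
import struct

OSPF_HDR = struct.Struct("!BBHIIHH")    # version, type, length, router ID, area ID, checksum, AuType
AUTH_FIELD = struct.Struct("!HBBI")     # reserved, key ID, auth data length, cryptographic sequence number
HELLO_BODY = struct.Struct("!IHBBIII")  # netmask, hello interval, options, priority, dead interval, DR, BDR
AUTYPE_CRYPTO, HELLO, DIGEST_LEN = 2, 1, 16
MIN_LEN = OSPF_HDR.size + AUTH_FIELD.size + DIGEST_LEN

# Hypothetical keychain. Lifetimes are (start, end) in seconds; None means "infinite".
# Key 2 becomes acceptable (900) before it becomes the send key (1000), so a neighbor
# that switches first is still accepted during the rollover.
KEYCHAIN = {
    1: {"secret": b"old-secret", "accept": (0, 2000), "send": (0, 1000)},
    2: {"secret": b"new-secret", "accept": (900, None), "send": (1000, None)},
}


def in_lifetime(window, now):
    start, end = window
    return now >= start and (end is None or now <= end)


def send_key(keychain, now):
    """Pick the key to sign with: the lowest key ID whose send-lifetime covers `now`."""
    for key_id in sorted(keychain):
        if in_lifetime(keychain[key_id]["send"], now):
            return key_id
    raise LookupError("no key in send-lifetime")


def md5_digest(packet, secret):
    """RFC 2328 D.3: MD5 over the packet with the 16-byte, zero-padded key appended."""
    return hashlib.md5(packet + secret.ljust(DIGEST_LEN, b"\x00")[:DIGEST_LEN]).digest()


def build_hello(router_id, area_id, keychain, seq, now):
    """Sender side: header with AuType 2, authentication field, body, then the digest."""
    key_id = send_key(keychain, now)
    body = HELLO_BODY.pack(0xFFFFFF00, 10, 0x02, 1, 40, 0, 0)
    length = OSPF_HDR.size + AUTH_FIELD.size + len(body)  # the digest is not counted
    hdr = OSPF_HDR.pack(2, HELLO, length, router_id, area_id, 0, AUTYPE_CRYPTO)
    pkt = hdr + AUTH_FIELD.pack(0, key_id, DIGEST_LEN, seq) + body
    return pkt + md5_digest(pkt, keychain[key_id]["secret"])


def gtsm_ok(ttl, max_hops=0):
    """GTSM: neighbors send with TTL 255 and each router on the path decrements it once,
    so a packet that crossed at most `max_hops` routers arrives with TTL >= 255 - max_hops.
    Use 0 for a directly attached neighbor and the path length for a virtual link."""
    return 255 - max_hops <= ttl <= 255


class OspfReceiver:
    def __init__(self, keychain, max_hops=0):
        self.keychain, self.max_hops, self.last_seq = keychain, max_hops, {}

    def accept(self, ttl, packet, now):
        """Return 'accept' or 'drop: <reason>'; the cheap TTL test runs before any crypto."""
        if not gtsm_ok(ttl, self.max_hops):
            return "drop: gtsm"
        if len(packet) < MIN_LEN:
            return "drop: short"
        _, _, length, router_id, _, _, autype = OSPF_HDR.unpack_from(packet)
        if autype != AUTYPE_CRYPTO or len(packet) != length + DIGEST_LEN:
            return "drop: autype or length"
        _, key_id, auth_len, seq = AUTH_FIELD.unpack_from(packet, OSPF_HDR.size)
        key = self.keychain.get(key_id)
        if key is None or auth_len != DIGEST_LEN:
            return "drop: unknown key"
        if not in_lifetime(key["accept"], now):
            return "drop: key outside accept-lifetime"
        expected = md5_digest(packet[:length], key["secret"])
        if not hmac.compare_digest(expected, packet[length:]):
            return "drop: bad digest"
        if seq < self.last_seq.get(router_id, 0):  # RFC 2328 D.4.3: non-decreasing per neighbor
            return "drop: replay"
        self.last_seq[router_id] = seq
        return "accept"


if __name__ == "__main__":
    rx = OspfReceiver(KEYCHAIN)
    pkt = build_hello(0x0A000001, 0, KEYCHAIN, seq=100, now=1500)  # signed with key 2
    print(rx.accept(255, pkt, now=1500))  # accept
    print(rx.accept(254, pkt, now=1500))  # drop: gtsm
```

Two design points carry over to real deployments. The TTL test is placed first because it is free and rejects remote attackers before any digest computation, which matters when an attacker's goal is to burn CPU with bogus packets. The sequence number is compared with "not less than" rather than "greater than" because RFC 2328 allows different packet types from one neighbor to share a sequence value; a single stale packet is still rejected. On IOS XR the corresponding configuration is the keychain applied under the OSPF interface with `authentication message-digest keychain` and `security ttl` for GTSM (command names from memory; confirm them against the command reference for your release).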
Path Computation Element for OSPFv2
A Path Computation Element (PCE) is an entity (component, application, or network node) that is capable
of computing a network path or route based on a network graph and applying computational constraints.
PCE discovery takes place when a PCE address and client are configured for MPLS-TE. The PCE
communicates its address and capabilities to OSPF; OSPF packages this information in the PCE
Discovery type-length-value (TLV) (Type 2) and reoriginates the Router Information (RI) LSA. OSPF also
includes the Router Capabilities TLV (Type 1) in all of its RI LSAs. The PCE Discovery TLV contains the
PCE Address sub-TLV (Type 1) and the Path Scope sub-TLV (Type 2).
The PCE Address sub-TLV specifies the IP address that must be used to reach the PCE. It should be a
loopback address that is always reachable. This sub-TLV is mandatory and must be present within the
PCE Discovery TLV. The Path Scope sub-TLV indicates the PCE path computation scopes, that is, the
PCE's ability to compute or participate in the computation of intra-area, inter-area, inter-AS, or
inter-layer TE LSPs. Because the PCE address is learned from flooded LSAs, the OSPF authentication
described earlier is what prevents an unauthorized router from advertising itself as a PCE.
PCE extensions to OSPFv2 include support for the Router Information LSA (RI LSA), which is an opaque
LSA. OSPFv2 is extended to receive RI LSAs of all three opaque scopes (link-local Type 9, area Type 10,
and AS Type 11). However, OSPFv2 originates the RI LSA only with area scope (Type 10).
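The following added example (written for this page, not Cisco code) encodes and decodes the RI LSA payload described above: the Router Capabilities TLV (Type 1), the PCE Discovery TLV (Type 2) with its PCE Address sub-TLV (Type 1) and Path Scope sub-TLV (Type 2), and the check that the mandatory PCE Address sub-TLV is present. The page gives TLV type numbers but no byte layouts; the framing (2-byte type, 2-byte length, value padded to 4 bytes), the 16-bit address-type field (1 = IPv4, 2 = IPv6) and the six scope flag bits are taken from RFC 4970 and RFC 5088 as I recall them, and the sample addresses are constructed.

```python
"""Encode and decode the OSPFv2 Router Information (RI) LSA payload that carries PCE
discovery (RFC 4970 TLV framing, RFC 5088 PCE Discovery TLV). Added illustration, not
Cisco code; byte layouts are from those RFCs as recalled, sample values constructed."""
import ipaddress
import struct

RI_CAPS_TLV, PCED_TLV = 1, 2                   # top-level RI LSA TLV types
PCE_ADDRESS_SUBTLV, PATH_SCOPE_SUBTLV = 1, 2   # sub-TLVs inside the PCE Discovery TLV
ADDR_IPV4, ADDR_IPV6 = 1, 2                    # address-type values in the PCE Address sub-TLV
# Scope flags, most significant bit first: intra-area, inter-area, inter-area default,
# inter-AS, inter-AS default, inter-layer. The preference fields that follow them in
# the 32-bit word are left zero in this example.
SCOPE_BITS = ("L", "R", "Rd", "S", "Sd", "Y")


def tlv(ttype, value):
    """RFC 4970 framing: 2-byte type, 2-byte length of the value, value padded to 4 bytes."""
    return struct.pack("!HH", ttype, len(value)) + value + b"\x00" * (-len(value) % 4)


def iter_tlvs(data):
    """Walk a run of TLVs, refusing a TLV whose declared length runs past the buffer."""
    off = 0
    while off + 4 <= len(data):
        ttype, length = struct.unpack_from("!HH", data, off)
        value = data[off + 4:off + 4 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        yield ttype, value
        off += 4 + length + (-length % 4)


def path_scope_value(scopes):
    word = 0
    for i, name in enumerate(SCOPE_BITS):
        if name in scopes:
            word |= 1 << (31 - i)
    return struct.pack("!I", word)


def build_ri_lsa_body(pce_address, scopes, caps=0):
    """RI LSA body as the page describes it: Router Capabilities TLV, then the PCED TLV
    holding the mandatory PCE Address sub-TLV and the Path Scope sub-TLV."""
    addr = ipaddress.ip_address(pce_address)
    addr_type = ADDR_IPV4 if addr.version == 4 else ADDR_IPV6
    pced = tlv(PCE_ADDRESS_SUBTLV, struct.pack("!H", addr_type) + addr.packed)
    pced += tlv(PATH_SCOPE_SUBTLV, path_scope_value(scopes))
    return tlv(RI_CAPS_TLV, struct.pack("!I", caps)) + tlv(PCED_TLV, pced)


def parse_pced(body):
    """Return {'address': str, 'scopes': set} from the first PCED TLV, None if there is
    none, and raise ValueError if the mandatory PCE Address sub-TLV is absent or malformed."""
    for ttype, value in iter_tlvs(body):
        if ttype != PCED_TLV:
            continue
        result = {"scopes": set()}
        for sub_type, sub_value in iter_tlvs(value):
            if sub_type == PCE_ADDRESS_SUBTLV:
                (addr_type,) = struct.unpack_from("!H", sub_value)
                size = {ADDR_IPV4: 4, ADDR_IPV6: 16}.get(addr_type)
                if size is None or len(sub_value) != 2 + size:
                    raise ValueError("malformed PCE Address sub-TLV")
                result["address"] = str(ipaddress.ip_address(bytes(sub_value[2:])))
            elif sub_type == PATH_SCOPE_SUBTLV and len(sub_value) == 4:
                (word,) = struct.unpack_from("!I", sub_value)
                result["scopes"] = {n for i, n in enumerate(SCOPE_BITS) if word >> (31 - i) & 1}
        if "address" not in result:
            raise ValueError("PCED TLV without the mandatory PCE Address sub-TLV")
        return result
    return None


def pced_is_valid(body):
    """Convenience wrapper: True only if a well-formed PCED TLV with a PCE address is present."""
    try:
        return parse_pced(body) is not None
    except ValueError:
        return False


if __name__ == "__main__":
    body = build_ri_lsa_body("192.0.2.1", {"L", "R"})
    print(body.hex())
    print(parse_pced(body))  # {'scopes': {'L', 'R'}, 'address': '192.0.2.1'}
```

The decoder rejects a PCED TLV without a PCE Address sub-TLV rather than guessing a default, which matches the page's statement that the sub-TLV is mandatory, and it bounds every TLV length against the buffer before slicing, the check most often missing in hand-written LSA parsers.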