Implementing OSPF on Cisco IOS XR Software
Information About Implementing OSPF on Cisco IOS XR Software
Cisco IOS XR Routing Configuration Guide
• Broadcast networks (Gigabit Ethernet)
• Point-to-multipoint
You can configure your Cisco IOS XR network as either a broadcast or an NBMA network. Using this 
feature, you can configure broadcast networks as NBMA networks when, for example, you have routers 
in your network that do not support multicast addressing.
Route Authentication Methods for OSPF
OSPF Version 2 supports two types of authentication: plain text authentication and MD5 authentication. 
By default, no authentication is enabled (referred to as null authentication in RFC 2178). 
OSPF Version 3 supports all types of authentication except key rollover.
Plain Text Authentication
Plain text authentication (also known as Type 1 authentication) uses a password that travels on the 
physical medium, where it is easily visible to someone who does not have access permission and who 
could use the password to infiltrate a network. Therefore, plain text authentication does not provide 
security. It might protect against a faulty implementation of OSPF or a misconfigured OSPF interface 
trying to send erroneous OSPF packets.
MD5 Authentication
MD5 authentication provides a means of security. No password travels on the physical medium. Instead, 
the router uses MD5 to produce a message digest of the OSPF packet plus the key, which is sent on the 
physical medium. Using MD5 authentication prevents a router from accepting unauthorized or 
deliberately malicious routing updates, which could compromise your network security by diverting 
your traffic.
Note: MD5 authentication supports multiple keys, requiring that a key number be associated with a key. 
See also the “OSPF Authentication Message Digest Management” section on page 240.
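The following Python sketch is an added example, not Cisco code or IOS XR output. It shows the digest of "packet plus key" and the key number selecting the key on the receiving side, using the OSPFv2 cryptographic authentication layout from RFC 2328 Appendix D. The keys, router ID, and packet body are constructed sample values, and the per-neighbor sequence-number replay check is left out.

```python
import hashlib
import hmac
import struct

HDR = "!BBH4s4sHHHBBI"   # OSPFv2 header, 24 bytes, with the crypto auth field
AUTYPE_CRYPTO, DIGEST_LEN = 2, 16


def _pad(key: bytes) -> bytes:
    """Keys are used as 16 bytes, zero-padded."""
    return key[:16].ljust(16, b"\x00")


def sign(body: bytes, router_id: bytes, area_id: bytes,
         key_id: int, key: bytes, seq: int, pkt_type: int = 1) -> bytes:
    """Return header + body + MD5(header + body + key). The key is never sent."""
    length = struct.calcsize(HDR) + len(body)      # length excludes the digest
    packet = struct.pack(HDR, 2, pkt_type, length, router_id, area_id,
                         0, AUTYPE_CRYPTO, 0, key_id, DIGEST_LEN, seq) + body
    return packet + hashlib.md5(packet + _pad(key)).digest()


def verify(wire: bytes, keys: dict) -> bool:
    """Accept only if the digest matches the key registered under the key ID."""
    if len(wire) < struct.calcsize(HDR) + DIGEST_LEN:
        return False
    f = struct.unpack(HDR, wire[:24])
    length, autype, key_id, auth_len = f[2], f[6], f[8], f[9]
    if autype != AUTYPE_CRYPTO or auth_len != DIGEST_LEN:
        return False
    if length < 24 or length + DIGEST_LEN != len(wire) or key_id not in keys:
        return False
    expected = hashlib.md5(wire[:length] + _pad(keys[key_id])).digest()
    return hmac.compare_digest(expected, wire[length:])  # constant-time compare


def demo() -> dict:
    """Constructed sample: the same packet signed under key 1 and key 2."""
    rid, area, body = bytes([10, 0, 0, 1]), bytes(4), bytes(20)
    k1, k2 = b"constructed-key1", b"constructed-key2"
    copies = [sign(body, rid, area, kid, k, seq=100) for kid, k in ((1, k1), (2, k2))]
    tampered = copies[0][:24] + b"\x01" + copies[0][25:]   # one body byte changed
    return {
        "key1_only": [verify(c, {1: k1}) for c in copies],
        "both_keys": [verify(c, {1: k1, 2: k2}) for c in copies],
        "wrong_key": verify(copies[0], {1: k2}),
        "tampered": verify(tampered, {1: k1}),
    }
```

A receiver that holds only key 1 accepts the copy signed with key 1 and drops the copy signed with key 2, while a receiver holding both keys accepts either copy.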
Authentication Strategies
Authentication can be specified for an entire process or area, or on an interface or a virtual link. An 
interface or virtual link can be configured for only one type of authentication, not both. Authentication 
configured for an interface or virtual link overrides authentication configured for the area or process.
If you intend for all interfaces in an area to use the same type of authentication, use the 
authentication command in the area configuration submode (and specify the message-digest keyword 
if you want the entire area to use MD5 authentication). This strategy requires fewer commands than 
specifying authentication for each interface.
Key Rollover
To support the changing of an MD5 key in an operational network without disrupting OSPF adjacencies 
(and hence the topology), a key rollover mechanism is supported. While a network administrator 
configures the new key on the multiple networking devices that communicate, there is a period during 
which some devices are using the new key and others are still using the old key. If an interface is 
configured with a new key, the software sends two copies of the same packet, one authenticated by the 
old key and one by the new key. The software tracks 










