Neighbor authentication is highly recommended for OSPF. It prevents unauthorized users from forming neighbor relationships and potentially compromising the network. This is especially important in a campus environment or within the enterprise. Ethernet ports are conveniently positioned for end-users to connect their devices to. The last thing a network operator would like is for an end-user to plug in a router, start up OSPF and interfere with operation of the campus or enterprise network.

OSPFv2 has authentication built in. There are two ways of doing it, either via a plaintext password or an MD5 hash. Most people use the MD5 hash version. The important thing is that we have a shared secret that's not easily readable on the wire. OSPFv3 does not have authentication built in. Instead it uses the standard IP security header that's part of IPv6. There are two types supported here as well, the MD5 hash and the SHA1.

Let's look at the OSPFv2 neighbor authentication configuration example. Here we're configuring authentication for area 0. Interfaces still need the authentication key. So we go to the OSPF configuration, state that area 0 is going to use authentication, simply by: 'area 0 authentication message-digest' and then we go to the interface and do: 'ip ospf message-digest-key' and whatever that key password is going to be for that interface. All other devices on that shared link need to have the same key for them to talk OSPF to each other.

We can configure authentication per interface only if we want to. We don't need to configure it for the whole area. And in that case we simply go to the interface, state we're going to do neighbor authentication and then supply the key as you see in the example.

For OSPFv3 we can configure authentication for interfaces in an area, by starting up the OSPF process, and doing: 'area 0 authentication ipsec spi 256 md5' and then supplying the key to be used there. Or we can configure authentication per interface.
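
The OSPFv2 point above, that enabling authentication for an area still leaves every interface needing its own key, is easy to check across a device configuration. The following is an added example, not part of the original presentation: a small audit script over a constructed IOS-style configuration. The process ID, interface names, keys and the use of the interface-level `ip ospf <process> area <area>` form are assumptions made for the illustration.

```python
import re

# Constructed IOS-style sample; process ID, interface names and keys are invented.
SAMPLE_CONFIG = """\
router ospf 41
 area 0 authentication message-digest
interface GigabitEthernet0/0
 ip ospf 41 area 0
 ip ospf message-digest-key 1 md5 EXAMPLE-KEY
interface GigabitEthernet0/1
 ip ospf 41 area 0
interface GigabitEthernet0/2
 ip ospf 41 area 1
 ip ospf authentication
 ip ospf authentication-key EXAMPLE-KEY
interface GigabitEthernet0/3
 ip ospf 41 area 1
"""

def parse_blocks(config):
    """Map each top-level line to the list of indented commands below it."""
    blocks, current = {}, []
    for line in config.splitlines():
        if line.startswith(" "):
            current.append(line.strip())
        elif line.strip() not in ("", "!"):
            current = blocks.setdefault(line.strip(), [])
    return blocks

def audit_ospf_auth(config):
    """Return {interface: 'md5' | 'missing-key' | 'plaintext' | 'none'}."""
    blocks = parse_blocks(config)
    md5_areas = {m.group(1) for head, cmds in blocks.items() if head.startswith("router ospf ")
                 for c in cmds if (m := re.fullmatch(r"area (\S+) authentication message-digest", c))}
    result = {}
    for head, cmds in blocks.items():
        area = next((m.group(1) for c in cmds if (m := re.fullmatch(r"ip ospf \d+ area (\S+)", c))), None)
        if not head.startswith("interface ") or area is None:
            continue  # not an OSPF-enabled interface
        has_key = any(c.startswith("ip ospf message-digest-key ") for c in cmds)
        if "ip ospf authentication" in cmds:  # interface-level plaintext takes precedence over the area
            state = "plaintext"
        elif "ip ospf authentication message-digest" in cmds or area in md5_areas:
            state = "md5" if has_key else "missing-key"
        else:
            state = "none"
        result[head.split()[1]] = state
    return result

if __name__ == "__main__":
    print(audit_ospf_auth(SAMPLE_CONFIG))
```
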
To originate a default route in OSPF, we use the simple command line: 'default-information originate' under the router OSPF process. And this will originate a default route into OSPF only if a default route exists in the RIB. For those of you who are used to IS-IS this is different behavior. If we always want to originate a default route regardless of whether there's one in the RIB or not, we go to the OSPF process and do: 'default-information originate always'. The extra 'always' keyword will ensure the default route is announced at all times. And there are equivalent commands for OSPFv3.

To operate OSPF on a point-to-point Ethernet link we don't actually need a Designated Router and Backup Designated Router. There are only two devices. So what we do is we disable the DR and BDR election. And this is much more efficient. We go to the interface, and the simple keyword: 'ip ospf network point-to-point' will convert this to a point-to-point link as far as OSPF is concerned. Note that both devices on either end of the point-to-point Ethernet need the configuration command to be supplied. And there are equivalent commands for OSPFv3. Remember OSPFv2 is for IPv4 and OSPFv3 is for IPv6. The two versions of OSPF do not interact with each other at all.

So to conclude the presentation, OSPF is a Link State Routing Protocol. It's quick and simple to get started, but it has a huge number of options and features to cover almost every single type of network topology. In this series here, we have covered the minimum requirements that any network operator needs to deploy OSPF. If we haven't mentioned it here, the feature is more than likely not required for your network infrastructure. Network operators keep their OSPF design simple. Minimum number of prefixes will give the fastest possible convergence. Running over 400 routers in a single area is entirely feasible.
© Produced by Philip Smith and the Network Startup Resource Center, through the University of Oregon.
Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)