08-27-2018 05:50 PM
Hi, I am interested in what the difference is between these 2 configs
Config 1
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
ip ospf authentication-key testing1
speed auto
duplex auto
end
R1#show run | s ospf
ip ospf authentication-key testing1
router ospf 1
area 0 authentication message-digest
network 10.1.1.1 0.0.0.0 area 0
I used Wireshark to capture the hello packet that this config generated. I found that it generated a hashed value. I also found that 2 routers can peer with this config. This surprised me because I thought that the command "ip ospf authentication-key <key>" was for plain text authentication only.
Config 2
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
ip ospf message-digest-key 1 md5 testing1
shutdown
speed auto
duplex auto
end
R1#show run | s ospf
ip ospf message-digest-key 1 md5 testing1
router ospf 1
area 0 authentication message-digest
network 10.1.1.1 0.0.0.0 area 0
This is the config that I was taught to use for MD5 authentication.
Is the only difference between these commands the ability to state a key number?
Is config 1 secure?
08-27-2018 10:43 PM
08-28-2018 08:01 PM
Thanks for the reply
In "Config 1" under fa0/0 I am using the plain text interface command. In router config, I am using the MD5 command. But I find that it still works. I even see in a packet capture that the key is hashed.
For plain text you should use the commands:
router ospf 1
area 0 authentication
interface fa0/0
ip ospf authentication-key {key}
For MD5 you should use the commands:
router ospf 1
area 0 authentication message-digest
interface fa0/0
ip ospf message-digest-key {key number} md5 {key}
Is there any negative impact from using this mixed config as shown in "Config 1"?
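The pairing described in this post (area authentication type versus the key command on the interface) can be checked mechanically. The script below is an added example, not part of the original thread or any Cisco tool: it parses an IOS-style configuration and reports interfaces whose key command does not match the authentication type of their OSPF area. The sample configuration is constructed from the thread's two configs; the function name `audit`, the second interface and its addressing are assumptions, and interface-level `ip ospf authentication` overrides are not handled.

```python
import ipaddress
import re

# Constructed sample: Fa0/0 mirrors "Config 1" from the thread, Fa0/1 "Config 2".
SAMPLE = """\
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip ospf authentication-key testing1
interface FastEthernet0/1
 ip address 10.2.2.1 255.255.255.0
 ip ospf message-digest-key 1 md5 testing1
router ospf 1
 area 0 authentication message-digest
 network 10.1.1.1 0.0.0.0 area 0
 network 10.2.2.0 0.0.0.255 area 0
"""

KEY_CMD = {"md5": "ip ospf message-digest-key", "plain": "ip ospf authentication-key"}

def audit(config):
    """Return (interface, area, auth type, missing key command) tuples."""
    ifaces, area_auth, networks, cur = {}, {}, [], None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m[1], {"ip": None, "cmds": set()})
        elif line.startswith("router "):
            cur = None
        elif m := re.match(r"area (\S+) authentication( message-digest)?$", line):
            area_auth[m[1]] = "md5" if m[2] else "plain"
        elif m := re.match(r"network (\S+) (\S+) area (\S+)", line):
            networks.append((int(ipaddress.ip_address(m[1])),
                             int(ipaddress.ip_address(m[2])), m[3]))
        elif cur is not None:
            if m := re.match(r"ip address (\d\S+) \S+", line):
                cur["ip"] = int(ipaddress.ip_address(m[1]))
            for cmd in KEY_CMD.values():
                if line.startswith(cmd + " "):
                    cur["cmds"].add(cmd)
    findings = []
    for name, iface in ifaces.items():
        if iface["ip"] is None:
            continue
        # Simplification (assumption): first matching network statement decides the area.
        area = next((a for net, wild, a in networks
                     if iface["ip"] & ~wild == net & ~wild), None)
        auth = area_auth.get(area)
        if auth and KEY_CMD[auth] not in iface["cmds"]:
            findings.append((name, area, auth, KEY_CMD[auth]))
    return findings
```

Running `audit(SAMPLE)` reports FastEthernet0/0, the "Config 1" interface, as lacking the `ip ospf message-digest-key` command that its area's message-digest setting calls for.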