​Junos OSPF Authentication Example

On Junos, it is generally accepted there are three authentication types for OSPF.

  • None – no authentication is used.
  • Simple – Clear text passwords are used.
  • MD5 – An MD5 hash is used.

There is a fourth method, using IPSec, which we’ll demonstrate later in this post.

In all cases, the authentication is configured under the interface, under the protocols ospf stanza.

Lab Environment

This lab uses two vJunos Routers connected via ge-0/0/0.

  • Interfaces are already configured.
  • Basic OSPF is already configured.

The relevant baseline configuration from R1 is shown below. R2 is configured similarly.

lab@vRouter-1> show configuration interfaces ge-0/0/0  
description "vQFX-1 xe-0/0/6";
unit 0 {
    family inet {
        address 172.16.0.1/24;
    }
}

lab@vRouter-1> show configuration interfaces lo0         
unit 0 {
    family inet {
        address 192.168.0.1/32;
    }
}

lab@vRouter-1> show configuration routing-options 
router-id 192.168.0.1;

lab@vRouter-1> show configuration protocols 
ospf {
    area 0.0.0.0 {
        interface lo0.0 {
            passive;
        }
        interface ge-0/0/0.0;
    }
    reference-bandwidth 100g;
}

lab@vRouter-1>

Let’s check the neighbors and routes. In this case, we should have a route to R2’s loopback address.

lab@vRouter-1> show ospf neighbor    
Address          Interface              State           ID               Pri  Dead
172.16.0.2       ge-0/0/0.0             Full            192.168.0.2      128    38

lab@vRouter-1> show route protocol ospf 

inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.0.2/32     *[OSPF/10] 00:02:59, metric 100
                    >  to 172.16.0.2 via ge-0/0/0.0
224.0.0.5/32       *[OSPF/10] 00:05:29, metric 1
                       MultiRecv

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

lab@vRouter-1>

OSPF Simple Authentication Example

Simple authentication allows for the use of a single password, which is sent in clear text.

The basic format of the command is shown below.

set protocols ospf area <<area>> interface <<interface>> authentication simple-password <<Password>>

set protocols ospf area 0 interface ge-0/0/0.0 authentication simple-password Juniper

Let’s now configure this on R1.

lab@vRouter-1> edit 
Entering configuration mode

[edit]
lab@vRouter-1# show protocols ospf 
area 0.0.0.0 {
    interface lo0.0 {
        passive;
    }
    interface ge-0/0/0.0;
}
reference-bandwidth 100g;

[edit]
lab@vRouter-1# set protocols ospf area 0 interface ge-0/0/0.0 authentication simple-password Juniper 

[edit]
lab@vRouter-1# show protocols ospf 
area 0.0.0.0 {
    interface lo0.0 {
        passive;
    }
    interface ge-0/0/0.0 {
        authentication {
            simple-password "$9$w92oZHqfn/tUj/tuOcSwYg"; ## SECRET-DATA
        }
    }
}
reference-bandwidth 100g;

[edit]
lab@vRouter-1# commit and-quit 
commit complete
Exiting configuration mode

lab@vRouter-1>

R2 is configured the same as R1. We can now look at R1 to confirm the OSPF adjacency is up.

lab@vRouter-1> show ospf neighbor           
Address          Interface              State           ID               Pri  Dead
172.16.0.2       ge-0/0/0.0             Full            192.168.0.2      128    33

lab@vRouter-1> 

Next, we can check the detailed output for the OSPF interface.

lab@vRouter-1> show ospf interface ge-0/0/0.0 detail 
Interface           State   Area            DR ID           BDR ID          Nbrs
ge-0/0/0.0          BDR     0.0.0.0         192.168.0.2     192.168.0.1        1
  Type: LAN, Address: 172.16.0.1, Mask: 255.255.255.0, MTU: 1500, Cost: 100
  DR addr: 172.16.0.2, BDR addr: 172.16.0.1, Priority: 128
  Adj count: 1
  Hello: 10, Dead: 40, ReXmit: 5, Not Stub
  Auth type: Password
  Protection type: None
  Topology default (ID 0) -> Cost: 100

lab@vRouter-1

Notice the output shows the authentication type as password.

Packet Capture

Shown below is a capture of an OSPF hello packet. The authentication is carried in the OSPF header. The password is cleartext.

OSPF MD5 Authentication Example

The configuration for MD5 authentication is similar. Instead of just a password, we need to set a key id as well. We can set multiple MD5 passwords, and can optionally set a start time for when the key becomes valid. Note, that the time is taken from the local device, which has implications for timezones and daylight savings.

Both the key id and the password need to match between the two devices.

The general format of the command is:

set protocols ospf area <<area>> interface <<interface>> authentication md5 <<key-id>> key <<password>> start-time YYYY-MM-DD.HH:MM

set protocols ospf area 0 interface ge-0/0/0.0 authentication md5 1 key Juniper start-time 2024-01-01.00:01

Here is the configuration for R1.

lab@vRouter-1> edit 
Entering configuration mode

[edit]
lab@vRouter-1# show protocols ospf 
area 0.0.0.0 {
    interface lo0.0 {
        passive;
    }
    interface ge-0/0/0.0;
}
reference-bandwidth 100g;

[edit]
lab@vRouter-1# set protocols ospf area 0 interface ge-0/0/0.0 authentication md5 1 key Juniper 

[edit]
lab@vRouter-1# show protocols ospf                                                                
area 0.0.0.0 {
    interface lo0.0 {
        passive;
    }
    interface ge-0/0/0.0 {
        authentication {
            md5 1 key "$9$cuArKWNdsJGiLxGik.zFcyl"; ## SECRET-DATA
        }
    }
}
reference-bandwidth 100g;

[edit]
lab@vRouter-1# commit and-quit 
commit complete
Exiting configuration mode

lab@vRouter-1>

We can now check the OSPF interface detail.

lab@vRouter-1> show ospf interface ge-0/0/0.0 detail    
Interface           State   Area            DR ID           BDR ID          Nbrs
ge-0/0/0.0          BDR     0.0.0.0         192.168.0.2     192.168.0.1        1
  Type: LAN, Address: 172.16.0.1, Mask: 255.255.255.0, MTU: 1500, Cost: 100
  DR addr: 172.16.0.2, BDR addr: 172.16.0.1, Priority: 128
  Adj count: 1
  Hello: 10, Dead: 40, ReXmit: 5, Not Stub
  Auth type: MD5, Active key ID: 1, Start time: 1970 Jan  1 00:00:00 UTC
  Protection type: None
  Topology default (ID 0) -> Cost: 100

lab@vRouter-1>

The interface detailed output shows that we’re using MD5 authentication, which key is active, and what the valid start time of the key is. Because we didn’t specify a start time, it seems to use the UNIX epoch date – January 1st 1970.

Packet Capture

Shown below is a capture of an OSPF hello packet. The authentication is carried in the OSPF header. We can see the key id, and that the password is hashed and not in cleartext.

OSPF Multiple MD5 Authentication Example

From Junos 22.4R1, we can configure the router to send two OSPF MD5 keys at once. This is another method to ease the transition from one OSPF password to another.

To do this, we use the multi-active-md5 configuration. This is mutually exclusive with md5 authentication.

To show this, first I’ll set a normal MD5 password, then set multi-active, and show how they overwrite one another.

lab@vRouter-1> edit                  
Entering configuration mode

[edit]
lab@vRouter-1# show protocols ospf 
area 0.0.0.0 {
    interface lo0.0 {
        passive;
    }
    interface ge-0/0/0.0;
}
reference-bandwidth 100g;

[edit]
lab@vRouter-1# set protocols ospf area 0 interface ge-0/0/0.0 authentication md5 1 key Juniper 

[edit]
lab@vRouter-1# show protocols ospf                                                                
area 0.0.0.0 {
    interface lo0.0 {
        passive;
    }
    interface ge-0/0/0.0 {
        authentication {
            md5 1 key "$9$13AESl8X-24ZKM4ZUjPf1Rh"; ## SECRET-DATA
        }
    }
}
reference-bandwidth 100g;

[edit]
lab@vRouter-1# set protocols ospf area 0 interface ge-0/0/0.0 authentication multi-active-md5 1 key Juniper2 

[edit]
lab@vRouter-1# show protocols ospf                                                                              
area 0.0.0.0 {
    interface lo0.0 {
        passive;
    }
    interface ge-0/0/0.0 {
        authentication {
            multi-active-md5 1 key "$9$twiB01ElK8db2cyb24aiHtuOISr"; ## SECRET-DATA
        }
    }
}
reference-bandwidth 100g;

[edit]
lab@vRouter-1# 

Now, let’s set R1 with multi-active-md5 and R2 with a regular MD5 configuration to see how they work together.

lab@vRouter-1> edit 
Entering configuration mode

[edit]
lab@vRouter-1# show protocols ospf 
area 0.0.0.0 {
    interface lo0.0 {
        passive;
    }
    interface ge-0/0/0.0;
}
reference-bandwidth 100g;

[edit]
lab@vRouter-1# set protocols ospf area 0 interface ge-0/0/0.0 authentication multi-active-md5 1 key Juniper 

[edit]
lab@vRouter-1# set protocols ospf area 0 interface ge-0/0/0.0 authentication multi-active-md5 2 key Juniper2   

[edit]
lab@vRouter-1# show protocols ospf 
area 0.0.0.0 {
    interface lo0.0 {
        passive;
    }
    interface ge-0/0/0.0 {
        authentication {
            multi-active-md5 1 key "$9$iqPT69pRhrz3hrev7Nik."; ## SECRET-DATA
            multi-active-md5 2 key "$9$6LFOCpOhSeX7V1R7VwYZG69AuIE"; ## SECRET-DATA
        }
    }
}
reference-bandwidth 100g;

[edit]
lab@vRouter-1# commit and-quit 
commit complete
Exiting configuration mode

lab@vRouter-1>

R2’s OSPF configuration looks like this:

lab@vRouter-2> show configuration protocols ospf 
area 0.0.0.0 {
    interface lo0.0 {
        passive;
    }
    interface ge-0/0/0.0 {
        authentication {
            md5 1 key "$9$RV6crKX7V4aUM8aUjH5TRhS"; ## SECRET-DATA
        }
    }
}
reference-bandwidth 100g;

lab@vRouter-2>

Now, from R1 we can check the OSPF neighbor and interface detail.

lab@vRouter-1> show ospf neighbor 
Address          Interface              State           ID               Pri  Dead
172.16.0.2       ge-0/0/0.0             Full            192.168.0.2      128    33

lab@vRouter-1> show ospf interface ge-0/0/0.0 detail 
Interface           State   Area            DR ID           BDR ID          Nbrs
ge-0/0/0.0          BDR     0.0.0.0         192.168.0.2     192.168.0.1        1
  Type: LAN, Address: 172.16.0.1, Mask: 255.255.255.0, MTU: 1500, Cost: 100
  DR addr: 172.16.0.2, BDR addr: 172.16.0.1, Priority: 128
  Adj count: 1
  Hello: 10, Dead: 40, ReXmit: 5, Not Stub
  Auth type: MD5, Active key ID: 2
   , Active key ID: 1
  Protection type: None
  Topology default (ID 0) -> Cost: 100

lab@vRouter-1> 

The auth type line shows two active keys.

Currently, R1 has two active keys, and R2 is using key 1 with the ‘Juniper’ password. Let’s update R2 to use the second key and see what happens.

lab@vRouter-2> edit 
Entering configuration mode

[edit]
lab@vRouter-2# show protocols ospf 
area 0.0.0.0 {
    interface lo0.0 {
        passive;
    }
    interface ge-0/0/0.0 {
        authentication {
            md5 1 key "$9$RV6crKX7V4aUM8aUjH5TRhS"; ## SECRET-DATA
        }
    }
}
reference-bandwidth 100g;

[edit]
lab@vRouter-2# delete protocols ospf area 0 interface ge-0/0/0.0 authentication md5 1 

[edit]
lab@vRouter-2# set protocols ospf area 0 interface ge-0/0/0.0 authentication md5 2 key Juniper2 

[edit]
lab@vRouter-2# show protocols ospf 
area 0.0.0.0 {
    interface lo0.0 {
        passive;
    }
    interface ge-0/0/0.0 {
        authentication {
            md5 2 key "$9$9l5wt01Srv7-wRh-wYgUD9ApOEc"; ## SECRET-DATA
        }
    }
}
reference-bandwidth 100g;

[edit]
lab@vRouter-2# commit and-quit 
commit complete
Exiting configuration mode

lab@vRouter-2> show ospf neighbor 
Address          Interface              State           ID               Pri  Dead
172.16.0.1       ge-0/0/0.0             Full            192.168.0.1      128    33

lab@vRouter-2> show ospf interface ge-0/0/0.0 detail 
Interface           State   Area            DR ID           BDR ID          Nbrs
ge-0/0/0.0          DR      0.0.0.0         192.168.0.2     192.168.0.1        1
  Type: LAN, Address: 172.16.0.2, Mask: 255.255.255.0, MTU: 1500, Cost: 100
  DR addr: 172.16.0.2, BDR addr: 172.16.0.1, Priority: 128
  Adj count: 1
  Hello: 10, Dead: 40, ReXmit: 5, Not Stub
  Auth type: MD5, Active key ID: 2, Start time: 1970 Jan  1 00:00:00 UTC
  Protection type: None
  Topology default (ID 0) -> Cost: 100

lab@vRouter-2>

Technically, the first MD5 key did not need to be deleted, it could have been left in place. Unless a start date and time is set, the highest key id will be the active authentication key.

From the OSPF interface output we can see R2 is now using key id 2.

On R1, what happens if we try to add a third key under the multi-active-md5 configuration?

[edit]
lab@vRouter-1# show protocols ospf 
area 0.0.0.0 {
    interface lo0.0 {
        passive;
    }
    interface ge-0/0/0.0 {
        authentication {
            multi-active-md5 1 key "$9$iqPT69pRhrz3hrev7Nik."; ## SECRET-DATA
            multi-active-md5 2 key "$9$6LFOCpOhSeX7V1R7VwYZG69AuIE"; ## SECRET-DATA
            multi-active-md5 3 key "$9$Q-523/ABIcvWxp0WxNdg4QFnC0B"; ## SECRET-DATA
        }
    }
}
reference-bandwidth 100g;

[edit]
lab@vRouter-1# commit check 
[edit protocols ospf area 0.0.0.0 interface ge-0/0/0.0 authentication]
  'multi-active-md5 3'
    Number of multi active MD5 keys exceeds limit of two per interface
error: configuration check-out failed

[edit]
lab@vRouter-1#

We can delete one of the previous keys to fix this issue.

Packet Capture

Since the OSPF header is a fixed format, what we observe is R1 sending two OSPF packets at a time, one with each key id and hashed password. We do not see a packet with two keys in the OSPF header, which might be what you would expect to see.

If you look at the following packet capture and the times of the packets, you’ll see that R1 (172.16.0.1) seems to be sending two packets at nearly the same time, to every packet that R2 seems to be sending.

Looking at packet 10 in more detail, we see it has key id 2 in the OSPF header.

Looking at packet 11, we see key id 1.

OSPF with IPSec SA

We can use the same method we used for OSPFv3 authentication.

The configuration for R1 and R2 is the same. R1 is shown below. I’m using the AH protocol instead of ESP, so the traffic is authenticated but not encrypted. This allows us to see what is happening in a packet capture.

[edit]
lab@vRouter-1# show security 
ipsec {
    security-association sa-for-ospf {
        mode transport;
        manual {
            direction bidirectional {
                protocol ah;
                spi 256;
                authentication {
                    algorithm hmac-sha-256-128;
                    key ascii-text "$9$9TKNCORKvLxNbKMYoJG.mBIEheWXxd2gJN-HqPfn68X7Ns4UDkPT3mPSrleW8JGUimfz36t0Bn6vWxNbwz3n/0B1RhSlK0O"; ## SECRET-DATA
                }
            }
        }
    }
}

[edit]
lab@vRouter-1# show protocols ospf 
area 0.0.0.0 {
    interface lo0.0 {
        passive;
    }
    interface ge-0/0/0.0 {
        ipsec-sa sa-for-ospf;
    }
}
reference-bandwidth 100g;

[edit]
lab@vRouter-1#

The OSPF neighbor and interface output looks like this:

lab@vRouter-1> show ospf neighbor    
Address          Interface              State           ID               Pri  Dead
172.16.0.2       ge-0/0/0.0             Full            192.168.0.2      128    39

lab@vRouter-1> show ospf interface ge-0/0/0.0 detail 
Interface           State   Area            DR ID           BDR ID          Nbrs
ge-0/0/0.0          BDR     0.0.0.0         192.168.0.2     192.168.0.1        1
  Type: LAN, Address: 172.16.0.1, Mask: 255.255.255.0, MTU: 1500, Cost: 100
  DR addr: 172.16.0.2, BDR addr: 172.16.0.1, Priority: 128
  Adj count: 1
  Hello: 10, Dead: 40, ReXmit: 5, Not Stub
  IPSec SA name: sa-for-ospf
  Auth type: None
  Protection type: None
  Topology default (ID 0) -> Cost: 100

lab@vRouter-1>

Packet Capture

Looking at the detail of just one packet, there is an authentication header, and the OSPF header has an auth type of null.

OSPF with IPSec SA And OSPF Authentication

We can combine the IPSec security association and OSPF authentication.

We update R1 so the OSPF stanza now looks like this:

[edit]
lab@vRouter-1# show protocols ospf 
area 0.0.0.0 {
    interface lo0.0 {
        passive;
    }
    interface ge-0/0/0.0 {
        authentication {
            md5 1 key "$9$D/H.f36A1RSTzRSreXxDik"; ## SECRET-DATA
        }
        ipsec-sa sa-for-ospf;
    }
}
reference-bandwidth 100g;

[edit]
lab@vRouter-1# commit 
commit complete

[edit]
lab@vRouter-1#

The detailed OSPF interface output shows the use of both the IPSec SA and authentication.

lab@vRouter-1> show ospf neighbor         
Address          Interface              State           ID               Pri  Dead
172.16.0.2       ge-0/0/0.0             Full            192.168.0.2      128    32

lab@vRouter-1> show ospf interface ge-0/0/0.0 detail 
Interface           State   Area            DR ID           BDR ID          Nbrs
ge-0/0/0.0          BDR     0.0.0.0         192.168.0.2     192.168.0.1        1
  Type: LAN, Address: 172.16.0.1, Mask: 255.255.255.0, MTU: 1500, Cost: 100
  DR addr: 172.16.0.2, BDR addr: 172.16.0.1, Priority: 128
  Adj count: 1
  Hello: 10, Dead: 40, ReXmit: 5, Not Stub
  IPSec SA name: sa-for-ospf
  Auth type: MD5, Active key ID: 1, Start time: 1970 Jan  1 00:00:00 UTC
  Protection type: None
  Topology default (ID 0) -> Cost: 100

lab@vRouter-1> 

Packet Capture

This time we see both an authentication header for the packet and authentication in the OSPF header.

OSPF Authentication With Apply Groups Example

To make applying authentication easier, we can use apply groups. This allows us to configure the authentication once, and have it applied to many interfaces.

To start with, we’ll create and show the group.

[edit]
lab@vRouter-1# set groups group-ospf-auth protocols ospf area <*> interface <ge-*> authentication md5 1 key Juniper 

[edit]
lab@vRouter-1# show groups 
group-ospf-auth {
    protocols {
        ospf {
            area <*> {
                interface <ge-*> {
                    authentication {
                        md5 1 key "$9$gVaGjmfzCtOHqtO1RlegoJ"; ## SECRET-DATA
                    }
                }
            }
        }
    }
}

[edit]
lab@vRouter-1#

The wildcards for the area, <*>, and interface, <ge-*>, match any area, and any interface that starts with ge.

After we create the configuration group, we need to apply it. In this case, we’ll apply it at the ospf level.

[edit]
lab@vRouter-1# set protocols ospf apply-groups group-ospf-auth 

[edit]
lab@vRouter-1# show protocols ospf 
apply-groups group-ospf-auth;
area 0.0.0.0 {
    interface lo0.0 {
        passive;
    }
    interface ge-0/0/0.0;
    interface ge-0/0/1.0;
    interface ge-0/0/2.0;
    interface ge-0/0/3.0;
}
reference-bandwidth 100g;

[edit]
lab@vRouter-1#

Initially, the configuration does not look that different. We need to use display inheritance to see the effect of the applied configuration group.

[edit]
lab@vRouter-1# show protocols ospf | display inheritance 
area 0.0.0.0 {
    interface lo0.0 {
        passive;
    }
    interface ge-0/0/0.0 {
        ##
        ## 'authentication' was inherited from group 'group-ospf-auth'
        ##
        authentication {
            ##
            ## '1' was inherited from group 'group-ospf-auth'
            ## '$9$gVaGjmfzCtOHqtO1RlegoJ' was inherited from group 'group-ospf-auth'
            ##
            md5 1 key "$9$gVaGjmfzCtOHqtO1RlegoJ"; ## SECRET-DATA
        }
    }
    interface ge-0/0/1.0 {
        ##
        ## 'authentication' was inherited from group 'group-ospf-auth'
        ##
        authentication {
            ##
            ## '1' was inherited from group 'group-ospf-auth'
            ## '$9$gVaGjmfzCtOHqtO1RlegoJ' was inherited from group 'group-ospf-auth'
            ##
            md5 1 key "$9$gVaGjmfzCtOHqtO1RlegoJ"; ## SECRET-DATA
        }
    }
    interface ge-0/0/2.0 {
        ##
        ## 'authentication' was inherited from group 'group-ospf-auth'
        ##
        authentication {
            ##
            ## '1' was inherited from group 'group-ospf-auth'
            ## '$9$gVaGjmfzCtOHqtO1RlegoJ' was inherited from group 'group-ospf-auth'
            ##
            md5 1 key "$9$gVaGjmfzCtOHqtO1RlegoJ"; ## SECRET-DATA
        }
    }
    interface ge-0/0/3.0 {
        ##
        ## 'authentication' was inherited from group 'group-ospf-auth'
        ##
        authentication {
            ##
            ## '1' was inherited from group 'group-ospf-auth'
            ## '$9$gVaGjmfzCtOHqtO1RlegoJ' was inherited from group 'group-ospf-auth'
            ##
            md5 1 key "$9$gVaGjmfzCtOHqtO1RlegoJ"; ## SECRET-DATA
        }
    }
}
reference-bandwidth 100g;

[edit]
lab@vRouter-1#

Normally I would use ‘| except ##’ to exclude the lines telling me where the config was inherited from, but that also excludes the line with the md5 key, due to the ## SECRET-DATA at the end of the line. Let’s use display set instead.

[edit]
lab@vRouter-1# show protocols ospf | display inheritance | display set 
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 authentication md5 1 key "$9$gVaGjmfzCtOHqtO1RlegoJ"
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 authentication md5 1 key "$9$gVaGjmfzCtOHqtO1RlegoJ"
set protocols ospf area 0.0.0.0 interface ge-0/0/2.0 authentication md5 1 key "$9$gVaGjmfzCtOHqtO1RlegoJ"
set protocols ospf area 0.0.0.0 interface ge-0/0/3.0 authentication md5 1 key "$9$gVaGjmfzCtOHqtO1RlegoJ"
set protocols ospf reference-bandwidth 100g

[edit]
lab@vRouter-1#

Don’t forget to commit the config when you’re done so it all takes effect.

As you can see, the configuration group makes it very easy to set the same password across many interfaces. It also makes rolling the key over easier as you only have to change it once, rather than under each interface.

Summary

Junos offers three main ways of authentication OSPF – none, simple, or MD5. You can also use IPSec security associations, similar to OSPFv3.

Later versions of Junos support having two MD5 keys active by using the multi-active-md5 command.

The packet captures showed what each method looks like as it traverses over the network.

Finally, we looked at how configuration or apply groups can simplify setting authentication on many interfaces.

Leave a Comment

Your email address will not be published. Required fields are marked *