Switch User Manual

136 IP Routing Configuration and Management
Simple password mechanism
The simple password security mechanism transmits a text password in the
OSPF headers. Only routers that contain the same authentication ID in
their OSPF headers can communicate with each other.
Note: Nortel recommends not using this security mechanism
because the password is stored in plain text and can be read from the
configuration file or from the OSPF packet.
To configure this authentication type on an OSPF interface of VLAN 2 using
the password test1234, use the following commands:
5530-24TFD(config)# interface vlan 2
5530-24TFD(config-if)# ip ospf authentication-type simple
5530-24TFD(config-if)# ip ospf authentication-key test1234
Message Digest 5
The Message Digest 5 (MD5) mechanism provides 128-bit encrypted
authentication based on the RFC 1321 standard. MD5 authentication for
OSPF security makes it very hard for a malicious user to compute or
derive the authentication key from the OSPF packets. Each OSPF packet
has a message digest appended to it, which must match between the
sending and receiving routers. The message digest is calculated on
either side from the packet, the MD5 key and any padding, then compared.
If the message digests do not match, the packet is rejected.
Each OSPF interface supports up to 2 keys, identifiable by key ID, to
facilitate a smooth key transition during the rollover process. Only the
selected primary key is used to encrypt the OSPF transmit packets.
The process of key change is as follows:
Note: Assume that all routers already use the same key for
authentication and a new key is required.
1. Add the second key to all routers. The routers will continue to send
OSPF packets encrypted with the old key.
2. Activate the second key on all routers by setting it as the primary key.
Routers will send OSPF packets encrypted with the new key while still
accepting packets using the old key. This is necessary as some routers
will not have activated the new key.
3. Remove the old key when all routers activate the new key.
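The digest computation described above and the three-step key rollover, as an added worked example that is not part of the Nortel manual or the switch firmware. It models the OSPFv2 cryptographic authentication layout of RFC 2328 Appendix D (Key ID and Auth Data Len in the 64-bit authentication field, digest appended after the packet, key zero-padded to 16 octets, which is the "padding" the text refers to); the router IDs, hello body and key values are constructed sample data, and the OspfRouter class is an illustrative model of one interface's two-key ring, not the switch's real implementation.

```python
# Added example (not Nortel's code): OSPF cryptographic authentication in the
# style of RFC 2328 Appendix D with a two-key ring per interface, used to walk
# through the MD5 key-rollover steps. Packet contents and keys are constructed.
import hashlib
import hmac
import socket
import struct

OSPF_VERSION = 2
OSPF_HELLO = 1          # packet type 1
AUTYPE_CRYPTO = 2       # AuType 2 = cryptographic (MD5) authentication
MD5_AUTH_LEN = 16       # Auth Data Len field value for MD5
KEY_OCTETS = 16         # key is padded with trailing zeros to 16 octets
HEADER_LEN = 24         # fixed OSPFv2 header length


def pad_key(key: bytes) -> bytes:
    """Pad a key shorter than 16 octets with zeros (RFC 2328 Appendix D.3)."""
    if len(key) > KEY_OCTETS:
        raise ValueError("OSPF MD5 key must be at most 16 octets")
    return key.ljust(KEY_OCTETS, b"\x00")


def build_packet(router_id: str, area_id: str, key_id: int, seq: int, body: bytes) -> bytes:
    """OSPFv2 header + body. With AuType 2 the checksum is 0 and the auth field
    carries 0x0000, Key ID, Auth Data Len and the cryptographic sequence number.
    The length field covers header + body only; the digest is not counted."""
    header = struct.pack("!BBH4s4sHH", OSPF_VERSION, OSPF_HELLO, HEADER_LEN + len(body),
                         socket.inet_aton(router_id), socket.inet_aton(area_id),
                         0, AUTYPE_CRYPTO)
    auth = struct.pack("!HBBI", 0, key_id, MD5_AUTH_LEN, seq)
    return header + auth + body


def digest(packet: bytes, key: bytes) -> bytes:
    """Message digest = MD5 over the packet followed by the 16-octet padded key."""
    return hashlib.md5(packet + pad_key(key)).digest()


def sign(packet: bytes, key: bytes) -> bytes:
    """Sender side: append the digest after the OSPF packet proper."""
    return packet + digest(packet, key)


def verify(signed: bytes, keyring: dict) -> bool:
    """Receiver side: select the key by Key ID, recompute, compare in constant time."""
    if len(signed) < HEADER_LEN:
        return False
    length = struct.unpack("!H", signed[2:4])[0]
    autype = struct.unpack("!H", signed[14:16])[0]
    key_id, auth_len = signed[18], signed[19]
    if autype != AUTYPE_CRYPTO or auth_len != MD5_AUTH_LEN or len(signed) != length + MD5_AUTH_LEN:
        return False
    key = keyring.get(key_id)
    if key is None:                        # Key ID not configured on this interface
        return False
    packet, received = signed[:length], signed[length:]
    return hmac.compare_digest(digest(packet, key), received)


class OspfRouter:
    """Illustrative model of one OSPF interface: up to 2 keys by Key ID, one primary."""

    def __init__(self, router_id: str, keys: dict, primary: int):
        self.router_id, self.keys, self.primary, self.seq = router_id, dict(keys), primary, 0

    def add_key(self, key_id: int, key: bytes) -> None:
        if len(self.keys) >= 2 and key_id not in self.keys:
            raise ValueError("an OSPF interface supports at most 2 keys")
        self.keys[key_id] = key

    def activate(self, key_id: int) -> None:
        self.primary = key_id              # only the primary key is used to transmit

    def remove_key(self, key_id: int) -> None:
        if key_id == self.primary:
            raise ValueError("activate the other key before removing this one")
        del self.keys[key_id]

    def send_hello(self) -> bytes:
        self.seq += 1
        packet = build_packet(self.router_id, "0.0.0.0", self.primary, self.seq, b"hello")
        return sign(packet, self.keys[self.primary])

    def accept(self, signed: bytes) -> bool:
        return verify(signed, self.keys)   # any configured key is accepted on receipt


def rollover_demo() -> dict:
    """Walk R1 and R2 through the three rollover steps plus two rejection cases."""
    old, new = b"test1234", b"newkey5678"          # constructed sample keys
    r1 = OspfRouter("1.1.1.1", {1: old}, primary=1)
    r2 = OspfRouter("2.2.2.2", {1: old}, primary=1)
    out = {}
    r1.add_key(2, new); r2.add_key(2, new)          # step 1: second key added everywhere
    out["step1_old_key_still_used"] = r2.accept(r1.send_hello())
    r1.activate(2)                                  # step 2: R1 switches first
    out["step2_r2_accepts_new"] = r2.accept(r1.send_hello())
    out["step2_r1_accepts_old"] = r1.accept(r2.send_hello())
    r2.activate(2)
    r1.remove_key(1); r2.remove_key(1)              # step 3: old key removed everywhere
    out["step3_new_key_only"] = r2.accept(r1.send_hello())
    stale = OspfRouter("3.3.3.3", {1: old}, primary=1)
    out["old_key_after_removal"] = r2.accept(stale.send_hello())
    tampered = bytearray(r1.send_hello()); tampered[HEADER_LEN] ^= 0xFF
    out["tampered_body"] = r2.accept(bytes(tampered))
    return out


if __name__ == "__main__":
    for step, ok in rollover_demo().items():
        print(f"{step}: {'accepted' if ok else 'rejected'}")
```

The receiver accepts a packet under any key it has configured but transmits only with its primary key, which is exactly why step 2 is safe to perform router by router: a neighbour that has not yet switched still validates the new-key packets, and one that has switched still validates the old-key packets. Once a key is removed (step 3), packets still carrying its Key ID are rejected, as are packets whose body was altered in transit; a replay check on the cryptographic sequence number is left out of this model.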
MD5 configuration example
In the configuration example illustrated below, MD5 is configured between
router R1 and R2.
Nortel Ethernet Routing Switch 5500 Series
Configuration-IP Routing Protocols
NN47200-503 03.01 Standard
5.1 27 August 2007
Copyright © 2005-2007, Nortel Networks