LAB: Huawei OSPF authentication mismatch

We are still in the same LAB. At this point the neighborship between R1 and R2 is formed. We saw in the Hello packet that the authentication type and key must match on both sides for the neighborship to form. By default, Huawei routers run OSPF without any authentication. This is a security hole: anyone who plugs a router into the switch and configures OSPF can become a neighbor of our production network and inject routes into it. That is why authentication is important.

On Huawei you can configure authentication at the area level or at the interface level, as follows:

  • Area authentication: the authentication is applied to packets received on all interfaces in the OSPF area.
  • Interface authentication: the authentication is configured in the interface view and is applied only to packets received on that interface. If both are configured, the interface-level setting takes precedence for that interface.


Huawei supports the following authentication modes:

  • Non-authentication: the default; packets carry no authentication at all.
  • Simple authentication: a clear-text password is carried in the OSPF packet header, so anyone who can capture traffic on the segment can read it.
  • MD5 authentication: the password is never sent. An MD5 digest computed over the packet plus the shared key is appended to every packet, and the receiver recomputes it with its own key; the packet is dropped if the digests differ.
  • Keychain authentication: a keychain holds multiple authentication keys, each with an ID, a password and a lifetime. The router switches keys (and the algorithm bound to each key) automatically as their lifetimes expire, which allows key rollover without dropping the neighborship. Huawei considers this the strongest mode.
  • HMAC-SHA256 authentication: the same digest scheme as MD5 authentication, but the digest is computed with HMAC-SHA256, which is the stronger of the two.

Back to the LAB: I will leave R1 without any authentication and configure MD5 authentication on R2.

Let’s check if R1 and R2 have neighborship now:

Indeed, they do. Now I will go to R2 and configure the authentication (remember, by default both routers have none). I will enable it at the interface level rather than the area level, which means applying it on G0/0/0 of R2.

Let me show you the different modes available on Huawei, as explained above:

You can see them all listed in the interface view. I will use the md5 authentication mode.

Here I have set the password type to cipher (so it is stored encrypted in the configuration rather than in plain text) and used a weak password, "123456" (please use a complex password in your production network). Once the dead interval expires, R1 and R2 should no longer be neighbors, because R1 runs no authentication while R2 requires MD5: each side drops the other's Hello packets as an authentication failure, so no Hello is accepted and the adjacency times out.

Here I received a notification on the console of R2 (and likewise on R1) that the neighborship with R1 is down, as follows:

Let’s check the neighborship using the “display ospf peer” command on R2:

Indeed, we have no more peer with R1.
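As an added example (not part of the original lab and not Huawei code), the following Python models the check an OSPF router performs on each received Hello, as described in RFC 2328 Appendix D, for the lab states above: R1 with no authentication, R2 with MD5, then R1 reconfigured with the same key and with a wrong key. It also shows why simple authentication from the mode list is weak: the password sits in clear text in the packet header. Router IDs, the key "123456" and the sequence number are constructed values for illustration only.

```python
"""Receiver-side OSPFv2 authentication check (RFC 2328 Appendix D).

Added example, not code from the original lab or from Huawei. It builds minimal
OSPFv2 Hello packets for R1 and R2 and runs the check a router performs before
it will treat the sender as a neighbor. Router IDs, the key and the sequence
number are constructed values for illustration only.
"""
import hashlib
import struct

AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2   # AuType values, RFC 2328 A.3.1
OSPF_HELLO = 1
HDR_LEN = 24


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ospf_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; OSPF computes it over the packet
    with the 64-bit authentication field excluded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_hello(router_id: str, autype: int, key: bytes = b"",
                key_id: int = 1, seq: int = 1) -> bytes:
    """Hello from router_id in area 0.0.0.0 with the given authentication type."""
    # Hello body: mask, HelloInterval, options, priority, RouterDeadInterval, DR, BDR
    body = struct.pack("!4sHBBI4s4s", _ip("255.255.255.0"), 10, 0x02, 1, 40,
                       b"\x00" * 4, b"\x00" * 4)
    length = HDR_LEN + len(body)
    if autype == AUTH_MD5:
        # Cryptographic auth: checksum is 0, auth field = 0 | KeyID | AuthLen | Seq,
        # and MD5(packet || key zero-padded to 16 bytes) is appended after the packet.
        hdr = struct.pack("!BBH4s4sHH", 2, OSPF_HELLO, length, _ip(router_id),
                          _ip("0.0.0.0"), 0, AUTH_MD5)
        auth = struct.pack("!HBBI", 0, key_id, 16, seq)
        pkt = hdr + auth + body
        return pkt + hashlib.md5(pkt + key.ljust(16, b"\x00")[:16]).digest()
    # Null or simple auth: checksum excludes the auth field; simple auth puts
    # the password itself (zero-padded to 8 bytes) in that field, in clear text.
    hdr = struct.pack("!BBH4s4sHH", 2, OSPF_HELLO, length, _ip(router_id),
                      _ip("0.0.0.0"), 0, autype)
    csum = ospf_checksum(hdr + body)
    hdr = hdr[:12] + struct.pack("!H", csum) + hdr[14:]
    auth = key.ljust(8, b"\x00")[:8] if autype == AUTH_SIMPLE else b"\x00" * 8
    return hdr + auth + body


def accept_hello(pkt: bytes, local_autype: int, local_key: bytes = b"",
                 key_id: int = 1):
    """What the receiving interface does: returns (accepted, reason)."""
    length = struct.unpack("!H", pkt[2:4])[0]
    autype = struct.unpack("!H", pkt[14:16])[0]
    auth = pkt[16:24]
    if autype != local_autype:
        return False, "AuType mismatch (packet %d, interface %d)" % (autype, local_autype)
    if local_autype == AUTH_NULL:
        return True, "no authentication"
    if local_autype == AUTH_SIMPLE:
        if auth != local_key.ljust(8, b"\x00")[:8]:
            return False, "simple password mismatch"
        return True, "simple password matches"
    _, kid, auth_len, seq = struct.unpack("!HBBI", auth)
    if kid != key_id or auth_len != 16:
        return False, "unknown key id or bad auth length"
    expected = hashlib.md5(pkt[:length] + local_key.ljust(16, b"\x00")[:16]).digest()
    if pkt[length:length + 16] != expected:
        return False, "MD5 digest mismatch (wrong key)"
    return True, "MD5 digest verified, seq=%d" % seq


def run_lab(key: bytes = b"123456"):
    """The states from the lab: R1 without auth, R2 with MD5, then R1 fixed."""
    r1_hello = build_hello("1.1.1.1", AUTH_NULL)
    r2_hello = build_hello("2.2.2.2", AUTH_MD5, key)
    results = {
        "r2_receives_r1": accept_hello(r1_hello, AUTH_MD5, key),
        "r1_receives_r2": accept_hello(r2_hello, AUTH_NULL),
        # R1 reconfigured with the same MD5 key: neighborship comes back.
        "r1_fixed_receives_r2": accept_hello(r2_hello, AUTH_MD5, key),
        # Same mode but a different key: AuType matches, digest does not.
        "r1_wrong_key_receives_r2": accept_hello(r2_hello, AUTH_MD5, b"654321"),
    }
    # Why simple authentication is weak: the password sits in bytes 16..24.
    simple = build_hello("1.1.1.1", AUTH_SIMPLE, key)
    results["simple_auth_field"] = simple[16:24]
    return results


if __name__ == "__main__":
    for name, value in run_lab().items():
        print("%-28s %r" % (name, value))
```

The model leaves out the cryptographic sequence number comparison that real routers use against replay, and the HMAC-SHA256 variant (RFC 5709), which differs only in the digest function. The point it makes is the one from the lab: with mismatched modes the Hello is rejected on the AuType field before any key is compared, so neither side accepts the other's Hellos and the adjacency is torn down when the dead interval expires.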

That's all I needed to show you in this chapter. I hope you enjoyed it, and see you in the next chapter.


