Cisco – Does OSPF use a packet checksum using MD5

ciscoospfrouting

When we configure OSPF routers with MD5 authentication, a message digest is created, which is the combination of a pre-defined message-digest-key which has been run through the MD5 algorithm; that must be the same between routers of an area, for example:

message-digest-key = cisco
md5("cisco") = "dfeaf10390e560aea745ccba53e044ed"

My Question

What part of the packet is checksummed by this MD5 hash?
Does OSPF check the whole packet? or what exactly?

Please include your references.

Best Answer

From the RFC:

            (c) The MD5 authentication algorithm is run over the
                concatenation of the OSPF packet, secret key, pad
                and length fields, producing a 16 byte message
                digest (see [Ref17]).

Related Solutions

OSPF LSA checksum error

Are all neighbors Quagga boxes as well or cisco/juniper/etc? Could be any number of things:

Bad interface on one of the neighbors
Bad interface on switch facing one of neighbors on this network
Misbehaving ospfd process on one of the quagga boxes
Bug in Quagga?
Bug in version of code running on actual router hardware (if one of your neighbors is not a Quagga box)

Cisco BGP Authentication Key Chain vs. Authentication Key – Differences Explained

Well I managed to figure this out.

The bottom line is:

Using authentication-key-chains uses the "TCP Enhanced Authentication Option"
Using authentication-key uses the "TCP MD5 Signature Option"

From https://datatracker.ietf.org/doc/html/draft-bonica-tcp-auth-06

12.4.  Backwards Compatibility

   On any particular TCP connection, use of the TCP Enhanced
   Authentication Option precludes use of the TCP MD5 Signature Option.

You simply cannot mix the two different TCP options.

My Question

Best Answer

Related Solutions

OSPF LSA checksum error

Cisco BGP Authentication Key Chain vs. Authentication Key – Differences Explained

Related Topic