| author | Mahdi Varasteh <varasteh@amnesh.ir> | 2023-09-12 15:09:44 +0330 | 
|---|---|---|
| committer | Mahdi Varasteh <varasteh@amnesh.ir> | 2023-09-16 07:38:23 +0330 | 
| commit | f5011cd5ddfd0eabe359d7013747823c6bd4ed3f (patch) | |
| tree | 0be666457c571176705bb970582b16fc4d2d688b /doc/user/ospfd.rst | |
| parent | edd243280c56018e413a5773b2e8cb82d8be8421 (diff) | |
[ospfd]: add support for RFC 5709 HMAC-SHA Auth

This patch includes:

* Implementation of RFC 5709 support in OSPF. Using the openssl library and the
  FRR key-chain, one can use the SHA1, SHA256, SHA384, SHA512 and keyed-MD5
  (backward compatibility with RFC 2328) HMAC algs.
* Updating documentation of OSPF
* Add topotests for new HMAC algorithms

Signed-off-by: Mahdi Varasteh <varasteh@amnesh.ir>
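The commit message names the algorithms but not how the authentication trailer is formed for each. The following is an added example, not code from this commit or from FRR: it builds a constructed OSPFv2 Hello with AuType 2, computes the RFC 2328 keyed-MD5 trailer and the RFC 5709 HMAC trailer, and performs the receiver-side check (trailer recomputation in constant time plus the rule that the cryptographic sequence number must not go backwards, which is why the ospfd documentation insists that system time never runs backwards). `rfc5709_two_step` writes out RFC 5709's First-Hash/Second-Hash steps and shows they equal a plain RFC 2104 HMAC for keys no longer than the digest length, which is what lets an implementation hand the work to a library HMAC call. Assumptions: the key-chain algorithm names other than `hmac-sha-256` (the one the doc example uses), every packet field value, and that keys are no longer than the digest length; key preparation for longer keys is not exercised.

```python
import hashlib
import hmac
import struct

# RFC 5709 section 3.3: Apad is 0x878FE1F3 repeated L/4 times, L = digest length.
APAD_WORD = bytes.fromhex("878FE1F3")
AU_TYPE_CRYPTO = 2  # RFC 2328 A.3.1 AuType for cryptographic authentication

# Digest constructor per key-chain algorithm name. "hmac-sha-256" is the spelling
# the page's example uses; the other names are assumed to follow the same pattern.
ALGS = {
    "md5": hashlib.md5,             # RFC 2328 D.4.3 keyed-MD5 (a plain hash, not HMAC)
    "hmac-sha-1": hashlib.sha1,     # RFC 5709 HMAC over packet || Apad
    "hmac-sha-256": hashlib.sha256,
    "hmac-sha-384": hashlib.sha384,
    "hmac-sha-512": hashlib.sha512,
}


def ospf_packet(pkt_type, router_id, area_id, key_id, auth_len, seq, body):
    """OSPFv2 header (RFC 2328 A.3.1) with AuType 2 in front of `body`.
    For AuType 2 the checksum field is 0 and the Authentication field carries
    0, 0, Key ID, Auth Data Len, Cryptographic sequence number. The packet
    length excludes the trailer that will follow the body."""
    hdr = struct.pack("!BBH4s4sHHHBBI", 2, pkt_type, 24 + len(body), router_id,
                      area_id, 0, AU_TYPE_CRYPTO, 0, key_id, auth_len, seq)
    return hdr + body


def auth_data(alg, key, packet):
    """Trailer for `packet` (header + body, no trailer) under algorithm `alg`."""
    h = ALGS[alg]
    if alg == "md5":
        # RFC 2328 D.4.3: MD5 over the packet followed by the 16-octet key,
        # zero padded; longer keys are truncated, as the ospfd doc says.
        return hashlib.md5(packet + key[:16].ljust(16, b"\0")).digest()
    L = h().digest_size
    # RFC 5709: the trailer is HMAC(Ko, packet || Apad). For keys of at most L
    # octets that is exactly RFC 2104 HMAC, so hmac.new gives the same bytes as
    # the two explicit hashes in rfc5709_two_step(). Longer keys are not used
    # here (assumption: their preparation is left out of this example).
    return hmac.new(key, packet + APAD_WORD * (L // 4), h).digest()


def rfc5709_two_step(key, packet, h):
    """RFC 5709 section 3.3 written out:
    First-Hash  = H(Ko XOR Ipad || packet-with-Apad)
    Second-Hash = H(Ko XOR Opad || First-Hash)
    Only keys of at most L octets are handled."""
    L, B = h().digest_size, h().block_size
    if len(key) > L:
        raise ValueError("keys longer than the digest length are not handled here")
    ko = key.ljust(B, b"\0")
    k_ipad = bytes(b ^ 0x36 for b in ko)
    k_opad = bytes(b ^ 0x5C for b in ko)
    first = h(k_ipad + packet + APAD_WORD * (L // 4)).digest()
    return h(k_opad + first).digest()


def sign(alg, key, packet):
    return packet + auth_data(alg, key, packet)


def verify(alg, key, signed, last_seq=None):
    """Receiver side: split the trailer off using the header's packet length and
    Auth Data Len, recompute it, compare in constant time, and apply the RFC 2328
    D.4.3 rule that the cryptographic sequence number must not decrease."""
    if len(signed) < 24:
        return False
    pkt_len = struct.unpack("!H", signed[2:4])[0]
    au_type = struct.unpack("!H", signed[14:16])[0]
    auth_len, seq = signed[19], struct.unpack("!I", signed[20:24])[0]
    if au_type != AU_TYPE_CRYPTO or auth_len != ALGS[alg]().digest_size:
        return False
    if last_seq is not None and seq < last_seq:
        return False
    packet, trailer = signed[:pkt_len], signed[pkt_len:pkt_len + auth_len]
    if len(packet) != pkt_len or len(trailer) != auth_len:
        return False
    return hmac.compare_digest(trailer, auth_data(alg, key, packet))


def sample_hello(alg="hmac-sha-256", key_id=13, seq=1):
    """Constructed Hello (type 1) from router 10.0.0.1 in area 0: mask /24,
    HelloInterval 10, options E, priority 1, RouterDeadInterval 40, DR/BDR 0.
    Key ID 13 is the key number from the page's key-chain example."""
    body = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, 0x02, 1, 40,
                       bytes(4), bytes(4))
    return ospf_packet(1, bytes([10, 0, 0, 1]), bytes(4), key_id,
                       ALGS[alg]().digest_size, seq, body)


if __name__ == "__main__":
    key = b"ospf"  # the key-string from the page's example
    for alg in ("md5", "hmac-sha-256", "hmac-sha-512"):
        signed = sign(alg, key, sample_hello(alg))
        print(alg, signed[44:].hex(), verify(alg, key, signed, last_seq=1))
```

The header offsets used by `verify` (packet length at 2, AuType at 14, Key ID at 18, Auth Data Len at 19, sequence number at 20) are the RFC 2328 layout; a capture of a real neighbour's Hello can be fed to `verify` unchanged once its trailer length matches the configured algorithm.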
Diffstat (limited to 'doc/user/ospfd.rst')
| -rw-r--r-- | doc/user/ospfd.rst | 32 | 
1 files changed, 32 insertions, 0 deletions
diff --git a/doc/user/ospfd.rst b/doc/user/ospfd.rst index b61c9448db..26b2b43971 100644 --- a/doc/user/ospfd.rst +++ b/doc/user/ospfd.rst @@ -599,6 +599,38 @@ Interfaces     KEY is the actual message digest key, of up to 16 chars (larger strings will     be truncated), and is associated with the given KEYID. +.. clicmd:: ip ospf authentication key-chain KEYCHAIN + +   Specify that HMAC cryptographic authentication must be used on this interface +   using a key chain. Overrides any authentication enabled on a per-area basis +   (:clicmd:`area A.B.C.D authentication message-digest`) + +   * ``KEYCHAIN``: Specifies the name of the key chain that contains the authentication +   key(s) and cryptographic algorithms to be used for OSPF authentication. The key chain +   is a logical container that holds one or more authentication keys, +   allowing for key rotation and management. + +   Note that OSPF HMAC cryptographic authentication requires that time never go backwards +   (correct time is NOT important, only that it never goes backwards), even +   across resets, if ospfd is to be able to promptly reestablish adjacencies +   with its neighbours after restarts/reboots. The host should have system time +   be set at boot from an external or non-volatile source (e.g. battery backed +   clock, NTP, etc.) or else the system clock should be periodically saved to +   non-volatile storage and restored at boot if HMAC cryptographic authentication is to be +   expected to work reliably. + +   Example: + +   .. code:: frr + +      r1(config)#key chain temp +      r1(config-keychain)#key 13 +      r1(config-keychain-key)#key-string ospf +      r1(config-keychain-key)#cryptographic-algorithm hmac-sha-256 +      r1(config)#int eth0 +      r1(config-if)#ip ospf authentication key-chain temp +      r1(config-if)#ip ospf area 0 +  .. clicmd:: ip ospf cost (1-65535)  | 
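Review bot: The new ``ip ospf authentication key-chain KEYCHAIN`` text never says which ``cryptographic-algorithm`` values the key chain may carry for OSPF, although the commit message enumerates them (SHA1, SHA256, SHA384, SHA512 and keyed-MD5 for RFC 2328 compatibility); list the accepted names next to the ``KEYCHAIN`` bullet, say that the MD5 choice yields the RFC 2328 keyed-MD5 trailer rather than an HMAC, and state whether the command is available on builds without the openssl library the commit message says the implementation uses. Two smaller points in the example: the prompt jumps from ``r1(config-keychain-key)#cryptographic-algorithm hmac-sha-256`` straight to ``r1(config)#int eth0`` without the ``exit`` lines a reader would have to type, and nothing shows the ``accept-lifetime``/``send-lifetime`` settings that would make the "allowing for key rotation" sentence concrete; ``key-string ospf`` is also a four-character placeholder that a longer sample key would serve better.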
