OSPF HMAC-SHA authentication 7.0.1

This enhancement adds support for RFC 5709 HMAC-SHA cryptographic authentication for OSPF. Prior to 7.0.1, only MD5 was supported.

An option to set the algorithm is available in the router key chain configuration:

config router key-chain
    edit <name>
        config key
            edit <id>
                ...
                set algorithm {md5 | hmac-sha1 | hmac-sha256 | hmac-sha384 | hmac-sha512}
            next
        end
    next
end

Note: The available options for set authentication in the OSPF settings are now none, text, and message-digest.

To configure HMAC-SHA cryptographic authentication for OSPF:
  1. Configure the router key chain:
    config router key-chain
        edit "11"
            config key
                edit "1"
                    set accept-lifetime 01:01:01 01 01 2021 2147483646
                    set send-lifetime 01:01:01 01 01 2021 2147483646
                    set key-string **********
                    set algorithm hmac-sha512
                next
            end
        next
    end
  2. Configure OSPF:
    config router ospf
        set router-id 2.2.2.2
        config area
            edit 0.0.0.0
                set authentication message-digest
            next
        end
        config ospf-interface
            edit "1"
                set interface "port1"
                set authentication message-digest
                set md5-keychain "11"
            next
        end
    end
  3. Verify that the OSPF neighbor can be established:
    # get router info ospf neighbor
    OSPF process 0, VRF 0:
    Neighbor ID     Pri   State           Dead Time   Address         Interface
    1.1.1.1           1   Full/DR         00:00:37    12.1.1.1        port1
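
An added example, not Fortinet's code: a small auditor that walks key-chain configuration in the CLI syntax shown above and lists every key whose set algorithm value falls outside an accepted set, which helps find chains still on MD5 after moving to 7.0.1. The sample text, the "legacy" chain, the accepted-set policy, and the function names are assumptions of this example; the input is assumed to be only the config router key-chain section.

```python
import shlex

# Constructed sample in FortiOS CLI syntax; chain names and keys are made up.
SAMPLE = """\
config router key-chain
    edit "11"
        config key
            edit "1"
                set algorithm hmac-sha512
            next
        end
    next
    edit "legacy"
        config key
            edit "1"
                set algorithm md5
            next
            edit "2"
                set key-string **********
            next
        end
    next
end
"""

# Policy assumed for this example: only SHA-2 based HMACs pass.
ACCEPTED = {"hmac-sha256", "hmac-sha384", "hmac-sha512"}

def in_key(path):
    return len(path) == 4 and path[0][1] == "router key-chain" and path[2][1] == "key"

def audit_key_chains(text):
    """Return (chain, key_id, algorithm) per key outside ACCEPTED; "unset" = no algorithm line."""
    findings, path, algo = [], [], None
    for line in text.splitlines():
        words = shlex.split(line)
        if not words:
            continue
        kw, args = words[0], words[1:]
        if kw in ("config", "edit"):
            path.append((kw, " ".join(args)))
            algo = None  # a new block starts with no algorithm seen yet
        elif kw == "set" and in_key(path) and len(args) == 2 and args[0] == "algorithm":
            algo = args[1]
        elif kw in ("next", "end") and path:
            if kw == "next" and in_key(path) and algo not in ACCEPTED:
                findings.append((path[1][1], path[3][1], algo or "unset"))
            path.pop()
    return findings
```

Keys reported as "unset" carry no set algorithm line, so the effective algorithm on the device should be checked by hand.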
