Cisco, although it never states this directly, “recommends” RFC 5709 for OSPF authentication, which adds HMAC-SHA cryptographic authentication, over the RFC 2328 Message Digest 5 (MD5) scheme.
In practice, network administrators will prefer the stronger cryptographic mechanism, as recommended, so HMAC-SHA takes precedence over MD5.
One would expect the same logic to apply in a Cisco SD-WAN environment, where features are configured through a web interface, except for certain cases handled via CLI templates (templates that configure features by mirroring the CLI configuration on the device).
As expected, within the Cisco SD-WAN GUI for OSPF it is possible to configure:
- OSPF network type
- OSPF hello and dead timers
- Reference bandwidth
- OSPF cost per interface
- Whether an interface is active or passive in the OSPF process
- OSPF area configuration (which I would not recommend configuring into anything other than Area 0)
- ….
- OSPF authentication configuration
At this point, one would expect to also be able to configure a key-chain for authentication and select the HMAC protocol. However, this is not the case.
Through the Cisco SD-WAN interface, it is only possible to select:
- Message-digest authentication
- Key ID
- Password
So the question is: why is only the “legacy” cryptographic option available, and not a stronger algorithm like HMAC?
Honestly, I don’t know, and I do not understand Cisco’s logic here. One would expect the opposite: that key-chain authentication is supported, not just message-digest. And I have not found any announcement suggesting this will change.
Solution:
That said, we accept it and look at what can be done. Did I mention CLI templates?
Yes, I did — and it is good that Cisco left the option to configure things in the classic way, directly mirroring CLI commands. So CLI templates can be used to create an OSPF key-chain.
But wait — does this mean that for 120 devices, I would need to know in advance which interface is running OSPF on each device and configure them individually through CLI templates?
Luckily, no. Someone did think about this and simplified the life of the SD-WAN administrator.
And this is how it works:
key chain {{keychain}}
 key 1
  key-string xxxxx
  cryptographic-algorithm hmac-sha-256
!
! key 1 is the key ID; xxxxx is a placeholder for the real key-string
interface {{interface}}
 ip ospf authentication key-chain {{keychain}}
Where interface and keychain are variables that can be entered during deployment of the Configuration Group on cEdge devices.
And yes — it is good that it works this way, otherwise it would be a nightmare.
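To verify the result of such a rollout, here is an added Python example (not part of the original post and not a Cisco tool) that parses a constructed IOS XE running-config excerpt and reports, per OSPF interface, whether authentication uses HMAC-SHA-256, the legacy MD5 path (a message-digest-key, or a key chain with no cryptographic-algorithm, which falls back to MD5), or nothing at all. Interface and key-chain names in the sample are made up.

```python
# Constructed sample running-config (not from a real device) covering every OSPF auth state.
SAMPLE_CONFIG = """\
key chain OSPF-Auth
 key 1
  cryptographic-algorithm hmac-sha-256
key chain OLD-Chain
 key 1
interface GigabitEthernet0/0/1
 ip ospf authentication key-chain OSPF-Auth
interface GigabitEthernet0/0/2
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 PLACEHOLDER
interface GigabitEthernet0/0/3
 ip ospf authentication key-chain OLD-Chain
interface GigabitEthernet0/0/4
 ip ospf 1 area 0
"""

def parse_sections(config):
    """Split an IOS-style config into (top-level line, [indented child lines])."""
    sections = []
    for line in config.splitlines():
        if not line.startswith(" "):
            sections.append((line.strip(), []))
        elif sections:
            sections[-1][1].append(line.strip())
    return sections

def audit_ospf_auth(config):
    """Return {interface: 'hmac-sha-256' | 'md5' | 'none'} for every interface running OSPF."""
    sections = parse_sections(config)
    algos = {}   # key-chain name -> set of algorithms used by its keys
    for head, body in sections:
        if head.startswith("key chain "):
            found = {c.split()[1] for c in body if c.startswith("cryptographic-algorithm ")}
            algos[head.split()[2]] = found or {"md5"}   # no algorithm given: MD5 default
    report = {}
    for head, body in sections:
        if not head.startswith("interface "):
            continue
        name = head.split(None, 1)[1]
        chain = [c.split()[-1] for c in body if c.startswith("ip ospf authentication key-chain ")]
        if chain:
            report[name] = ",".join(sorted(algos.get(chain[0], {"undefined-chain"})))
        elif any(c.startswith("ip ospf message-digest-key ") for c in body):
            report[name] = "md5"   # legacy RFC 2328 per-interface MD5 key
        elif any(c.startswith("ip ospf ") for c in body):
            report[name] = "none"  # OSPF enabled with no authentication at all
    return report
```

Running it over a `show running-config` export from each cEdge turns the template rollout into something you can audit, with every "md5" or "none" entry being an interface the CLI template did not reach.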

