Question & Answer
Question
We need to implement OSPF MD5 authentication on z/OS. What are the steps needed to do that?
Answer
On each AREA statement setting the parameters for an OSPF area, specify Authentication_Type=MD5 to establish MD5 cryptographic authentication as the default security scheme to be used in the area. The area's default security scheme can be overridden on an interface basis by specifying the Authentication_Type keyword on OSPF_INTERFACE or VIRTUAL_LINK statements.
For each IP interface over which OSPF operates, specify on the OSPF_INTERFACE statement:
authentication_type=MD5. If this parameter is not specified, it takes the default value specified for the area to which the interface is attached (as specified by the Attaches_To_Area parameter); if it is specified, it overrides the default value specified on the AREA statement.
authentication_key=key, where key is the 16-byte MD5 authentication key (a 16-byte hexadecimal string consisting of 0x plus 32 hexadecimal characters) for OSPF routers attached to this subnet. If the key is not 16 bytes long, you will see the error message EZZ7819I INVALID VALUE FOR AUTHENTICATION_KEY CODED ON OSPF_INTERFACE STATEMENT during OMPROUTE initialization.
authentication_key_id=id, where id is the identifier of the authentication key defined with the AUTHENTICATION_KEY keyword. This is a constant numeric value from 0 - 255, with a default value of 0. It is only relevant when MD5 cryptographic authentication is employed on the interface; otherwise, it is ignored. This field is provided for compatibility with other routers that might require identification of a key identifier with the authentication key.
For each virtual link between two area border routers, specify on the VIRTUAL_LINK statement:
authentication_type=MD5 to specify MD5 as the security scheme to be used over the virtual link. If not specified, the statement takes on the default value specified for the backbone area. Both hosts attached to the virtual link must be configured with the same security scheme.
authentication_key=key, where key is the 16-byte MD5 authentication key (a 16-byte hexadecimal string consisting of 0x plus 32 hexadecimal characters) for OSPF routers attached to this subnet. If the key is not 16 bytes long, you will see the error message EZZ7819I INVALID VALUE FOR AUTHENTICATION_KEY CODED ON VIRTUAL_LINK STATEMENT during OMPROUTE initialization.
authentication_key_id=id, where id is the identifier of the authentication key defined with the AUTHENTICATION_KEY keyword. This is a constant numeric value from 0 - 255, with a default value of 0. It is only relevant when MD5 cryptographic authentication is employed on the interface; otherwise, it is ignored. This field is provided for compatibility with other routers that might require identification of a key identifier with the authentication key.
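The rules above (area default, per-statement override, 0x plus 32 hexadecimal characters, key ID 0 - 255) can be checked before OMPROUTE is started. The following Python sketch is an added example, not IBM code. It assumes each statement is written as keyword=value pairs ending in a semicolon with no comment lines, and the sample configuration is constructed and trimmed to the parameters the check reads (Area_Number, Name and Virtual_Endpoint_RouterID are there only to identify statements).

```python
import re

# Assumed layout: "STATEMENT keyword=value ... ;" with no comment lines.
STMT = re.compile(r"\b(AREA|OSPF_INTERFACE|VIRTUAL_LINK)\b([^;]*);", re.I)
PARAM = re.compile(r"(\w+)\s*=\s*(\S+)")
KEY = re.compile(r"0x[0-9A-Fa-f]{32}")   # 0x plus 32 hex characters = 16 bytes
BACKBONE = "0.0.0.0"

def check_md5(config):
    """Return findings for statements whose effective scheme is MD5."""
    stmts = [(m.group(1).upper(),
              {k.lower(): v for k, v in PARAM.findall(m.group(2))})
             for m in STMT.finditer(config)]
    area_default = {p.get("area_number"): p.get("authentication_type", "")
                    for kind, p in stmts if kind == "AREA"}
    findings = []
    for kind, p in stmts:
        if kind == "AREA":
            continue
        # Virtual links inherit from the backbone area; an interface with no
        # Attaches_To_Area is treated as backbone too (assumption).
        area = p.get("attaches_to_area", BACKBONE) if kind == "OSPF_INTERFACE" else BACKBONE
        auth = p.get("authentication_type") or area_default.get(area, "")
        if auth.upper() != "MD5":
            continue
        who = f"{kind} {p.get('name') or p.get('virtual_endpoint_routerid', '?')}"
        key = p.get("authentication_key")
        if key is None:
            findings.append(f"{who}: MD5 in effect but no Authentication_Key coded")
        elif not KEY.fullmatch(key):
            findings.append(f"{who}: key is not 0x plus 32 hex characters (EZZ7819I)")
        key_id = p.get("authentication_key_id", "0")   # default value is 0
        if not (key_id.isdigit() and 0 <= int(key_id) <= 255):
            findings.append(f"{who}: Authentication_Key_ID {key_id} outside 0 - 255")
    return findings

# Constructed sample; names, router ID and keys are placeholders.
SAMPLE = """\
AREA Area_Number=0.0.0.0 Authentication_Type=MD5;
AREA Area_Number=0.0.0.1;
OSPF_INTERFACE Name=LINK1 Attaches_To_Area=0.0.0.0
   Authentication_Key=0x00112233445566778899AABBCCDDEEFF Authentication_Key_ID=1;
OSPF_INTERFACE Name=LINK2 Authentication_Key=0x0011223344 Authentication_Key_ID=1;
OSPF_INTERFACE Name=LINK3 Attaches_To_Area=0.0.0.1;
VIRTUAL_LINK Virtual_Endpoint_RouterID=203.0.113.9 Authentication_Type=MD5
   Authentication_Key=0x00112233445566778899AABBCCDDEEFF Authentication_Key_ID=300;
"""

if __name__ == "__main__":
    print("\n".join(check_md5(SAMPLE)))
```

LINK1 passes, LINK2 is flagged for its short key, LINK3 is skipped because its area has no MD5 default, and the virtual link is flagged for its key ID.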
Product Synonym
ZOSCS COMMSERVER
Document Information
Modified date:
15 February 2017
UID
dwa1247297