OSPF allows networks to be grouped into areas. Routing information passed between areas is abstracted, potentially allowing a significant reduction in routing traffic. OSPF uses four different types of routes, listed in order of preference: intra-area, inter-area, type 1 external and type 2 external. Intra-area paths have destinations within the same area, inter-area paths have destinations in other OSPF areas and Autonomous System External (ASE) routes are routes to destinations external to the AS. Routes imported into OSPF as type 1 routes are supposed to be from igps whose external metrics are directly comparable to OSPF metrics. When a routing decision is being made, OSPF will add the internal cost to the AS Border router to the external metric. Type 2 ASEs are used for egps whose metrics are not comparable to OSPF metrics. In this case, only the internal OSPF cost to the AS Border router is used in the routing decision.
From the topology database, each router constructs a tree of the shortest paths with itself as the root. This shortest-path tree gives the route to each destination in the AS. Externally derived routing information appears on the tree as leaves. The link-state advertisement format distinguishes between information acquired from external sources and information acquired from internal routers, so there is no ambiguity about the source or reliability of routes. Externally derived routing information (for example, routes learned from EGP or BGP) is passed transparently through the autonomous system and is kept separate from OSPF's internally derived data. Each external route can also be tagged by the advertising router, enabling a passing of additional information between routers on the borders of the autonomous system.
OSPF optionally includes type of service (TOS) routing and allows administrators to install multiple routes to a given destination for each type of service (e.g. low delay or high throughput.) A router running OSPF uses the destination address and the type of service to choose the best route to the destination.
OSPF intra- and inter-area routes are always imported into the GateD routing database with a preference of 10. It would be a violation of the protocol if an OSPF router did not participate fully in the area's OSPF, so it is not possible to override this. Although it is possible to give other routes lower preference values explicitly, it is ill-advised to do so.
Hardware multicast capabilities are also used where possible to deliver link-status messages.
OSPF areas are connected by the backbone area, the area with identifier 0.0.0.0. All areas must be logically contiguous and the backbone is no exception. To permit maximum flexibility, OSPF allows the configuration of virtual links to enable the backbone area to appear contiguous despite the physical reality.
All routers in an area must agree on that area's parameters. A separate copy of the link-state algorithm is run for each area. Because of this, most configuration parameters are defined on a per area basis. All routers belonging to an area must agree on that area's configuration. Misconfiguration will lead to adjacencies not forming between neighbors, and routing information might not flow, or even loop.
Authentication
All OSPF protocol exchanges are authenticated. Authentication guarantees that routing information is only imported from trusted routers, to protect the Internet and its users. A variety of authentication schemes can be used but a single scheme must be configured for each area. This enables some areas to use much stricter authentication than others.OSPF protocol exchanges may be authenticated. Authentication guarantees that routing information is imported only from trusted routers, to protect the Internet and its users. There are two authentication schemes available. The first uses a simple authentication key of up to 8 characters and is standardized. The second is still experimental and uses the MD5 algorithm and an authentication key of up to 16 characters.
The simple password provides very little protection because in many cases it is possible to easily capture packets from the network and learn the authentication key. The experimental MD5 algorithm provides much more protection as it does not include the authentication key in the packet.
The OSPF specification currently specifies that the authentication type be configured per area with the ability to configure separate passwords per interface. This has been extended to allow the configuration of different authentication types and keys per interface. In addition it is possible to specify both a primary and a secondary authentication type and key on each interface. Outgoing packets use the primary authentication type, but incoming packets may match either the primary or secondary authentication type and key.
The OSPF Statement
ospf yes | no | on | off [ {
defaults {
preference preference ;
cost cost ;
tag [ as ] tag ;
type 1 | 2 ;
} ;
exportlimit routes ;
exportinterval time ;
traceoptions trace_options ;
monitorauthkey authkey ;
monitorauth none | ( [ simple | md5 ] authkey ) ;
backbone | ( area area ) {
authtype 0 | 1 | none | simple ;
stub [ cost cost] ;
networks {
network [ restrict ] ;
network mask mask [ restrict ] ;
network masklen number [ restrict ] ;
host host [ restrict ] ;
} ;
stubhosts {
host cost cost ;
} ;
interface interface_list; [ cost cost ] {
interface_parameters
} ;
interface interface_list nonbroadcast [ cost cost ] {
pollinterval time ;
routers {
gateway [ eligible ] ;
} ;
interface_parameters
} ;
Backbone only:
virtuallink neighborid router_id transitarea area {
interface_parameters
} ;
} ;
} ] ;
The following are the interface_parameters referred to above. They may be specified on any class of interface and are described under the interface clause. enable | disable ;
retransmitinterval time ;
transitdelay time ;
priority priority ;
hellointerval time ;
routerdeadinterval time ;
[ secondary] auth ( none| simple| md5| auth_key) ;
authkey auth_key ;
- defaults
- These parameters specify the defaults used when importing OSPF ASE routes into the gated routing table and exporting routes from the gated routing table into OSPF ASEs.
- preference preference
- The preference is used to determine how OSPF routes compete with routes from other protocols in the gated routing table. The default value is 150.
- cost cost
- The cost is used when exporting a non-OSPF route from the GateD routing table into OSPF as an ASE. The default value is 1. This may be explicitly overridden in export policy.
- tag [ as ] tag
- OSPF ASE routes have a 32 bit tag field that is not used by the OSPF protocol, but may be used by export policy to filter routes. When OSPF is interacting with an egp, the tag field may be used to propagate AS path information, in which case the as keyword is specified and the tag is limited to 12 bits of information. If not specified, the tag is set to zero.
- type 1 | 2
- Routes exported from the GateD routing table into OSPF default to becoming type 1 ASEs. This default may be explicitly changed here and overridden in export policy.
- ASE export rate
- Because of the nature of OSPF, the rate at which ASEs are flooded must be limited. These two parameters can be used to adjust those rate limits.
- exportinterval time
- This specifies how often a batch of ASE link state advertisements will be generated and flooded into OSPF. The default is once per second.
- exportlimit routes
- This parameter specifies how many ASEs will be generated and flooded in each batch. The default is 100.
- traceoptions trace_options
- Specifies the tracing options for OSPF. (See Trace Statements and the OSPF specific tracing options below.)
- monitorauthkey authkey
- OSPF state may be queried using the ospf_monitor utility. This utility sends non-standard OSPF packets which generate a text response from OSPF. By default these requests are not authenticated, if an authentication key is configured, the incoming requests must match the specified authentication key. No OSPF state may be changed by these packets, but the act of querying OSPF can utilize system resources.
- backbone
- area area
- Each OSPF router must be configured into at least one OSPF area. If more than one area is configured, at least one must the be backbone. The backbone may only be configured using the backbone keyword, it may not be specified as area 0. The backbone interface may be a virtuallink.
- authtype 0 | 1 | none | simple
- OSPF specifies an authentication scheme per area. Each interface in the area must use this same authentication scheme although it may use a different authenticationkey. The currently valid values are none ( 0) for no authentication, or simple ( 1) for simple password authentication.
- stub [ cost cost]
- A stub area is one in which there are no ASE routes. If a cost is specified, this is used to inject a default route into the area with the specified cost.
- networks
- The networks list describes the scope of an area. Intra-area LSAs that fall within the specified ranges are not advertised into other areas as inter-area routes. Instead, the specified ranges are advertised as summary network LSAs. If restrict is specified, the summary network LSAs are not advertised. Intra-area LSAs that do not fall into any range are also advertised as summary network LSAs. This option is very useful on well designed networks in reducing the amount of routing information propagated between areas. The entries in this list are either networks, or a subnetwork/mask pair. See section 4.25.1 on route filtering for more detail about specifying ranges.
- stubhosts
- This lists specifies directly attached hosts that should be advertised as reachable from this router and the costs they should be advertised with. Point-to-point interfaces on which it is not desirable to run OSPF should be specified here. It is also useful to assign a additional address to the loopback interface (one not on the 127 network) and advertise it as a stub hosts. If this address is the same one used as the router-id it enables routing to OSPF routers by router-id, instead of by interface address. This is more reliable than routing to one of the routers interface addresses which may not always be reachable.
- interface interface_list [ cost cost ]
- This form of the interface clause is used to configure a broadcast (which requires IP multicast support) or a point-to-point interface. See section 4.8.2 on interface list specification for the description of the interface_list. Each interface has a cost. The costs of all interfaces a packet must cross to reach a destination are summed to get the cost to that destination. The default cost is one, but another non-zero value may be specified.
Interface parameters common to all types of interfaces are:
- retransmitinterval time
- The number of seconds between link state advertisement retransmissions for adjacencies belonging to this interface.
- transitdelay time
- The estimated number of seconds required to transmit a link state update over this interface. Transitdelay takes into account transmission and propagation delays and must be greater than 0.
- priority priority
- A number between 0 and 255 specifying the priority for becoming the designated router on this interface. When two routers attached to a network both attempt to become designated router, the one with the highest priority wins. A router whose router priority is set to 0 is ineligible to become designated router.
- hellointerval time
- The length of time, in seconds, between Hello packets that the router sends on the interface.
- routerdeadinterval time
- The number of seconds not hearing a router's Hello packets before the router's neighbors will declare it down.
- [ secondary] auth ( none| simple| md5| auth_key)
- Specify the type of authentication scheme to use on this interface.
- authkey auth_key
- Used by OSPF authentication to generate and verify the authentication field in the OSPF header. The authentication key can be configured on a per interface basis. It is specified by one to eight decimal digits separated by periods, a one to eight byte hexadecimal string preceded by 0x, or a one to eight character string in double quotes.
- nomulticast
- By default, OSPF packets to neighbors on point-to-point interfaces are sent via the IP multicast mechanism. Although, some implementations of IP multicasting for Unix have a bug that precludes the use of IP multicasting on these interfaces. Gated will detect this condition and fall back to using sending unicast OSPF packets to this point-to-point neighbor. If the use of IP multicasting is not desired because the remote neighbor does not support it, the nomulticast parameter may be specified to force the use of unicast OSPF packets. This option may also be used to eliminate warnings when Gated detects the bug mentioned above.
- interface interface_list nonbroadcast [ cost cost ]
- This form of the interface clause is used to specify a nonbroadcast interface on a non-broadcast multi-access (NBMA) media. Since an OSPF broadcast media must support IP multicasting, a broadcast capable media, such as Ethernet, that does not support IP multicasting must be configured as a non-broadcast interface. A non-broadcast interface supports any of the standard interface clauses listed above, plus the following two that are specific to non-broadcast interfaces:
- pollinterval time
- Before adjacency is established with a neighbor, OSPF packets are sent periodically at the specified pollinterval.
- routers
- By definition it is not possible to send broadcast packets to discover OSPF neighbors on a non-broadcast, so all neighbors must be configured. The list includes one or more neighbors and an indication of their eligibility to become a designated router.
- virtuallink neighborid router_id transitarea area
- Virtual links are used to establish or increase connectivity of the backbone area. The neighborid is the router_id of the other end of the virtual link. The transit area specified must also configured on this system. All standard interface parameters defined by the interface clause above may be specified on a virtual link.
Tracing options
In addition to the following OSPF specific trace flags, OSPF supports the state which traces interface and neighbor state machine transitions.- lsabuild
- Link State Advertisement creation
- spf
- Shortest Path First (SPF) calculations
- lsatransmit
- Link State Advertisement (LSA) transmission. Non implemented.
- lsareceive
- LSA reception. Non implemented.
- state
- State transitions. Non implemented.
- hello
- OSPF HELLO packets which are used to determine neighbor reachability.
- dd
- OSPF Database Description packets which are used in synchronizing OSPF databases.
- request
- OSPF Link State Request packets which are used in synchronizing OSPF databases.
- lsu
- OSPF Link State Update packets which are used in synchronizing OSPF databases.
- ack
- OSPF Link State Ack packets which are used in synchronizing OSPF databases.
The new OSPF Protocol
Gated version 3_6Alpha_2 and higher includes a new implemetation of the OSPF protocol. The configuration syntax stays the same except:- The export limit, exportinterval, monitorauthkey, monitorauth, networks, stubhosts statements are no longer available (they may be put back in the future).
- The bf simple authentication scheme is not implemented.
- The OSPF specific trace options available are: state, drelection, db, spf, flood As for the packet details, are available: hello, dd, lsr, lsu, lsa.
