arturobaldo
just joined
Topic Author
Posts: 6
Joined: Thu Apr 24, 2014 9:09 pm
Location: Argentina

Enabling OSPF Authentication on a large network

Thu Apr 24, 2014 9:15 pm

We have a large network with MikroTik devices. We are running OSPF on these devices and it works with no issues. However, when OSPF was deployed, no authentication was configured.
Now we know this is a security threat and we want to enable MD5 authentication on all devices.
Besides being large, our network is very extensive in terms of geographical area. We administer routers 30+ km away from our NOC, so losing connection with these devices when changing configuration is not an option.
What is the best practice for doing this, and what risks can we expect?
Thanks y'all
 
jaykay2342
Member
Posts: 336
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: Enabling OSPF Authentication on a large network

Sat Apr 26, 2014 12:31 pm

As MD5 isn't a good hash for security and can easily be cracked, it will not add much security to your network. On all layer 2 segments where you "speak" OSPF, only your devices should be connected. Wireless links should be encrypted anyway.

Most important is to turn OSPF off for all interfaces which face customers, or put it in passive mode.
I always put all interfaces in passive mode by default and only turn OSPF on at the interfaces where I need it.

If you want to change configuration regarding OSPF and you are afraid to lose connectivity to a device, look for a different way to access it. For important devices you should have some kind of out-of-band access anyway: 3G, GSM modem for remote console...

Also MAC-Telnet can help in your case. Just access the router from its direct neighbor via MAC-Telnet. It's really a nice feature when it comes to changes like routing or IP address changes.
 
arturobaldo
just joined
Topic Author
Posts: 6
Joined: Thu Apr 24, 2014 9:09 pm
Location: Argentina

Re: Enabling OSPF Authentication on a large network

Mon Apr 28, 2014 9:43 pm

Thanks for your answer
 
leoktv
Trainer
Posts: 144
Joined: Thu Dec 01, 2005 1:39 pm
Location: sweden

Re: Enabling OSPF Authentication on a large network

Thu May 01, 2014 8:44 am

Hi
Just add a gateway with distance 111 as a backup; if OSPF is not running OK, then you would not lose the connection to your routers.
 
StubArea51
Trainer
Posts: 1739
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net

Re: Enabling OSPF Authentication on a large network

Sat May 03, 2014 3:10 am

OSPF Authentication is considered a best practice because it makes it much harder for rogue devices to form an adjacency either maliciously or accidentally.

More reading on OSPF Authentication

http://etherealmind.com/response-how-ba ... ing-freak/

Several ways to ensure you don't lose connectivity during the change:

1) Safe Mode - if you don't get it quite right, safe mode will bail you out by rolling back when disconnected
2) Change the remote end and work your way in while using safe mode
3) Temporary static routes - can be helpful to retain management while making changes
4) MAC Telnet - if you have layer 2 adjacency, then you can get in that way - be sure to test and verify it works before making changes

Good Luck!
 
arturobaldo
just joined
Topic Author
Posts: 6
Joined: Thu Apr 24, 2014 9:09 pm
Location: Argentina

Re: Enabling OSPF Authentication on a large network

Thu May 29, 2014 4:42 pm

Thanks for all your answers! We have successfully enabled authentication on all routers, using static routes and starting from the outside in toward the backbone.
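The procedure the thread converges on (floating static fallback, passive-by-default, MD5 on the backbone link, verify, then clean up), written out as RouterOS terminal commands. This is an added example, not configuration posted by anyone in the thread; it assumes RouterOS v6 syntax (the thread's era; v7 moved OSPF interface settings to interface-template), an uplink interface ether1, a NOC-side next hop 10.0.0.1 and a placeholder key CHANGE_ME, all of which are constructed values.

```routeros
# Added example, not from the thread. Assumed values: ether1 = uplink toward the NOC,
# 10.0.0.1 = next hop toward the NOC, CHANGE_ME = placeholder MD5 key.
# Run every step inside safe mode (Ctrl-X in the terminal). If the session drops
# before safe mode is released, RouterOS rolls the changes back automatically.

# 1. Backup path first: a static default route with a distance worse than OSPF's
#    (110), so it only carries traffic while the OSPF adjacency is down.
/ip route add dst-address=0.0.0.0/0 gateway=10.0.0.1 distance=111 \
    comment="temp-ospf-auth-fallback"

# 2. Passive by default, OSPF only where a neighbor is expected. The interface=all
#    entry is the catch-all; a per-interface entry overrides it. Customer-facing
#    ports therefore never send Hellos and cannot form an adjacency.
/routing ospf interface add interface=all passive=yes
/routing ospf interface add interface=ether1 passive=no

# 3. Enable MD5 on the backbone link. Key and key-id must match the neighbor's;
#    until both ends agree, Hellos are discarded and the adjacency drops, which is
#    exactly the window in which the route from step 1 keeps management reachable.
/routing ospf interface set [find interface=ether1] authentication=md5 \
    authentication-key=CHANGE_ME authentication-key-id=1

# 4. Verify the adjacency is back (state Full) before releasing safe mode.
/routing ospf neighbor print where interface=ether1

# 5. Only after every router in the area is converged, remove the fallback.
/ip route remove [find comment="temp-ospf-auth-fallback"]

# If a router is still unreachable over IP, reach it from its layer 2 neighbor:
#   /ip neighbor print                     (shows the neighbor's MAC address)
#   /tool mac-telnet <mac-address>         (works without any working IP routing)
```

Work from the farthest router inward, as the thread suggests: the far end's fallback route has to be in place before its upstream neighbor's Hellos start carrying a digest it does not yet accept.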
