OSPF, or Open Shortest Path First, is a routing protocol that routers use to figure out the best path for sending data across a network. It belongs to a category called link-state protocols, meaning every router in the network builds a complete map of the network’s layout and then independently calculates the shortest path to every destination. OSPF is one of the most widely deployed routing protocols inside corporate and enterprise networks, and understanding how it works is foundational to network engineering.
How OSPF Builds Its Map of the Network
Unlike simpler routing protocols that just share their routing tables with neighbors, OSPF routers share detailed information about every link they’re connected to. Each router collects these link descriptions from all other routers and assembles them into a shared database called the link-state database. Every router in the same area maintains an identical copy of this database, so they all have the same picture of the network’s topology.
Once a router has its complete map, it runs a mathematical algorithm called Dijkstra’s shortest-path-first algorithm to build a tree of the best routes, with itself as the root. This is where the “Shortest Path First” in OSPF’s name comes from. The result is a routing table that tells the router exactly where to send traffic to reach any destination in the network using the least-cost path.
The Five OSPF Packet Types
OSPF uses five distinct packet types to discover neighbors, share network information, and keep everything synchronized:
- Hello: Discovers neighboring routers, establishes relationships between them, and keeps those relationships alive over time.
- Database Description (DBD): A summary of a router’s link-state database, used to check whether two routers already have the same information or need to sync up.
- Link-State Request (LSR): Asks a neighbor for specific pieces of network information the router is missing.
- Link-State Update (LSU): Delivers the actual detailed link-state records that were requested. Think of it as an envelope containing one or more link-state advertisements.
- Link-State Acknowledgment (LSAck): Confirms receipt of updates. OSPF is a reliable protocol, so every update gets acknowledged.
How Two Routers Become Neighbors
When an OSPF router first comes online, it goes through a defined sequence of states before it’s fully synchronized with its neighbors. The process starts in the Down state, where no information has been received from a neighbor. Once the router hears a Hello packet, it moves to Init, meaning it knows a neighbor exists but hasn’t confirmed two-way communication yet.
The 2-Way state is reached when both routers have seen each other’s Hello packets and acknowledged each other by listing the other’s router ID. This is the stage where, on shared network segments like a LAN, an election takes place to choose a Designated Router (more on that below). After that, routers move through Exstart and Exchange, where they negotiate who goes first and swap database summaries. If either side is missing information, it requests the missing pieces during the Loading state. Finally, routers reach the Full state, meaning their databases are completely synchronized. Full is the normal, healthy state for OSPF neighbors.
Designated Routers Reduce Network Chatter
On a network segment where multiple routers share the same LAN, having every router form a full relationship with every other router would create an explosion of traffic. OSPF solves this by electing a Designated Router (DR) and a Backup Designated Router (BDR) on each multi-access segment.
The DR acts as a single point of contact. Instead of all routers flooding updates to each other directly, they send updates only to the DR and BDR. The DR then forwards those updates to everyone else. This dramatically cuts down on the number of relationships and advertisements the network has to manage. The DR is elected based on a priority value configured on each router’s interface, and the BDR stands ready to take over if the DR fails. On point-to-point links between just two routers, no DR election is needed.
Areas and Hierarchical Design
In a small network, every router can reasonably hold a complete map of the entire topology. But as networks grow to hundreds or thousands of routers, that database becomes enormous, and recalculating routes every time something changes gets expensive in terms of processing power. OSPF addresses this by dividing the network into areas.
The backbone area, always labeled Area 0, is the core of every OSPF network. All other areas must connect to Area 0, either directly or through a virtual link. Each area maintains its own link-state database, so routers only need the full topology of their own area. An Area Border Router (ABR) sits between Area 0 and another area, summarizing routes between them so that detailed topology information stays contained within each area.
OSPF also defines special area types to further control the amount of routing information flowing around. Stub areas block external routes (routes learned from outside the OSPF network entirely) and replace them with a simple default route. Not-so-stubby areas (NSSAs) are a middle ground: they block most external routes but allow limited external information to be imported when needed. These area types are useful at the edges of a network where routers don’t need to know about every external destination.
A separate role, the Autonomous System Boundary Router (ASBR), handles the boundary between the OSPF network and other routing domains. It’s the router responsible for importing routes from other protocols or networks into OSPF.
How OSPF Calculates Cost
OSPF chooses the best path based on a metric called cost, which is tied to the bandwidth of each link. The formula divides a reference bandwidth by the actual bandwidth of the interface. By default, the reference bandwidth is 100 Mbps. So a 100 Mbps link gets a cost of 1, a 10 Mbps link gets a cost of 10, and a slower DSL connection at 768 Kbps gets a cost of about 133.
The total cost of a route is the sum of costs across every link from the source router to the destination. The path with the lowest total cost wins. One thing to watch for: because the default reference bandwidth is 100 Mbps, every interface at 100 Mbps or faster (Gigabit Ethernet, 10 Gigabit, etc.) ends up with a cost of 1, making them indistinguishable. In modern networks, administrators typically raise the reference bandwidth to something like 10,000 Mbps or higher so that faster links are properly differentiated.
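The cost formula and the reference-bandwidth pitfall described above, as an added example that is not part of the original article: it computes link costs, runs Dijkstra's algorithm with R1 as the root, and shows the chosen path to R4 changing once the reference bandwidth is raised. The router names, link speeds and the simplified link-state database are constructed for illustration.

```python
import heapq

def ospf_cost(link_mbps, reference_mbps=100):
    """Reference bandwidth / interface bandwidth, truncated, never below 1."""
    return max(1, int(reference_mbps / link_mbps))

# Constructed topology (assumption): (router, router, link bandwidth in Mbps)
LINKS = [
    ("R1", "R4", 100),      # direct 100 Mbps link
    ("R1", "R2", 10_000),   # 10 Gigabit
    ("R2", "R4", 10_000),   # 10 Gigabit
    ("R1", "R3", 1_000),    # Gigabit
    ("R3", "R4", 10),       # 10 Mbps
]

def build_lsdb(links, reference_mbps):
    """Simplified link-state database: {router: {neighbor: cost}}."""
    lsdb = {}
    for a, b, mbps in links:
        cost = ospf_cost(mbps, reference_mbps)
        lsdb.setdefault(a, {})[b] = cost
        lsdb.setdefault(b, {})[a] = cost
    return lsdb

def spf(lsdb, root):
    """Dijkstra with `root` as the tree root; returns {dest: (cost, path)}."""
    best, heap = {}, [(0, root, [root])]
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node in best:
            continue                      # already reached by a cheaper path
        best[node] = (cost, path)
        for neigh, link_cost in lsdb[node].items():
            if neigh not in best:
                heapq.heappush(heap, (cost + link_cost, neigh, path + [neigh]))
    return best

def route(reference_mbps, src="R1", dst="R4"):
    return spf(build_lsdb(LINKS, reference_mbps), src)[dst]

if __name__ == "__main__":
    for ref in (100, 10_000):
        cost, path = route(ref)
        print(f"reference {ref} Mbps: {' -> '.join(path)} (cost {cost})")
```

With the default reference the 100 Mbps direct link ties with each 10 Gigabit hop at cost 1 and wins on hop count; at 10,000 Mbps the two-hop 10 Gigabit path is preferred.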
Default Timers
OSPF routers send Hello packets at regular intervals to confirm their neighbors are still alive. On broadcast networks like standard Ethernet LANs, the default Hello interval is 10 seconds, and the dead interval (the time a router waits before declaring a neighbor unreachable) is 40 seconds. On non-broadcast multi-access networks, these timers are longer: 30 seconds for Hello and 120 seconds for the dead interval. Both sides of a link must use matching timer values or they won’t form a neighbor relationship, which is a common misconfiguration to check for when troubleshooting.
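A check for the timer mismatch described above, as an added example that is not part of the original article: it reads the Hello and dead intervals out of two OSPFv2 Hello packets and lists what differs. The packets are constructed with zeroed headers, and the network-mask comparison on multi-access links goes beyond the timers this paragraph names.

```python
import struct

OSPF_HEADER_LEN = 24                    # OSPFv2 common header precedes the Hello body
HELLO = struct.Struct("!4sHBBI4s4s")    # mask, hello, options, priority, dead, DR, BDR

def build_hello(mask, hello, dead, priority=1):
    """Constructed test packet: zeroed header placeholder plus a Hello body."""
    body = HELLO.pack(bytes(mask), hello, 0, priority, dead, bytes(4), bytes(4))
    return bytes(OSPF_HEADER_LEN) + body

def parse_hello(packet):
    if len(packet) < OSPF_HEADER_LEN + HELLO.size:
        raise ValueError("truncated Hello packet")
    mask, hello, _opts, prio, dead, _dr, _bdr = HELLO.unpack_from(packet, OSPF_HEADER_LEN)
    return {"network_mask": ".".join(map(str, mask)),
            "hello_interval": hello, "dead_interval": dead, "priority": prio}

def adjacency_blockers(local, remote, multi_access=True):
    """Return the Hello parameters that differ between two routers on one link."""
    a, b = parse_hello(local), parse_hello(remote)
    fields = ["hello_interval", "dead_interval"]
    if multi_access:                    # the mask is not compared on point-to-point links
        fields.append("network_mask")
    return [f"{f}: local={a[f]} remote={b[f]}" for f in fields if a[f] != b[f]]

# Constructed samples (not captured traffic)
MASK24 = [255, 255, 255, 0]
BROADCAST = build_hello(MASK24, hello=10, dead=40)    # broadcast defaults
NBMA = build_hello(MASK24, hello=30, dead=120)        # NBMA defaults
WRONG_MASK = build_hello([255, 255, 255, 128], hello=10, dead=40)

if __name__ == "__main__":
    for name, pkt in (("same timers", BROADCAST), ("NBMA timers", NBMA),
                      ("wrong mask", WRONG_MASK)):
        print(name, "->", adjacency_blockers(BROADCAST, pkt) or "compatible")
```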
OSPFv2 vs. OSPFv3
The original version of OSPF, version 2, was designed for IPv4 networks. OSPFv3 was developed to support IPv6 and introduced several architectural changes beyond just accommodating larger addresses. OSPFv3 operates on a per-link basis rather than per-subnet, and it uses IPv6 link-local addresses for neighbor communication. The packet header was trimmed from 24 bytes down to 16, and the network mask field was removed entirely since adjacencies no longer depend on matching subnet information.
One notable security change: OSPFv2 includes authentication fields directly in its packet header, supporting plain-text passwords and MD5 checksums. OSPFv3 removed built-in authentication altogether and instead relies on IPsec, the security framework built into IPv6, to protect routing updates. This offloads security to a more robust, standardized mechanism rather than handling it within the routing protocol itself.
Securing OSPF
Because OSPF routers trust the routing information they receive from neighbors, an attacker who can inject fake OSPF packets could redirect traffic or cause outages. Authentication prevents this by ensuring routers only accept updates from trusted peers. OSPFv2 supports three approaches: plain-text passwords (which offer minimal real security since the password is visible in the packet), MD5 authentication (which includes a cryptographic checksum so the password itself never crosses the wire), and IPsec-based authentication for stronger protection. MD5 authentication is the most commonly deployed option for OSPFv2 networks, where each interface is configured with a shared key that both sides must match before accepting routing updates.
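One way to audit which authentication mode OSPFv2 speakers are actually using, as an added example that is not part of the original article: it parses the 24-byte OSPFv2 header, names the packet type from the five listed earlier, and flags packets sent with no authentication or a plain-text password. The sample packets are constructed header-only byte strings, and the function names are illustrative.

```python
import struct

HEADER = struct.Struct("!BBH4s4sHH8s")  # the 24-byte OSPFv2 packet header
PACKET_TYPES = {1: "Hello", 2: "Database Description", 3: "Link-State Request",
                4: "Link-State Update", 5: "Link-State Acknowledgment"}

def dotted(raw):
    return ".".join(str(b) for b in raw)

def parse_header(packet):
    if len(packet) < HEADER.size:
        raise ValueError("shorter than the 24-byte OSPFv2 header")
    ver, ptype, length, rid, area, _cksum, autype, auth = HEADER.unpack_from(packet)
    if ver != 2:
        raise ValueError(f"not an OSPFv2 packet (version {ver})")
    return {"type": PACKET_TYPES.get(ptype, f"unknown ({ptype})"), "length": length,
            "router_id": dotted(rid), "area": dotted(area),
            "autype": autype, "auth_field": auth}

def audit(packet):
    """Return (header, finding); finding is None for cryptographic authentication."""
    hdr = parse_header(packet)
    findings = {
        0: "no authentication: sender is not verified",
        1: "plain-text password visible in the packet header",
        2: None,                         # AuType 2: cryptographic (MD5) authentication
    }
    finding = findings.get(hdr["autype"], f"unrecognised AuType {hdr['autype']}")
    return hdr, finding

def sample(ptype, autype, auth=bytes(8)):
    """Constructed header-only packet (checksum left at zero) from router 10.0.0.1."""
    return HEADER.pack(2, ptype, HEADER.size, bytes([10, 0, 0, 1]), bytes(4),
                       0, autype, auth)

SAMPLES = [
    sample(1, 0),                                     # Hello, no authentication
    sample(4, 1, b"example\x00"),                     # LSU, plain-text password
    sample(1, 2, struct.pack("!HBBI", 0, 1, 16, 7)),  # Hello, key ID 1, 16-byte digest
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        hdr, finding = audit(pkt)
        print(hdr["router_id"], hdr["type"], "->", finding or "ok")
```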

