OSPF Authentication Findings (Please Comment) **REVISED**

From: Albert Lu (albert_ccie@xxxxxxxxx)
Date: Fri Nov 02 2001 - 06:47:29 GMT-3

Hello Group,

I just wanted to share some findings on OSPF Authentication and to confirm
them.

Let's say you have this topology:

R1----R2----R3

They are all in Area 0 and you only wanted to do authentication between R1
and R2, and not R2 and R3. Since you have to enable authentication for the
whole area, you can't leave R2 and R3 without an 'ip ospf
authentication-key' command. From what I found leaving this command out will
not allow R2 and R3 to form adjacencies with each other, so what you need to
do is use 'ip ospf authentication null' command on both R2 and R3. This will
allow adjacency to form, and not have authentication running.

This holds true for virtual links as well. If you didn't want the virtual
link to be using authentication, but your Area 0 is using authentication
then you would use 'area 1 virtual-link 5.5.5.5 authentication null'
command.

***** REVISION *****

Actually, I found out that it will default to null authentication by
default. Looking at the RFC and looking at my debug outputs, whether you
have the 'ip ospf authentication' command there at all, it will default to
null authentication. Even for md5, it will send out with the youngest key of
0!! (Since the authentication field of the ospf packet is 0)

So my observations are:

- OSPF Area with no authentication:
        **Adjacencies are formed like normal

- OSPF Area with 'area x authentication' and NO 'ip ospf authentication' at
the interface
        **Sends with null authentication (AuType 0) by default. Adjacencies are
formed.

- OSPF Area with 'area x authentication' and with 'ip ospf authentication
null' at the interface
        **Sends with null authentication (AuType 0). Adjacencies are formed.

- OSPF Area with 'area x authentication' and with 'ip ospf authentication-key
cisco' at the interface
        **Sends with clear text authentication of 'cisco' (AuType 1). Adjacencies
are formed.

- OSPF Area with 'area x authentication message-digest' and with NO 'ip ospf
message-digest' at the interface
        **Sends with null authentication. Debug shows youngest key of 0. Adjacencies
are formed.

- OSPF Area with 'area x authentication message-digest' and with 'ip ospf
message-digest 1 md5 cisco' at the interface
        **Sends with encrypted authentication (AuType 2). Adjacencies are formed.
Sends with youngest key of 1, and overrides youngest key of 0.

So the conclusion is that adjacencies will form whether you have no
authentication commands at the interface or whether you have authentication
commands at the interface (of course the passwords must match). This is true
for both cleartext and encrypted authentication.

So what is the point of the null option in the 'ip ospf authentication'
command?? I could swear someone told me that it was important to put the 'ip
ospf authentication null' command on an interface for interfaces that don't
need to do authentication. However, it seems like it is default for an
interface anyway.

One last thing that I noticed in Doyle I p551, the example for
authentication config on the interface was 'ip ospf authentication taos'
rather than 'ip ospf authentication-key taos'. Was this a mistake, or just
an older IOS?

Any comments??

Albert
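The observations above come down to what sits in the AuType and Authentication fields of the OSPFv2 header (RFC 2328, Appendix A.3.1): with null authentication the 64-bit field is sent as zeros, which is exactly why the debug reports a "youngest key of 0" on an MD5 area whose interface has no key configured. The following Python is an added example, not code from the post or from any router vendor: it builds three constructed header samples matching the cases Albert describes (null, cleartext 'cisco', MD5 key 1), decodes the authentication fields from raw bytes, and flags a packet whose AuType is weaker than the interface policy expects. The `audit_packet` helper and all sample packets are assumptions made for this example.

```python
"""
Added example (not from the original post): decode the authentication fields
of an OSPFv2 packet header as laid out in RFC 2328 Appendix A.3.1, so that
what a router debug reports (AuType, youngest key) can be read straight from
a captured packet. All sample packets below are constructed inline.
"""
import socket
import struct

# Fixed 24-byte OSPFv2 header: version, type, length, router ID, area ID,
# checksum, AuType, and the 64-bit Authentication field.
OSPF_HEADER = struct.Struct("!BBHIIHH8s")
# AuType values from RFC 2328 Appendix D.
AUTYPE_NAMES = {0: "null", 1: "simple-password", 2: "cryptographic"}
HELLO = 1


def ip_to_int(dotted):
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def int_to_ip(value):
    return socket.inet_ntoa(struct.pack("!I", value))


def build_ospf_header(router_id, area_id, autype, auth_field, pkt_type=HELLO):
    """Build a constructed OSPFv2 header only (no body; checksum left at 0)."""
    if len(auth_field) != 8:
        raise ValueError("Authentication field must be exactly 8 bytes")
    return OSPF_HEADER.pack(2, pkt_type, OSPF_HEADER.size,
                            ip_to_int(router_id), ip_to_int(area_id),
                            0, autype, auth_field)


def parse_ospf_auth(packet):
    """Return a dict describing the authentication an OSPFv2 packet carries."""
    if len(packet) < OSPF_HEADER.size:
        raise ValueError("packet shorter than the 24-byte OSPF header")
    (version, _pkt_type, _length, router_id, area_id,
     _checksum, autype, auth) = OSPF_HEADER.unpack_from(packet)
    if version != 2:
        raise ValueError(f"not an OSPFv2 packet (version {version})")
    info = {
        "router_id": int_to_ip(router_id),
        "area_id": int_to_ip(area_id),
        "autype": autype,
        "autype_name": AUTYPE_NAMES.get(autype, "unknown"),
    }
    if autype == 0:
        # Null authentication: the 64-bit field is unused and sent as zeros,
        # which is what shows up as "youngest key 0" on an MD5 area whose
        # interface has no message-digest key configured.
        info["auth_field_zero"] = auth == bytes(8)
    elif autype == 1:
        # Simple password: the key itself travels in the clear, zero-padded.
        info["password"] = auth.rstrip(b"\x00").decode("ascii", "replace")
    elif autype == 2:
        # Cryptographic: reserved(16) | Key ID(8) | Auth Data Len(8) | Seq(32).
        # The MD5 digest itself is appended after the packet body, not here.
        _reserved, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
        info.update(key_id=key_id, auth_data_len=auth_len, crypto_seq=seq)
    return info


def audit_packet(packet, required_autype):
    """Report whether a packet meets the AuType an interface is expected to use.

    Hypothetical policy check for this example: a null-authenticated Hello on a
    link that is supposed to run MD5 is the case the post's debug output shows.
    """
    info = parse_ospf_auth(packet)
    ok = info["autype"] == required_autype
    reason = ("ok" if ok else
              f"expected {AUTYPE_NAMES[required_autype]}, saw {info['autype_name']}")
    return {"ok": ok, "reason": reason, **info}


# Constructed sample packets mirroring the three cases observed in the post.
SAMPLE_NULL = build_ospf_header("2.2.2.2", "0.0.0.0", 0, bytes(8))
SAMPLE_SIMPLE = build_ospf_header("1.1.1.1", "0.0.0.0", 1,
                                  b"cisco".ljust(8, b"\x00"))
SAMPLE_MD5 = build_ospf_header("1.1.1.1", "0.0.0.0", 2,
                               struct.pack("!HBBI", 0, 1, 16, 0x3BE0F2A1))

if __name__ == "__main__":
    for name, pkt in (("null", SAMPLE_NULL), ("simple", SAMPLE_SIMPLE),
                      ("md5", SAMPLE_MD5)):
        print(name, audit_packet(pkt, required_autype=2))
```

Feeding real captures into `parse_ospf_auth` (the OSPF header starts right after the IP header, protocol 89) gives the same AuType and key-ID view the router debug prints, and the audit makes the asymmetry in the post visible: an area set to `message-digest` with no interface key still emits AuType 0 packets, so a neighbour with a key configured will reject them while two keyless neighbours happily adjacency-up on null authentication.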



This archive was generated by hypermail 2.1.4 : Fri Jun 21 2002 - 06:45:01 GMT-3