From: McCallum, Robert (Robert.McCallum@xxxxxxxxxxxxxxxxxx)
Date: Fri Nov 09 2001 - 05:57:30 GMT-3
Brad,
This subject drove me absolutely to the brink of drink yesterday. I have a home lab with some 12.1 and some 11.3 routers. Until now I must have lucked out on the routers when doing a) area authentication and b) virtual link authentication, until yesterday that was. I couldn't fathom out what was wrong when absolutely no virtual links would authenticate and one link in area 0 wouldn't authenticate also. I came to the conclusion that if you had 11.3 you could not authenticate with 12.1. Especially such that when doing 12.1 you can type in the command
area 0 virtual-link blah authentication message-digest message-digest-key 1 md5 robert
When you look into the config it puts it into 2 lines, i.e. area 0 virtual-link blah auth message-digest then area 0 message-digest-key 1 md5 robert.
You do not then have to put area 0 authentication on the router which you have extended area 0 to.
With 11.3 you cannot do the one line virtual link; you have to do area 0 virtual-link blah auth message-digest then area 0 virtual-link blah message-digest-key 1 md5 robert and then you need to stick area 0 auth message-digest-key on the router that you have extended the area 0 to.
Try to mix and match these parameters and you always get, when doing a debug ip ospf pack, sending with youngest key 0 when in fact the youngest key is 1 so they will never authenticate.
Nightmare (A horse in pyjamas)
Yesterday was a day that totally demoralised me (fat fingering and the authentication issue). I just hope the same doesn't happen on the 15th.
-----Original Message-----
From: Brad Ellis [mailto:bellis@ccbootcamp.com]
Sent: 09 November 2001 05:17
To: ccielab@groupstudy.com
Subject: security question - md5
Does anyone know if IOS v.11.3 calculates the MD5 hashing algorithm
differently than 12.0 (is there a different version of MD5 that 11.3 uses
vs. 12.0)? I have a couple routers trying to do some OSPF authentication,
one with 11.3 and the other with 12.0. They would not authenticate with
each other even though the keys were identical. Using the same config, it
worked when I put 12.1 code on the router. Which tells me there is either
a) an incompatibility between 11.3 MD5 and 12.0 MD5 or a bug in the IOS I
was using. I'm leaning towards a bug in the IOS, since I thought MD5 was a
standard defined in RFC 1321. Is there anything I'm missing? Are there
different versions of MD5 floating around?
I'm having the same problem now between the same 11.3 IOS code and my PIX
while trying to authenticate RIP. So I'm really leaning towards the IOS
issue, I was just curious if anyone has seen something similar.
thanks,
-Brad Ellis
CCIE#5796 (R&S / Security)
Network Learning Inc
bellis@ccbootcamp.com
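As an added illustration, not code from either message above nor from any IOS release: the OSPFv2 cryptographic authentication of RFC 2328 Appendix D is plain RFC 1321 MD5 over the packet plus the key zero-padded to 16 bytes, and the receiver picks the key by the Key ID carried in the packet header. So two routers holding the identical key string under different key IDs (the "youngest key 0" versus key 1 symptom in the thread) never verify. Router IDs, key strings and the hello body below are constructed sample values.

```python
import hashlib
import hmac
import struct

# OSPFv2 AuType 2 (cryptographic authentication), RFC 2328 Appendix D.4.3.
# Constructed teaching example: builds, signs and verifies a packet offline.
AUTH_TYPE_CRYPTO = 2
MD5_LEN = 16
HEADER_LEN = 24           # 16-byte fixed header + 8-byte authentication field

def build_ospf_packet(router_id: str, area_id: str, key_id: int, seq: int, body: bytes) -> bytes:
    """Header + body with the auth field filled in; the digest is appended later."""
    rid = bytes(int(o) for o in router_id.split("."))
    aid = bytes(int(o) for o in area_id.split("."))
    length = HEADER_LEN + len(body)   # the 16-byte digest is NOT counted in the length field
    # version 2, type 1 (Hello), length, router ID, area ID, checksum 0, AuType 2
    header = struct.pack("!BBH4s4sHH", 2, 1, length, rid, aid, 0, AUTH_TYPE_CRYPTO)
    # 64-bit auth field: 0 (16 bits), Key ID (8), Auth Data Length (8), sequence number (32)
    auth = struct.pack("!HBBI", 0, key_id, MD5_LEN, seq)
    return header + auth + body

def ospf_md5_digest(packet: bytes, key: str) -> bytes:
    """digest = MD5(packet || key zero-padded/truncated to 16 bytes)."""
    padded = key.encode()[:MD5_LEN].ljust(MD5_LEN, b"\x00")
    return hashlib.md5(packet + padded).digest()

def sign(packet: bytes, key: str) -> bytes:
    """Sender: append the digest after the packet (outside the OSPF length)."""
    return packet + ospf_md5_digest(packet, key)

def verify(wire: bytes, key_table: dict) -> bool:
    """Receiver: look the key up by the Key ID in the header, recompute, compare."""
    length = struct.unpack("!H", wire[2:4])[0]
    packet, digest = wire[:length], wire[length:length + MD5_LEN]
    key_id = wire[18]                  # byte 18 of the header is the Key ID
    if key_id not in key_table:        # peer configured the key under another ID: no match possible
        return False
    expected = ospf_md5_digest(packet, key_table[key_id])
    return hmac.compare_digest(expected, digest)

if __name__ == "__main__":
    pkt = build_ospf_packet("1.1.1.1", "0.0.0.0", key_id=1, seq=42, body=b"\x00" * 20)
    wire = sign(pkt, "robert")
    print("same key, id 1 :", verify(wire, {1: "robert"}))   # True
    print("same key, id 0 :", verify(wire, {0: "robert"}))   # False: key ID mismatch
```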
This archive was generated by hypermail 2.1.4 : Fri Jun 21 2002 - 06:45:11 GMT-3