From: Jason Whelan (Jasonw@xxxxxxxx)
Date: Fri Nov 09 2001 - 10:39:56 GMT-3
Even better, as far as md5 auth goes, sometimes you need to actually
type out the default commands to get it to work.
i.e. instead of <conf-int>ip ospf message-digest-key 1 md5 cisco
use <conf-int>ip ospf message-digest-key 1 md5 0 cisco (see the 0 for
encryption type?)
This is the default and won't show up in wr t, but I needed to retype
this command on my area 0 for it to work.
Without it, deb ip ospf adj showed mismatched auth types and neighbors
wouldn't form. (NBMA)
Weird little bug....
Jason
Jason Whelan, MCSE, MCNE, CCNP
Network Ops
Logic Communications
www.logic.bm
-----Original Message-----
From: McCallum, Robert [mailto:Robert.McCallum@let-it-be-thus.com]
Sent: Friday, November 09, 2001 4:58 AM
To: 'Brad Ellis'; ccielab@groupstudy.com
Subject: RE: security question - md5
Brad,
This subject drove me absolutely to the brink of drink yesterday. I
have a home lab with some 12.1 and some 11.3 routers. Until now I must
have lucked out on the routers when doing a) area authentication and b)
virtual link authentication; until yesterday, that was. I couldn't fathom
out what was wrong when absolutely no virtual links would authenticate
and one link in area 0 wouldn't authenticate either. I came to the
conclusion that if you had 11.3 you could not authenticate with 12.1,
especially since with 12.1 you can type in the command
area 0 virtual-link blah authentication message-digest
message-digest-key 1 md5 robert
When you look into the config it puts it into 2 lines, i.e. area 0
virtual-link blah authentication message-digest, then area 0
message-digest-key 1 md5 robert.
You do not then have to put area 0 authentication on the router to
which you have extended area 0.
With 11.3 you cannot do the one-line virtual link: you have to do area 0
virtual-link blah authentication message-digest, then area 0 virtual-link
blah message-digest-key 1 md5 robert, and then you need to stick area 0
authentication message-digest-key on the router to which you have
extended area 0.
Try to mix and match these parameters and, when doing a debug ip ospf
pack, you always get "sending with youngest key 0" when in fact the
youngest key is 1, so they will never authenticate.
Nightmare (a horse in pyjamas)
Yesterday was a day that totally demoralised me (fat-fingering and the
authentication issue). I just hope the same doesn't happen on the 15th.
-----Original Message-----
From: Brad Ellis [mailto:bellis@ccbootcamp.com]
Sent: 09 November 2001 05:17
To: ccielab@groupstudy.com
Subject: security question - md5
Does anyone know if IOS v.11.3 calculates the MD5 hashing algorithm
differently than 12.0 (is there a different version of MD5 that 11.3 uses
vs. 12.0)? I have a couple of routers trying to do some OSPF authentication,
one with 11.3 and the other with 12.0. They would not authenticate with
each other even though the keys were identical. Using the same config, it
worked when I put 12.1 code on the router. Which tells me there is either
a) an incompatibility between 11.3 MD5 and 12.0 MD5 or a bug in the IOS I
was using. I'm leaning towards a bug in the IOS, since I thought MD5 was a
standard defined in RFC 1321. Is there anything I'm missing? Are there
different versions of MD5 floating around?
I'm having the same problem now between the same 11.3 IOS code and my PIX
while trying to authenticate RIP. So I'm really leaning towards the IOS
issue; I was just curious if anyone has seen something similar.
thanks,
-Brad Ellis
CCIE#5796 (R&S / Security)
Network Learning Inc
bellis@ccbootcamp.com
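Added example, not code from this thread or from Cisco: what the OSPF MD5 authentication under discussion actually computes, following RFC 2328 Appendix D (cryptographic authentication, AuType 2). MD5 itself is the RFC 1321 algorithm; what differs between implementations is how the packet, key ID and key are fed into it. The Hello packet, router ID, area ID, key ID and the key "cisco" are constructed inputs. The zero-padding of a key shorter than 16 octets is an assumption about common implementation behaviour (Cisco and Wireshark pad that way), not something the RFC text spells out. The verifier reports a distinct reason for a wrong key, an unknown key ID and a mismatched AuType, which are the three failure symptoms the messages above describe.

```python
"""RFC 2328 Appendix D cryptographic (MD5) authentication for OSPFv2.

Added example, not from the mailing-list thread. Builds a constructed OSPF
Hello packet, appends the MD5 digest the way RFC 2328 D.4.3 describes
(MD5 over packet || key, with Checksum = 0 under AuType 2 and the digest
not counted in Packet Length), and verifies it as a receiver would.
"""
import hashlib
import hmac
import struct

AU_NULL, AU_SIMPLE, AU_CRYPTO = 0, 1, 2   # OSPF AuType values
HDR_FMT = "!BBH4s4sHH8s"    # 24-octet OSPFv2 header
AUTH_FMT = "!HBBI"          # AuType 2 Authentication field: 0, Key ID, Auth Data Len, Seq
OSPF_HELLO = 1
MD5_LEN = 16


def pad_key(key: bytes) -> bytes:
    """Keys are used as 16 octets; shorter keys are zero-padded (assumption, see lead-in)."""
    if len(key) > MD5_LEN:
        raise ValueError("OSPF MD5 key longer than 16 octets")
    return key.ljust(MD5_LEN, b"\x00")


def ip4(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def build_hello_body(netmask="255.255.255.0", hello=10, dead=40, priority=1) -> bytes:
    """Constructed Hello body (RFC 2328 A.3.2): options E set, no DR, BDR or neighbors."""
    return struct.pack("!4sHBBI4s4s", ip4(netmask), hello, 0x02, priority, dead,
                       b"\x00" * 4, b"\x00" * 4)


def sign_packet(ptype: int, body: bytes, router_id: str, area_id: str,
                key_id: int, seq: int, key: bytes) -> bytes:
    """Sender side: return header + body + 16-octet MD5 digest per RFC 2328 D.4.3."""
    length = 24 + len(body)                       # digest is not counted here
    auth_field = struct.pack(AUTH_FMT, 0, key_id, MD5_LEN, seq)
    pkt = struct.pack(HDR_FMT, 2, ptype, length, ip4(router_id), ip4(area_id),
                      0, AU_CRYPTO, auth_field) + body   # checksum 0 under AuType 2
    return pkt + hashlib.md5(pkt + pad_key(key)).digest()


def verify_packet(wire: bytes, keys: dict) -> tuple:
    """Receiver side. keys maps Key ID -> key bytes. Returns (ok, reason)."""
    if len(wire) < 24:
        return False, "short packet"
    _ver, _ptype, length, _rid, _aid, _csum, autype, auth = struct.unpack(HDR_FMT, wire[:24])
    if autype != AU_CRYPTO:
        return False, "mismatched auth type %d" % autype
    _zero, key_id, auth_len, _seq = struct.unpack(AUTH_FMT, auth)
    if auth_len != MD5_LEN or len(wire) != length + MD5_LEN:
        return False, "bad auth data length"
    if key_id not in keys:
        return False, "no key with id %d" % key_id
    expected = hashlib.md5(wire[:length] + pad_key(keys[key_id])).digest()
    if hmac.compare_digest(expected, wire[length:]):
        return True, "ok"
    return False, "digest mismatch"


def set_autype(wire: bytes, autype: int) -> bytes:
    """Rewrite the AuType field (octets 14-15) to simulate a neighbor with a different auth type."""
    return wire[:14] + struct.pack("!H", autype) + wire[16:]


if __name__ == "__main__":
    key = b"cisco"
    pkt = sign_packet(OSPF_HELLO, build_hello_body(), "10.0.0.1", "0.0.0.0", 1, 1000, key)
    print(verify_packet(pkt, {1: key}))                         # same key, same key ID
    print(verify_packet(pkt, {1: b"Cisco"}))                    # wrong key: digest mismatch
    print(verify_packet(pkt, {2: key}))                         # receiver lacks key ID 1
    print(verify_packet(set_autype(pkt, AU_SIMPLE), {1: key}))  # mismatched auth type
```

Because the key is mixed into the MD5 input by concatenation rather than by HMAC, the digest is only as strong as the secrecy of the key, and a receiver keyed with the same string but a different key ID rejects the packet before it ever hashes anything, which is why a "youngest key" or key-ID disagreement between two routers looks like an authentication failure even when the key text matches.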
This archive was generated by hypermail 2.1.4 : Fri Jun 21 2002 - 06:45:11 GMT-3