Re: ospf authentication

From: Joe Higgins (netsat@xxxxxxxxxxxxx)
Date: Thu May 09 2002 - 08:58:00 GMT-3


I just noticed that, as with the interface, you can override the area 0 authentication type that is configured at the (router-config) level on the virtual interface border routers by using the area 0 virtual x.x.x.x authentication or area 0 virtual x.x.x.x authentication message commands. Therefore I have amended my flow chart to read:

The way that the IOS appears to handle virtual interface authentication is as follows:
On the virtual border routers at the (router-conf) level, is there a type "area 0 authentication virtual x.x.x.x auth or area 0 virtual x.x.x.x authentication message" command?
if no, go to (3)
if yes, then is there a matching area 0 virt x.x.x.x virtual interface type password configured?
if yes, then authenticate the virtual interface with that authentication type and with that password
if no, then authenticate the virtual interface with that type of authentication but with a null password
(3) is there an area 0 authentication or authentication message command at the (router-conf) level?
if no, then do not do authentication
if yes, then is there a matching authentication type area 0 virt x.x.x.x password configured on the virtual interface?
if yes, then authenticate the virtual interface with that authentication type and the configured password
if no, then configure the virtual interface with that authentication type but with a null password

Joe Higgins wrote:

> The way that the IOS appears to handle virtual interface authentication is as
> follows:
> On the virtual border routers is there a "area x authentication" or a "area x
> authentication message-digest" command configured at the router ospf level?
> If no, then use no authentication on the virtual link
> If yes, then look at the "area x virtual x.x.x.x etc." command for a matching type
> and password
> If yes, then use that type and password to authenticate the link
> If no, i.e. no password or different type password, then authenticate using the
> configured router ospf type level with a null password.
>
> Joe Higgins wrote:
>
> > The way that I perceive that the ospf authentication is done by the IOS is as
> > follows:
> >
> > The IOS looks first at interface commands
> > 1) Is there an "ip ospf authentication" or "ip ospf authentication message"
> > command on the interface ?
> > If no go to (2)
> > If yes, is there a matching type command on the interface with a password?
> > If no, authenticate with a null password using that type level
> > If yes, then use that type of authentication and the password to form an
> > adjacency.
> >
> > (2) Is there an "area x authentication" or "area x message-digest" command at
> > the router ospf configuration level
> > If no, use no authentication.
> > If yes, is there a corresponding type key or password command configured on the
> > interface
> > If yes, then authenticate at the ospf router configured type level and use
> > the interface password configured
> > If no, then authenticate at the configured router ospf type level with a null
> > password.
> >
> > garcia wrote:
> >
> > > that's a good one. i would think you would get an authentication type error
> > > between mismatched neighbors and only form neighbors on those that match.
> > > if you configure md5 between rtr_b -- rtr_a and type 1 clear-text between
> > > rtr_b -- rtr_c, rtr_a should only form neighbor with rtr_b and rtr_c should
> > > only form neighbor with rtr_b. did you clear ip ospf proc or reload after
> > > you set up authentication?
> > >
> > > ----- Original Message -----
> > > From: Joe Higgins <netsat@optonline.net>
> > > To: <ccielab@groupstudy.com>
> > > Sent: Wednesday, May 08, 2002 11:29 AM
> > > Subject: ospf authentication
> > >
> > > > RTR_A (area 0 ) e0 -- e0 RTR_B (area 0) e1---e0 RTR_C (area 0}
> > > >
> > > > In the above scenario if I have the following commands on all three
> > > > routers running IOS 12.1 will the routers ospf authenticate using md5
> > > > encryption on that network segment even though on the router
> > > > configuration level I have specified plain text configuration? From
> > > > what I see it appears that if the first command (ip ospf authentication
> > > > message-digest) is there on the interface level it does not care what,
> > > > if anything, is on the router configuration level as far as that
> > > > interface is concerned. It only looks to the router level command if
> > > > the first interface command is not present in the configuration.
> > > >
> > > > router ospf 1
> > > > area 0 authentication
> > > >
> > > > interface Ex
> > > > ip ospf authentication message-digest
> > > > ip ospf message-digest-key 1 md5 cisco
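The precedence worked out across this thread (interface or virtual-link command first, router-level "area N authentication" second, otherwise no authentication, and a null password whenever the chosen type has no matching key) can be modelled as a small config audit. The script below is an added example, not code from the thread or from Cisco: its parser is constructed for the few IOS commands discussed here (it uses the full `message-digest-key` keyword), the `iface_area` mapping stands in for the network statements a full config would carry, virtual links are treated as backbone members so that `area 0 authentication` is their fallback, and the precedence it encodes is the one the thread describes rather than a statement of IOS internals. Its security-relevant output is the "NULL KEY" finding, the case where an authentication type is active but no key of that type was configured.

```python
"""Model of the OSPF authentication precedence described in this thread.

Parses a small IOS-style config fragment and, for each interface and virtual
link, resolves which authentication type and key the thread's rules select:
  1. a local "authentication [message-digest]" command wins;
  2. otherwise the router-level "area N authentication [message-digest]"
     applies (virtual links belong to the backbone, so area 0 is their fallback);
  3. otherwise no authentication.
A chosen type with no matching key means a null password, which is flagged.
"""
import re

SIMPLE, MD5, NONE = "simple", "md5", "none"


def _new_scope(area):
    return {"area": area, "type": None, "keys": {}}


def _apply_local(scope, cmd):
    """Apply one interface- or virtual-link-level OSPF authentication command."""
    if cmd == "authentication":
        scope["type"] = SIMPLE
    elif cmd == "authentication message-digest":
        scope["type"] = MD5
    elif cmd.startswith("authentication-key "):
        scope["keys"][SIMPLE] = cmd.split(" ", 1)[1]
    elif cmd.startswith("message-digest-key "):
        scope["keys"][MD5] = cmd.split()[3]   # "message-digest-key <id> md5 <key>"


def parse_ios(text, iface_area):
    """Return (areas, scopes); iface_area maps interface name -> area id and
    stands in for the network statements a full config would carry (assumption)."""
    areas, scopes, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            name = line.split()[1]
            cur = scopes.setdefault(name, _new_scope(iface_area.get(name)))
        elif line.startswith("router ospf"):
            cur = "ospf"
        elif cur == "ospf":
            m = re.match(r"area (\S+) authentication( message-digest)?$", line)
            if m:
                areas[m.group(1)] = MD5 if m.group(2) else SIMPLE
                continue
            m = re.match(r"area \S+ virtual-link (\S+)(?: (.+))?$", line)
            if m:  # virtual links sit in the backbone: fall back to area 0
                vl = scopes.setdefault("vlink " + m.group(1), _new_scope("0"))
                if m.group(2):
                    _apply_local(vl, m.group(2))
        elif isinstance(cur, dict) and line.startswith("ip ospf "):
            _apply_local(cur, line[len("ip ospf "):])
    return areas, scopes


def resolve(scope, area_type):
    """Effective (type, key); key None with a real type is a null password."""
    auth_type = scope["type"] or area_type or NONE
    if auth_type == NONE:
        return NONE, None
    return auth_type, scope["keys"].get(auth_type)


def audit(text, iface_area):
    """Return {scope name: (type, key, finding)} for every interface and vlink."""
    areas, scopes = parse_ios(text, iface_area)
    result = {}
    for name, scope in scopes.items():
        auth_type, key = resolve(scope, areas.get(scope["area"]))
        if auth_type == NONE:
            finding = "no authentication"
        elif key is None:
            finding = "NULL KEY: type enabled but no matching key configured"
        else:
            finding = "ok"
        result[name] = (auth_type, key, finding)
    return result


# Constructed config: area 0 is plain-text at the router level, as in the
# original question; Ethernet0 overrides it with MD5 on the interface.
SAMPLE_CONFIG = """
router ospf 1
 area 0 authentication
 area 1 virtual-link 3.3.3.3 authentication message-digest
 area 1 virtual-link 3.3.3.3 message-digest-key 1 md5 vlinkkey
 area 1 virtual-link 4.4.4.4
!
interface Ethernet0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco
!
interface Ethernet1
 ip ospf authentication-key plaintext
!
interface Ethernet2
 ip ospf authentication
!
interface Ethernet3
"""
SAMPLE_AREAS = {"Ethernet0": "0", "Ethernet1": "0", "Ethernet2": "0", "Ethernet3": "2"}

if __name__ == "__main__":
    for name, (kind, key, finding) in audit(SAMPLE_CONFIG, SAMPLE_AREAS).items():
        print(f"{name:16} {kind:7} key={key!r:12} {finding}")
```

Running it on the constructed config shows Ethernet0 using MD5 with key `cisco` despite the plain-text area command (the conclusion of the original question), Ethernet1 inheriting plain-text from area 0 with its interface key, Ethernet2 and the 4.4.4.4 virtual link landing on the null-password branch, and Ethernet3 in area 2 with no authentication at all.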



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:58:53 GMT-3