Re: Re[2]: OSPF Virtual Link Authentication

From: Jay (ccienxtyear@hotmail.com)
Date: Fri Sep 06 2002 - 17:28:45 GMT-3


Hi,

Virtual link is part of area 0. If you enable authentication in area 0, then
you need to set up authentication on the virtual link, or vice versa:

 area 0 authentication message-digest
 area 126 virtual-link 6.6.6.6 message-digest-key 1 md5 cisco

Or if you do not require authentication on the Virtual link, just type

area 126 virtual-link 6.6.6.6 authentication null

thanks,
Jay

----- Original Message -----
From: "Jim Brown" <Jim.Brown@caselogic.com>
To: "'syv'" <syv@911networks.com>; "Ivan Centeno" <icenteno2001@yahoo.com>
Cc: <ccielab@groupstudy.com>
Sent: Thursday, September 05, 2002 3:55 PM
Subject: RE: Re[2]: OSPF Virtual Link Authentication

> I think you can enable per interface authentication with virtual links
> without enabling authentication in area 0.
>
> I'm pretty sure on this, but I don't want to state it as fact since I've
> already been wrong on one post this week.
>
>
>
> -----Original Message-----
> From: syv [mailto:syv@911networks.com]
> Sent: Thursday, September 05, 2002 4:48 PM
> To: Ivan Centeno
> Cc: ccielab@groupstudy.com
> Subject: Re[2]: OSPF Virtual Link Authentication
>
>
> On Thursday, September 05, 2002, Ivan Centeno wrote:
>
> I just had a similar scenario last week:
>
> Area 0 was authenticated MD5. Here is the code from the
> listing:
>
> router ospf 10
> router-id 1.1.1.1
> log-adjacency-changes
> area 0 authentication message-digest
> area 126 virtual-link 6.6.6.6 message-digest-key 1 md5 cisco
>
> I remembered reading somewhere that the far-end router is
> logically attached to area 0 through the virtual-link.
>
>
> -----Original Message-----
> IC> Frank,
>
> IC> In my understanding the answer is no. Area 1 is just a
> IC> transit area, the virtual link encapsulates the LSA
> IC> between R2 and R3 (acting like a real link). Because
> IC> of that, Area 1 does not even need to have authentication
> IC> enabled.
>
> IC> Ivan
>
> IC> --- frank.yu@japan.bnpparibas.com wrote:
> >>
> >> Paul,
> >>
> >> Correct me if I am wrong. When you configure a
> >> diagram as follows
> >>
> >>
> >>
> >> R1------------------------------R2--------------------R3-------------
> >>             ospf a0                     ospf a1           ospf a2
> >>
> >> R3 should see route in a0 as intra area route
> >> other than inter area
> >> route, so as I understand A0 and A1 should have same
> >> authentication type
> >> either plain text or message digest.
> >>
> >> Frank
> >>
> >>
> >>
> >> Internet
> >> icenteno2001@yahoo.com@groupstudy.com - 09/05/2002
> >> 12:23 PM
> >>
> >>
> >> Please respond to icenteno2001@yahoo.com
> >>
> >> Sent by: nobody@groupstudy.com
> >>
> >> To: paul, ccielab
> >>
> >> cc:
> >>
> >>
> >> Subject: Re: OSPF Virtual Link Authentication
> >>
> >>
> >> Paul,
> >>
> >> I am working in the subject too.
> >> comments in line.
> >>
> >> Ivan
> >> --- Paul Grey <paul@greyboy.org> wrote:
> >> > Could someone please clarify for me the exact
> >> > context that the
> >> > authentication parameters are used in the OSPF
> >> > virtual link command:-
> >> >
> >> > area 1 virtual-link 1.1.1.1 [authentication |
> >> > authentication-key]
> >> >
> >> > I currently have a config with Area 0 using plain
> >> > text authentication (password cisco) and Area 1 is
> >> > using message-digest (sanjose).
> >> >
> >> > I've configured a virtual link across Area 1 to a
> >> > router tagged to Area 2.
> >> >
> >> > Using:-
> >> >
> >> > Area 0 authentication
> >> > Area 1 virtual-link a.b.c.d
> >> >
> >> > On the Area 2 router my virtual link comes up.
> >> >
> >> > So I'm assuming that the link has come up because
> >> > the default null
> >> > string is being used by the virtual-link for
> >> > authentication. Am I right?
> >>
> >> My guess is yes.
> >> >
> >> > If I am then why use the parameters in the
> >> command.
> >> >
> >> I think that the main reason is backward
> >> compatibility
> >> and the desire of full security in the flooding of
> >> the
> >> LSA.
> >>
> >> From a Cisco Document:
> >>
> >> "Starting in Cisco IOS 12.0.8, authentication is
> >> supported on a per-interface basis, as mentioned in
> >> RFC 2328,
> >> Appendix D. This feature was added in bug
> >> CSCdk33792.
> >> If you are a registered CCO user and you have logged
> >> in, you
> >> can view the bug details"
> >>
> >> Prior to IOS 12.0.8 it was necessary to define the
> >> configuration of the authentication in the virtual
> >> link. That is the reason why I think of
> >> backward compatibility.
> >>
> >> Any comment would be appreciated.
> >>
> >> > Any takers?
> >> >
> >> > TIA
> >> >
> >> > Paul
> >> >
> >> > ________________________________________________
> >> >
> >> > Paul Grey
> >> >
> >> > paul@greyboy.org
> >> >
> IC> __________________________________________________________________
> >> > To unsubscribe from the CCIELAB list, send a
> >> message
> >> > to
> >> > majordomo@groupstudy.com with the body containing:
> >> > unsubscribe ccielab
>
>
> Thanks
> ----
> syv@911networks.com
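
The rule discussed in this thread (a virtual link belongs to area 0, so it takes area 0's authentication type unless the link overrides it) can be checked mechanically over a saved configuration. The following is an added example, not code from any poster: the function name `audit_virtual_links`, the finding strings and the sample config are constructed for illustration, and the inheritance logic encodes what the posters state rather than a vendor specification.

```python
import re

# Constructed sample, using only command forms that appear in this thread.
SAMPLE = """\
router ospf 10
 router-id 1.1.1.1
 area 0 authentication message-digest
 area 126 virtual-link 6.6.6.6 message-digest-key 1 md5 cisco
 area 126 virtual-link 7.7.7.7
 area 126 virtual-link 8.8.8.8 authentication null
"""

AREA0_AUTH = re.compile(
    r"^\s*area\s+(?:0|0\.0\.0\.0)\s+authentication(\s+message-digest)?\s*$", re.I)
VLINK = re.compile(r"^\s*area\s+\S+\s+virtual-link\s+(\S+)(.*)$", re.I)
KEY_FOR = {"simple": "authentication-key", "message-digest": "message-digest-key"}


def audit_virtual_links(config):
    """Return {peer router-id: finding} for every virtual link in the config."""
    backbone = None   # area 0 type: None, "simple" or "message-digest"
    links = {}        # peer -> option strings (a link may span several lines)
    for line in config.splitlines():
        m = AREA0_AUTH.match(line)
        if m:
            backbone = "message-digest" if m.group(1) else "simple"
            continue
        m = VLINK.match(line)
        if m:
            links.setdefault(m.group(1), []).append(m.group(2))
    findings = {}
    for peer, opts in links.items():
        text = " ".join(" ".join(opts).lower().split())
        if "authentication null" in text:
            findings[peer] = "unauthenticated (explicit null)"
            continue
        if "authentication message-digest" in text:
            mode = "message-digest"          # per-link override
        elif re.search(r"\bauthentication(?!-)", text):
            mode = "simple"                  # bare 'authentication' on the link
        else:
            mode = backbone                  # inherited from area 0
        if mode is None:
            findings[peer] = "unauthenticated (no authentication enabled)"
        elif KEY_FOR[mode] in text:
            findings[peer] = "ok"
        else:
            findings[peer] = f"{mode} authentication enabled, no key set"
    return findings
```

Run against both ends of a virtual link, matching findings on each side are what to look for; a link reported as "no key set" corresponds to the case in the original question, where the link came up on the default empty key.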



This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:43:45 GMT-3