From: Tim Ross (ross2k@pclv.com)
Date: Fri Sep 06 2002 - 22:54:39 GMT-3
You are correct about the Area 0 authentication not being required. The more
recent commands also allow entering all the required commands on one line,
"area 1 virtual-link 200.150.150.5 authentication message-digest
message-digest-key 2 md5 area2key", and it will then show the output as two
separate lines as shown in your output. Maybe Cisco was trying to save us
some time in the lab exam <joke>. Similar OSPF authentication commands can
be selectively entered on the specific interfaces needed.
Tim
----- Original Message -----
From: "Jim Brown" <Jim.Brown@caselogic.com>
To: "'Jay'" <ccienxtyear@hotmail.com>; "Jim Brown"
<Jim.Brown@caselogic.com>; "'syv'" <syv@911networks.com>; "Ivan Centeno"
<icenteno2001@yahoo.com>
Cc: <ccielab@groupstudy.com>
Sent: Friday, September 06, 2002 5:58 PM
Subject: RE: Re[2]: OSPF Virtual Link Authentication
> Dig a little deeper. You can enable authentication over a virtual link
> without enabling area 0 authentication.
>
> Per Interface Authentication.
>
> Take a look at this. No area 0 authentication command?
>
> router ospf 64
> log-adjacency-changes
> area 1 virtual-link 200.150.150.5 authentication message-digest
> area 1 virtual-link 200.150.150.5 message-digest-key 2 md5 area2key
> area 2 range 150.10.20.0 255.255.255.0
> summary-address 150.10.30.0 255.255.255.0
> redistribute connected subnets route-map ospfintadd
> network 150.10.3.0 0.0.0.255 area 1
> network 150.10.10.0 0.0.0.15 area 1
> network 150.10.20.0 0.0.0.127 area 2
>
>
> r3#show ip ospf vir
> Virtual Link OSPF_VL0 to router 200.150.150.5 is up
> Run as demand circuit
> DoNotAge LSA allowed.
> Transit area 1, via interface Serial0, Cost of using 64
> Transmit Delay is 1 sec, State POINT_TO_POINT,
> Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
> Hello due in 00:00:01
> Adjacency State FULL (Hello suppressed)
> Index 1/3, retransmission queue length 0, number of retransmission 1
> First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
> Last retransmission scan length is 1, maximum is 1
> Last retransmission scan time is 4 msec, maximum is 4 msec
> Message digest authentication enabled
> Youngest key id is 2
> r3#
>
> -----Original Message-----
> From: Jay [mailto:ccienxtyear@hotmail.com]
> Sent: Friday, September 06, 2002 2:29 PM
> To: Jim Brown; 'syv'; Ivan Centeno
> Cc: ccielab@groupstudy.com
> Subject: Re: Re[2]: OSPF Virtual Link Authentication
>
>
> Hi,
>
> Virtual link is part of area 0. If you enable authentication in area 0, then
> you need to set up authentication on the virtual link, or vice versa:
>
> area 0 authentication message-digest
> area 126 virtual-link 6.6.6.6 message-digest-key 1 md5 cisco
>
> Or if you do not require authentication on the Virtual link, just type
>
> area 126 virtual-link 6.6.6.6 authentication null
>
> thanks,
> Jay
>
>
>
>
>
> ----- Original Message -----
> From: "Jim Brown" <Jim.Brown@caselogic.com>
> To: "'syv'" <syv@911networks.com>; "Ivan Centeno" <icenteno2001@yahoo.com>
> Cc: <ccielab@groupstudy.com>
> Sent: Thursday, September 05, 2002 3:55 PM
> Subject: RE: Re[2]: OSPF Virtual Link Authentication
>
>
> > I think you can enable per interface authentication with virtual links
> > without enabling authentication in area 0.
> >
> > I'm pretty sure on this, but I don't want to state it as fact since I've
> > already been wrong on one post this week.
> >
> >
> >
> > -----Original Message-----
> > From: syv [mailto:syv@911networks.com]
> > Sent: Thursday, September 05, 2002 4:48 PM
> > To: Ivan Centeno
> > Cc: ccielab@groupstudy.com
> > Subject: Re[2]: OSPF Virtual Link Authentication
> >
> >
> > On Thursday, September 05, 2002, Ivan Centeno wrote:
> >
> > I just had a similar scenario last week:
> >
> > Area 0 was authenticated MD5. Here is the code from the
> > listing:
> >
> > router ospf 10
> > router-id 1.1.1.1
> > log-adjacency-changes
> > area 0 authentication message-digest
> > area 126 virtual-link 6.6.6.6 message-digest-key 1 md5 cisco
> >
> > I remembered reading somewhere that the far-end router is
> > logically attached to area 0 through the virtual-link.
> >
> >
> > -----Original Message-----
> > IC> Frank,
> >
> > IC> In my understanding the answer is no. Area 1 is just a
> > IC> transit area, the virtual link encapsulates the LSA
> > IC> between R2 and R3 (acting like a real link). Because
> > IC> of that, Area 1 does not even need to have authentication
> > IC> enabled.
> >
> > IC> Ivan
> >
> > IC> --- frank.yu@japan.bnpparibas.com wrote:
> > >>
> > >> Paul,
> > >>
> > >> Correct me if I am wrong. When you configure a
> > >> diagram as follows
> > >>
> > >> R1------------------------------R2--------------------R3-------------
> > >>             ospf a0                      ospf a1           ospf a2
> > >>
> > >> R3 should see routes in a0 as intra-area routes
> > >> rather than inter-area routes, so as I understand it A0 and A1
> > >> should have the same authentication type,
> > >> either plain text or message digest.
> > >>
> > >> Frank
> > >>
> > >> Internet
> > >> icenteno2001@yahoo.com@groupstudy.com - 09/05/2002 12:23 PM
> > >> Please respond to icenteno2001@yahoo.com
> > >> Sent by: nobody@groupstudy.com
> > >> To: paul, ccielab
> > >> cc:
> > >> Subject: Re: OSPF Virtual Link Authentication
> > >>
> > >> Paul,
> > >>
> > >> I am working on the subject too.
> > >> Comments inline.
> > >>
> > >> Ivan
> > >> --- Paul Grey <paul@greyboy.org> wrote:
> > >> > Could someone please clarify for me the exact context that the
> > >> > authentication parameters are used in the OSPF virtual link command:-
> > >> >
> > >> > area 1 virtual-link 1.1.1.1 [authentication | authentication-key]
> > >> >
> > >> > I currently have a config with Area 0 using plain text authentication
> > >> > (password cisco) and Area 1 is using message-digest (sanjose).
> > >> >
> > >> > I've configured a virtual link across Area 1 to a router tagged to
> > >> > Area 2.
> > >> >
> > >> > Using:-
> > >> >
> > >> > Area 0 authentication
> > >> > Area 1 virtual-link a.b.c.d
> > >> >
> > >> > On the Area 2 router my virtual link comes up.
> > >> >
> > >> > So I'm assuming that the link has come up because the default null
> > >> > string is being used by the virtual-link for authentication. Am I
> > >> > right?
> > >>
> > >> My guess is yes.
> > >> >
> > >> > If I am then why use the parameters in the command.
> > >> >
> > >> I think that the main reason is backward compatibility
> > >> and the desire for full security in the flooding of the
> > >> LSA.
> > >>
> > >> From a Cisco Document:
> > >>
> > >> "Starting in Cisco IOS. 12.0.8, authentication is
> > >> supported on a per-interface basis, as mentioned in
> > >> RFC 2328, Appendix D. This feature was added in bug
> > >> CSCdk33792. If you are a registered CCO user and you
> > >> have logged in, you can view the bug details"
> > >>
> > >> Before IOS 12.0.8 it was necessary to define the
> > >> configuration of the authentication in the virtual
> > >> link. That is the reason why I think of backward
> > >> compatibility.
> > >>
> > >> Any comment would be appreciated.
> > >>
> > >> > Any takers?
> > >> >
> > >> > TIA
> > >> >
> > >> > Paul
> > >> > Paul Grey
> > >> >
> > >> > paul@greyboy.org
> > Thanks
> > ----
> > syv@911networks.com
This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:43:46 GMT-3
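
Added example (not part of the original thread, nor Cisco's own code): a small Python audit of an IOS `router ospf` block that reports the effective authentication of each virtual link, covering the two-line per-link form from r3, the one-line form Tim mentions, and inheritance from `area 0 authentication`. It assumes a virtual link takes area 0's authentication type unless the link sets its own, and that a key configured with no type enabled leaves the link unauthenticated; the function name, verdict strings, and every sample line other than r3's two are constructed.

```python
import re

# Constructed sample config. Lines 2-3 are r3's from the thread; the rest are
# made up to cover the one-line form, a key that is never enabled, and null.
SAMPLE = """\
router ospf 64
 area 1 virtual-link 200.150.150.5 authentication message-digest
 area 1 virtual-link 200.150.150.5 message-digest-key 2 md5 area2key
 area 3 virtual-link 10.0.0.9 authentication message-digest message-digest-key 1 md5 EXAMPLEKEY
 area 4 virtual-link 10.0.0.7 message-digest-key 1 md5 EXAMPLEKEY
 area 5 virtual-link 10.0.0.8 authentication null
"""

AREA0 = re.compile(r"^\s*area\s+(?:0|0\.0\.0\.0)\s+authentication(\s+message-digest)?\s*$")
VLINK = re.compile(r"^\s*area\s+(\S+)\s+virtual-link\s+(\S+)(.*)$")
AUTH = re.compile(r"\bauthentication(?!-key)(?:\s+(message-digest|null)(?![\w-]))?")
MD5_KEY = re.compile(r"\bmessage-digest-key\s+\d+\s+md5\s+\S+")


def audit_virtual_links(config):
    """Return {(transit_area, router_id): verdict} for every virtual link."""
    area0, links = "null", {}
    for line in config.splitlines():
        m = AREA0.match(line)
        if m:  # backbone-wide type, inherited by virtual links (assumption)
            area0 = "message-digest" if m.group(1) else "simple"
            continue
        m = VLINK.match(line)
        if not m:
            continue
        link = links.setdefault((m.group(1), m.group(2)), {"type": None, "key": False})
        auth = AUTH.search(m.group(3))
        if auth:  # a per-link type overrides whatever area 0 says
            link["type"] = auth.group(1) or "simple"
        if MD5_KEY.search(m.group(3)):
            link["key"] = True
    report = {}
    for ident, link in links.items():
        effective = link["type"] or area0
        if effective == "null":
            report[ident] = "unauthenticated"
        elif effective == "simple":
            report[ident] = "cleartext password"
        else:
            report[ident] = "md5" if link["key"] else "md5 without key"
    return report
```

Run it over the `router ospf` section of a saved configuration; any link reported as `unauthenticated`, `cleartext password` or `md5 without key` is one to review.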