RE: Help me pls with OSPF authentication.

From: Brian McGahan (brian@cyscoexpert.com)
Date: Thu Dec 26 2002 - 20:52:45 GMT-3

        Yes. This is considered interface authentication for the
virtual-link. If it was area authentication, it would be the following:

area 0 authentication message-digest
area 4 virtual-link 0.0.0.4 message-digest-key 1 md5 cubbies

HTH

Brian McGahan, CCIE #8593
Director of Design and Implementation
brian@cyscoexpert.com

CyscoExpert Corporation
Internetwork Consulting & Training
Voice: 847.674.3392
Fax: 847.674.2625

> -----Original Message-----
> From: OhioHondo [mailto:ohiohondo@columbus.rr.com]
> Sent: Thursday, December 26, 2002 5:46 PM
> To: Brian McGahan; 'Lysyuk Andrew'
> Cc: ccielab@groupstudy.com
> Subject: RE: Help me pls with OSPF authentication.
>
> Brian
>
> Just some semantics. Are you calling the following statements from the
> router config interface authentication on the virtual link??
>
> area 4 virtual-link 0.0.0.4 authentication message-digest
> area 4 virtual-link 0.0.0.4 message-digest-key 1 md5 cubbies
>
> Thanks for your help!!
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Brian McGahan
> Sent: Thursday, December 26, 2002 6:06 PM
> To: 'Jerry Haverkos'; 'Lysyuk Andrew'
> Cc: ccielab@groupstudy.com
> Subject: RE: Help me pls with OSPF authentication.
>
>
> Jerry,
>
> There are two types of authentication in OSPF, area and
> interface. If area authentication is enabled, all interfaces which
have
> adjacencies on them must authenticate. A virtual-link *is* an area 0
> interface, therefore if you have a virtual-link, and are
authenticating
> area 0, you must authenticate the virtual-link.
>
> Interface authentication is independent of area authentication,
> and interface authentication overrides area authentication. This
means
> that you could be using clear-text authentication throughout and area,
> and implement md5 authentication on a particular link within that
area.
> In the case that you have presented, interface authentication is
enabled
> on the virtual-link. This is a perfectly valid configuration.
>
> If in your example you had said 'area 0 authentication', the
> remote router where the virtual-link terminates would also have to say
> 'area 0 authentication'. It is not completely necessary that you
> configure a key on the interface (or virtual-link in this case). OSPF
> authentication uses a "null" key by default. Practically, security
> through obscurity is not a very safe practice, therefore you should
> configure a key on each interface which is authenticating.
>
>
> HTH
>
> Brian McGahan, CCIE #8593
> Director of Design and Implementation
> brian@cyscoexpert.com
>
> CyscoExpert Corporation
> Internetwork Consulting & Training
> Voice: 847.674.3392
> Fax: 847.674.2625
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of
> > Jerry Haverkos
> > Sent: Thursday, December 26, 2002 2:42 PM
> > To: 'Lysyuk Andrew'
> > Cc: ccielab@groupstudy.com
> > Subject: RE: Help me pls with OSPF authentication.
> >
> > Lysuk
> >
> > I am on IOS 12.1.13 and my configs show no correlation between
> > authentication of area 0 and authentication on the virtual link. The
> > following are excerpts from my configs on the router that houses
area
> 0
> > and
> > participates as part of the virtual link in my network. They show
that
> > there
> > is no correlation in my network.
> >
> > 3640-1_R1#sho ip ospf virtual-links
> > Virtual Link OSPF_VL0 to router 0.0.0.4 is up
> > Run as demand circuit
> > DoNotAge LSA allowed.
> > Transit area 4, via interface Serial1/0.4, Cost of using 781
> > Transmit Delay is 1 sec, State POINT_TO_POINT,
> > Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit
5
> > Hello due in 00:00:05
> > Adjacency State FULL (Hello suppressed)
> > Index 1/4, retransmission queue length 0, number of
retransmission
> 1
> > First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
> > Last retransmission scan length is 1, maximum is 1
> > Last retransmission scan time is 0 msec, maximum is 0 msec
> > Message digest authentication enabled
> > Youngest key id is 1
> >
> >
> > Note -- on the router there is only one interface in area 0 and it
> does
> > not
> > specify authentication
> >
> > 3640-1_R1#
> > router ospf 100
> > router-id 0.0.0.1
> > log-adjacency-changes
> > no discard-route internal
> > area 0 range 149.1.254.0 255.255.255.0
> > area 0 range 149.1.0.0 255.255.0.0
> > area 1 range 149.1.1.0 255.255.255.0
> > area 2 authentication message-digest
> > area 2 stub no-summary
> > area 2 range 149.1.2.0 255.255.255.0
> > area 4 range 149.1.4.0 255.255.255.0
> > area 4 virtual-link 0.0.0.4 authentication message-digest
> > area 4 virtual-link 0.0.0.4 message-digest-key 1 md5 cubbies
> > area 5 authentication message-digest
> > area 5 nssa no-summary
> > area 5 range 149.1.5.0 255.255.255.0
> > summary-address 17.0.0.0 255.0.0.0 not-advertise
> > network 149.1.1.0 0.0.0.255 area 1
> > network 149.1.2.0 0.0.0.255 area 2
> > network 149.1.4.0 0.0.0.255 area 4
> > network 149.1.5.0 0.0.0.255 area 5
> > network 149.1.254.254 0.0.0.0 area 0
> > neighbor 149.1.2.254
> > neighbor 149.1.4.254
> > neighbor 149.1.5.254
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf
Of
> > Justin Menga
> > Sent: Thursday, December 26, 2002 1:11 AM
> > To: Jude Servi; 'Robert Slaski'; 'Manish Gupta'
> > Cc: 'Lysyuk Andrew'; ccielab@groupstudy.com
> > Subject: RE: Help me pls with OSPF authentication.
> >
> >
> > Also, if you enable authentication for a virtual link, you must also
> > ensure
> > area 0 has authentication enabled:
> >
> > router ospf 1
> > area 0 authentication
> > area 1 virtual-link .....
> >
> > Regards,
> > Justin
> >
> > -----Original Message-----
> > From: Jude Servi [mailto:jservi@cisco.com]
> > Sent: Wednesday, December 25, 2002 12:36 PM
> > To: 'Robert Slaski'; 'Manish Gupta'
> > Cc: 'Lysyuk Andrew'; ccielab@groupstudy.com
> > Subject: RE: Help me pls with OSPF authentication.
> >
> >
> > Don't forget to add authentication to a virtual link if needed.
> Example
> > for
> > md5 auth:
> >
> > router ospf 1
> > area # virtual-link <neighbor ip addr> authentication
message-digest
> > message-digest-key # <key>
> >
> > Jude
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of
> > Robert Slaski
> > Sent: Saturday, December 21, 2002 11:16 AM
> > To: Manish Gupta
> > Cc: Lysyuk Andrew; ccielab@groupstudy.com
> > Subject: Re: Help me pls with OSPF authentication.
> >
> >
> > Manish Gupta wrote:
> > > I always prefer
> > >
> > > Under router ospf x
> > > area x authentication (plain or MD5)
> > >
> > > Under interface:
> > > ip opsf authetication <password> if plain
> >
> > You meant 'ip ospf authentication-key' I think, but this does not
> answer
> >
> > the Andrew's question.
> >
> > There are two authentication types available in OSPF: per area and
per
> > interface, if both are configured then per interface authentication
> > takes precedence. Both have plain-text and MD5 checksum variants.
> >
> > Per area:
> > 1. enable area authentication
> > (config-router)# area <area> authentication [message-digest]
> > 2. setup keys (this should be done on each area interface)
> > (config-if)# ip ospf authentication-key <text> # for plain text
> > or
> > (config-if)# ip ospf message-digest-key <key_id> md5 0 <text> # for
> MD5
> >
> > Per interface:
> > 1. enable interface authentication
> > (config-if)# ip ospf authentication [message-digest | null]
> > 2. setup keys (same as above)
> >
> > mikrobi,
> > --
> > .
> > .
> .
.

This archive was generated by hypermail 2.1.4 : Fri Jan 17 2003 - 17:21:53 GMT-3