From: Vijay S Jayaraman (vjayaram@in.ibm.com)
Date: Fri Dec 27 2002 - 03:51:19 GMT-3
Hi,
what I meant was.....area 0 is using authentication....and I configure this
on the router that's directly connected to area 0........
and I configure the virtual links also with authentication using area 1
virtual-link XXXX authentication..blah blah on both the routers terminating
the virtual link....
But on the router at the other end of the virtual link, I do not configure
the statement "area 0 authentication"
and this still seems to work....
I am using 12.5T12 ip plus on a 2600........possibly this is a version
dependent behaviour....
Regards,
Vijay.
From: "OhioHondo" <ohiohondo@columbus.rr.com>
Sent by: nobody@groupstudy.com
To: Vijay S Jayaraman/India/IBM@IBMIN, "Brian McGahan" <brian@cyscoexpert.com>
Cc: <ccielab@groupstudy.com>, "'Lysyuk Andrew'" <lysyuk@ics.ua>
Date: 12/27/2002 11:48 AM
Subject: RE: Help me pls with OSPF authentication.
Please respond to "OhioHondo"
Vijay
I believe these are the points -
A virtual link to a router may or may not use authentication if area 0 in
that router does not use authentication. It's your choice.
If area 0 in a router uses authentication, all virtual links to that router
MUST use authentication. There is no choice.
-----Original Message-----
From: Vijay S Jayaraman [mailto:vjayaram@in.ibm.com]
Sent: Friday, December 27, 2002 12:31 AM
To: Brian McGahan
Cc: ccielab@groupstudy.com; 'Jerry Haverkos'; 'Lysyuk Andrew';
nobody@groupstudy.com
Subject: RE: Help me pls with OSPF authentication.
Importance: High
I don't know if you really need to say "area 0 authentication" on a router
on the other end of the virtual link, although all the tech notes say you
need to .......
'cos I have tried it without this statement and this seems to work......
Though I don't take chances on a real lab and put this statement.....
Regards,
Vijay.
From: "Brian McGahan" <brian@cyscoexpert.com>
Sent by: nobody@groupstudy.com
To: "'Jerry Haverkos'" <jhaverkos@columbus.rr.com>, "'Lysyuk Andrew'" <lysyuk@ics.ua>
Cc: <ccielab@groupstudy.com>
Date: 12/27/2002 04:36 AM
Subject: RE: Help me pls with OSPF authentication.
Please respond to "Brian McGahan"
Jerry,
There are two types of authentication in OSPF, area and
interface. If area authentication is enabled, all interfaces which have
adjacencies on them must authenticate. A virtual-link *is* an area 0
interface, therefore if you have a virtual-link, and are authenticating
area 0, you must authenticate the virtual-link.
Interface authentication is independent of area authentication,
and interface authentication overrides area authentication. This means
that you could be using clear-text authentication throughout an area,
and implement md5 authentication on a particular link within that area.
In the case that you have presented, interface authentication is enabled
on the virtual-link. This is a perfectly valid configuration.
If in your example you had said 'area 0 authentication', the
remote router where the virtual-link terminates would also have to say
'area 0 authentication'. It is not completely necessary that you
configure a key on the interface (or virtual-link in this case). OSPF
authentication uses a "null" key by default. Practically, security
through obscurity is not a very safe practice, therefore you should
configure a key on each interface which is authenticating.
HTH
Brian McGahan, CCIE #8593
Director of Design and Implementation
brian@cyscoexpert.com
CyscoExpert Corporation
Internetwork Consulting & Training
Voice: 847.674.3392
Fax: 847.674.2625
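As an added example (not from the thread, and not Cisco's code), the following Python model encodes the precedence rule Brian states above: area-level authentication is a per-area default, an interface-level setting overrides it, a virtual link counts as an area 0 interface, and the two ends of a link must agree on the authentication type. It replays Jerry's configuration from the quoted message below; the Router class, the helper names and the "Loopback0" name for the area 0 interface are assumptions.

```python
from dataclasses import dataclass, field

# Authentication types an OSPF interface can run, named as IOS shows them.
NULL, CLEAR, MD5 = "null", "clear-text", "message-digest"

@dataclass
class Router:
    name: str
    area_auth: dict = field(default_factory=dict)  # area -> "area N authentication [message-digest]"
    ifaces: dict = field(default_factory=dict)     # iface -> (area, "ip ospf authentication ..." or None)
    keys: set = field(default_factory=set)         # interfaces that have a key configured

    def interface(self, name, area, auth=None, key=False):
        self.ifaces[name] = (area, auth)
        if key:
            self.keys.add(name)

    def virtual_link(self, name, auth=None, key=False):
        # A virtual link is an area 0 interface whatever its transit area is.
        self.interface(name, "0", auth, key)

    def effective_auth(self, iface):
        # Interface-level authentication overrides the area-level default.
        area, if_auth = self.ifaces[iface]
        return if_auth if if_auth is not None else self.area_auth.get(area, NULL)

def adjacency_ok(r1, i1, r2, i2):
    # Both ends of a link must run the same authentication type to stay adjacent.
    return r1.effective_auth(i1) == r2.effective_auth(i2)

def missing_keys(router):
    # Interfaces that authenticate but still rely on the default (empty) key.
    return sorted(i for i in router.ifaces
                  if router.effective_auth(i) != NULL and i not in router.keys)

def jerry_case():
    # Constructed from Jerry's excerpt: no "area 0 authentication", the one area 0
    # interface unauthenticated, the virtual link authenticated per interface.
    r1 = Router("R1")
    r1.interface("Loopback0", "0")           # assumed name for the 149.1.254.254 interface
    r1.virtual_link("VL0", MD5, key=True)
    r4 = Router("R4", area_auth={"0": MD5})  # remote end uses area 0 authentication instead
    r4.virtual_link("VL0", key=True)
    return r1, r4

def mismatch_case():
    # R1 authenticates area 0 (so VL0 inherits MD5) but the remote end configured nothing.
    r1 = Router("R1", area_auth={"0": MD5}); r1.virtual_link("VL0")
    r4 = Router("R4"); r4.virtual_link("VL0")
    return r1, r4
```

The mismatch case is the situation OhioHondo describes: once area 0 authenticates on one router, every virtual link terminating there inherits it and the far end must match.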
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Jerry Haverkos
> Sent: Thursday, December 26, 2002 2:42 PM
> To: 'Lysyuk Andrew'
> Cc: ccielab@groupstudy.com
> Subject: RE: Help me pls with OSPF authentication.
>
> Lysyuk
>
> I am on IOS 12.1.13 and my configs show no correlation between
> authentication of area 0 and authentication on the virtual link. The
> following are excerpts from my configs on the router that houses area 0 and
> participates as part of the virtual link in my network. They show that there
> is no correlation in my network.
>
> 3640-1_R1#sho ip ospf virtual-links
> Virtual Link OSPF_VL0 to router 0.0.0.4 is up
> Run as demand circuit
> DoNotAge LSA allowed.
> Transit area 4, via interface Serial1/0.4, Cost of using 781
> Transmit Delay is 1 sec, State POINT_TO_POINT,
> Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
> Hello due in 00:00:05
> Adjacency State FULL (Hello suppressed)
> Index 1/4, retransmission queue length 0, number of retransmission 1
> First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
> Last retransmission scan length is 1, maximum is 1
> Last retransmission scan time is 0 msec, maximum is 0 msec
> Message digest authentication enabled
> Youngest key id is 1
>
>
> Note -- on the router there is only one interface in area 0 and it does not
> specify authentication
>
> 3640-1_R1#
> router ospf 100
> router-id 0.0.0.1
> log-adjacency-changes
> no discard-route internal
> area 0 range 149.1.254.0 255.255.255.0
> area 0 range 149.1.0.0 255.255.0.0
> area 1 range 149.1.1.0 255.255.255.0
> area 2 authentication message-digest
> area 2 stub no-summary
> area 2 range 149.1.2.0 255.255.255.0
> area 4 range 149.1.4.0 255.255.255.0
> area 4 virtual-link 0.0.0.4 authentication message-digest
> area 4 virtual-link 0.0.0.4 message-digest-key 1 md5 cubbies
> area 5 authentication message-digest
> area 5 nssa no-summary
> area 5 range 149.1.5.0 255.255.255.0
> summary-address 17.0.0.0 255.0.0.0 not-advertise
> network 149.1.1.0 0.0.0.255 area 1
> network 149.1.2.0 0.0.0.255 area 2
> network 149.1.4.0 0.0.0.255 area 4
> network 149.1.5.0 0.0.0.255 area 5
> network 149.1.254.254 0.0.0.0 area 0
> neighbor 149.1.2.254
> neighbor 149.1.4.254
> neighbor 149.1.5.254
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Justin Menga
> Sent: Thursday, December 26, 2002 1:11 AM
> To: Jude Servi; 'Robert Slaski'; 'Manish Gupta'
> Cc: 'Lysyuk Andrew'; ccielab@groupstudy.com
> Subject: RE: Help me pls with OSPF authentication.
>
>
> Also, if you enable authentication for a virtual link, you must also ensure
> area 0 has authentication enabled:
>
> router ospf 1
> area 0 authentication
> area 1 virtual-link .....
>
> Regards,
> Justin
>
> -----Original Message-----
> From: Jude Servi [mailto:jservi@cisco.com]
> Sent: Wednesday, December 25, 2002 12:36 PM
> To: 'Robert Slaski'; 'Manish Gupta'
> Cc: 'Lysyuk Andrew'; ccielab@groupstudy.com
> Subject: RE: Help me pls with OSPF authentication.
>
>
> Don't forget to add authentication to a virtual link if needed. Example for
> md5 auth:
>
> router ospf 1
> area # virtual-link <neighbor ip addr> authentication message-digest
> message-digest-key # <key>
>
> Jude
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Robert Slaski
> Sent: Saturday, December 21, 2002 11:16 AM
> To: Manish Gupta
> Cc: Lysyuk Andrew; ccielab@groupstudy.com
> Subject: Re: Help me pls with OSPF authentication.
>
>
> Manish Gupta wrote:
> > I always prefer
> >
> > Under router ospf x
> > area x authentication (plain or MD5)
> >
> > Under interface:
> > ip ospf authentication <password> if plain
>
> You meant 'ip ospf authentication-key' I think, but this does not answer
> Andrew's question.
>
> There are two authentication types available in OSPF: per area and per
> interface; if both are configured, per-interface authentication
> takes precedence. Both have plain-text and MD5 checksum variants.
>
> Per area:
> 1. enable area authentication
> (config-router)# area <area> authentication [message-digest]
> 2. setup keys (this should be done on each area interface)
> (config-if)# ip ospf authentication-key <text> # for plain text
> or
> (config-if)# ip ospf message-digest-key <key_id> md5 0 <text> # for MD5
>
> Per interface:
> 1. enable interface authentication
> (config-if)# ip ospf authentication [message-digest | null]
> 2. setup keys (same as above)
>
> mikrobi,
> --
This archive was generated by hypermail 2.1.4 : Fri Jan 17 2003 - 17:21:53 GMT-3