From: Packet Man (ccie2b@hotmail.com)
Date: Fri Jan 30 2004 - 13:18:44 GMT-3
Brian,
Thanks so much. That really cleared up my confusion and answered my
questions. I appreciate it.
If you don't mind, I have one other question on this issue re: RIPv2 and
EIGRP passwords.
Is there a way to assign a unique password to each PVC (DLCI) on a
point-to-multipoint interface?
I suspect that I'm restricted to assigning passwords on the physical
interface or the sub-interface. Is that correct?
Thanks again.
>From: "Brian Dennis" <bdennis@internetworkexpert.com>
>To: "'Packet Man'" <ccie2b@hotmail.com>,<ccielab@groupstudy.com>
>Subject: RE: Using Key chains
>Date: Fri, 30 Jan 2004 07:52:16 -0800
>
>RIP (plain text and MD5):
>key chain <key chain name> <-- DOES NOT need to match
> key <key ID> <-- DOES NOT need to match but needs to be active*
> key-string <key string> <-- DOES need to match
>
>Note that although the key ID (key number) is exchanged in the RIPv2
>messages for MD5 authentication, a router will accept a message with a
>different key ID as long as the key string matches and the key is within
>its accept-lifetime.
>
>EIGRP:
>key chain <key chain name> <-- DOES NOT need to match
> key <key ID> <-- DOES need to match and be active*
> key-string <key string> <-- DOES need to match
>
>* This is in reference to the accept-lifetime for the particular key.
>
>Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
>bdennis@internetworkexpert.com
>Internetwork Expert, Inc.
>http://www.InternetworkExpert.com
>Toll Free: 877-224-8987
>Direct: 775-745-6404 (Outside the US and Canada)
>
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>Packet Man
>Sent: Thursday, January 29, 2004 7:20 PM
>To: kasturi_cisco@hotmail.com; ccielab@groupstudy.com
>Subject: RE: Using Key chains
>
>Hi,
>
>Thanks for getting back to me.
>
>If I understand you correctly then using multiple keys on a key chain is
>only for the situation of migrating from one key to another. Is that
>correct?
>
>The reason I ask is because the scenario I was thinking about is this:
>
>Assume you have a hub router with p2p connections to 5 spoke stub routers
>and you have to use a different password on each link. Therefore, to
>fulfill this requirement, the hub router has to have 5 different keys but
>the spoke routers only need one key.
>
>According to what you're saying, I would have to configure 5 different KEY
>CHAINS each with one key instead of configuring 1 KEY CHAIN with 5
>different keys. Is that correct?
>
>Thanks in advance
>
>
>
>
> >From: "kasturi cisco" <kasturi_cisco@hotmail.com>
> >To: ccie2b@hotmail.com, ccielab@groupstudy.com
> >Subject: RE: Using Key chains
> >Date: Fri, 30 Jan 2004 02:58:31 +0000
> >
>
>From: "kasturi cisco" <kasturi_cisco@hotmail.com>
>To: ccie2b@hotmail.com, ccielab@groupstudy.com
>Subject: RE: Using Key chains
>Date: Fri, 30 Jan 2004 02:58:31 +0000
>
>Hi,
>
>I think it works as follows:
>
>Multiple keys are used for rollover so that if the first key becomes
>invalid with time (defined by accept- and send-lifetime) then the second
>key in the list is going to be used.
>
>The routing protocols have the interface associated with the key-chain
>only with both RIP and EIGRP. The key-id is locally significant but the
>routing protocol uses or starts the auth process with the lowest key # or
>key id. Then based on this it uses the corresponding key-string to
>authenticate. The key-strings should match for successful authentication.
>
>So when you have a key chain with keys like you have defined, what would
>happen is key 1 will be used at both ends and, assuming both are valid, the
>key-strings configured would be sent/expected from the other end. Since they
>don't match it will fail.
>
>Good Luck,
>Kasturi.
>
This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:52 GMT-3
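
Added example (not part of the original thread): a small Python model of the matching rules as Brian Dennis's reply states them, showing which received key ID / key string pairs RIP and EIGRP would accept against one receiver key chain. The class and function names and the sample keys are constructed for illustration, and comparing key strings directly stands in for the MD5 digest check.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: str
    accept_from: datetime    # start of accept-lifetime
    accept_until: datetime   # end of accept-lifetime

    def active(self, now: datetime) -> bool:
        return self.accept_from <= now <= self.accept_until


def rip_accepts(chain, rx_id, rx_string, now):
    # RIP rule from the reply: the received key ID is not compared; any key
    # inside its accept-lifetime with a matching key string is enough.
    return any(k.active(now) and k.key_string == rx_string for k in chain)


def eigrp_accepts(chain, rx_id, rx_string, now):
    # EIGRP rule from the reply: key ID and key string must both match,
    # and that key must be inside its accept-lifetime.
    return any(k.active(now) and k.key_id == rx_id
               and k.key_string == rx_string for k in chain)


# Constructed sample data: one expired key and one currently valid key.
NOW = datetime(2004, 1, 30, 12, 0)
VALID = (datetime(2004, 1, 1), datetime(2004, 12, 31))
EXPIRED = (datetime(2003, 1, 1), datetime(2003, 12, 31))
RECEIVER_CHAIN = [Key(1, "OLDKEY", *EXPIRED), Key(2, "LINK-A", *VALID)]


def check(rx_id, rx_string):
    """Return (RIP accepts, EIGRP accepts) for a received key ID and string."""
    return (rip_accepts(RECEIVER_CHAIN, rx_id, rx_string, NOW),
            eigrp_accepts(RECEIVER_CHAIN, rx_id, rx_string, NOW))


if __name__ == "__main__":
    for rx in [(2, "LINK-A"), (7, "LINK-A"), (1, "OLDKEY"), (2, "WRONG")]:
        print(rx, "RIP/EIGRP accept:", check(*rx))
```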