From: Dmitry Volkov (dmitry.volkov@rogers.com)
Date: Sat Jan 31 2004 - 15:10:58 GMT-3
Brian, do you have any explanation why for RIP Key IDs don't have to match
and for EIGRP do have to match?
Or is it just by design?
Do you have any reference on this info, or was it a test observation?
Thanks,
Dmitry
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Brian Dennis
> Sent: Friday, January 30, 2004 10:52 AM
> To: 'Packet Man'; ccielab@groupstudy.com
> Subject: RE: Using Key chains
>
>
> RIP (plain text and MD5):
> key chain <key chain name> <-- DOES NOT need to match
> key <key ID> <-- DOES NOT need to match but needs to be active*
> key-string <key string> <-- DOES need to match
>
> Note that although the key ID (key number) is exchanged in the RIPv2
> messages for MD5 authentication, a router will accept a message with a
> different key ID as long as the key string matches and the key is within
> its accept-lifetime.
>
> EIGRP:
> key chain <key chain name> <-- DOES NOT need to match
> key <key ID> <-- DOES need to match and be active*
> key-string <key string> <-- DOES need to match
>
> * This is in reference to the accept-lifetime for the particular key.
>
> Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> bdennis@internetworkexpert.com
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 775-745-6404 (Outside the US and Canada)
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Packet Man
> Sent: Thursday, January 29, 2004 7:20 PM
> To: kasturi_cisco@hotmail.com; ccielab@groupstudy.com
> Subject: RE: Using Key chains
>
> Hi,
>
> Thanks for getting back to me.
>
> If I understand you correctly then using multiple keys on a key chain is
> only for the situation of migrating from one key to another. Is that
> correct?
>
> The reason I ask is because the scenario I was thinking about is this:
>
> Assume you have a hub router with p2p connections to 5 spoke stub routers
> and you have to use a different password on each link. Therefore, to
> fulfill this requirement, the hub router has to have 5 different keys but
> the spoke routers only need one key.
>
> According to what you're saying, I would have to configure 5 different KEY
> CHAINS each with one key instead of configuring 1 KEY CHAIN with 5 different
> keys. Is that correct?
>
> Thanks in advance
>
>
>
>
> >From: "kasturi cisco" <kasturi_cisco@hotmail.com>
> >To: ccie2b@hotmail.com, ccielab@groupstudy.com
> >Subject: RE: Using Key chains
> >Date: Fri, 30 Jan 2004 02:58:31 +0000
> >
>
>
> Hi,
>
> I think it works as follows:
>
> Multiple keys are used for roll over so that if the first key is invalid with
> time (defined by accept and send-lifetime) then the second key in the list is
> going to be used.
>
> The routing protocols have the interface associated with the key-chain
> only with both RIP and EIGRP. The key-id is locally significant but the
> routing protocol uses or starts the auth process with the lowest key # or
> key id. Then based on this it uses the corresponding key-string to
> authenticate. The key-strings should match for successful authentication.
>
> So when you have a key chain with keys like you have defined, what would
> happen is key 1 will be used at both ends and, assuming both are valid, the
> key-strings configured would be sent/expected from the other end. Since they
> don't match, it will fail.
>
> Good Luck,
> Kasturi.
>
> ______________________________________________________________
> _________
> Please help support GroupStudy by purchasing your study
> materials from:
> http://shop.groupstudy.com
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:52 GMT-3
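Added example (not part of any poster's message, and not Cisco code): a small Python model of the matching rules exactly as stated in the thread, applied to the hub-and-spoke scenario, to show why a single hub key chain holding five keys authenticates only one spoke. The names `Key`, `pick_send_key`, `accepts` and `hub_to_spokes`, the key strings and the timestamps are hypothetical; the "lowest-numbered valid key is sent" rule is taken from kasturi's reply and the RIP/EIGRP matching rules from Brian Dennis's reply.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: str
    send: tuple = (0, float("inf"))    # send-lifetime window (constructed timestamps)
    accept: tuple = (0, float("inf"))  # accept-lifetime window

def _active(window, now):
    return window[0] <= now <= window[1]

def pick_send_key(chain, now):
    """Sender side: lowest-numbered key inside its send-lifetime (as stated in the thread)."""
    live = [k for k in chain if _active(k.send, now)]
    return min(live, key=lambda k: k.key_id) if live else None

def accepts(protocol, rx_chain, sent, now):
    """Receiver side: apply the thread's matching rules to one received update."""
    if sent is None:
        return False
    for k in rx_chain:
        # Both protocols: key must be inside accept-lifetime and key-string must match.
        if not _active(k.accept, now) or k.key_string != sent.key_string:
            continue
        # RIP: key ID need not match. EIGRP: key ID must match as well.
        if protocol == "rip" or k.key_id == sent.key_id:
            return True
    return False

def hub_to_spokes(protocol, hub_chain, spokes, now=100):
    """Which spokes authenticate updates from a hub that uses one chain on every link?"""
    sent = pick_send_key(hub_chain, now)
    return {name: accepts(protocol, chain, sent, now) for name, chain in spokes.items()}

# Constructed scenario: one hub chain with a key per spoke, each spoke holding one key.
HUB_ONE_CHAIN = [Key(i, f"secret{i}") for i in range(1, 6)]
SPOKES = {f"spoke{i}": [Key(1, f"secret{i}")] for i in range(1, 6)}

if __name__ == "__main__":
    for proto in ("rip", "eigrp"):
        print(proto, "single chain:", hub_to_spokes(proto, HUB_ONE_CHAIN, SPOKES))
    # One chain per link: the hub sends each spoke that spoke's own key-string.
    per_link = {n: accepts("eigrp", c, pick_send_key([Key(1, c[0].key_string)], 100), 100)
                for n, c in SPOKES.items()}
    print("eigrp per-link chains:", per_link)
```

In this model the single shared chain fails for four of the five spokes under both protocols because the hub always sends with key 1, while one chain per link authenticates all five.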