From: Kenneth Wygand (KWygand@customonline.com)
Date: Wed Mar 17 2004 - 21:42:03 GMT-3
Danny,
I don't think everything you said is correct, although I'm not sure if I am 100% either. Please see my comments inline with your text below.
> Here's how I think Virtual-link authentication works. I know this has been
> discussed at great length on this board, but I think I have it down now and
> want to double check.
>
> Area5-----R1----area20-------R2------Area0-------R3------Area0-----R4------area14
>
> Area 0 is being authenticated using MD5. On R2, R3 and R4 I have
> configured:
> Area 0 authentication message-digest
First, you have to include "area 0 authentication message-digest" on all routers connected to Area 0, including the far end router on the virtual link, or your virtual link will not work.
> Depending on the requirement, I can configure authentication on the link
> between R3 and R2 and not configure authentication between R3 and R4.
First you mentioned Area authentication, and then you mentioned link authentication (I think). Link authentication takes precedence over Area authentication when both are configured. Remember, this is authentication TYPE, not PASSWORDS. So if you enable "Area 0 authentication message-digest" on all four routers (R1, R2, R3 and R4, because they each have a connection to Area 0), and then you enable "ip ospf authentication" on the link between R3 and R2 (plain text implied because I didn't include the 'message-digest' attribute), all interfaces in Area 0 will run MD5 authentication while the link between R3 and R2 will run plain text authentication. The same holds true if you configure "ip ospf authentication null" on the interface as well, because it is an authentication type and will override the Area authentication. However if you don't type any link authentication commands, any links in Area 0 will use the area authentication configured.
> As
> long as both sides have the same authentication configured (or not
> configured), it will work.
When you say "not configured", what do you mean? Configuring link authentication to be "null" is different than not typing any link authentication configuration commands, as explained in the previous paragraph.
> Also, even though R4 does not have
> authentication configured on its only area 0 link, I still need to have
> "area 0 authentication message-digest" configured under router OSPF (I'd
> like to get an explanation for this. I think if you don't do it, you get
> mismatched authentication type errors, but why?).
If you have "Area 0 authentication message-digest" on R3, any links that are part of Area 0 that do not EXPLICITLY have link authentication configured on them will use the Area authentication method configured. In this case, R3's link to R4 will be running message-digest authentication due to the Area 0 authentication. If you do not configure MD5 authentication (either link or area) on R4, then R4's link to R3 will try to run NO authentication, resulting in the mismatch you see. When you enable "area 0 authentication message-digest" or "ip ospf authentication message-digest" on R4's link to R3, the mismatched authentication type error will go away because both sides will now be running md5 authentication.
> As far as the V-link goes, I only need to have "area 0 authentication
> message-digest" configured on R1. I see this V-link as I see the two links
> on R3 to R2 and R4. It can either have authentication configured or not; as
> long as both ends match. As far as the V-link goes, as long as both ends
> have the same config, it should work.
Authentication in OSPF is hierarchical, but each link can only use one type of authentication. The way the authentication is selected on a particular link is:
1) if link authentication is configured, use that method of authentication ('null' authentication configured at the link level will run as no authentication);
2) if link authentication is not configured and Area authentication is configured for the area that interface is assigned to, use that method of authentication; and
3) if neither of these methods of authentication is configured, do not use any authentication.
As long as two sides of a link are using the same type of authentication (none, plain text or MD5), it doesn't matter how it was assigned that way (area or link). Like you said, "as long as both ends match".
I can see someone relating this to the way GPOs are applied to Windows 2K/2K3... first apply domain level policies, then site, then blah blah blah, then local, etc., where the last policy applied supersedes previously applied policies... Area authentication is applied first, which is then overridden by link authentication (when configured).
> I think this is it. If not, please be gentle....
Does this help? I hope it helps someone... :)
Ken
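As an added illustration of the selection rule Ken lays out above (link setting first, then area setting, then none, and a 'null' link setting counting as configured), here is a small Python model of it applied to Danny's R1-R4 topology. This is not code from either post and not IOS output; the router and interface names, the "vl-" naming for the virtual-link ends and the three scenarios are constructed for the example. It resolves the type on each end of every link the way the post describes and flags the ends that would give the "mismatched authentication type" symptom, including R4 with its area 0 command missing and the virtual link between R1 and R2.

```python
"""Model of the OSPF authentication-type selection rule discussed in the post.

Per link end:
  1) interface ("ip ospf authentication ...") setting, if present, 'null' included;
  2) otherwise the area setting ("area <id> authentication ...");
  3) otherwise no authentication.
Two ends form an adjacency only if the resolved types match; it does not
matter whether a type came from the link or from the area.
"""
from dataclasses import dataclass, field

NONE, PLAIN, MD5 = "null", "plain", "md5"   # the three authentication types


@dataclass
class Router:
    name: str
    # area id -> type from "area <id> authentication [message-digest]"
    area_auth: dict = field(default_factory=dict)
    # interface or virtual-link end -> type from "ip ospf authentication [null|message-digest]"
    link_auth: dict = field(default_factory=dict)


def effective_auth(router, link, area):
    """Resolve the authentication type actually used on one end of a link."""
    if link in router.link_auth:      # rule 1: link-level wins, even when it is 'null'
        return router.link_auth[link]
    if area in router.area_auth:      # rule 2: fall back to the area the link belongs to
        return router.area_auth[area]
    return NONE                       # rule 3: nothing configured anywhere


def check_links(routers, links):
    """Return {link name: (left type, right type, match?)} for every link."""
    result = {}
    for name, (r1, end1, r2, end2, area) in links.items():
        a = effective_auth(routers[r1], end1, area)
        b = effective_auth(routers[r2], end2, area)
        result[name] = (a, b, a == b)
    return result


def mismatches(result):
    """Names of the links whose two ends resolved to different types."""
    return [name for name, (_, _, ok) in result.items() if not ok]


def build_topology(r4):
    """Constructed topology from the post; R4's config is passed in to vary the scenario.

    R1 and R2 carry area 0 MD5 for the virtual link; R2-R3 has plain-text
    link authentication on both ends, overriding the area 0 MD5 setting.
    A virtual link counts as an area 0 link, so it picks up area 0 auth.
    """
    routers = {
        "R1": Router("R1", area_auth={"0": MD5}),
        "R2": Router("R2", area_auth={"0": MD5}, link_auth={"to-R3": PLAIN}),
        "R3": Router("R3", area_auth={"0": MD5}, link_auth={"to-R2": PLAIN}),
        "R4": r4,
    }
    links = {
        "R1-R2 vlink": ("R1", "vl-R2", "R2", "vl-R1", "0"),   # transits area 20, belongs to area 0
        "R1-R2 area20": ("R1", "to-R2", "R2", "to-R1", "20"),
        "R2-R3": ("R2", "to-R3", "R3", "to-R2", "0"),
        "R3-R4": ("R3", "to-R4", "R4", "to-R3", "0"),
    }
    return routers, links


# Scenario A: R4 has no "area 0 authentication message-digest" (Danny's question).
R4_NO_AREA_AUTH = Router("R4")
# Scenario B: R4 has the area command; nothing on the interface.
R4_AREA_MD5 = Router("R4", area_auth={"0": MD5})
# Scenario C: R4 has the area command but also "ip ospf authentication null" on the link,
# the case Ken distinguishes from simply not configuring link authentication.
R4_AREA_MD5_LINK_NULL = Router("R4", area_auth={"0": MD5}, link_auth={"to-R3": NONE})


if __name__ == "__main__":
    for label, r4 in (("A", R4_NO_AREA_AUTH), ("B", R4_AREA_MD5), ("C", R4_AREA_MD5_LINK_NULL)):
        res = check_links(*build_topology(r4))
        print(f"scenario {label}:")
        for name, (a, b, ok) in res.items():
            print(f"  {name:14} {a:>5} / {b:<5} {'ok' if ok else 'MISMATCH'}")
```

Scenario A reproduces the mismatch on R3-R4 (R3 at md5 from the area, R4 at null), B clears it, and C brings it back because the link-level 'null' on R4 overrides the area setting. The R2-R3 link resolves to plain on both ends despite area 0 being MD5, and the virtual link resolves to md5 on both ends from the area 0 command on R1 and R2. On real gear the equivalent checks are `show ip ospf interface` (which states which authentication is enabled per interface) and `debug ip ospf adj` while the adjacency is forming.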
This archive was generated by hypermail 2.1.4 : Thu Apr 01 2004 - 08:15:33 GMT-3