From: John Matijevic (matijevi@bellsouth.net)
Date: Thu Mar 18 2004 - 10:37:32 GMT-3
Hello Danny,
No offense taken. I ran the test myself; here are the results:
R1-->R3 area 0, R3-->R4 area 34, R4 Lo0 is in area 44.
Here is the relevant config for R3:
router ospf 1
log-adjacency-changes
area 0 authentication message-digest
area 34 virtual-link 30.1.1.2
network 30.1.1.0 0.0.0.255 area 34
network 172.16.200.0 0.0.0.255 area 0
So I used the second method; let's see what happens:
R3#sh ip ospf virtual-link
Virtual Link OSPF_VL2 to router 30.1.1.2 is up
Run as demand circuit
DoNotAge LSA allowed.
Transit area 34, via interface FastEthernet0/0, Cost of using 1
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:06
Adjacency State FULL (Hello suppressed)
Index 1/2, retransmission queue length 0, number of retransmission 1
First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
Last retransmission scan length is 1, maximum is 1
Last retransmission scan time is 0 msec, maximum is 0 msec
Message digest authentication enabled
No key configured, using default key id 0
R3#
As we can see, authentication is enabled using message-digest, and what
happens is that the virtual link, since the key is not configured, is
using key 0. So the virtual link is being authenticated with key 0, with
no security.
We can still see the interarea route on R1, even though the virtual link is
using a different message key:
R1#sh ip route
1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback0
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.16.200.0/24 is directly connected, Serial0
O 172.16.200.2/32 [110/64] via 172.16.200.2, 00:08:06, Serial0
O 172.16.200.3/32 [110/64] via 172.16.200.3, 00:08:06, Serial0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, BRI0
C 12.0.0.0/8 is directly connected, Ethernet0
44.0.0.0/32 is subnetted, 1 subnets
O IA 44.1.1.1 [110/66] via 172.16.200.3, 00:08:07, Serial0
30.0.0.0/24 is subnetted, 1 subnets
O IA
Now let me add an authentication key to the virtual link, with the following:
router ospf 1
log-adjacency-changes
area 0 authentication message-digest
area 34 virtual-link 30.1.1.2 message-digest-key 1 md5 ccie
network 30.1.1.0 0.0.0.255 area 34
network 172.16.200.0 0.0.0.255 area 0
R3#sh ip ospf virtual-link
Virtual Link OSPF_VL0 to router 30.1.1.2 is up
Run as demand circuit
DoNotAge LSA allowed.
Transit area 34, via interface FastEthernet0/0, Cost of using 1
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:00
Adjacency State FULL (Hello suppressed)
Index 2/3, retransmission queue length 0, number of retransmission 1
First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
Last retransmission scan length is 1, maximum is 1
Last retransmission scan time is 0 msec, maximum is 0 msec
Message digest authentication enabled
Youngest key id is 1
So now we are using the same key as the backbone area.
And we can still see the same route:
R1#sh ip route
1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback0
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.16.200.0/24 is directly connected, Serial0
O 172.16.200.2/32 [110/64] via 172.16.200.2, 00:08:06, Serial0
O 172.16.200.3/32 [110/64] via 172.16.200.3, 00:08:06, Serial0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, BRI0
C 12.0.0.0/8 is directly connected, Ethernet0
44.0.0.0/32 is subnetted, 1 subnets
O IA 44.1.1.1 [110/66] via 172.16.200.3, 00:08:07, Serial0
30.0.0.0/24 is subnetted, 1 subnets
O IA
Also, here is a link for more information:
http://www.cisco.com/en/US/tech/tk365/tk480/technologies_configuration_example09186a00800946bd.shtml
So the conclusion is that you can use different authentication on the
virtual link and establish adjacency, but you will use type 0
authentication; as soon as you put a message-digest-key on the virtual link
you are using the same type as the backbone area. I did not mean any offense,
but I saw your question as being very vague, without any detail, or
showing what exactly you don't understand, or which one is correct?
Correct for what? Are you working on a lab workbook? I don't know what
you are saying, and as I did, others could have interpreted it as vague as well.
Again, no offense taken; it just helps if you can provide more
detail in your post, and please don't take this the wrong way. I have
seen many other people post without much detail; the more detail you
put, the better.
Sincerely,
Matijevic
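An added example, not from this thread or from Cisco: a small Python audit that parses the `show ip ospf virtual-link` output quoted above and flags virtual links whose MD5 authentication is running on the default key id 0 ("No key configured"), which is the condition the post calls "no security". The sample input is constructed from the two outputs in the post plus one made-up entry (OSPF_VL1) with no authentication line at all; the assumption that IOS prints no "authentication enabled" line for an unauthenticated virtual link is mine, not something the post shows.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the two outputs from the post pasted together,
# plus one made-up entry (OSPF_VL1) with no authentication line (assumed format).
SAMPLE_SHOW_OUTPUT = """\
Virtual Link OSPF_VL2 to router 30.1.1.2 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 34, via interface FastEthernet0/0, Cost of using 1
  Adjacency State FULL (Hello suppressed)
  Message digest authentication enabled
    No key configured, using default key id 0
Virtual Link OSPF_VL0 to router 30.1.1.2 is up
  Run as demand circuit
  Transit area 34, via interface FastEthernet0/0, Cost of using 1
  Adjacency State FULL (Hello suppressed)
  Message digest authentication enabled
    Youngest key id is 1
Virtual Link OSPF_VL1 to router 30.1.1.9 is up
  Transit area 34, via interface FastEthernet0/1, Cost of using 1
  Adjacency State FULL (Hello suppressed)
"""

# One "Virtual Link <name> to router <rid> is <state>" line opens each block.
VL_HEADER = re.compile(r"^Virtual Link (\S+) to router (\S+) is (\w+)", re.M)


def parse_virtual_links(show_output: str) -> List[Dict[str, Optional[object]]]:
    """Split 'show ip ospf virtual-link' output into one record per virtual link."""
    links = []
    headers = list(VL_HEADER.finditer(show_output))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(show_output)
        block = show_output[m.start():end]
        entry = {
            "name": m.group(1),
            "peer": m.group(2),
            "state": m.group(3),
            "adjacency": "unknown",
            "auth": "none",     # anything that is not message-digest
            "key_id": None,     # None = no key id reported
        }
        adj = re.search(r"Adjacency State (\w+)", block)
        if adj:
            entry["adjacency"] = adj.group(1)
        if "Message digest authentication enabled" in block:
            entry["auth"] = "md5"
        if "No key configured" in block:
            entry["key_id"] = 0          # IOS falls back to key id 0
        else:
            young = re.search(r"Youngest key id is (\d+)", block)
            if young:
                entry["key_id"] = int(young.group(1))
        links.append(entry)
    return links


def audit_virtual_links(show_output: str) -> List[str]:
    """Return one finding per virtual link that is not protected by a real MD5 key."""
    findings = []
    for vl in parse_virtual_links(show_output):
        if vl["auth"] == "md5" and vl["key_id"] == 0:
            findings.append(
                f"{vl['name']} to {vl['peer']}: MD5 enabled but no key configured "
                f"(default key id 0); configure 'area <transit-area> virtual-link "
                f"{vl['peer']} message-digest-key <id> md5 <key>' on both ends"
            )
        elif vl["auth"] != "md5":
            findings.append(
                f"{vl['name']} to {vl['peer']}: no MD5 authentication on a "
                f"backbone (area 0) adjacency"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_virtual_links(SAMPLE_SHOW_OUTPUT):
        print(finding)
```

Run it against the output of `show ip ospf virtual-link` collected from each ABR; a virtual link that is `FULL` but reports key id 0 is exactly the "works, but no real requirement satisfied" case discussed below.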
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Calton, Doug
Sent: Thursday, March 18, 2004 4:11 AM
To: Danny.Andaluz@triaton-na.com; kwchen@netvigator.com;
ccielab@groupstudy.com; KWygand@customonline.com
Subject: RE: What I understand about Virtual-link Authentication and
Authentication in General
I'd vote for the first. I think that the second config is still using
authentication for the virtual link, but defaulting to key 0, which
usually satisfies no real requirements.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Danny.Andaluz@triaton-na.com
Sent: Wednesday, March 17, 2004 10:22 PM
To: kwchen@netvigator.com; ccielab@groupstudy.com;
KWygand@customonline.com
Subject: RE: What I understand about Virtual-link Authentication and
Authentication in General
Thanks for your responses, William and Kenneth. Which would you say is
a valid config?
R1
router ospf 1
router-id 172.16.106.1
area 0 authentication message-digest
area 26 virtual-link 172.16.102.1 message-digest-key 1 md5 nmc
R2
router ospf 1
router-id 172.16.102.1
area 0 authentication message-digest
area 26 virtual-link 172.16.106.1 message-digest-key 1 md5 nmc
Or:
R1
router ospf 1
router-id 172.16.106.1
area 0 authentication message-digest
area 26 virtual-link 172.16.102.1
R2
router ospf 1
router-id 172.16.102.1
area 0 authentication message-digest
area 26 virtual-link 172.16.106.1
In both cases, R2 has the following on its Serial facing R3:
interface Serial0
ip ospf message-digest-key 1 md5 nmc
I've seen it work both ways. But which one is correct? I suppose it
depends on the requirement, but I'm not sure. I'm still a bit confused
about this.
Thanks,
Danny
-----Original Message-----
From: William Chen [mailto:kwchen@netvigator.com]
Sent: Wednesday, March 17, 2004 7:40 PM
To: Andaluz, Danilo, Triaton/NA; ccielab@groupstudy.com
Subject: Re: What I understand about Virtual-link Authentication and
Authentication in General
Dear Danny,
If I don't misunderstand your question, I think of OSPF authentication
in this way: area authentication is like a global configuration, and if
it is enabled, then all the interfaces of that area inherit the
authentication type. You need to use "ip ospf authentication null" to
override the area authentication on an interface. Moreover, the commands
"ip ospf authentication-key" and "ip ospf message-digest-key" only
define the key to use, but do not set the authentication type.
Therefore, in the case of the link connected to R3 and R4, if you
have the area authentication on R3 but don't want the link to have any
authentication, then you have to use "ip ospf authentication null" on
the interface at R3. For the virtual link to work, you need either "area
0 authentication" on R1 (remember the virtual link is an interface in area
0), or explicitly set the virtual link's authentication type by using
the command "area area-id virtual-link router-id
authentication [message-digest|null]".
HTH
Best Regards,
William Chen
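An added example, not from this thread or from Cisco: the RFC 2328 Appendix D cryptographic authentication that the routers above are performing, modelled in Python so the behaviour William describes is visible on the wire. The area (or virtual-link) authentication type selects AuType 2 in the OSPF header; the key id carried in the same header selects which configured key the receiver uses to recompute the MD5 trailer, so both ends must hold the same key under the same id, and a key id the receiver does not have fails outright. The Hello body, router id and area id are constructed placeholders; modelling "No key configured, using default key id 0" as key id 0 with an all-zero 16-byte key is my assumption, as is zero-padding or truncating the configured key string to the 16 octets RFC 2328 specifies.

```python
import hashlib
import hmac
import struct

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTYPE_CRYPTO = 2   # RFC 2328 Appendix D "Cryptographic authentication" (MD5)
DIGEST_LEN = 16
HEADER_LEN = 24

# Constructed placeholders for the demo (not values from the thread's routers).
RID_R3 = bytes([30, 1, 1, 1])
AREA_0 = bytes(4)
HELLO_BODY = bytes(20)   # stand-in for a real Hello body; contents are irrelevant here


def pad_key(key: bytes) -> bytes:
    """RFC 2328 D.3 uses a 16-octet MD5 key; zero-pad short keys, truncate long
    ones (assumption about how a configured key string is mapped)."""
    return key[:DIGEST_LEN].ljust(DIGEST_LEN, b"\x00")


def build_packet(ptype: int, router_id: bytes, area_id: bytes,
                 key_id: int, seq: int, body: bytes) -> bytes:
    """OSPFv2 header + body with AuType 2. Packet length excludes the trailer;
    the checksum is zero because it is not computed for AuType 2."""
    length = HEADER_LEN + len(body)
    auth_field = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    header = (struct.pack("!BBH", OSPF_VERSION, ptype, length)
              + router_id + area_id
              + struct.pack("!HH", 0, AUTYPE_CRYPTO)
              + auth_field)
    return header + body


def sign(packet: bytes, key: bytes) -> bytes:
    """Append MD5(packet || 16-octet key); this is the 'message digest' trailer."""
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def verify(signed: bytes, keys: dict) -> bool:
    """Receiver side: pick the key by the header's key id and recompute the digest.
    `keys` maps key id -> key bytes, i.e. what message-digest-key configures."""
    if len(signed) < HEADER_LEN + DIGEST_LEN:
        return False
    version, _ptype, length = struct.unpack("!BBH", signed[:4])
    autype = struct.unpack("!H", signed[14:16])[0]
    if version != OSPF_VERSION or autype != AUTYPE_CRYPTO:
        return False                      # authentication type mismatch
    _, key_id, auth_len, _seq = struct.unpack("!HBBI", signed[16:24])
    if auth_len != DIGEST_LEN or length + DIGEST_LEN != len(signed):
        return False
    key = keys.get(key_id)
    if key is None:
        return False                      # receiver has no key under this id
    expected = hashlib.md5(signed[:length] + pad_key(key)).digest()
    return hmac.compare_digest(expected, signed[length:])


def demo() -> dict:
    """Exercise the cases the thread argues about; returns a name -> bool map."""
    results = {}
    pkt = build_packet(OSPF_HELLO, RID_R3, AREA_0, key_id=1, seq=1, body=HELLO_BODY)
    signed = sign(pkt, b"ccie")
    results["same_key_same_id"] = verify(signed, {1: b"ccie"})
    results["different_key_same_id"] = verify(signed, {1: b"cisco"})
    results["key_id_not_configured"] = verify(signed, {2: b"ccie"})

    # "No key configured, using default key id 0" modelled as an all-zero key
    # (assumption): anyone on the transit area can produce a valid trailer.
    nokey = build_packet(OSPF_HELLO, RID_R3, AREA_0, key_id=0, seq=1, body=HELLO_BODY)
    forged_by_attacker = sign(nokey, b"")
    results["forged_with_default_key0"] = verify(forged_by_attacker, {0: b""})

    tampered = bytearray(signed)
    tampered[30] ^= 0x01                  # flip one bit inside the body
    results["tampered_body"] = verify(bytes(tampered), {1: b"ccie"})
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} {'ACCEPT' if ok else 'REJECT'}")
```

The `forged_with_default_key0` case is the point behind Doug's "defaulting to key 0, which usually satisfies no real requirements": the adjacency forms because both ends compute the same digest, but the secret that makes the digest worth anything is absent.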
----- Original Message -----
From: <Danny.Andaluz@triaton-na.com>
To: <ccielab@groupstudy.com>
Sent: Thursday, March 18, 2004 6:32 AM
Subject: What I understand about Virtual-link Authentication and
Authentication in General
> Here's how I think Virtual-link authentication works. I know this has been
> discussed at great length on this board, but I think I have it down now and
> want to double check.
>
>
>
> Area5-----R1----area20-------R2------Area0-------R3------Area0-----R4------area14
>
> Area 0 is being authenticated using MD5. On R2, R3 and R4 I have
> configured:
>
> Area 0 authentication message-digest
>
> Depending on the requirement, I can configure authentication on the
> link between R3 and R2 and not configure authentication between R3 and
> R4. As long as both sides have the same authentication configured (or
> not configured), it will work. Also, even though R4 does not have
> authentication configured on its only area 0 link, I still need to
> have "area 0 authentication message-digest" configured under router
> OSPF (I'd like to get an explanation for this. I think if you don't
> do it, you get mismatched authentication type errors, but why?).
>
> As far as the V-link goes, I only need to have "area 0 authentication
> message-digest" configured on R1. I see this V-link as I see the two links
> on R3 to R2 and R4. It can either have authentication configured or not; as
> long as both ends match. As far as the V-link goes, as long as both
> ends have the same config, it should work.
>
> I think this is it. If not, please be gentle....
>
> Thanks,
> Danny
>
This archive was generated by hypermail 2.1.4 : Thu Apr 01 2004 - 08:15:34 GMT-3