Re: OSPF MD5 - Rollover

From: Sean C (Upp_and_Upp@hotmail.com)
Date: Wed Apr 27 2005 - 10:27:22 GMT-3


George & Alaerte,

Thanks for taking the time to illustrate this issue. I want to make sure I
understand the solution and the reason. Is the solution:
-the router with only 1 key needs to have a neighbor statement
-the router with both keys does not need to have a neighbor statement

And the reasoning is due to the fact that while the routers will initially
form an OSPF authenticated adjacency if configured w/out the neighbor
statement, upon a reboot the routers will not form the same adjacency.

Please confirm and thanks again,
Sean
> ----- Original Message -----
> From: <gladston@br.ibm.com>
> To: "George Cassels (gcassels)" <gcassels@cisco.com>
> Cc: "Alsontra Daniels" <alsontra@gmail.com>; <ccielab@groupstudy.com>;
> "Pearson John" <jnhpearson@yahoo.co.jp>
> Sent: Wednesday, April 27, 2005 8:57 AM
> Subject: RE: OSPF MD5 - Rollover
>
>
>> Thanks for your effort on this subject George,
>>
>> It makes sense with the result I got.
>>
>> What scares me is not being sure whether the guy that is doing the CCIE Lab
>> knows that, because it seems it is not documented.
>> (eheh, after failing the test strange things tend to scare me)
>>
>>
>> Cordially,
>> ------------------------------------------------------------------
>> Gladston
>>
>>
>>
>>
>> "George Cassels (gcassels)" <gcassels@cisco.com>
>> 26/04/2005 20:13
>>
>> To: Alaerte Gladston Vidali/Brazil/IBM@IBMBR, "Alsontra Daniels"
>> <alsontra@gmail.com>, "Pearson John" <jnhpearson@yahoo.co.jp>
>> cc: <ccielab@groupstudy.com>
>> Subject: RE: OSPF MD5 - Rollover
>>
>> Alaerte,
>>
>> I had a theory about what the problem might be but wanted to test it
>> before I sent it out. In your debug I noticed that although your R4 was
>> sending the youngest key, you were never receiving a key from R1. So
>> what I did is the following: R1 had the two keys and the neighbor
>> statement and it failed just like your R4 did (see debug below). Then I
>> put the neighbor statement on R4 which would be like your R1 and it
>> worked fine. My theory is that with neighbor statements the router with
>> the neighbor statement did not receive the key from the neighbor which
>> would not allow it to figure out to use key 1 instead of key 2. By
>> putting the neighbor statement on the router with the older key number,
>> it allowed that router to send out its key, allowing the router with two
>> keys to use key 1 based on the capabilities of its neighbor instead of
>> the youngest key (key 2).
>>
>> Does that make sense?
>>
>> Debugs from the working and non-working configs are below. Also at the bottom is
>> the working config.
>>
>> George
>>
>>
>> Non-working with R1 having neighbor statements and with two keys
>>
>> R4 (only one key (key 1) and no neighbor)
>>
>> 00:16:29: OSPF: end of Wait on interface Serial2/0
>> 00:16:29: OSPF: DR/BDR election on Serial2/0
>> 00:16:29: OSPF: Elect BDR 172.16.1.4
>> 00:16:29: OSPF: Elect DR 172.16.1.4
>> 00:16:29: OSPF: Elect BDR 0.0.0.0
>> 00:16:29: OSPF: Elect DR 172.16.1.4
>> 00:16:29: DR: 172.16.1.4 (Id) BDR: none
>> 00:16:29: OSPF: Send with youngest Key 1
>> 00:16:29: OSPF: No full nbrs to build Net Lsa for interface Serial2/0
>> R4#
>> 00:16:50: OSPF: Rcv pkt from 172.16.1.1, Serial2/0 : Mismatch
>> Authentication Key - No message digest key 2 on interface
>> R4#
>> 00:16:59: OSPF: Send with youngest Key 1
>> R4#
>>
>> R1 with neighbor statement and two keys (never receives)
>>
>> 00:16:51: OSPF: Send with youngest Key 2
>> R1#
>> 00:17:21: OSPF: 0.0.0.0 address 172.16.1.4 on Serial1/0 is dead
>> 00:17:21: OSPF: 0.0.0.0 address 172.16.1.4 on Serial1/0 is dead, state
>> DOWN
>> 00:17:21: %OSPF-5-ADJCHG: Process 1, Nbr 0.0.0.0 on Serial1/0 from
>> ATTEMPT to DOWN, Neighbor Down: Dead timer expired
>> R1#
>> 00:17:21: OSPF: Neighbor change Event on interface Serial1/0
>> 00:17:21: OSPF: DR/BDR election on Serial1/0
>> 00:17:21: OSPF: Elect BDR 0.0.0.0
>> 00:17:21: OSPF: Elect DR 172.16.1.1
>> 00:17:21: DR: 172.16.1.1 (Id) BDR: none
>> 00:17:21: OSPF: Send with youngest Key 2
>> R1#
>> 00:17:51: OSPF: Send with youngest Key 2
>> R1#
>>
>> --------------------------------------------------------------------------------------------------------------
>>
>> working exchange with R4 having the neighbor statement
>>
>> R1 (has two keys but no neighbor statement)
>>
>> 00:18:33: OSPF: Neighbor change Event on interface Serial1/0
>> 00:18:33: OSPF: DR/BDR election on Serial1/0
>> 00:18:33: OSPF: Elect BDR 0.0.0.0
>> 00:18:33: OSPF: Elect DR 172.16.1.1
>> 00:18:33: DR: 172.16.1.1 (Id) BDR: none
>> 00:18:34: %SYS-5-CONFIG_I: Configured from console by console
>> R1#
>> 00:18:51: OSPF: Send with youngest Key 2
>> R1#
>> 00:19:21: OSPF: Send with key 1
>> 00:19:21: OSPF: Send with key 2
>> 00:19:21: OSPF: Rcv DBD from 172.16.1.4 on Serial1/0 seq 0x263E opt 0x52
>> flag 0x7 len 32 mtu 1500 state INIT
>> 00:19:21: OSPF: 2 Way Communication to 172.16.1.4 on Serial1/0, state
>> 2WAY
>> 00:19:21: OSPF: Neighbor change Event on interface Serial1/0
>> 00:19:21: OSPF: DR/BDR election on Serial1/0
>> 00:19:21: OSPF: Elect BDR 0.0.0.0
>> 00:19:21: OSPF: Elect DR 172.16.1.4
>> 00:19:21: OSPF: Elect BDR 172.16.1.1
>> 00:19:21: OSPF: Elect DR 172.16.1.4
>> 00:19:21: DR: 172.16.1.4 (Id) BDR: 172.16.1.1 (Id)
>> 00:19:21: OSPF: Send DBD to 172.16.1.4 on Serial1/0 seq 0x19C0 opt 0x52
>> flag 0x7 len 32
>> 00:19:21: OSPF: Send with key 1
>> 00:19:21: OSPF: Send with key 2
>> 00:19:21: OSPF: Set Serial1/0 flush timer
>> 00:19:21: OSPF: Remember old DR 172.16.1.1 (id)
>> 00:19:21: OSPF: NBR Negotiation Done. We are the SLAVE
>> 00:19:21: OSPF: Send DBD to 172.16.1.4 on Serial1/0 seq 0x263E opt 0x52
>> flag 0x2 len 52
>> 00:19:21: OSPF: Send with key 1
>> 00:19:21: OSPF: Send with key 2
>> 00:19:21: OSPF: Rcv DBD from 172.16.1.4 on Serial1/0 seq 0x263F opt 0x52
>> flag 0x3 len 52 mtu 1500 state EXCHANGE
>> 00:19:21: OSPF: Send DBD to 172.16.1.4 on Serial1/0 seq 0x263F opt 0x52
>> flag 0x0 len 32
>> 00:19:21: OSPF: Send with key 1
>> 00:19:21: OSPF: Send with key 2
>> 00:19:21: OSPF: Send with key 1
>> 00:19:21: OSPF: Send with key 2
>> 00:19:21: OSPF: Database request to 172.16.1.4
>> 00:19:21: OSPF: sent LS REQ packet to 172.16.1.4, length 12
>> 00:19:21: OSPF: Send with key 1
>> 00:19:21: OSPF: Send with key 2
>> 00:19:21: OSPF: Rcv DBD from 172.16.1.4 on Serial1/0 seq 0x2640 opt 0x52
>> flag 0x1 len 32 mtu 1500 state EXCHANGE
>> 00:19:21: OSPF: Exchange Done with 172.16.1.4 on Serial1/0
>> 00:19:21: OSPF: Send DBD to 172.16.1.4 on Serial1/0 seq 0x2640 opt 0x52
>> flag 0x0 len 32
>> 00:19:21: OSPF: Send with key 1
>> 00:19:21: OSPF: Send with key 2
>> 00:19:21: OSPF: Synchronized with 172.16.1.4 on Serial1/0, state FULL
>> 00:19:21: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.1.4 on Serial1/0 from
>> LOADING to FULL, Loading Done
>> R1#
>> 00:19:22: OSPF: Reset old DR on Serial1/0
>> 00:19:22: OSPF: Send with key 1
>> 00:19:22: OSPF: Send with key 2
>> 00:19:22: OSPF: Build router LSA for area 0, router ID 172.16.1.1, seq
>> 0x80000002
>> R1#
>> 00:19:24: OSPF: Send with key 1
>> 00:19:24: OSPF: Send with key 2
>> R1#
>> 00:19:26: OSPF: Send with key 1
>> 00:19:26: OSPF: Send with key 2
>> R1#
>> 00:19:29: OSPF: Send with key 1
>> 00:19:29: OSPF: Send with key 2
>> R1#
>> 00:19:31: OSPF: Send with key 1
>> 00:19:31: OSPF: Send with key 2
>> R1#sh ip
>> 00:19:51: OSPF: Send with key 1
>> 00:19:51: OSPF: Send with key 2
>> R1#sh ip ospf nei
>>
>> Neighbor ID     Pri   State       Dead Time   Address       Interface
>> 172.16.1.4        1   FULL/DR     00:01:37    172.16.1.4    Serial1/0
>> R1#no debug all
>> All possible debugging has been turned off
>>
>> R4 with Neighbor statement and only one key (key 1)
>>
>> 00:19:20: OSPF: 2 Way Communication to 172.16.1.1 on Serial2/0, state
>> 2WAY
>> 00:19:20: OSPF: Neighbor change Event on interface Serial2/0
>> 00:19:20: OSPF: DR/BDR election on Serial2/0
>> 00:19:20: OSPF: Elect BDR 0.0.0.0
>> 00:19:20: OSPF: Elect DR 172.16.1.4
>> 00:19:20: DR: 172.16.1.4 (Id) BDR: none
>> 00:19:20: OSPF: Send DBD to 172.16.1.1 on Serial2/0 seq 0x263E opt 0x52
>> flag 0x7 len 32
>> 00:19:20: OSPF: Send with key 1
>> 00:19:20: OSPF: Neighbor change Event on interface Serial2/0
>> 00:19:20: OSPF: DR/BDR election on Serial2/0
>> 00:19:20: OSPF: Elect BDR 0.0.0.0
>> 00:19:20: OSPF: Elect DR 172.16.1.4
>> 00:19:20: DR: 172.16.1.4 (Id) BDR: none
>> 00:19:20: OSPF: Rcv pkt from 172.16.1.1, Serial2/0 : Mismatch
>> Authentication Key - No message digest key 2 on interface
>> 00:19:20: OSPF: Rcv pkt from 172.16.1.1, Serial2/0 : Mismatch
>> Authentication Key - No message digest key 2 on interface
>> 00:19:20: OSPF: Rcv pkt from 172.16.1.1, Serial2/0 : Mismatch
>> Authentication Key - No message digest key 2 on interface
>> 00:19:20: OSPF: Rcv DBD from 172.16.1.1 on Serial2/0 seq 0x19C0 opt 0x52
>> flag 0x7 len 32 mtu 1500 state EXSTART
>> 00:19:20: OSPF: First DBD and we are not SLAVE
>> 00:19:20: OSPF: Rcv DBD from 172.16.1.1 on Serial2/0 seq 0x263E opt 0x52
>> flag 0x2 len 52 mtu 1500 state EXSTART
>> 00:19:20: OSPF: NBR Negotiation Done. We are the MASTER
>> 00:19:20: OSPF: Send DBD to 172.16.1.1 on Serial2/0 seq 0x263F opt 0x52
>> flag 0x3 len 52
>> 00:19:20: OSPF: Send with youngest Key 1
>> 00:19:20: OSPF: Send with youngest Key 1
>> 00:19:20: OSPF: Database request to 172.16.1.1
>> 00:19:20: OSPF: sent LS REQ packet to 172.16.1.1, length 12
>> 00:19:20: OSPF: Rcv pkt from 172.16.1.1, Serial2/0 : Mismatch
>> Authentication Key - No message digest key 2 on interface
>> 00:19:20: OSPF: Rcv DBD from 172.16.1.1 on Serial2/0 seq 0x263F opt 0x52
>> flag 0x0 len 32 mtu 1500 state EXCHANGE
>> 00:19:20: OSPF: Send DBD to 172.16.1.1 on Serial2/0 seq 0x2640 opt 0x52
>> flag 0x1 len 32
>> 00:19:20: OSPF: Send with youngest Key 1
>> 00:19:20: OSPF: Rcv pkt from 172.16.1.1, Serial2/0 : Mismatch
>> Authentication Key - No message digest key 2 on interface
>> 00:19:20: OSPF: Rcv pkt from 172.16.1.1, Serial2/0 : Mismatch
>> Authentication Key - No message digest key 2 on interface
>> 00:19:20: OSPF: Send with youngest Key 1
>> 00:19:20: OSPF: Rcv pkt from 172.16.1.1, Serial2/0 : Mismatch
>> Authentication Key - No message digest key 2 on interface
>> 00:19:20: OSPF: Rcv DBD from 172.16.1.1 on Serial2/0 seq 0x2640 opt 0x52
>> flag 0x0 len 32 mtu 1500 state EXCHANGE
>> 00:19:20: OSPF: Exchange Done with 172.16.1.1 on Serial2/0
>> 00:19:20: OSPF: Synchronized with 172.16.1.1 on Serial2/0, state FULL
>> 00:19:20: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.1.1 on Serial2/0 from
>> LOADING to FULL, Loading Done
>> R4#
>> 00:19:20: OSPF: Send with youngest Key 1
>> 00:19:20: OSPF: Build router LSA for area 0, router ID 172.16.1.4, seq
>> 0x80000002
>> 00:19:21: OSPF: Rcv pkt from 172.16.1.1, Serial2/0 : Mismatch
>> Authentication Key - No message digest key 2 on interface
>> 00:19:21: OSPF: Build network LSA for Serial2/0, router ID 172.16.1.4
>> 00:19:21: OSPF: Send with youngest Key 1
>> 00:19:21: OSPF: Build network LSA for Serial2/0, router ID 172.16.1.4
>> R4#
>> 00:19:23: OSPF: Rcv pkt from 172.16.1.1, Serial2/0 : Mismatch
>> Authentication Key - No message digest key 2 on interface
>> R4#
>> 00:19:25: OSPF: Rcv pkt from 172.16.1.1, Serial2/0 : Mismatch
>> Authentication Key - No message digest key 2 on interface
>> 00:19:25: OSPF: Send with youngest Key 1
>> R4#
>> 00:19:28: OSPF: Rcv pkt from 172.16.1.1, Serial2/0 : Mismatch
>> Authentication Key - No message digest key 2 on interface
>> 00:19:29: OSPF: Send with youngest Key 1
>> R4#
>> 00:19:30: OSPF: Rcv pkt from 172.16.1.1, Serial2/0 : Mismatch
>> Authentication Key - No message digest key 2 on interface
>> 00:19:30: OSPF: Send with youngest Key 1
>> R4#
>> 00:19:50: OSPF: Neighbor change Event on interface Serial2/0
>> 00:19:50: OSPF: DR/BDR election on Serial2/0
>> 00:19:50: OSPF: Elect BDR 172.16.1.1
>> 00:19:50: OSPF: Elect DR 172.16.1.4
>> 00:19:50: DR: 172.16.1.4 (Id) BDR: 172.16.1.1 (Id)
>> 00:19:50: OSPF: Neighbor change Event on interface Serial2/0
>> 00:19:50: OSPF: DR/BDR election on Serial2/0
>> 00:19:50: OSPF: Elect BDR 172.16.1.1
>> 00:19:50: OSPF: Elect DR 172.16.1.4
>> 00:19:50: DR: 172.16.1.4 (Id) BDR: 172.16.1.1 (Id)
>> 00:19:50: OSPF: Rcv pkt from 172.16.1.1, Serial2/0 : Mismatch
>> Authentication Key - No message digest key 2 on interface
>> R4#
>> 00:19:59: OSPF: Send with youngest Key 1
>> R4#
>> R4#
>> R4#sh ip sopf nei
>> ^
>> % Invalid input detected at '^' marker.
>>
>> R4#sh ip ospf nei
>>
>> Neighbor ID     Pri   State       Dead Time   Address       Interface
>> 172.16.1.1        1   FULL/BDR    00:01:42    172.16.1.1    Serial2/0
>> R4#u all
>> All possible debugging has been turned off
>> R4#
>>
>> R1 working config
>>
>> interface Serial1/0
>> ip address 172.16.1.1 255.255.255.0
>> encapsulation frame-relay
>> ip ospf message-digest-key 1 md5 cisco
>> ip ospf message-digest-key 2 md5 ccie
>> no arp frame-relay
>> frame-relay map ip 172.16.1.4 104 broadcast
>> frame-relay map ip 172.16.1.1 104
>> no frame-relay inverse-arp
>> !
>> router ospf 1
>> log-adjacency-changes
>> area 0 authentication message-digest
>> network 172.16.1.0 0.0.0.255 area 0
>>
>> R4 working config
>>
>> interface Serial2/0
>> ip address 172.16.1.4 255.255.255.0
>> encapsulation frame-relay
>> ip ospf message-digest-key 1 md5 cisco
>> no arp frame-relay
>> frame-relay map ip 172.16.1.4 401
>> frame-relay map ip 172.16.1.1 401 broadcast
>> no frame-relay inverse-arp
>> !
>> router ospf 1
>> log-adjacency-changes
>> area 0 authentication message-digest
>> network 172.16.1.0 0.0.0.255 area 0
>> neighbor 172.16.1.1 priority 1
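The debug above shows the RFC 2328 Appendix D rollover mechanics at work: the router with two
message-digest keys sends one copy of every packet per key ("Send with key 1" / "Send with key 2"),
and the router that only has key 1 accepts the key-1 copy while logging "No message digest key 2 on
interface" for the other. The Python model below is an added example, not code from this thread or
from Cisco; it builds and verifies OSPFv2 packets with cryptographic authentication (Key ID, Auth Data
Len and sequence number in the header's authentication field, MD5 over packet plus key appended as a
trailer) and walks a key-1-to-key-2 rollover with the keys "cisco" and "ccie" from the configs above.
The router ID, area and hello body are constructed values, and zero-padding short secrets to a 16-byte
key is an assumption about how IOS derives the key. It models the key handling only; the neighbor
statement behaviour George observed is not part of this model.

```python
"""OSPFv2 cryptographic (MD5) authentication and key rollover, modelled after RFC 2328 Appendix D.
Added example for this thread; not IOS code. Secret zero-padding to 16 bytes is an assumption."""
import hashlib
import hmac
import struct

AUTYPE_CRYPTO = 2               # AuType 2 = cryptographic authentication
DIGEST_LEN = 16                 # Auth Data Len for MD5
HDR_FMT = "!BBH4s4sHHHBBI"      # OSPFv2 header with the crypto-auth layout of the 8-byte auth field
HDR_LEN = struct.calcsize(HDR_FMT)   # 24 bytes

# Key tables from the working configs in the thread (key ID -> secret):
#   R1: message-digest-key 1 md5 cisco, message-digest-key 2 md5 ccie
#   R4: message-digest-key 1 md5 cisco
R1_KEYS = {1: b"cisco", 2: b"ccie"}
R4_KEYS = {1: b"cisco"}


def _key_bytes(secret: bytes) -> bytes:
    """RFC 2328 D.4.3 hashes the packet followed by a 16-byte key; assumption: short secrets are zero-padded."""
    if len(secret) > DIGEST_LEN:
        raise ValueError("message-digest-key secret longer than 16 bytes")
    return secret.ljust(DIGEST_LEN, b"\x00")


def build_packet(body: bytes, key_id: int, secret: bytes, seq: int,
                 router_id: bytes = b"\xac\x10\x01\x01", area: bytes = b"\x00\x00\x00\x00") -> bytes:
    """One authenticated OSPF packet: header + body, then the MD5 digest as a trailer (constructed router ID)."""
    length = HDR_LEN + len(body)                  # packet length excludes the digest trailer
    header = struct.pack(HDR_FMT, 2, 1, length, router_id, area,
                         0,                       # checksum is 0 under cryptographic authentication
                         AUTYPE_CRYPTO,
                         0, key_id, DIGEST_LEN, seq)   # auth field: reserved, Key ID, Auth Data Len, seq number
    packet = header + body
    digest = hashlib.md5(packet + _key_bytes(secret)).digest()
    return packet + digest


def send_copies(body: bytes, keys: dict, seq: int) -> list:
    """RFC 2328 D.3: during rollover a router emits one copy of each packet per configured key.
    With two keys this is the 'Send with key 1' / 'Send with key 2' pair in R1's debug."""
    return [(key_id, build_packet(body, key_id, secret, seq)) for key_id, secret in sorted(keys.items())]


def verify_packet(wire: bytes, keys: dict) -> tuple:
    """Receiver side: look up the Key ID in the interface's key table, then check the digest."""
    if len(wire) < HDR_LEN + DIGEST_LEN:
        return False, "packet too short"
    (_ver, _ptype, length, _rid, _area, _cksum, autype,
     _zero, key_id, auth_len, _seq) = struct.unpack(HDR_FMT, wire[:HDR_LEN])
    if autype != AUTYPE_CRYPTO:
        return False, "Mismatch Authentication type"
    if length < HDR_LEN or length + auth_len > len(wire):
        return False, "bad packet length"
    if key_id not in keys:
        # The line R4 logs for every key-2 copy while it only has key 1 configured
        return False, f"Mismatch Authentication Key - No message digest key {key_id} on interface"
    packet, digest = wire[:length], wire[length:length + auth_len]
    expected = hashlib.md5(packet + _key_bytes(keys[key_id])).digest()
    if not hmac.compare_digest(expected, digest):
        return False, f"Mismatch Authentication Key - bad digest for key {key_id}"
    return True, f"accepted with key {key_id}"


def receive_copies(copies: list, keys: dict) -> tuple:
    """Process every copy the sender emitted: the packet is received if any copy verifies;
    the rejected copies are the 'Mismatch' noise in the debug, not a failure."""
    accepted, log = False, []
    for _key_id, wire in copies:
        ok, msg = verify_packet(wire, keys)
        log.append(msg)
        accepted = accepted or ok
    return accepted, log


def hello_accepted(sender_keys: dict, receiver_keys: dict) -> bool:
    """Hellos get through in one direction iff at least one Key ID/secret pair is shared."""
    return receive_copies(send_copies(b"hello", sender_keys, 1), receiver_keys)[0]


def rollover(new_key_id: int = 2, new_secret: bytes = b"ccie") -> list:
    """Rollover from key 1 to key 2 without losing the adjacency: both routers start with key 1
    only, the new key is added on every router before the old key is removed anywhere."""
    r1, r4 = dict(R4_KEYS), dict(R4_KEYS)

    def both_ways() -> bool:
        return hello_accepted(r1, r4) and hello_accepted(r4, r1)

    steps = []
    r1[new_key_id] = new_secret          # 1. add key 2 on R1: R1 sends two copies, R4 still accepts key 1
    steps.append(("R1 keys 1+2, R4 key 1", both_ways()))
    r4[new_key_id] = new_secret          # 2. add key 2 on R4: every copy now verifies
    steps.append(("R1 keys 1+2, R4 keys 1+2", both_ways()))
    del r1[1], r4[1]                     # 3. retire key 1 on both sides
    steps.append(("R1 key 2, R4 key 2", both_ways()))
    return steps


if __name__ == "__main__":
    print(receive_copies(send_copies(b"hello", R1_KEYS, 7), R4_KEYS))
    print(rollover())
```

Running it shows R4 accepting R1's key-1 copy and rejecting the key-2 copy with the same message as the
debug, and all three rollover steps keeping both directions up. Removing key 1 from R1 before R4 has
key 2 (`hello_accepted({2: b"ccie"}, R4_KEYS)`) is the failure mode to watch for during a rollover: R4
then has no key to verify any copy with, and the adjacency drops.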



This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:55:09 GMT-3