From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Thu Nov 10 2005 - 00:44:42 GMT-3
OSPF doesn't support authentication key chains with send and receive
lifetimes.
Below is an example of how you configure two routers to support "key
rollover" with OSPF and actually perform the rollover:
To start off both routers (R1 and R2) are configured with MD5
authentication and using key 1 with the password of CISCO1.
Rack8R1#sho run int s0/0
Building configuration...
Current configuration : 314 bytes
!
interface Serial0/0
ip address 129.8.124.1 255.255.255.0
encapsulation frame-relay
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 CISCO1
ip ospf network broadcast
frame-relay map ip 129.8.124.2 102 broadcast
no frame-relay inverse-arp
end
Rack8R1#sho ip os ne
Neighbor ID     Pri   State           Dead Time   Address         Interface
150.8.2.2         1   FULL/DR         00:00:38    129.8.124.2     Serial0/0
Rack8R1#sho ip os int s0/0
Serial0/0 is up, line protocol is up
Internet Address 129.8.124.1/24, Area 0
Process ID 1, Router ID 150.8.1.1, Network Type BROADCAST, Cost: 64
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 150.8.2.2, Interface address 129.8.124.2
Backup Designated router (ID) 150.8.1.1, Interface address 129.8.124.1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:08
Index 4/4, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.8.2.2 (Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
Rack8R1#
Rack8R1#sho ip os n
Neighbor ID     Pri   State           Dead Time   Address         Interface
150.8.2.2         1   FULL/DR         00:00:38    129.8.124.2     Serial0/0
Rack8R1#
Rack8R2#sho run int s0/0
Building configuration...
Current configuration : 273 bytes
!
interface Serial0/0
ip address 129.8.124.2 255.255.255.0
encapsulation frame-relay
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 CISCO1
ip ospf network broadcast
frame-relay map ip 129.8.124.1 201 broadcast
no frame-relay inverse-arp
end
Rack8R2#sho ip os n
Neighbor ID     Pri   State           Dead Time   Address         Interface
150.8.1.1         1   FULL/BDR        00:00:31    129.8.124.1     Serial0/0
Rack8R2#
From the output above we see that the neighbor relationship is up and
everything is working. Now we'll add a second key (key 2 password
CISCO2) to both routers:
Rack8R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack8R1(config)#int s0/0
Rack8R1(config-if)# ip os message-digest-key 2 md CISCO2
Rack8R1(config-if)#^Z
Rack8R1#
Rack8R1#
Rack8R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack8R2(config)#int s0/0
Rack8R2(config-if)# ip os message-digest-key 2 md CISCO2
Rack8R2(config-if)#^Z
Rack8R2#
Rack8R2#
Rack8R2#sho ip os n
Neighbor ID     Pri   State           Dead Time   Address         Interface
150.8.1.1         1   FULL/BDR        00:00:34    129.8.124.1     Serial0/0
Rack8R2#sho ip os int s0/0
Serial0/0 is up, line protocol is up
Internet Address 129.8.124.2/24, Area 0
Process ID 1, Router ID 150.8.2.2, Network Type BROADCAST, Cost: 64
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 150.8.2.2, Interface address 129.8.124.2
Backup Designated router (ID) 150.8.1.1, Interface address 129.8.124.1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:04
Index 1/3, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.8.1.1 (Backup Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 2
Rollover in progress, 1 neighbor(s) using the old key(s):
key id 1
Rack8R2#
We can see that the routers know that there is a key rollover in
progress since two keys are configured on the interfaces. Now we'll go
back and remove the original key 1.
Rack8R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack8R2(config)#int s0/0
Rack8R2(config-if)#no ip os message-digest-key 1 md CISCO1
Rack8R2(config-if)#^Z
Rack8R2#
Rack8R2#sho ip os int s0/0
Serial0/0 is up, line protocol is up
Internet Address 129.8.124.2/24, Area 0
Process ID 1, Router ID 150.8.2.2, Network Type BROADCAST, Cost: 64
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 150.8.2.2, Interface address 129.8.124.2
Backup Designated router (ID) 150.8.1.1, Interface address 129.8.124.1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:06
Index 1/3, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.8.1.1 (Backup Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 2
Rollover in progress, 1 neighbor(s) using the old key(s):
Rack8R2#
Rack8R2#sho ip os n
Neighbor ID     Pri   State           Dead Time   Address         Interface
150.8.1.1         1   FULL/BDR        00:00:37    129.8.124.1     Serial0/0
Rack8R2#
Rack8R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack8R1(config)#int s0/0
Rack8R1(config-if)#no ip os message-digest-key 1 md CISCO1
Rack8R1(config-if)#^Z
Rack8R1#sho ip os int s0/0
Serial0/0 is up, line protocol is up
Internet Address 129.8.124.1/24, Area 0
Process ID 1, Router ID 150.8.1.1, Network Type BROADCAST, Cost: 64
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 150.8.2.2, Interface address 129.8.124.2
Backup Designated router (ID) 150.8.1.1, Interface address 129.8.124.1
Flush timer for old DR LSA due in 00:01:46
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:06
Index 4/4, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.8.2.2 (Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 2
Rack8R1#
Rack8R1#sho ip os n
Neighbor ID     Pri   State           Dead Time   Address         Interface
150.8.2.2         1   FULL/DR         00:00:36    129.8.124.2     Serial0/0
Rack8R1#
Finally both routers are using key 2 and the OSPF neighbor relationship
was never lost.
HTH,
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
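As an added example (not part of Brian's post or of IOS), here is a small Python check that reads the tail of the `show ip ospf interface` output quoted above and decides whether an old message-digest key can be removed from an interface without a neighbor losing authentication. The sample outputs are constructed to match the thread's format, and the "safe to remove" rule is a conservative one I chose, not something IOS itself reports.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class OspfIfAuth:
    interface: str
    md5_enabled: bool
    youngest_key: Optional[int]       # key id IOS uses to send ("Youngest key id is N")
    rollover: bool                    # "Rollover in progress" line present
    old_keys_in_use: List[int] = field(default_factory=list)

def parse_ospf_interface(text: str) -> OspfIfAuth:
    """Extract the authentication state from 'show ip ospf interface' output."""
    iface = re.search(r"^(\S+) is up", text, re.M)
    youngest = re.search(r"Youngest key id is (\d+)", text)
    rollover = re.search(r"Rollover in progress, (\d+) neighbor", text)
    # Key ids IOS lists under the rollover line, one "key id N" per line
    old_keys = [int(k) for k in re.findall(r"^\s*key id (\d+)\s*$", text, re.M)]
    return OspfIfAuth(
        interface=iface.group(1) if iface else "?",
        md5_enabled="Message digest authentication enabled" in text,
        youngest_key=int(youngest.group(1)) if youngest else None,
        rollover=bool(rollover and int(rollover.group(1)) > 0),
        old_keys_in_use=old_keys,
    )

def safe_to_remove(state: OspfIfAuth, key_id: int) -> Tuple[bool, str]:
    """Decide whether 'no ip ospf message-digest-key <key_id>' can be issued
    here without a neighbor falling back to a key this router no longer has."""
    if not state.md5_enabled:
        return False, "message-digest authentication is not enabled here"
    if key_id == state.youngest_key:
        return False, f"key {key_id} is the youngest key; it is the one to keep"
    # An empty list after the rollover line (as in the thread) is treated as unknown
    if state.rollover and (not state.old_keys_in_use or key_id in state.old_keys_in_use):
        return False, f"rollover in progress; a neighbor may still use key {key_id}"
    return True, f"no neighbor is using key {key_id}; it can be removed"

# Constructed samples modelled on the R2 (mid-rollover) and R1 (finished) output
SAMPLE_MID_ROLLOVER = """\
Serial0/0 is up, line protocol is up
  Message digest authentication enabled
    Youngest key id is 2
    Rollover in progress, 1 neighbor(s) using the old key(s):
      key id 1
"""
SAMPLE_DONE = """\
Serial0/0 is up, line protocol is up
  Message digest authentication enabled
    Youngest key id is 2
"""
```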
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
John Matus
Sent: Wednesday, November 09, 2005 5:34 PM
To: andervb@yahoo.dk
Cc: ccielab@groupstudy.com; nobody@groupstudy.com
Subject: Re: OSPF AUTH.
you can enable authentication for area 0, but if you want to change the
password without losing "any" connectivity, you can create 2
authentication keys with overlapping send-receive lifetimes and then it
will be seamless for however long you configured the overlap.
HTH
Regards,
John D. Matus
Technical Support / PAS
Fujitsu Consulting
626-568-7716
John.Matus@tokiom.com
Sent by: nobody@groupstudy.com
11/09/2005 03:47 PM
To: ccielab@groupstudy.com
cc:
Subject: OSPF AUTH.
Please respond to
Is there a way to configure OSPF authentication on area 0, but where you can
change the password without losing connectivity to the neighbor?
This archive was generated by hypermail 2.1.4 : Thu Dec 01 2005 - 09:12:06 GMT-3