From: Schulz, Dave (DSchulz@dpsciences.com)
Date: Sun Nov 27 2005 - 18:40:42 GMT-3
I have noticed, and it is in the doc CDs, that the authentication type works
differently between clear text and MD5. If you are switching keys, only
MD5 does it without disturbing the adjacency. Brian pointed this out in
an earlier email on converting/changing keys.
Dave
-----Original Message-----
From: nobody@groupstudy.com
To: Grabler, Ross (IT); Brian Dennis; andervb@yahoo.dk; ccielab@groupstudy.com
Sent: 11/27/2005 12:02 PM
Subject: RE: OSPF doubt
My observation is this:
The router where two keys are configured continues to send both keys. The other
router gives an auth mismatch for the key that is not configured on it.
The adjacency is still not broken, as both routers have one key in
common.
Please see some debugs here:
R2 --- R5
~~~~~~
R2#
7w0d: OSPF: Send with key 1
7w0d: OSPF: Send with key 2
R2#sh ip os int s0.56
Serial0.56 is up, line protocol is up
Internet Address 10.1.1.2/24, Area 0
Process ID 100, Router ID 100.1.1.1, Network Type NON_BROADCAST, Cost: 64
Transmit Delay is 1 sec, State DR, Priority 255
Designated Router (ID) 100.1.1.1, Interface address 10.1.1.2
No backup designated router on this network
Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
Hello due in 00:00:15
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 4
Last flood scan time is 0 msec, maximum is 12 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.5.5.5
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 2
Rollover in progress, 1 neighbor(s) using the old key(s):
key id 1
R2#
R5#
11w0d: OSPF: Send with youngest Key 1
11w0d: OSPF: Rcv hello from 100.1.1.1 area 0 from Serial0 10.1.1.2
11w0d: OSPF: End of hello processing
11w0d: OSPF: Rcv pkt from 10.1.1.2, Serial0 : Mismatch Authentication Key - No message digest key 2 on interface
R5#
R5#sh ip os ne
Neighbor ID     Pri   State           Dead Time   Address         Interface
100.1.1.1       255   FULL/DR         00:01:34    10.1.1.2        Serial0
R5#
~~~~~~
Thanks & Regards,
Ashok M A
HCL Technologies
CODC-3
Chennai, India
Ph : +91-44-2372 8366 Ext : 3028
Fax : +91-44-2484 8073.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Grabler, Ross (IT)
Sent: Sunday, November 27, 2005 10:03 AM
To: Brian Dennis; andervb@yahoo.dk; ccielab@groupstudy.com
Subject: RE: OSPF doubt
Brian,
What happens if you configure a second key on only one of the routers,
let's say to support a future key change? Is this going to break the
adjacencies? If not, what happens when you reboot the router? To my
understanding the youngest keys will be exchanged.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Brian Dennis
Sent: Saturday, November 26, 2005 6:32 PM
To: andervb@yahoo.dk; ccielab@groupstudy.com
Subject: RE: OSPF doubt
Here is an e-mail I sent a couple of weeks ago about this topic:
Below is an example of how you can configure two routers to support "key
rollover" with OSPF and actually perform the rollover:
To start off both routers (R1 and R2) are configured with MD5
authentication and using key 1 with the password of CISCO1.
Rack8R1#sho run int s0/0
Building configuration...
Current configuration : 314 bytes
!
interface Serial0/0
 ip address 129.8.124.1 255.255.255.0
 encapsulation frame-relay
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 CISCO1
 ip ospf network broadcast
 frame-relay map ip 129.8.124.2 102 broadcast
 no frame-relay inverse-arp
end
Rack8R1#sho ip os ne
Neighbor ID     Pri   State           Dead Time   Address         Interface
150.8.2.2         1   FULL/DR         00:00:38    129.8.124.2     Serial0/0
Rack8R1#sho ip os int s0/0
Serial0/0 is up, line protocol is up
Internet Address 129.8.124.1/24, Area 0
Process ID 1, Router ID 150.8.1.1, Network Type BROADCAST, Cost: 64
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 150.8.2.2, Interface address 129.8.124.2
Backup Designated router (ID) 150.8.1.1, Interface address 129.8.124.1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:08
Index 4/4, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.8.2.2 (Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
Rack8R1#
Rack8R1#sho ip os n
Neighbor ID     Pri   State           Dead Time   Address         Interface
150.8.2.2         1   FULL/DR         00:00:38    129.8.124.2     Serial0/0
Rack8R1#
Rack8R2#sho run int s0/0
Building configuration...
Current configuration : 273 bytes
!
interface Serial0/0
 ip address 129.8.124.2 255.255.255.0
 encapsulation frame-relay
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 CISCO1
 ip ospf network broadcast
 frame-relay map ip 129.8.124.1 201 broadcast
 no frame-relay inverse-arp
end
Rack8R2#sho ip os n
Neighbor ID     Pri   State           Dead Time   Address         Interface
150.8.1.1         1   FULL/BDR        00:00:31    129.8.124.1     Serial0/0
Rack8R2#
From the output above we see that the neighbor relationship is up and
everything is working. Now we'll add a second key (key 2 password
CISCO2) to both routers:
Rack8R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack8R1(config)#int s0/0
Rack8R1(config-if)# ip os message-digest-key 2 md CISCO2
Rack8R1(config-if)#^Z
Rack8R1#
Rack8R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack8R2(config)#int s0/0
Rack8R2(config-if)# ip os message-digest-key 2 md CISCO2
Rack8R2(config-if)#^Z
Rack8R2#
Rack8R2#sho ip os n
Neighbor ID     Pri   State           Dead Time   Address         Interface
150.8.1.1         1   FULL/BDR        00:00:34    129.8.124.1     Serial0/0
Rack8R2#sho ip os int s0/0
Serial0/0 is up, line protocol is up
Internet Address 129.8.124.2/24, Area 0
Process ID 1, Router ID 150.8.2.2, Network Type BROADCAST, Cost: 64
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 150.8.2.2, Interface address 129.8.124.2
Backup Designated router (ID) 150.8.1.1, Interface address 129.8.124.1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:04
Index 1/3, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.8.1.1 (Backup Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 2
Rollover in progress, 1 neighbor(s) using the old key(s):
key id 1
Rack8R2#
We can see that the routers know that there is a key rollover in
progress since two keys are configured on the interfaces. Now we'll go
back and remove the original key 1.
Rack8R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack8R2(config)#int s0/0
Rack8R2(config-if)#no ip os message-digest-key 1 md CISCO1
Rack8R2(config-if)#^Z
Rack8R2#
Rack8R2#sho ip os int s0/0
Serial0/0 is up, line protocol is up
Internet Address 129.8.124.2/24, Area 0
Process ID 1, Router ID 150.8.2.2, Network Type BROADCAST, Cost: 64
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 150.8.2.2, Interface address 129.8.124.2
Backup Designated router (ID) 150.8.1.1, Interface address 129.8.124.1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:06
Index 1/3, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.8.1.1 (Backup Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 2
Rollover in progress, 1 neighbor(s) using the old key(s):
Rack8R2#
Rack8R2#sho ip os n
Neighbor ID     Pri   State           Dead Time   Address         Interface
150.8.1.1         1   FULL/BDR        00:00:37    129.8.124.1     Serial0/0
Rack8R2#
Rack8R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack8R1(config)#int s0/0
Rack8R1(config-if)#no ip os message-digest-key 1 md CISCO1
Rack8R1(config-if)#^Z
Rack8R1#sho ip os int s0/0
Serial0/0 is up, line protocol is up
Internet Address 129.8.124.1/24, Area 0
Process ID 1, Router ID 150.8.1.1, Network Type BROADCAST, Cost: 64
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 150.8.2.2, Interface address 129.8.124.2
Backup Designated router (ID) 150.8.1.1, Interface address 129.8.124.1
Flush timer for old DR LSA due in 00:01:46
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:06
Index 4/4, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.8.2.2 (Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 2
Rack8R1#
Rack8R1#sho ip os n
Neighbor ID     Pri   State           Dead Time   Address         Interface
150.8.2.2         1   FULL/DR         00:00:36    129.8.124.2     Serial0/0
Rack8R1#
Finally both routers are using key 2 and the OSPF neighbor relationship
was never lost.
HTH,
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
andervb@yahoo.dk
Sent: Saturday, November 26, 2005 1:18 PM
To: ccielab@groupstudy.com
Subject: OSPF doubt
How can I change the OSPF auth without affecting adjacency?
Password transition?
This archive was generated by hypermail 2.1.4 : Thu Dec 01 2005 - 09:12:08 GMT-3