From: Schulz, Dave (DSchulz@dpsciences.com)
Date: Mon Nov 28 2005 - 13:22:02 GMT-3
No....only md5 will support rollover to new keys without causing a loss
of adjacency. Other than the security level, this is a major difference
between these two types.
Dave
-----Original Message-----
From: Nawaz, Ajaz [mailto:Ajaz.Nawaz@bskyb.com]
Sent: Monday, November 28, 2005 11:19 AM
To: 'Niche'; Schulz, Dave
Cc: Ashok Ananda -X (aananda - HCL at Cisco); nobody@groupstudy.com;
Grabler, Ross (IT); Brian Dennis; andervb@yahoo.dk;
ccielab@groupstudy.com
Subject: RE: OSPF doubt
So you can mix clear with md5 and still perform the rollover without any
loss... is that what you're stating?
Ajaz Nawaz
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Niche
Sent: 28 November 2005 01:12
To: Schulz, Dave
Cc: Ashok Ananda -X (aananda - HCL at Cisco); nobody@groupstudy.com;
Grabler, Ross (IT); Brian Dennis; andervb@yahoo.dk;
ccielab@groupstudy.com
Subject: Re: OSPF doubt
Only md5 can support multiple keys; of course you can use md5 with
clear-text at the same time if you have implemented clear-text.
Best Regards,
Jacky
On 11/28/05, Schulz, Dave <DSchulz@dpsciences.com> wrote:
> I have noticed, and in the doc CDs, that the authentication type works
> differently between clear text and md5. If you are switching keys, only
> the md5 does it without disturbing the adjacency. Brian pointed this out
> in an earlier email on the converting/changing of keys.
>
>
> Dave
>
> -----Original Message-----
> From: nobody@groupstudy.com
> To: Grabler, Ross (IT); Brian Dennis; andervb@yahoo.dk;
> ccielab@groupstudy.com
> Sent: 11/27/2005 12:02 PM
> Subject: RE: OSPF doubt
>
> My observation is this:
>
> The router where 2 keys are configured continues to send with both keys.
> The other router gives an auth mismatch for the key that is not
> configured. Adjacency is still not broken as both routers have one key in
> common.
>
> Please see some debugs here:
>
> R2 --- R5
>
> ~~~~~~
> R2#
> 7w0d: OSPF: Send with key 1
> 7w0d: OSPF: Send with key 2
>
> R2#sh ip os int s0.56
> Serial0.56 is up, line protocol is up
> Internet Address 10.1.1.2/24, Area 0
> Process ID 100, Router ID 100.1.1.1, Network Type NON_BROADCAST, Cost: 64
> Transmit Delay is 1 sec, State DR, Priority 255
> Designated Router (ID) 100.1.1.1, Interface address 10.1.1.2
> No backup designated router on this network
> Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
> Hello due in 00:00:15
> Index 1/1, flood queue length 0
> Next 0x0(0)/0x0(0)
> Last flood scan length is 1, maximum is 4
> Last flood scan time is 0 msec, maximum is 12 msec
> Neighbor Count is 1, Adjacent neighbor count is 1
> Adjacent with neighbor 150.5.5.5
> Suppress hello for 0 neighbor(s)
> Message digest authentication enabled
> Youngest key id is 2
> Rollover in progress, 1 neighbor(s) using the old key(s):
> key id 1
> R2#
>
> R5#
> 11w0d: OSPF: Send with youngest Key 1
> 11w0d: OSPF: Rcv hello from 100.1.1.1 area 0 from Serial0 10.1.1.2
> 11w0d: OSPF: End of hello processing
> 11w0d: OSPF: Rcv pkt from 10.1.1.2, Serial0 : Mismatch Authentication
> Key - No message digest key 2 on interface
> R5#
>
> R5#sh ip os ne
>
> Neighbor ID     Pri   State           Dead Time   Address         Interface
> 100.1.1.1       255   FULL/DR         00:01:34    10.1.1.2        Serial0
> R5#
> ~~~~~~
>
>
>
> Thanks & Regards,
>
> Ashok M A
> HCL Technologies
> CODC-3
> Chennai, India
>
> Ph : +91-44-2372 8366 Ext : 3028
> Fax : +91-44-2484 8073.
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of Grabler, Ross (IT)
> Sent: Sunday, November 27, 2005 10:03 AM
> To: Brian Dennis; andervb@yahoo.dk; ccielab@groupstudy.com
> Subject: RE: OSPF doubt
>
> Brian,
> What happens if you configure a second key on only one of the routers,
> let's say to support a future key change? Is this going to break the
> adjacencies? If not, what happens when you reboot the router? To my
> understanding the youngest keys will be exchanged.
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of Brian Dennis
> Sent: Saturday, November 26, 2005 6:32 PM
> To: andervb@yahoo.dk; ccielab@groupstudy.com
> Subject: RE: OSPF doubt
>
> Here is an e-mail I sent a couple of weeks ago about this topic:
>
> Below is an example of how you can configure two routers to support
> "key rollover" with OSPF and actually perform the rollover:
>
> To start off both routers (R1 and R2) are configured with MD5
> authentication and using key 1 with the password of CISCO1.
>
> Rack8R1#sho run int s0/0
> Building configuration...
>
> Current configuration : 314 bytes
> !
> interface Serial0/0
> ip address 129.8.124.1 255.255.255.0
> encapsulation frame-relay
>  ip ospf authentication message-digest
>  ip ospf message-digest-key 1 md5 CISCO1
>  ip ospf network broadcast
>  frame-relay map ip 129.8.124.2 102 broadcast
>  no frame-relay inverse-arp
> end
>
> Rack8R1#sho ip os ne
>
> Neighbor ID     Pri   State           Dead Time   Address         Interface
> 150.8.2.2       1     FULL/DR         00:00:38    129.8.124.2     Serial0/0
> Rack8R1#sho ip os int s0/0
> Serial0/0 is up, line protocol is up
> Internet Address 129.8.124.1/24, Area 0
> Process ID 1, Router ID 150.8.1.1, Network Type BROADCAST, Cost: 64
> Transmit Delay is 1 sec, State BDR, Priority 1
> Designated Router (ID) 150.8.2.2, Interface address 129.8.124.2
> Backup Designated router (ID) 150.8.1.1, Interface address 129.8.124.1
> Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
> oob-resync timeout 40
> Hello due in 00:00:08
> Index 4/4, flood queue length 0
> Next 0x0(0)/0x0(0)
> Last flood scan length is 1, maximum is 1
> Last flood scan time is 0 msec, maximum is 0 msec
> Neighbor Count is 1, Adjacent neighbor count is 1
> Adjacent with neighbor 150.8.2.2 (Designated Router)
> Suppress hello for 0 neighbor(s)
> Message digest authentication enabled
> Youngest key id is 1
> Rack8R1#
> Rack8R1#sho ip os n
>
> Neighbor ID     Pri   State           Dead Time   Address         Interface
> 150.8.2.2       1     FULL/DR         00:00:38    129.8.124.2     Serial0/0
> Rack8R1#
>
> Rack8R2#sho run int s0/0
> Building configuration...
>
> Current configuration : 273 bytes
> !
> interface Serial0/0
> ip address 129.8.124.2 255.255.255.0
> encapsulation frame-relay
>  ip ospf authentication message-digest
>  ip ospf message-digest-key 1 md5 CISCO1
>  ip ospf network broadcast
>  frame-relay map ip 129.8.124.1 201 broadcast
>  no frame-relay inverse-arp
> end
>
> Rack8R2#sho ip os n
>
> Neighbor ID     Pri   State           Dead Time   Address         Interface
> 150.8.1.1       1     FULL/BDR        00:00:31    129.8.124.1     Serial0/0
> Rack8R2#
>
>
> From the output above we see that the neighbor relationship is up and
> everything is working. Now we'll add a second key (key 2 password
> CISCO2) to both routers:
>
>
> Rack8R1#conf t
> Enter configuration commands, one per line. End with CNTL/Z.
> Rack8R1(config)#int s0/0
> Rack8R1(config-if)# ip os message-digest-key 2 md CISCO2
> Rack8R1(config-if)#^Z
> Rack8R1#
> Rack8R1#
>
> Rack8R2#conf t
> Enter configuration commands, one per line. End with CNTL/Z.
> Rack8R2(config)#int s0/0
> Rack8R2(config-if)# ip os message-digest-key 2 md CISCO2
> Rack8R2(config-if)#^Z
> Rack8R2#
> Rack8R2#
> Rack8R2#sho ip os n
>
> Neighbor ID     Pri   State           Dead Time   Address         Interface
> 150.8.1.1       1     FULL/BDR        00:00:34    129.8.124.1     Serial0/0
> Rack8R2#sho ip os int s0/0
> Serial0/0 is up, line protocol is up
> Internet Address 129.8.124.2/24, Area 0
> Process ID 1, Router ID 150.8.2.2, Network Type BROADCAST, Cost: 64
> Transmit Delay is 1 sec, State DR, Priority 1
> Designated Router (ID) 150.8.2.2, Interface address 129.8.124.2
> Backup Designated router (ID) 150.8.1.1, Interface address 129.8.124.1
> Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
> oob-resync timeout 40
> Hello due in 00:00:04
> Index 1/3, flood queue length 0
> Next 0x0(0)/0x0(0)
> Last flood scan length is 1, maximum is 1
> Last flood scan time is 0 msec, maximum is 0 msec
> Neighbor Count is 1, Adjacent neighbor count is 1
> Adjacent with neighbor 150.8.1.1 (Backup Designated Router)
> Suppress hello for 0 neighbor(s)
> Message digest authentication enabled
> Youngest key id is 2
> Rollover in progress, 1 neighbor(s) using the old key(s):
> key id 1
> Rack8R2#
>
>
> We can see that the routers know that there is a key rollover in
> progress since two keys are configured on the interfaces. Now we'll
> go back and remove the original key 1.
>
>
> Rack8R2#conf t
> Enter configuration commands, one per line. End with CNTL/Z.
> Rack8R2(config)#int s0/0
> Rack8R2(config-if)#no ip os message-digest-key 1 md CISCO1
> Rack8R2(config-if)#^Z
> Rack8R2#
> Rack8R2#sho ip os int s0/0
> Serial0/0 is up, line protocol is up
> Internet Address 129.8.124.2/24, Area 0
> Process ID 1, Router ID 150.8.2.2, Network Type BROADCAST, Cost: 64
> Transmit Delay is 1 sec, State DR, Priority 1
> Designated Router (ID) 150.8.2.2, Interface address 129.8.124.2
> Backup Designated router (ID) 150.8.1.1, Interface address 129.8.124.1
> Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
> oob-resync timeout 40
> Hello due in 00:00:06
> Index 1/3, flood queue length 0
> Next 0x0(0)/0x0(0)
> Last flood scan length is 1, maximum is 1
> Last flood scan time is 0 msec, maximum is 0 msec
> Neighbor Count is 1, Adjacent neighbor count is 1
> Adjacent with neighbor 150.8.1.1 (Backup Designated Router)
> Suppress hello for 0 neighbor(s)
> Message digest authentication enabled
> Youngest key id is 2
> Rollover in progress, 1 neighbor(s) using the old key(s):
> Rack8R2#
> Rack8R2#sho ip os n
>
> Neighbor ID     Pri   State           Dead Time   Address         Interface
> 150.8.1.1       1     FULL/BDR        00:00:37    129.8.124.1     Serial0/0
> Rack8R2#
>
> Rack8R1#conf t
> Enter configuration commands, one per line. End with CNTL/Z.
> Rack8R1(config)#int s0/0
> Rack8R1(config-if)#no ip os message-digest-key 1 md CISCO1
> Rack8R1(config-if)#^Z
> Rack8R1#sho ip os int s0/0
> Serial0/0 is up, line protocol is up
> Internet Address 129.8.124.1/24, Area 0
> Process ID 1, Router ID 150.8.1.1, Network Type BROADCAST, Cost: 64
> Transmit Delay is 1 sec, State BDR, Priority 1
> Designated Router (ID) 150.8.2.2, Interface address 129.8.124.2
> Backup Designated router (ID) 150.8.1.1, Interface address 129.8.124.1
> Flush timer for old DR LSA due in 00:01:46
> Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
> oob-resync timeout 40
> Hello due in 00:00:06
> Index 4/4, flood queue length 0
> Next 0x0(0)/0x0(0)
> Last flood scan length is 1, maximum is 1
> Last flood scan time is 0 msec, maximum is 0 msec
> Neighbor Count is 1, Adjacent neighbor count is 1
> Adjacent with neighbor 150.8.2.2 (Designated Router)
> Suppress hello for 0 neighbor(s)
> Message digest authentication enabled
> Youngest key id is 2
> Rack8R1#
> Rack8R1#sho ip os n
>
> Neighbor ID     Pri   State           Dead Time   Address         Interface
> 150.8.2.2       1     FULL/DR         00:00:36    129.8.124.2     Serial0/0
> Rack8R1#
>
>
> Finally both routers are using key 2 and the OSPF neighbor
> relationship was never lost.
>
>
> HTH,
>
> Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> bdennis@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 775-745-6404 (Outside the US and Canada)
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of andervb@yahoo.dk
> Sent: Saturday, November 26, 2005 1:18 PM
> To: ccielab@groupstudy.com
> Subject: OSPF doubt
>
> How can I change the OSPF auth without affecting the adjacency?
> Password transition?
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
> --------------------------------------------------------
>
> NOTICE: If received in error, please destroy and notify sender.
> Sender does not waive confidentiality or privilege, and use is prohibited.
>
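The behaviour the thread is describing, as an added example that is not code from the thread, from Cisco IOS or from any poster: a small Python model of OSPFv2 cryptographic authentication (RFC 2328, Appendix D) in which each router signs Hellos with MD5 over packet || key, selects the verification key by the Key ID carried in the packet, and, while a neighbor is still using an older key, sends one copy of each Hello per configured key. Assumptions, all mine and not from the posts: the key is zero-padded to 16 bytes before hashing; the Hello bodies, sequence numbers and debug strings are constructed here; the router IDs are 150.8.1.1 and 150.8.2.2 from Brian's lab; IOS's internal sending policy may differ from the RFC 2328 D.3 rule modelled. `rollover_scenario()` walks Brian's procedure and reproduces Ashok's observation (one router with two keys, the other with one: a mismatch is logged for the unknown Key ID but the adjacency stays up); `wrong_order_scenario()` shows the failure the thread warns against, removing the old key on one side before the other side has the new one.

```python
"""Model of OSPFv2 cryptographic authentication (RFC 2328, Appendix D) and the
MD5 key rollover discussed above.  Added example; not code from the thread,
from Cisco IOS or from any poster.  Assumptions (not from the thread): the key
is zero-padded to 16 bytes and MD5 is taken over packet || key; Hello bodies,
sequence numbers and the "one copy per key while a neighbor still uses an old
key" sending policy are modelled after RFC 2328 D.3, not taken from IOS."""
import hashlib
import hmac
import struct

AU_CRYPT = 2       # AuType 2 = cryptographic authentication
DIGEST_LEN = 16    # MD5 digest appended after the OSPF packet
HDR_LEN = 24       # OSPFv2 header incl. the 8-byte Authentication field

def sign(body: bytes, router_id: int, key_id: int, key: bytes, seq: int) -> bytes:
    """Hello (type 1) with AuType 2: checksum 0, Authentication field = Key ID,
    Auth Data Len, cryptographic seq; the length field excludes the digest."""
    hdr = struct.pack("!BBHIIHH", 2, 1, HDR_LEN + len(body), router_id, 0, 0, AU_CRYPT)
    pkt = hdr + struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq) + body
    return pkt + hashlib.md5(pkt + key.ljust(16, b"\x00")[:16]).digest()  # assumption: zero-pad

def verify(wire: bytes, keys: dict) -> tuple:
    """(ok, reason, src_router_id, key_id, seq); the key is chosen by the packet's Key ID."""
    length = struct.unpack("!H", wire[2:4])[0]
    pkt, digest = wire[:length], wire[length:length + DIGEST_LEN]
    src = struct.unpack("!I", pkt[4:8])[0]
    key_id, _auth_len, seq = struct.unpack("!BBI", pkt[18:24])
    if key_id not in keys:   # unknown Key ID: rejected before any digest is checked
        return False, f"Mismatch Authentication Key - No message digest key {key_id}", src, key_id, seq
    expected = hashlib.md5(pkt + keys[key_id].ljust(16, b"\x00")[:16]).digest()
    if not hmac.compare_digest(expected, digest):
        return False, "Mismatch Authentication Key - bad digest", src, key_id, seq
    return True, "ok", src, key_id, seq

class OspfInterface:
    """One router's interface: its keys, the key each neighbor has used, a debug log."""

    def __init__(self, router_id: int, keys: dict):
        self.router_id, self.keys = router_id, dict(keys)
        self.seq = 0        # cryptographic sequence number, never decreases
        self.nbr_key = {}   # neighbor router id -> youngest key id seen from it
        self.nbr_seq = {}   # neighbor router id -> last accepted seq (anti-replay)
        self.log = []

    def rollover_pending(self) -> list:
        """Neighbors still on an older key than our youngest (IOS: 'Rollover in progress')."""
        return [n for n, k in self.nbr_key.items() if k < max(self.keys)]

    def send_hello(self) -> list:
        """RFC 2328 D.3: while a neighbor still uses an old key, send one copy per key."""
        self.seq += 1
        ids = sorted(self.keys) if self.rollover_pending() else [max(self.keys)]
        self.log.extend(f"OSPF: Send with key {kid}" for kid in ids)
        return [sign(b"hello", self.router_id, kid, self.keys[kid], self.seq) for kid in ids]

    def receive(self, wire: bytes) -> bool:
        ok, reason, src, kid, seq = verify(wire, self.keys)
        if ok and seq < self.nbr_seq.get(src, 0):
            ok, reason = False, "replayed cryptographic sequence number"
        if not ok:
            self.log.append(f"OSPF: Rcv pkt from {src:#x}: {reason}")
            return False
        self.nbr_seq[src] = seq
        self.nbr_key[src] = max(kid, self.nbr_key.get(src, 0))
        return True

def exchange(a: OspfInterface, b: OspfInterface) -> tuple:
    """One hello interval: both send, then both receive. Returns (a heard b, b heard a);
    a side that hears nothing loses the adjacency once its dead timer expires."""
    from_a, from_b = a.send_hello(), b.send_hello()
    heard_a = [a.receive(p) for p in from_b]   # a list, not any(): every copy is processed
    heard_b = [b.receive(p) for p in from_a]
    return any(heard_a), any(heard_b)

R1_ID, R2_ID = 0x96080101, 0x96080202   # 150.8.1.1 and 150.8.2.2, as in Brian's lab

def rollover_scenario() -> tuple:
    """Brian's procedure: add key 2 on every router, then remove key 1 everywhere.
    Returns ([(step, (r1 heard, r2 heard), r2 pending, r1 pending), ...], r1, r2)."""
    r1, r2 = OspfInterface(R1_ID, {1: b"CISCO1"}), OspfInterface(R2_ID, {1: b"CISCO1"})
    steps = []
    def step(name):
        steps.append((name, exchange(r1, r2), r2.rollover_pending(), r1.rollover_pending()))
    step("both key 1")
    r2.keys[2] = b"CISCO2"; step("key 2 on R2 only")   # Ashok's case: two keys on one side only
    r1.keys[2] = b"CISCO2"; step("key 2 on both")
    del r1.keys[1], r2.keys[1]; step("key 1 removed")
    return steps, r1, r2

def wrong_order_scenario() -> tuple:
    """Old key removed on one side before the other has the new key: neither router
    can authenticate the other and the adjacency is lost."""
    r1, r2 = OspfInterface(R1_ID, {1: b"CISCO1"}), OspfInterface(R2_ID, {2: b"CISCO2"})
    return exchange(r1, r2), r1.log[-1], r2.log[-1]

if __name__ == "__main__":
    for name, heard, r2_pending, _ in rollover_scenario()[0]:
        print(f"{name:18} adjacency up: {all(heard)}  R2 rollover pending: {[hex(n) for n in r2_pending]}")
```

The practical check is the one already visible in the thread's output: do not remove the old key on any router until `show ip ospf interface` on every router has stopped reporting "Rollover in progress". Clear-text authentication has no Key ID field (RFC 2328's simple-password scheme puts the 64-bit password itself in the Authentication field), so there is no second key to overlap with, which is why only MD5 gives a lossless rollover.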
This archive was generated by hypermail 2.1.4 : Thu Dec 01 2005 - 09:12:08 GMT-3