From: Scott Morris (swm@emanon.com)
Date: Sat May 27 2006 - 22:54:39 ART
Yup.. Once you reboot, all bets are off! The rollover process is part of
the "in action" changes that OSPF can help with. Following a reboot, the
process assumes that there's nothing to change since it's all happening from
scratch and therefore is following the pattern of youngest key.
Cheers,
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
#153, CISSP, et al.
CCSI/JNCI
IPExpert CCIE Program Manager
IPExpert Sr. Technical Instructor
smorris@ipexpert.com
http://www.ipexpert.com
_____
From: Larry Chuon [mailto:lchuon@gmail.com]
Sent: Saturday, May 27, 2006 7:08 PM
To: swm@emanon.com
Cc: Cisco certification
Subject: Re: OSPF authentication using rollover keys
Hi Scott,
The problem occurred after a reload. OSPF adj failed for one of the spokes.
Prior to reloading the routers, everything worked just fine. The remedy to
this problem is to apply the keys in reverse order IF you don't rollover
all the keys before the reboot. Of course, once you've rebooted, show ip
ospf interface won't show rollover in process anymore.
This is what I noticed during my trials and errors. Thanks for getting back
to me though.
Larry
On 5/27/06, Scott Morris <swm@emanon.com> wrote:
Do you have any neighbor using the other key??? If you do, then they'll
all show up:
Emanon-R1(config)#do sh ip o n
Neighbor ID     Pri   State           Dead Time   Address         Interface
15.15.15.15       0   FULL/DROTHER    00:01:48    172.17.150.3    Serial0/0.1
200.103.1.1       0   FULL/DROTHER    00:01:39    172.17.150.2    Serial0/0.1
172.17.155.5      0   FULL/  -        00:00:33    172.17.155.5    Serial0/1
Emanon-R1(config)#do sh ip o i s0/0.1
Serial0/0.1 is up, line protocol is up
Internet Address 172.17.150.1/24, Area 0
Process ID 1, Router ID 24.24.24.24, Network Type NON_BROADCAST, Cost: 64
Transmit Delay is 1 sec, State DR, Priority 128
Designated Router (ID) 24.24.24.24, Interface address 172.17.150.1
No backup designated router on this network
Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
oob-resync timeout 120
Hello due in 00:00:16
Index 1/3, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 5, maximum is 6
Last flood scan time is 8 msec, maximum is 12 msec
Neighbor Count is 2, Adjacent neighbor count is 2
Adjacent with neighbor 15.15.15.15
Adjacent with neighbor 200.103.1.1
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 3
Rollover in progress, 1 neighbor(s) using the old key(s):
key id 1
key id 2
Emanon-R1(config)#do sh run int s0/0.1
Building configuration...
Current configuration : 505 bytes
!
interface Serial0/0.1 multipoint
ip address 172.17.150.1 255.255.255.0
ip router isis
ip pim sparse-dense-mode
service-policy input testing
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 IPExpert
ip ospf message-digest-key 2 md5 R2Key
ip ospf message-digest-key 3 md5 R3Key
ip ospf priority 128
isis priority 127
frame-relay class trfshape
frame-relay map ip 172.17.150.2 102 broadcast
frame-relay map ip 172.17.150.3 103 broadcast
no frame-relay inverse-arp
end
Emanon-R1(config)#
Note that my hub there actually has three keys configured on it, although
according to the show ip ospf interface command only two of them are used,
because I have two peers using separate/different keys.
HTH,
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
#153, CISSP, et al.
CCSI/JNCI
IPExpert CCIE Program Manager
IPExpert Sr. Technical Instructor
smorris@ipexpert.com
http://www.ipexpert.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Larry Chuon
Sent: Friday, May 26, 2006 11:19 AM
To: Cisco certification
Subject: OSPF authentication using rollover keys
Hi group,
I've three routers. Each is configured to do md5 authentication. I put in
key 1. Everything works fine. Then, I proceed to add a second key on R1
(hub) and R3.
R1:
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco
ip ospf message-digest-key 2 md5 cisco2
R3:
ip ospf authentication message-digest
ip ospf message-digest-key 2 md5 cisco2
Now, only R1 and R3 form adjacency.
R2 displays an error message:
*May 26 15:21:29.575: OSPF: Send with youngest Key 1 !
Serial0/0/0 : Mismatch Authentication Key - No message digest key 2 on
interface
It can't form adjacency with the hub.
Both R1 and R3 have the following info AFTER a reboot. I believe that all
three routers were working fine before the reboot.
sh ip os int s0/0/0 | in auth|key
Message digest authentication enabled
Youngest key id is 2
What is the proper way to do rollover?
TIA,
Larry
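The behaviour discussed above (a router sends with its youngest key, during a rollover it also sends copies with the older keys a neighbor is still using, and a reload throws that rollover state away) is easier to see in a small model. The following is an added example written for this archive page; it is not code from the thread and not Cisco IOS. The digest construction follows RFC 2328 Appendix D (MD5 over the packet plus the secret padded to 16 bytes); the interface class, the router names, the secrets "cisco"/"cisco2" and the way a reload is modelled are constructed assumptions that only reproduce the symptom Larry reported.

```python
import hashlib
import hmac
import struct

# Constructed model of OSPF cryptographic authentication and key rollover.
# Not Cisco IOS code; the reload/rollover bookkeeping is an assumption that
# mirrors what the thread describes.

AUTH_DATA_LEN = 16  # length of the MD5 digest appended to the packet


def md5_digest(key_id, seq, body, secret):
    """RFC 2328 D.4.3: MD5 over the packet, whose 8-byte authentication
    field carries (reserved, key id, auth data length, crypto sequence),
    followed by the secret padded/truncated to 16 bytes."""
    auth_field = struct.pack("!xxBBI", key_id, AUTH_DATA_LEN, seq)
    padded = secret.encode().ljust(AUTH_DATA_LEN, b"\0")[:AUTH_DATA_LEN]
    return hashlib.md5(auth_field + body + padded).digest()


class OspfInterface:
    """One router's OSPF interface. keys is kept in configuration order, so
    the last entry is the 'youngest' key; neighbor_key is the rollover state
    IOS summarises as 'Rollover in progress, N neighbor(s) using the old key(s)'."""

    def __init__(self, name, keys):
        self.name = name
        self.keys = list(keys)       # [(key_id, secret), ...] in config order
        self.seq = 0                 # cryptographic sequence number
        self.neighbor_key = {}       # neighbor name -> key id last heard with

    def add_key(self, key_id, secret):
        self.keys.append((key_id, secret))  # newest configured key is youngest

    def remove_key(self, key_id):
        self.keys = [k for k in self.keys if k[0] != key_id]

    def youngest(self):
        return self.keys[-1]

    def keys_to_send(self):
        """Always the youngest key; additionally every still-configured older
        key that some neighbor was last heard using (rollover copies)."""
        wanted = {self.youngest()[0]} | set(self.neighbor_key.values())
        return [k for k in self.keys if k[0] in wanted]

    def reload(self):
        # Assumption modelled from the thread: a reboot keeps the configured
        # keys but loses the rollover state, so only the youngest key is sent.
        self.seq = 0
        self.neighbor_key = {}

    def hellos(self):
        """One hello copy per key in keys_to_send()."""
        self.seq += 1
        body = f"HELLO from {self.name}".encode()
        return [{"src": self.name, "key_id": kid, "seq": self.seq, "body": body,
                 "digest": md5_digest(kid, self.seq, body, secret)}
                for kid, secret in self.keys_to_send()]

    def receive(self, pkt):
        """Accept a hello if its key id is configured and its digest verifies."""
        secrets = dict(self.keys)
        if pkt["key_id"] not in secrets:
            return (f"Mismatch Authentication Key - No message digest key "
                    f"{pkt['key_id']} on interface")
        expected = md5_digest(pkt["key_id"], pkt["seq"], pkt["body"], secrets[pkt["key_id"]])
        if not hmac.compare_digest(expected, pkt["digest"]):
            return "Mismatch Authentication Key - Bad digest"
        self.neighbor_key[pkt["src"]] = pkt["key_id"]
        return "OK"


def exchange(sender, receiver):
    """Deliver all of sender's hello copies to receiver.
    Returns (accepted_any, per-copy results)."""
    results = [receiver.receive(p) for p in sender.hellos()]
    return "OK" in results, results


def scenario_partial_rollover_then_reload():
    """Key 2 added on the hub and R3 only, then the hub reloads."""
    r1, r2, r3 = (OspfInterface(n, [(1, "cisco")]) for n in ("R1", "R2", "R3"))
    for nbr in (r2, r3):            # adjacencies come up on key 1
        exchange(nbr, r1)
        exchange(r1, nbr)
    r1.add_key(2, "cisco2")
    r3.add_key(2, "cisco2")
    exchange(r2, r1)                # hub learns R2 is still on key 1 ...
    exchange(r3, r1)                # ... and R3 has moved to key 2
    before = {n.name: exchange(r1, n)[0] for n in (r2, r3)}  # both still fine
    r1.reload()                     # rollover state gone: only key 2 is sent
    r2_ok, r2_msgs = exchange(r1, r2)
    return before, r2_ok, r2_msgs


def scenario_full_rollover_then_reload():
    """Add key 2 everywhere, wait until no neighbor uses the old key,
    only then delete key 1; a reload afterwards changes nothing."""
    r1 = OspfInterface("R1", [(1, "cisco")])
    spokes = [OspfInterface("R2", [(1, "cisco")]), OspfInterface("R3", [(1, "cisco")])]
    for s in spokes:
        exchange(s, r1)
        exchange(r1, s)
    r1.add_key(2, "cisco2")         # hub keeps sending key-1 copies meanwhile
    for s in spokes:
        exchange(r1, s)
        s.add_key(2, "cisco2")
        exchange(s, r1)             # hub now hears this spoke on key 2
    rollover_done = all(k == 2 for k in r1.neighbor_key.values())
    for dev in [r1] + spokes:       # safe to retire the old key now
        dev.remove_key(1)
    r1.reload()
    return (rollover_done,
            [exchange(r1, s)[0] for s in spokes],
            [exchange(s, r1)[0] for s in spokes])


if __name__ == "__main__":
    print(scenario_partial_rollover_then_reload())
    print(scenario_full_rollover_then_reload())
```

In the first scenario the hub keeps R2 up before the reload only because it is also sending a key-1 copy of every hello; after the reload that copy is gone and R2 answers with exactly the "No message digest key 2 on interface" message from the thread. In the second scenario the old key is deleted only once the hub no longer reports any neighbor on it, so the reload has nothing to lose.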
This archive was generated by hypermail 2.1.4 : Thu Jun 01 2006 - 06:33:22 ART