Re: OSPF authentication with key rollover

From: Jung-I Lin (easyman.lin@gmail.com)
Date: Mon Sep 18 2006 - 11:43:18 ART


I think you are right. From the DocCD, the description of the key rollover
process is as follows.

Usage Guidelines

Usually, one key per interface is used to generate authentication
information when sending packets and to authenticate incoming packets. The
same key identifier on the neighbor router must have the same *key* value.

The process of changing keys is as follows. Suppose the current
configuration is as follows:

interface ethernet 1

  ip ospf message-digest-key 100 md5 OLD

You change the configuration to the following:

interface ethernet 1

  ip ospf message-digest-key 101 md5 NEW

The system assumes its neighbors do not have the new key yet, so it begins
a rollover process. It sends multiple copies of the same packet, each
authenticated by different keys. In this example, the system sends out two
copies of the same packet: the first one authenticated by key 100 and the
second one authenticated by key 101.

Rollover allows neighboring routers to continue communication while the
network administrator is updating them with the new key. Rollover stops once
the local system finds that all its neighbors know the new key. The system
detects that a neighbor has the new key when it receives packets from the
neighbor authenticated by the new key.

After all neighbors have been updated with the new key, the old key should
be removed. In this example, you would enter the following:

interface ethernet 1

  no ip ospf message-digest-key 100

Then, only key 101 is used for authentication on Ethernet interface 1.

We recommend that you not keep more than one key per interface. Every time
you add a new key, you should remove the old key to prevent the local system
from continuing to communicate with a hostile system that knows the old key.
Removing the old key also reduces overhead during rollover.

HTH.
On 9/16/06, Michy Eika <cciemaster@shingor.net> wrote:
>
> Hi folks
>
> If R1 is in a transition period (the key is being superseded by new_pass from
> old_pass), is configuring OSPF auth with keys for rollover like below correct?
> In general, I think the router has two keys in a transition period, but I am
> concerned about whether this thought is correct or not. Finally, old_pass will
> be absolutely replaced in the future (including R2 as well).
>
> ---R3 Hub---
>
> interface Serial1/0 multipoint
> ip address 10.123.1.3 255.255.255.0
> ip ospf message-digest-key 1 md5 old_pass
> ip ospf message-digest-key 2 md5 new_pass
> frame-relay map ip 10.123.1.1 301 broadcast
> frame-relay map ip 10.123.1.2 302 broadcast
>
> ---R1 Spoke with new key---
>
> interface Serial0/0
> ip address 10.123.1.1 255.255.255.0
> encapsulation frame-relay
> ip ospf message-digest-key 1 md5 old_pass
> ip ospf message-digest-key 2 md5 new_pass
> ip ospf priority 0
> frame-relay map ip 10.123.1.2 103
> frame-relay map ip 10.123.1.3 103 broadcast
> no frame-relay inverse-arp
> end
>
> ---R2 Spoke with old key---
>
> interface Serial1/0
> ip address 10.123.1.2 255.255.255.0
> encapsulation frame-relay
> ip ospf message-digest-key 1 md5 old_pass
> ip ospf priority 0
> frame-relay map ip 10.123.1.1 203
> frame-relay map ip 10.123.1.3 203 broadcast
> no frame-relay inverse-arp
> end
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>

-- 
Thanks
Best Regards,

Jung-I Lin
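The rollover behaviour described in the DocCD text above, as an added example that is not part of the original message and not Cisco code: a small Python model of the OSPFv2 MD5 authentication digest (RFC 2328 Appendix D.3, MD5 over the packet followed by the key padded to 16 bytes) and of a router that sends one copy per configured key while any neighbor has not yet been heard with the newest key. The Router class, the AuthPacket layout, the exchange() helper and the hello bodies are constructed simplifications; the key IDs and key strings follow the R1/R2/R3 question in the thread. The last steps show why the old key should be removed: until it is, a packet authenticated with old_pass still verifies on the hub.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def ospf_md5_digest(body: bytes, key: bytes) -> bytes:
    """RFC 2328 D.3 construction: MD5 over the packet followed by the key
    padded (or truncated) to 16 bytes. This is the legacy scheme, not an HMAC."""
    return hashlib.md5(body + key[:16].ljust(16, b"\x00")).digest()


@dataclass
class AuthPacket:          # simplified: key ID, packet body, trailing digest
    key_id: int
    body: bytes
    digest: bytes


@dataclass
class Router:
    name: str
    keys: dict             # key_id -> key, like 'ip ospf message-digest-key N md5 KEY'
    neighbors: set         # neighbor names expected on this interface
    newest_seen: dict = field(default_factory=dict)  # neighbor -> highest key_id heard

    def newest_key_id(self) -> int:
        return max(self.keys)

    def in_rollover(self) -> bool:
        """Rollover runs until every neighbor has been heard using the newest key."""
        newest = self.newest_key_id()
        return any(self.newest_seen.get(n, -1) < newest for n in self.neighbors)

    def send_hello(self) -> list:
        body = f"HELLO from {self.name}".encode()
        ids = sorted(self.keys) if self.in_rollover() else [self.newest_key_id()]
        return [AuthPacket(k, body, ospf_md5_digest(body, self.keys[k])) for k in ids]

    def receive(self, sender: str, pkt: AuthPacket) -> bool:
        key = self.keys.get(pkt.key_id)
        if key is None:
            return False   # unknown key ID: dropped, as a router lacking the new key does
        if not hmac.compare_digest(pkt.digest, ospf_md5_digest(pkt.body, key)):
            return False
        self.newest_seen[sender] = max(self.newest_seen.get(sender, -1), pkt.key_id)
        return True

    def remove_key(self, key_id: int) -> None:   # 'no ip ospf message-digest-key N'
        del self.keys[key_id]


def exchange(a: Router, b: Router) -> dict:
    """Deliver all of a's hello copies to b; return {key_id: accepted}."""
    return {p.key_id: b.receive(a.name, p) for p in a.send_hello()}


def run_scenario() -> dict:
    OLD, NEW = b"old_pass", b"new_pass"
    r3 = Router("R3", {1: OLD, 2: NEW}, {"R1", "R2"})   # hub, both keys
    r1 = Router("R1", {1: OLD, 2: NEW}, {"R3"})         # spoke already updated
    r2 = Router("R2", {1: OLD}, {"R3"})                 # spoke still on the old key
    out = {}
    out["r3_copies_initially"] = len(r3.send_hello())   # one copy per key
    out["r2_accepts"] = exchange(r3, r2)                # key 2 copy is rejected by R2
    out["r1_accepts"] = exchange(r3, r1)                # R1 verifies both copies
    exchange(r1, r3)
    exchange(r2, r3)
    out["r3_rollover_while_r2_old"] = r3.in_rollover()  # R2 has only been heard with key 1
    r2.keys[2] = NEW                                    # administrator adds key 2 on R2
    exchange(r2, r3)
    out["r3_rollover_after_r2_new"] = r3.in_rollover()
    out["r3_copies_after"] = len(r3.send_hello())       # back to a single copy
    # Old key left in place: a packet under key 1 from any sender still verifies on R3.
    stale_body = b"HELLO from X"
    stale = AuthPacket(1, stale_body, ospf_md5_digest(stale_body, OLD))
    out["old_key_still_accepted"] = r3.receive("X", stale)
    r3.remove_key(1)
    out["old_key_after_removal"] = r3.receive("X", stale)
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The model keys the "neighbor knows the new key" decision on the key ID carried in the received packet, which is what the quoted text describes; it deliberately leaves out the cryptographic sequence number and the rest of the OSPF header so the rollover logic stays visible.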



This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:40 ART