From: Victor Cappuccio (cvictor@protokolgroup.com)
Date: Mon Sep 25 2006 - 21:55:45 ART
Hi Tony,
I do not think that on Cisco routers you can do time-based authentication in OSPF like EIGRP does with the use of key chains, AFAIK.
Sw1(config-if)#ip ospf message-digest-key 1 md5 ?
<0-7> Encryption type (0 for not yet encrypted, 7 for proprietary)
LINE The OSPF password (key) (maximum 16 characters)
Sw1(config-if)#ip ospf authentication-key ?
<0-7> Encryption type (0 for not yet encrypted, 7 for proprietary)
LINE The OSPF password (key) (maximum 8 characters)
AFAIR the key used by the router would be the YOUNGEST key, which for me means that it would use the key number with the lower value.
Sw1(config-if)#do show run int vlan 1
Building configuration...
Current configuration : 140 bytes
!
interface Vlan1
ip address 14.14.78.7 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 21 md5 CISCO
end
Sw1(config-if)#do show ip ospf inter | b Message
Message digest authentication enabled
Youngest key id is 21
Sw1(config-if)#ip ospf message-digest-key 2 md5 CISCO2
Sw1(config-if)#do show ip ospf inter | b Message
Message digest authentication enabled
Youngest key id is 2
Rollover in progress, 1 neighbor(s) using the old key(s):
key id 21
Sw1(config-if)#do show ip ospf inter | b Message
Message digest authentication enabled
Youngest key id is 2
Rollover in progress, 1 neighbor(s) using the old key(s):
key id 21
Sw1(config-if)#do clear ip ospf pro
Reset ALL OSPF processes? [no]: y
Sw1(config-if)#
Sw1(config-if)#
12:53:16: %OSPF-5-ADJCHG: Process 1, Nbr 150.1.8.8 on Vlan1 from FULL to
DOWN, Neighbor Down: Interface down or detached
Sw1(config-if)#
12:53:22: %OSPF-5-ADJCHG: Process 1, Nbr 150.1.8.8 on Vlan1 from LOADING to
FULL, Loading Done
Sw1(config-if)#do show ip ospf inter | b Message
Message digest authentication enabled
Youngest key id is 2
But you have a point there. The RFC says:
Each key is identified by the combination of interface and Key
ID. An interface may have multiple keys active at any one time.
This enables smooth transition from one key to another. Each key
has four time constants associated with it. These time constants
can be expressed in terms of a time-of-day clock, or in terms of
a router's local clock (e.g., number of seconds since last
reboot):
For that OSPF time-based authentication question, it would be very nice to know; but you may still receive suggestions saying that the implementation of OSPF authentication is for a transitive method.
For the EIGRP part:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_configuration_guide_chapter09186a00800ca56e.html#wp4759
Also
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_configuration_guide_chapter09186a00800ca56e.html#wp5331
Regards,
Victor.-
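The Sw1 session above shows the "Youngest key id" and "Rollover in progress" lines but not what the router is doing underneath. The following Python model is an added example, not code from this thread or from Cisco: it builds the RFC 2328 Appendix D.4.3 digest (MD5 over the packet with the 16-octet key appended) and replays the session between Sw1 (14.14.78.7) and its neighbor 150.1.8.8, with a constructed Hello packet. The rule that a router keeps sending one copy per key a neighbor still uses until every neighbor has adopted the youngest key is my reading of the IOS command reference and of the output above, and is an assumption of the model; the packet bytes and the neighbor router are constructed for the example.

```python
"""Model of OSPF MD5 authentication and key rollover (RFC 2328 App. D).
Added example; the per-key duplicate sending during rollover is an assumption."""
import hashlib
import hmac
from typing import Dict, List, Tuple

KEY_LEN = 16  # RFC 2328 D.3: a 16-octet key; IOS zero-pads shorter passwords


def pad_key(secret: bytes) -> bytes:
    if len(secret) > KEY_LEN:
        raise ValueError("OSPF MD5 key is at most 16 characters")
    return secret.ljust(KEY_LEN, b"\x00")


def ospf_md5_digest(packet: bytes, secret: bytes) -> bytes:
    """RFC 2328 D.4.3: append the 16-octet key to the packet and MD5 the result.
    The 8-octet auth field (Key ID, length, crypto sequence number) is treated
    as part of the opaque packet bytes here."""
    return hashlib.md5(packet + pad_key(secret)).digest()


class OspfMd5Interface:
    """One interface under 'ip ospf authentication message-digest'."""

    def __init__(self) -> None:
        self._keys: Dict[int, bytes] = {}   # key id -> secret, in configuration order
        self._nbr_key: Dict[str, int] = {}  # neighbor -> youngest key id accepted from it

    def add_key(self, key_id: int, secret: str) -> None:
        """'ip ospf message-digest-key <id> md5 <secret>': the newest key is the
        youngest, whatever its number (key 2 added after key 21 is younger)."""
        self._keys.pop(key_id, None)
        self._keys[key_id] = secret.encode()

    def remove_key(self, key_id: int) -> None:
        """'no ip ospf message-digest-key <id>', once rollover has completed."""
        del self._keys[key_id]

    def youngest_key(self) -> int:
        return next(reversed(self._keys))

    def _age(self, key_id: int) -> int:
        return list(self._keys).index(key_id)  # larger = configured more recently

    def rollover_status(self) -> Dict[str, int]:
        """Neighbors still using a key other than the youngest: the
        'Rollover in progress ... using the old key(s)' line."""
        y = self.youngest_key()
        return {n: k for n, k in self._nbr_key.items() if k != y}

    def sign(self, packet: bytes) -> List[Tuple[int, bytes]]:
        """Copies to transmit: youngest key first, plus one copy per old key a
        neighbor still uses, so the adjacency survives the transition (assumption)."""
        kids = [self.youngest_key()] + sorted(set(self.rollover_status().values()))
        return [(k, ospf_md5_digest(packet, self._keys[k])) for k in kids]

    def receive(self, nbr: str, key_id: int, packet: bytes, digest: bytes) -> bool:
        """Accept any configured key (RFC 2328 D.3); drop unknown ids and bad digests."""
        secret = self._keys.get(key_id)
        if secret is None:
            return False
        if not hmac.compare_digest(ospf_md5_digest(packet, secret), digest):
            return False
        prev = self._nbr_key.get(nbr)
        if prev is None or prev not in self._keys or self._age(key_id) > self._age(prev):
            self._nbr_key[nbr] = key_id
        return True


def deliver(src: OspfMd5Interface, dst: OspfMd5Interface, src_id: str, packet: bytes) -> List[int]:
    """Hand every copy src emits to dst; return the key ids dst accepted."""
    return [k for k, d in src.sign(packet) if dst.receive(src_id, k, packet, d)]


def replay_thread() -> list:
    """Replay the Sw1 session from the thread against neighbor 150.1.8.8."""
    hello = b"\x02\x01\x00\x2c\x96\x01\x08\x08" + b"\x00" * 36  # constructed Hello, not a capture
    sw1, r8 = OspfMd5Interface(), OspfMd5Interface()
    SW1, R8 = "14.14.78.7", "150.1.8.8"
    steps = []
    sw1.add_key(21, "CISCO")
    r8.add_key(21, "CISCO")
    deliver(r8, sw1, R8, hello)
    steps.append((sw1.youngest_key(), sw1.rollover_status()))  # (21, {})
    sw1.add_key(2, "CISCO2")                                   # youngest is now 2, not 21
    steps.append((sw1.youngest_key(), sw1.rollover_status()))  # (2, {'150.1.8.8': 21})
    steps.append(deliver(sw1, r8, SW1, hello))  # [21]: r8 lacks key 2, accepts only the old copy
    r8.add_key(2, "CISCO2")
    steps.append(deliver(r8, sw1, R8, hello))   # [2, 21]: sw1 now sees r8 using key 2
    steps.append((sw1.youngest_key(), sw1.rollover_status()))  # (2, {}): rollover complete
    steps.append(deliver(sw1, r8, SW1, hello))  # [2]: only the youngest key is sent now
    sw1.remove_key(21)
    r8.remove_key(21)                           # retire the old key on both sides
    steps.append((sw1.youngest_key(), sw1.rollover_status(), r8.rollover_status()))
    return steps
```

Note that the key id plays no part in ordering: 2 becomes the youngest key purely because it was configured after 21. The old key stays accepted on both sides until the operator removes it, which is the "smooth transition" the RFC text describes, and removing it is a manual step that should follow, not precede, the rollover-complete state.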
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On behalf of Tony
Paterra
Sent: Monday, 25 September 2006 07:57 p.m.
To: Cisco certification
Subject: IGP authentication key rollover?
All,
I am looking for an explanation of IGP authentication protocols. For
OSPF, I've seen mentions that the highest common key ID is the one that
is accepted to auth peers. How does this work with rollover though?
Can it be time-based like EIGRP?
Also, with EIGRP and the accept/send timeframes... If there is an
overlap between 2 of the keys, they are both accepted as long as the
keys are both inside the 'accept' time window, right?
Thanks in advance,
-- Tony Paterra apaterra@gmail.com
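For the EIGRP half of the question (overlapping accept/send windows in a key chain), here is an added Python model that is not from this thread or from Cisco. It parses the IOS "key chain" syntax for a constructed chain in which key 1 is retired during the evening of 25 Sep 2006 and key 2 is accepted an hour before it starts being sent, then reports which keys are accepted and which key is sent at a given time. The rules it applies (every key whose accept-lifetime covers the moment is accepted; the lowest-numbered key with a valid send-lifetime is used to send; a key with no lifetime configured is always valid) are my reading of the IOS key-chain documentation and should be treated as assumptions of the model.

```python
"""Model of IOS key-chain accept-lifetime / send-lifetime evaluation.
Added example; the send-key selection rule is an assumption."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

TIME_FMT = "%H:%M:%S %b %d %Y"  # IOS 'hh:mm:ss month day year'; 'day month' form not handled


def at(when: str) -> datetime:
    return datetime.strptime(when, TIME_FMT)


@dataclass
class Lifetime:
    start: datetime
    end: Optional[datetime]  # None = 'infinite'

    def active(self, t: datetime) -> bool:
        return self.start <= t and (self.end is None or t <= self.end)


@dataclass
class Key:
    number: int
    key_string: str = ""
    accept: Optional[Lifetime] = None  # no lifetime configured = always valid
    send: Optional[Lifetime] = None


def _parse_lifetime(args: str) -> Lifetime:
    """'<start> infinite' | '<start> duration <seconds>' | '<start> <end>'."""
    toks = args.split()
    start = at(" ".join(toks[:4]))
    rest = toks[4:]
    if rest == ["infinite"]:
        return Lifetime(start, None)
    if rest[0] == "duration":
        return Lifetime(start, start + timedelta(seconds=int(rest[1])))
    return Lifetime(start, at(" ".join(rest[:4])))


def parse_key_chain(config: str) -> Dict[int, Key]:
    keys: Dict[int, Key] = {}
    cur: Optional[Key] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"key (\d+)", line)
        if m:
            cur = Key(int(m.group(1)))
            keys[cur.number] = cur
        elif cur is not None and line.startswith("key-string "):
            cur.key_string = line.split(None, 1)[1]
        elif cur is not None and line.startswith("accept-lifetime "):
            cur.accept = _parse_lifetime(line.split(None, 1)[1])
        elif cur is not None and line.startswith("send-lifetime "):
            cur.send = _parse_lifetime(line.split(None, 1)[1])
    return keys


def accept_keys(keys: Dict[int, Key], t: datetime) -> List[int]:
    """Every key whose accept-lifetime covers t; overlapping windows all accept."""
    return sorted(k.number for k in keys.values() if k.accept is None or k.accept.active(t))


def send_key(keys: Dict[int, Key], t: datetime) -> Optional[int]:
    """Lowest-numbered key whose send-lifetime covers t (assumption, see lead-in)."""
    valid = [k.number for k in keys.values() if k.send is None or k.send.active(t)]
    return min(valid) if valid else None


def evaluate(config: str, when: str) -> Tuple[List[int], Optional[int]]:
    keys = parse_key_chain(config)
    t = at(when)
    return accept_keys(keys, t), send_key(keys, t)


# Constructed key chain for the example: key 1 is sent until 23:00 and accepted
# until 01:00 the next day; key 2 is accepted from 22:00 and sent from 23:00.
SAMPLE_CHAIN = """
key chain EIGRP
 key 1
  key-string OLDKEY
  accept-lifetime 00:00:00 Sep 25 2006 01:00:00 Sep 26 2006
  send-lifetime 00:00:00 Sep 25 2006 23:00:00 Sep 25 2006
 key 2
  key-string NEWKEY
  accept-lifetime 22:00:00 Sep 25 2006 infinite
  send-lifetime 23:00:00 Sep 25 2006 infinite
"""

if __name__ == "__main__":
    for when in ("22:30:00 Sep 25 2006", "23:30:00 Sep 25 2006", "02:00:00 Sep 26 2006"):
        print(when, evaluate(SAMPLE_CHAIN, when))
```

At 23:30 the router has switched to sending with key 2, yet a peer that is still sending with key 1 is accepted until 01:00, because both accept windows cover that moment. Two practical points follow from the model: accept windows must overlap by more than the clock skew between peers (NTP is the usual dependency), and once key 1's accept-lifetime has expired any peer still sending it is simply dropped, so the old key's end time is the real deadline for the change.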
This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:41 ART