RE: ospf authentication

From: Scott Morris (swm@emanon.com)
Date: Sun Oct 01 2006 - 10:30:04 ART

• Next message: Scott Morris: "RE: How to match IPv6 packets"
• Previous message: acybox-groupstudy@yahoo.com: "IE VOL1 LAB7 Q. 8.3 Strange behavior"
• Maybe in reply to: Magmax: "ospf authentication"
• Next in thread: Alexei Monastyrnyi: "Re: ospf authentication"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

?? "Also as a site note OSPF doesn't do 'area authentication' as per the
RFC."

I'm not sure where you're looking in the RFC, because very specifically,
"area authentication" isn't mentioned at all.

" The authentication type is configurable on a per-interface (or
    equivalently, on a per-network/subnet) basis. Additional
    authentication data is also configurable on a per-interface basis."

I'm guessing you're wording is just off (lack of caffiene?). But as you
state later in your e-mail, Cisco's version of "area (x) authentication ..."
is just an over-simplification of things that will enable the authentication
parameters on every interface belonging to the area.

Interface-specific commands will also override any area-specified behavior.
The interface configuration is more inline with what the RFC specifies about
authentication. And you're correct about there being confusion with this...
Though I'm sure it won't be the last time that IOS commands generate
confusion!

But the poster's original question didn't ask about the differences, just
whether it could be done as posted. :)

 
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
#153, CISSP, et al.
CCSI/JNCI-M/JNCI-J
IPExpert VP - Curriculum Development
IPExpert Sr. Technical Instructor
smorris@ipexpert.com
http://www.ipexpert.com
 
 

-----Original Message-----
From: Brian Dennis [mailto:bdennis@internetworkexpert.com]
Sent: Sunday, October 01, 2006 2:26 AM
To: Magmax; swm@emanon.com; ccielab@groupstudy.com
Subject: RE: ospf authentication

Also as a site note OSPF doesn't do "area authentication" as per the RFC.

Cisco originally implemented OSPF authentication by only allowing
authentication to be enabled on all interfaces within an area using the
"area <area> authentication" and "area <area> authentication message-digest"
commands. Due to Cisco's original implementation you were forced to
authenticate all interfaces within an area once authentication was enabled
but this isn't as per the RFC. In IOS
12.0(4) Cisco added the interface level authentication command which should
have been implemented when OSPF authentication was first supported in the
IOS. This would have created less confusion as many people think that the
authentication command under the routing process is "area authentication".

HTH,

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Magmax
Sent: Saturday, September 30, 2006 8:34 PM
To: swm@emanon.com; ccielab@groupstudy.com
Subject: RE: ospf authentication

My mistake it should be

interface Serial0/0.315 multipoint

 ip address 190.168.315.3 255.255.255.0

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 CISCO

 frame-relay map ip 192.168.315.2 502 broadcast

 frame-relay map ip 192.168.315.3 503

 no frame-relay inverse-arp

Right now I will do interface authentication but not ospf area
authentication. Also I don't need to enable any virtual-link authentication
or need area 0 authetication message-digest command under ospf process

Ubaid

-----Original Message-----
From: Scott Morris [mailto:swm@emanon.com]
Sent: Sunday, 1 October 2006 1:25 PM
To: 'Magmax'; ccielab@groupstudy.com
Subject: RE: ospf authentication

Are you asking or telling? ;)

You CAN.... And it will work with your peers (if they're identical).
However, you won't get any points for it.

"ip ospf authentication message-digest" needs to have "ip ospf
message-digest-key ..." in order to use the password CISCO. You configured
a clear-text key yet enabled message-digest authentication.

When you do "show ip ospf interface s0/0.235" you'll find that
message-digest authentication IS indeed enabled but is using Key 0, which is
the NULL keyset. So if all of your routers are like that you'll get peers,
and things will look good but you aren't using Key 1 CISCO, so you don't get
points.

HTH,

 
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
#153, CISSP, et al.
CCSI/JNCI-M/JNCI-J
IPExpert VP - Curriculum Development
IPExpert Sr. Technical Instructor
smorris@ipexpert.com
http://www.ipexpert.com
 

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Magmax
Sent: Saturday, September 30, 2006 11:06 PM
To: ccielab@groupstudy.com
Subject: ospf authentication

interface Serial0/0.235 multipoint

 ip address 190.168.315.3 255.255.255.0

 ip ospf authentication message-digest

 ip ospf message-digest-key 1 md5 CISCO

 frame-relay map ip 192.168.315.2 502 broadcast

 frame-relay map ip 192.168.315.3 503 broadcast

 no frame-relay inverse-arp

Guys,

I can enable ospf authentication on per interface basis like above

• Next message: Scott Morris: "RE: How to match IPv6 packets"
• Previous message: acybox-groupstudy@yahoo.com: "IE VOL1 LAB7 Q. 8.3 Strange behavior"
• Maybe in reply to: Magmax: "ospf authentication"
• Next in thread: Alexei Monastyrnyi: "Re: ospf authentication"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:03 ART