From: Scott Morris (swm@emanon.com)
Date: Sun Oct 01 2006 - 15:09:32 ART
I'll talk slower.
The wording of your first line appears to contradict the rest of what you
posted (hence my agreeing with you, at least the meat of your post).
Semantics. Obviously an interpretation error though...
I do see the point of your e-mail, but don't see the point of the post
itself as it didn't answer the original question, but I digress...
Forgive the addition to clarification on my part as it obviously doesn't
have any bearing on anything... In the future, I'll try harder to keep my
"site notes" to myself. *shrug*
With or without caffeine today, it reads the same. ;)
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
#153, CISSP, et al.
CCSI/JNCI-M/JNCI-J
IPExpert VP - Curriculum Development
IPExpert Sr. Technical Instructor
smorris@ipexpert.com
http://www.ipexpert.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Brian Dennis
Sent: Sunday, October 01, 2006 1:51 PM
To: swm@emanon.com; Magmax; ccielab@groupstudy.com
Subject: RE: ospf authentication
Scott,
I think that you're the one with a little "lack of caffeine" as you don't
appear to understand what I said in my e-mail ;-) You seem to think what I
said was wrong for some reason but then you just restated what I said with
your reply. You didn't even disagree with what I said so what's the point?
;-) Read my original e-mail over again closely and you should see my point.
If not I'll comment directly in regards to your reply to my e-mail.
HTH,
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
-----Original Message-----
From: Scott Morris [mailto:swm@emanon.com]
Sent: Sunday, October 01, 2006 6:30 AM
To: Brian Dennis; 'Magmax'; ccielab@groupstudy.com
Subject: RE: ospf authentication
?? "Also as a site note OSPF doesn't do 'area authentication' as per the
RFC."
I'm not sure where you're looking in the RFC, because very specifically,
"area authentication" isn't mentioned at all.
" The authentication type is configurable on a per-interface (or
equivalently, on a per-network/subnet) basis. Additional
authentication data is also configurable on a per-interface basis."
I'm guessing your wording is just off (lack of caffeine?). But as you
state later in your e-mail, Cisco's version of "area (x) authentication ..."
is just an over-simplification of things that will enable the authentication
parameters on every interface belonging to the area.
Interface-specific commands will also override any area-specified behavior.
The interface configuration is more in line with what the RFC specifies about
authentication. And you're correct about there being confusion with this...
Though I'm sure it won't be the last time that IOS commands generate
confusion!
But the poster's original question didn't ask about the differences, just
whether it could be done as posted. :)
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
#153, CISSP, et al.
-----Original Message-----
From: Brian Dennis [mailto:bdennis@internetworkexpert.com]
Sent: Sunday, October 01, 2006 2:26 AM
To: Magmax; swm@emanon.com; ccielab@groupstudy.com
Subject: RE: ospf authentication
Also as a site note OSPF doesn't do "area authentication" as per the RFC.
Cisco originally implemented OSPF authentication by only allowing
authentication to be enabled on all interfaces within an area using the
"area <area> authentication" and "area <area> authentication message-digest"
commands. Due to Cisco's original implementation you were forced to
authenticate all interfaces within an area once authentication was enabled
but this isn't as per the RFC. In IOS
12.0(4) Cisco added the interface level authentication command which should
have been implemented when OSPF authentication was first supported in the
IOS. This would have created less confusion as many people think that the
authentication command under the routing process is "area authentication".
HTH,
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Magmax
Sent: Saturday, September 30, 2006 8:34 PM
To: swm@emanon.com; ccielab@groupstudy.com
Subject: RE: ospf authentication
My mistake, it should be:
interface Serial0/0.315 multipoint
 ip address 190.168.315.3 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 CISCO
 frame-relay map ip 192.168.315.2 502 broadcast
 frame-relay map ip 192.168.315.3 503
 no frame-relay inverse-arp
Right now I will do interface authentication but not ospf area
authentication. Also I don't need to enable any virtual-link authentication
or need area 0 authentication message-digest command under ospf process.
Ubaid
-----Original Message-----
From: Scott Morris [mailto:swm@emanon.com]
Sent: Sunday, 1 October 2006 1:25 PM
To: 'Magmax'; ccielab@groupstudy.com
Subject: RE: ospf authentication
Are you asking or telling? ;)
You CAN.... And it will work with your peers (if they're identical).
However, you won't get any points for it.
"ip ospf authentication message-digest" needs to have "ip ospf
message-digest-key ..." in order to use the password CISCO. You configured
a clear-text key yet enabled message-digest authentication.
When you do "show ip ospf interface s0/0.235" you'll find that
message-digest authentication IS indeed enabled but is using Key 0, which is
the NULL keyset. So if all of your routers are like that you'll get peers,
and things will look good but you aren't using Key 1 CISCO, so you don't get
points.
HTH,
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
#153, CISSP, et al.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Magmax
Sent: Saturday, September 30, 2006 11:06 PM
To: ccielab@groupstudy.com
Subject: ospf authentication
interface Serial0/0.235 multipoint
 ip address 190.168.315.3 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 CISCO
 frame-relay map ip 192.168.315.2 502 broadcast
 frame-relay map ip 192.168.315.3 503 broadcast
 no frame-relay inverse-arp
Guys,
I can enable ospf authentication on a per-interface basis like above
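
Added example (not part of the original thread, and not code from any of its participants): a Python check for the mismatch Scott Morris describes above, where an interface enables message-digest authentication but has no "ip ospf message-digest-key", so neighbors still form while the intended key is never used. The function name audit_ospf_auth and the sample configuration are constructed for illustration; only interface-level commands are inspected, and authentication inherited from "area <area> authentication" is not resolved.

```python
import re

# Constructed sample configuration (not taken from the thread's routers).
SAMPLE_CONFIG = """\
interface Serial0/0.1 multipoint
 ip address 192.0.2.1 255.255.255.0
 ip ospf authentication message-digest
 ip ospf authentication-key EXAMPLEKEY
!
interface Serial0/0.2 multipoint
 ip address 198.51.100.1 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 EXAMPLEKEY
!
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip ospf authentication message-digest
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
"""

def audit_ospf_auth(config):
    """Return {interface: finding} for interface-level OSPF auth problems."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a new top-level command ends the stanza
    findings = {}
    for name, cmds in stanzas.items():
        md5_on = "ip ospf authentication message-digest" in cmds
        simple_on = "ip ospf authentication" in cmds
        has_md5_key = any(re.match(r"ip ospf message-digest-key \d+ md5 \S", c) for c in cmds)
        has_text_key = any(c.startswith("ip ospf authentication-key ") for c in cmds)
        if md5_on and not has_md5_key:
            why = "clear-text key configured instead" if has_text_key else "no key configured"
            findings[name] = f"message-digest enabled without message-digest-key ({why})"
        elif simple_on and not has_text_key:
            findings[name] = "simple authentication enabled without authentication-key"
    return findings

if __name__ == "__main__":
    for intf, finding in audit_ospf_auth(SAMPLE_CONFIG).items():
        print(f"{intf}: {finding}")
```

On a router, "show ip ospf interface" (the command Scott cites) confirms which key an interface is actually using.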
This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:03 ART