From: Schulz, Dave (DSchulz@dpsciences.com)
Date: Sat Nov 11 2006 - 11:19:02 ART
Ricky -
OSPF will try to use the youngest keys (if found). So, if you have
authentication set up and add a new key, it will try to use the youngest
key that is common to the specific area doing authentication. It will
drop back to the common key until the new one is configured on the
other side (the switchover in keys will not cause any outage due to
renewed adjacency, etc.).
Here is a debug where I have two keys set up and then added a third; the
debug shows that it now changes to using the 3rd key. HTH......
*No
*Nov 11 07:20:50.152: OSPF: Send with key 1
*Nov 11 07:20:50.152: OSPF: Send hello to 224.0.0.5 area 0 on Serial1/0.1245 from 136.1.0.4
*Nov 11 07:20:50.152: OSPF: Send with key 2
*Nov 11 07:20:50.152: OSPF: Send hello to 224.0.0.5 area 0 on Serial1/0.1245 from 136.1.0.4
*Nov 11 07:20:50.152: OSPF: Send with key 3
*Nov 11 07:20:50.152: OSPF: Send hello to 224.0.0.5 area 0 on Serial1/0.1245 from 136.1.0.4
!
!
!
*Nov 11 07:21:34.224: OSPF: Rcv hello from 150.1.5.5 area 0 from Serial1/0.1245 136.1.0.5
*Nov 11 07:21:34.224: OSPF: End of hello processing
*Nov 11 07:21:34.324: OSPF: Rcv hello from 150.1.5.5 area 0 from Serial1/0.1245 136.1.0.5
*Nov 11 07:21:34.324: OSPF: End of hello processing
*Nov 11 07:21:34.424: OSPF: Rcv hello from 150.1.5.5 area 0 from Serial1/0.1245 136.1.0.5
*Nov 11 07:21:34.424: OSPF: End of hello processing
Rack1R4(config-subif)#
*Nov 11 07:21:50.152: OSPF: Send with youngest Key 3
*Nov 11 07:21:50.152: OSPF: Send hello to 224.0.0.5 area 0 on Serial1/0.1245 from 136.1.0.4
Then, the output of the show ip ospf 1 interface.....
Serial1/0.1245 is up, line protocol is up
Internet Address 136.1.0.4/24, Area 0
Process ID 1, Router ID 150.1.4.4, Network Type POINT_TO_MULTIPOINT, Cost: 64
Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT,
Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
oob-resync timeout 120
Hello due in 00:00:02
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.1.5.5
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 3
Hope this helps,
Dave Schulz,
Email: dschulz@dpsciences.com
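An added example (not from this thread or from IOS) modelling the rollover the debug above shows: OSPFv2 cryptographic authentication per RFC 2328 Appendix D, with a sender that emits one copy of each hello per configured key while a new key is being rolled out and only the youngest key once every neighbor is seen using it. The key values, the hello body and the router/area IDs are constructed; "youngest" is modelled as the last-configured key in the key dict.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

AUTH_CRYPTO = 2   # AuType 2 = cryptographic authentication (RFC 2328)
DIGEST_LEN = 16   # MD5 digest appended after the OSPF packet, not counted in Length
HDR_LEN = 24      # fixed OSPFv2 header size

def build_authenticated(body: bytes, router_id: bytes, area_id: bytes,
                        key_id: int, key: bytes, seq: int) -> bytes:
    """Hello (type 1) with AuType 2 header and MD5 trailer over packet || zero-padded key."""
    length = HDR_LEN + len(body)
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)   # reserved, Key ID, Auth Len, Crypto Seq
    pkt = struct.pack("!BBH4s4sHH8s", 2, 1, length, router_id, area_id,
                      0, AUTH_CRYPTO, auth) + body            # checksum is 0 under AuType 2
    digest = hashlib.md5(pkt + key.ljust(DIGEST_LEN, b"\x00")).digest()
    return pkt + digest

def verify(packet: bytes, keys: Dict[int, bytes]) -> Optional[int]:
    """Return the Key ID that authenticates the packet, or None (unknown key id or bad digest)."""
    if len(packet) < HDR_LEN + DIGEST_LEN:
        return None
    version, _ptype, length = struct.unpack("!BBH", packet[:4])
    autype = struct.unpack("!H", packet[14:16])[0]
    if version != 2 or autype != AUTH_CRYPTO or len(packet) != length + DIGEST_LEN:
        return None
    key_id, dlen = struct.unpack("!BB", packet[18:20])   # receiver looks up the key by Key ID
    key = keys.get(key_id)
    if key is None or dlen != DIGEST_LEN:
        return None
    expected = hashlib.md5(packet[:length] + key.ljust(DIGEST_LEN, b"\x00")).digest()
    return key_id if hmac.compare_digest(expected, packet[length:]) else None

def hellos_for_rollover(body: bytes, router_id: bytes, area_id: bytes,
                        keys: Dict[int, bytes], seq: int,
                        all_neighbors_on_youngest: bool) -> List[Tuple[int, bytes]]:
    """One copy per key while rolling over ('Send with key 1/2/3'); youngest only afterwards."""
    youngest = list(keys)[-1]   # assumption: youngest = most recently configured key
    ids = [youngest] if all_neighbors_on_youngest else list(keys)
    return [(k, build_authenticated(body, router_id, area_id, k, keys[k], seq)) for k in ids]
```

Run against a neighbor that still has only keys 1 and 2, the key 3 copy is dropped while the key 1 and 2 copies still authenticate, which is why the adjacency survives the rollover.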
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Ricky MK Au
Sent: Saturday, November 11, 2006 1:36 AM
To: ccielab@groupstudy.com
Subject: Key rotation on OSPF area authentication
Dear all,
Can anyone tell me what is the best practice to do a key rotation with
minimum impact when I configure area authentication within OSPF?
Ricky M.K. Au,
Information Technology Service, Networking Services,
IBM China/Hong Kong Limited
Mobile: +852 91351676
Email: aurmk@hk1.ibm.com
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:46 ART