Re: Key rotation on OSPF area authentication

From: Udo (ccie_groupstudy@yahoo.de)
Date: Mon Nov 13 2006 - 04:02:28 ART


Hi,

Please can you post a sample config? This is also very interesting for
me... and maybe for others too...

udo
> Hi Dave,
>
> Would you mind sending me your sample configuration for my reference?
>
>
> On 11/11/06, Schulz, Dave <DSchulz@dpsciences.com> wrote:
> >
> > Ricky -
> >
> > OSPF will try to use the youngest keys (if found). So, if you have
> > authentication set up and add a new key, it will try to use the youngest
> > key that is common to the specific area doing authentication. It will
> > drop back to the common key, until the new one is configured on the
> > other side (the switchover in keys will not cause any outage due to
> > renewed adjacency, etc.)
> >
> > Here is a debug where I have two keys set up and then added a third, the
> > debug shows that it now changes to using the 3rd key. HTH......
> >
> >
> > *No
> > *Nov 11 07:20:50.152: OSPF: Send with key 1
> > *Nov 11 07:20:50.152: OSPF: Send hello to 224.0.0.5 area 0 on
> > Serial1/0.1245 from 136.1.0.4
> > *Nov 11 07:20:50.152: OSPF: Send with key 2
> > *Nov 11 07:20:50.152: OSPF: Send hello to 224.0.0.5 area 0 on
> > Serial1/0.1245 from 136.1.0.4
> > *Nov 11 07:20:50.152: OSPF: Send with key 3
> > *Nov 11 07:20:50.152: OSPF: Send hello to 224.0.0.5 area 0 on
> > Serial1/0.1245 from 136.1.0.4
> > !
> > !
> > !
> > *Nov 11 07:21:34.224: OSPF: Rcv hello from 150.1.5.5 area 0 from
> > Serial1/0.1245 136.1.0.5
> > *Nov 11 07:21:34.224: OSPF: End of hello processing
> > *Nov 11 07:21:34.324: OSPF: Rcv hello from 150.1.5.5 area 0 from
> > Serial1/0.1245 136.1.0.5
> > *Nov 11 07:21:34.324: OSPF: End of hello processing
> > *Nov 11 07:21:34.424: OSPF: Rcv hello from 150.1.5.5 area 0 from
> > Serial1/0.1245 136.1.0.5
> > *Nov 11 07:21:34.424: OSPF: End of hello processing
> > Rack1R4(config-subif)#
> > *Nov 11 07:21:50.152: OSPF: Send with youngest Key 3
> > *Nov 11 07:21:50.152: OSPF: Send hello to 224.0.0.5 area 0 on
> > Serial1/0.1245 from 136.1.0.4
> >
> > Then, the output of the show ip ospf 1 interface.....
> >
> > Serial1/0.1245 is up, line protocol is up
> > Internet Address 136.1.0.4/24, Area 0
> > Process ID 1, Router ID 150.1.4.4, Network Type POINT_TO_MULTIPOINT,
> > Cost: 64
> > Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT,
> > Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
> > oob-resync timeout 120
> > Hello due in 00:00:02
> > Index 1/1, flood queue length 0
> > Next 0x0(0)/0x0(0)
> > Last flood scan length is 1, maximum is 1
> > Last flood scan time is 0 msec, maximum is 0 msec
> > Neighbor Count is 1, Adjacent neighbor count is 1
> > Adjacent with neighbor 150.1.5.5
> > Suppress hello for 0 neighbor(s)
> > Message digest authentication enabled
> > Youngest key id is 3
> >
> > Hope this helps,
> >
> > Dave Schulz,
> > Email: dschulz@dpsciences.com
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Ricky MK Au
> > Sent: Saturday, November 11, 2006 1:36 AM
> > To: ccielab@groupstudy.com
> > Subject: Key rotation on OSPF area authentication
> >
> > Dear all,
> > Can anyone tell me what is the best practice to do a key rotation with
> > minimum impact when I configure area authentication within OSPF?
> >
> > Ricky M.K. Au,
> > Information Technology Service, Networking Services,
> > IBM China/Hong Kong Limited
> > Mobile: +852 91351676
> > Email: aurmk@hk1.ibm.com
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
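
One way to confirm from captured debug output that a rollover has finished, as an added example that is not part of the original thread. The sample lines are constructed, modelled on the debug quoted above with the line wraps joined; the function names are hypothetical, and the code assumes that several "Send with key" lines sharing one timestamp mean the rollover is still in progress.

```python
import re

# Constructed sample, modelled on the debug output quoted in the thread.
SAMPLE_DEBUG = """\
*Nov 11 07:20:50.152: OSPF: Send with key 1
*Nov 11 07:20:50.152: OSPF: Send hello to 224.0.0.5 area 0 on Serial1/0.1245 from 136.1.0.4
*Nov 11 07:20:50.152: OSPF: Send with key 2
*Nov 11 07:20:50.152: OSPF: Send hello to 224.0.0.5 area 0 on Serial1/0.1245 from 136.1.0.4
*Nov 11 07:20:50.152: OSPF: Send with key 3
*Nov 11 07:20:50.152: OSPF: Send hello to 224.0.0.5 area 0 on Serial1/0.1245 from 136.1.0.4
*Nov 11 07:21:50.152: OSPF: Send with youngest Key 3
*Nov 11 07:21:50.152: OSPF: Send hello to 224.0.0.5 area 0 on Serial1/0.1245 from 136.1.0.4
"""

# Matches both "Send with key N" and "Send with youngest Key N".
SEND_RE = re.compile(
    r"^\*(?P<ts>\w{3}\s+\d+ [\d:.]+): OSPF: Send with "
    r"(?P<young>youngest )?[Kk]ey (?P<id>\d+)\s*$"
)

def keys_per_hello(debug_text):
    """Map each timestamp to the list of (key_id, is_youngest) sent at it."""
    rounds = {}
    for line in debug_text.splitlines():
        m = SEND_RE.match(line.strip())
        if m:
            rounds.setdefault(m["ts"], []).append(
                (int(m["id"]), bool(m["young"])))
    return rounds

def rollover_status(debug_text):
    """Classify the most recent hello round seen in the capture."""
    rounds = keys_per_hello(debug_text)
    if not rounds:
        return {"state": "no-auth-sends-seen", "active": [], "retire_candidates": []}
    seen = sorted({k for sends in rounds.values() for k, _ in sends})
    active = sorted(k for k, _ in list(rounds.values())[-1])
    if len(active) > 1:
        # Assumption: one hello per key means a neighbor has not adopted the new key yet.
        return {"state": "in-progress", "active": active, "retire_candidates": []}
    # Keys sent earlier but no longer used are candidates for removal on both sides.
    return {"state": "complete", "active": active,
            "retire_candidates": [k for k in seen if k not in active]}

if __name__ == "__main__":
    print(rollover_status(SAMPLE_DEBUG))
```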

        
                



This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:46 ART