From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Mon Apr 23 2007 - 00:37:44 ART
This is in regards to a couple other "replies" you received on this subject.
The authentication type used by OSPF can be changed from the default of
"null" to "clear text" or "MD5" under the routing process which applies to
all interfaces within that area, or can be done at the interface level. By
setting the authentication type under the routing process you are not doing
"area" authentication. You are just setting the authentication type for all
interfaces on your router that are within that area.
Example:
If I have 50 interfaces in area 1 and I want to authenticate all of them
it's easier to just use the command under the routing process as opposed to
typing the interface level command 50 times.
If I have 50 interfaces in area 1 and I only want to authenticate 10 of
them then it's easiest to just apply the interface level command to the 10
interfaces that I want to enable authentication on. The reverse is to
enable authentication under the routing process and set the authentication
type to null on the other 40 interfaces within area 1 that we did not want
to enable authentication for.
So don't confuse setting the authentication type under the routing process
with doing "area" authentication which is not supported in OSPF. Cisco's
implementation in the past forced this upon us due to the limitations of the
commands to enable authentication. So you can authenticate all segments
"within" an area but you cannot do true "area" authentication.
This would be the equivalent of saying that since I have all iBGP neighbors
authenticating with an MD5 password that I'm doing BGP AS Authentication. In
actuality I'm authenticating all iBGP peering sessions but that doesn't mean
I'm doing any sort of BGP AS Authentication ;-)
--
Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)

On 4/22/07 12:12 PM, "Jason Carpenter" <adventureracing@gmail.com> wrote:
> Will this result in OSPF authentication with a MD5 hash of password CISCO
>
> router ospf 1
> area 0 authentication
>
> int s0/0
> ip ospf authentication message-digest
> ip ospf authentication-key CISCO
>
> when I run sh ip ospf int s0/0
> it says message-digest authentication enabled
> no key configured, using default key id 0
>
> as long as the question does not specify a key number, (for example
> key 1) would this result in md5 authentication with the password
> CISCO?
>
> Thanks
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
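
Added example, not part of the original thread: a small audit script that resolves the effective OSPF authentication type per interface (interface-level setting first, otherwise the type set for its area under the routing process, otherwise null) and flags an authentication type whose matching key command is absent, as in the quoted configuration. The function name, sample configuration and key value are constructed, and it assumes interfaces are placed in areas with the interface-level `ip ospf <pid> area <area>` command rather than `network` statements.

```python
import re

# Constructed sample configuration (hypothetical, not taken from the thread).
SAMPLE = """\
router ospf 1
 area 0 authentication
 area 1 authentication message-digest
interface Serial0/0
 ip ospf 1 area 1
 ip ospf message-digest-key 1 md5 EXAMPLEKEY
interface Serial0/1
 ip ospf 1 area 1
 ip ospf authentication null
interface Serial0/2
 ip ospf 1 area 0
 ip ospf authentication message-digest
 ip ospf authentication-key EXAMPLEKEY
interface Serial0/3
 ip ospf 1 area 0
 ip ospf authentication-key EXAMPLEKEY
"""

# Key command each authentication type needs on the interface.
NEEDED_KEY = {"md5": "message-digest-key", "clear": "authentication-key"}
IF_AUTH = {None: "clear", " message-digest": "md5", " null": "null"}

def effective_ospf_auth(config):
    """Return {interface: (auth_type, warning_or_None)}."""
    area_auth, ifaces, cur = {}, {}, None
    for line in config.splitlines():
        s = line.strip()
        if m := re.fullmatch(r"area (\S+) authentication( message-digest)?", s):
            area_auth[m[1]] = "md5" if m[2] else "clear"  # per-area default type
        elif m := re.fullmatch(r"interface (\S+)", s):
            cur = ifaces.setdefault(m[1], {"area": None, "auth": None, "keys": set()})
        elif cur is None:
            continue
        elif m := re.fullmatch(r"ip ospf \d+ area (\S+)", s):
            cur["area"] = m[1]
        elif m := re.fullmatch(r"ip ospf authentication( message-digest| null)?", s):
            cur["auth"] = IF_AUTH[m[1]]
        elif m := re.match(r"ip ospf (message-digest-key|authentication-key) ", s):
            cur["keys"].add(m[1])
    result = {}
    for name, i in ifaces.items():
        # Interface-level type wins; otherwise inherit the area default, else null.
        auth = i["auth"] or area_auth.get(i["area"], "null")
        need = NEEDED_KEY.get(auth)
        missing = need is not None and need not in i["keys"]
        result[name] = (auth, f"{auth} enabled but no {need} configured" if missing else None)
    return result
```
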
This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:37 ART