RE: OSPF authentication [html-rem]

From: Victor Cappuccio (victor@ccbootcamp.com)
Date: Mon Apr 23 2007 - 02:51:47 ART


Sorry Narbik, I do get your point.

You are using the keyword "configure OSPF area authentication".
Yes.- I can configure that under the routing process and then specify the MD5
key under the interface, BUT I can also enable it on all interfaces by doing a show ip
int brief, selecting all interfaces from that specific area and enabling the
required authentication

for example...

R1(config-router)#do show ip ospf int brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Fa0/1 1 0 1.2.12.1/24 1 BDR 1/1
Fa0/0 1 0 1.1.12.1/24 1 DR 0/0
Lo0 1 1 1.1.1.1/32 1 LOOP 0/0
R1(config-router)
R1(config-router)#int f0/1
R1(config-if)#ip ospf authen me
R1(config-if)#ip ospf me 1 md5 cisco
R1(config-if)#int f0/0
R1(config-if)#ip ospf authen me
R1(config-if)#ip ospf me 1 md5 cisco
R1(config-if)#

or simply
R1(config-router)#router ospf 1
R1(config-router)#area 0 authentication me

and then configure the password under the affected interfaces.

So IMHO both solutions are doing what is required; if not sure, I would for sure
ask the proctor.

Victor.-
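
An added example, not from the thread and not a Cisco tool: a small Python audit that reads a simplified IOS configuration, works out each OSPF interface's effective authentication type (interface-level `ip ospf authentication` overriding `area X authentication`, as IOS does) and flags Jason's combination, where message-digest authentication is enabled but only an `authentication-key` is present. It assumes interfaces join OSPF with `ip ospf <pid> area <area>` rather than `network` statements, and the sample configuration is constructed.

```python
import re

# Constructed sample (not from the thread): Serial0/0 repeats Jason's mix of commands.
SAMPLE_CONFIG = """\
interface Serial0/0
 ip ospf 1 area 0
 ip ospf authentication message-digest
 ip ospf authentication-key CISCO
interface FastEthernet0/1
 ip ospf 1 area 0
 ip ospf message-digest-key 1 md5 cisco
interface FastEthernet0/0
 ip ospf 1 area 1
router ospf 1
 area 0 authentication message-digest
"""

def parse_config(text):
    """Return (area -> 'md5'|'simple' from 'area X authentication', interface -> settings)."""
    area_auth, ifaces, cur = {}, {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = line.split()[1]
            ifaces[cur] = {"area": None, "auth": None, "md5_keys": [], "simple_key": None}
        elif m := re.match(r" area (\S+) authentication( message-digest)?$", line):
            area_auth[m.group(1)] = "md5" if m.group(2) else "simple"
        elif cur and (m := re.match(r" ip ospf \d+ area (\S+)", line)):
            ifaces[cur]["area"] = m.group(1)
        elif cur and (m := re.match(r" ip ospf authentication( message-digest| null)?$", line)):
            ifaces[cur]["auth"] = {None: "simple", " message-digest": "md5", " null": "null"}[m.group(1)]
        elif cur and (m := re.match(r" ip ospf message-digest-key (\d+) md5 \S+", line)):
            ifaces[cur]["md5_keys"].append(int(m.group(1)))
        elif cur and (m := re.match(r" ip ospf authentication-key (\S+)", line)):
            ifaces[cur]["simple_key"] = m.group(1)
    return area_auth, ifaces

def audit(text):
    """Effective auth type and finding per OSPF interface; interface-level auth overrides the area setting."""
    area_auth, ifaces = parse_config(text)
    findings = {}
    for name, i in ifaces.items():
        if i["area"] is None: continue  # interface is not running OSPF
        mode = i["auth"] or area_auth.get(i["area"], "null")
        note = "neighbors accepted without authentication" if mode == "null" else "ok"
        if mode == "md5" and not i["md5_keys"]:
            note = "no message-digest-key: IOS reports 'No key configured, using default key id 0'"
        elif mode == "simple" and i["simple_key"] is None:
            note = "no authentication-key configured"
        findings[name] = (mode, note)
    return findings
```

Running `audit(SAMPLE_CONFIG)` flags Serial0/0 (MD5 enabled, no MD5 key), passes FastEthernet0/1, and reports FastEthernet0/0 as unauthenticated because area 1 has no authentication command.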

-----Original Message-----
From: Narbik Kocharians [mailto:narbikk@gmail.com]
Sent: Sun 4/22/2007 22:45
To: Victor Cappuccio
Cc: Jason Carpenter; ccielab@groupstudy.com
Subject: Re: OSPF authentication [html-rem]

So you are agreeing that if one is asked to configure OSPF area
authentication, you should enable it under the router ospf and then apply it
to the interface?

On 4/22/07, Victor Cappuccio <victor@ccbootcamp.com> wrote:
>
> Like this...
>
> Router(config-if)#do show ip ospf neigh
>
> Neighbor ID Pri State Dead Time Address
> Interface
> 1.2.12.1 1 FULL/DR 00:00:38 1.2.12.1
> FastEthernet0/1
> 1.2.12.1 1 FULL/DR 00:00:33 1.1.12.1
> FastEthernet0/0
> Router(config-if)#do show ip ospf inter
> FastEthernet0/1 is up, line protocol is up
> Internet Address 1.2.12.2/24, Area 0
> Process ID 1, Router ID 1.2.12.2, Network Type BROADCAST, Cost: 1
> Enabled by interface config, including secondary ip addresses
> Transmit Delay is 1 sec, State BDR, Priority 1
> Designated Router (ID) 1.2.12.1, Interface address 1.2.12.1
> Backup Designated router (ID) 1.2.12.2, Interface address 1.2.12.2
> Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
> oob-resync timeout 40
> Hello due in 00:00:07
> Supports Link-local Signaling (LLS)
> Index 2/2, flood queue length 0
> Next 0x0(0)/0x0(0)
> Last flood scan length is 1, maximum is 1
> Last flood scan time is 0 msec, maximum is 0 msec
> Neighbor Count is 1, Adjacent neighbor count is 1
> Adjacent with neighbor 1.2.12.1 (Designated Router)
> Suppress hello for 0 neighbor(s)
> FastEthernet0/0 is up, line protocol is up
> Internet Address 1.1.12.2/24, Area 0
> Process ID 1, Router ID 1.2.12.2, Network Type BROADCAST, Cost: 1
> Enabled by interface config, including secondary ip addresses
> Transmit Delay is 1 sec, State BDR, Priority 1
> Designated Router (ID) 1.2.12.1, Interface address 1.1.12.1
> Backup Designated router (ID) 1.2.12.2, Interface address 1.1.12.2
> Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
> oob-resync timeout 40
> Hello due in 00:00:07
> Supports Link-local Signaling (LLS)
> Index 1/1, flood queue length 0
> Next 0x0(0)/0x0(0)
> Last flood scan length is 2, maximum is 2
> Last flood scan time is 0 msec, maximum is 4 msec
> Neighbor Count is 1, Adjacent neighbor count is 1
> Adjacent with neighbor 1.2.12.1 (Designated Router)
> Suppress hello for 0 neighbor(s)
> Message digest authentication enabled
> No key configured, using default key id 0
> Router(config-if)#
>
>
> rack11>1
> [Resuming connection 1 to R1 ... ]
>
> *Apr 23 05:39:34.262: %OSPF-5-ADJCHG: Process 1, Nbr 1.2.12.2 on
> FastEthernet0/0 from LOADING to FULL, Loading Done
> R1(config-if)#
> R1(config-if)#router ospf 1
> R1(config-router)#area 0 authentication message
> R1(config-router)#do clear ip ospf pro
> Reset ALL OSPF processes? [no]: yes
> R1(config-router)#do show ip os
> *Apr 23 05:40:43.950: %OSPF-5-ADJCHG: Process 1, Nbr 1.2.12.2 on
> FastEthernet0/1 from FULL to DOWN, Neighbor Down: Interface down or
> detached
> *Apr 23 05:40:43.950: %OSPF-5-ADJCHG: Process 1, Nbr 1.2.12.2 on
> FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or
> detached
> *Apr 23 05:40:44.114: %OSPF-5-ADJCHG: Process 1, Nbr 1.2.12.2 on
> FastEthernet0/0 from LOADING to FULL, Loading Donepf
> R1(config-router)#do show ip ospf neigh
>
> Neighbor ID Pri State Dead Time Address
> Interface
> 1.2.12.2 1 FULL/DR 00:00:37 1.1.12.2
> FastEthernet0/0
> R1(config-router)#do show ip ospf neigh
>
> Neighbor ID Pri State Dead Time Address
> Interface
> 1.2.12.2 1 FULL/DR 00:00:38 1.1.12.2
> FastEthernet0/0
> R1(config-router)#do show ip ospf neigh
>
> Neighbor ID Pri State Dead Time Address
> Interface
> 1.2.12.2 1 FULL/DR 00:00:37 1.1.12.2
> FastEthernet0/0
> R1(config-router)#do show ip ospf neigh
>
> Neighbor ID Pri State Dead Time Address
> Interface
> 1.2.12.2 1 FULL/DR 00:00:36 1.1.12.2
> FastEthernet0/0
> R1(config-router)#do show ip ospf neigh
>
> Neighbor ID Pri State Dead Time Address
> Interface
> 1.2.12.2 1 FULL/DR 00:00:39 1.2.12.2
> FastEthernet0/1
> 1.2.12.2 1 FULL/DR 00:00:39 1.1.12.2
> FastEthernet0/0
> R1(config-router)#
> *Apr 23 05:40:52.910: %OSPF-5-ADJCHG: Process 1, Nbr 1.2.12.2 on
> FastEthernet0/1 from LOADING to FULL, Loading Donedo show ip ospf neigh
>
> Neighbor ID Pri State Dead Time Address
> Interface
> 1.2.12.2 1 FULL/DR 00:00:39 1.2.12.2
> FastEthernet0/1
> 1.2.12.2 1 FULL/DR 00:00:38 1.1.12.2
> FastEthernet0/0
> R1(config-router)#
>
>
>
> HTH
>
> thanks,
> Victor Cappuccio.-
> Network Learning Inc - A Cisco Sponsored Organization (SO) YES! We take
> Cisco Learning credits!
> victor@ccbootcamp.com
> http://www.ccbootcamp.com (Cisco Training and Rental Racks)
> http://www.ccbootcamp.com/groupstudy.html (groupstudy member discounts!)
> Voice: 702-968-5100
> FAX: 702-446-8012
>
>
>
>
> -----Original Message-----
> From: Narbik Kocharians [mailto:narbikk@gmail.com]
> Sent: Sun 4/22/2007 22:28
> To: Victor Cappuccio
> Cc: Jason Carpenter; ccielab@groupstudy.com
> Subject: Re: OSPF authentication [html-rem]
>
> How is that related to "area authentication" and per interface
> authentication?
>
> On 4/22/07, Victor Cappuccio <victor@ccbootcamp.com> wrote:
> >
> > Hi Jason,
> >
> > http://www.faqs.org/rfcs/rfc2328.html
> >
> > D. Authentication
> >
> > All OSPF protocol exchanges are authenticated. The OSPF packet
> > header (see Section A.3.1) includes an authentication type field,
> > and 64-bits of data for use by the appropriate authentication scheme
> > (determined by the type field).
> >
> > The authentication type is configurable on a per-interface (or
> > equivalently, on a per-network/subnet) basis. --- seems that in Cisco
> > implementation this is using the routing process --- Additional
> > authentication data is also configurable on a per-interface basis -- ip ospf
> > authentication command under the interface running OSPF :) ..
> >
> > Authentication types 0, 1 and 2 are defined by this specification.
> > All other authentication types are reserved for definition by the
> > IANA (iana@ISI.EDU). The current list of authentication types is
> > described below in Table 20.
> >
> > AuType       Description
> > ___________________________________________
> > 0            Null authentication
> > 1            Simple password
> > 2            Cryptographic authentication
> > All others   Reserved for assignment by the IANA (iana@ISI.EDU)
> >
> >
> >
> > in the Message generation D.4 After building the contents of an OSPF packet,
> > the authentication procedure indicated by the sending interface's Autype value
> > is called before the packet is sent. The authentication procedure modifies
> > the OSPF packet as follows.
> >
> > D.4.1 Generating Null authentication
> >
> > When using Null authentication, the packet is modified as follows:
> >
> > (1) The Autype field in the standard OSPF header is set to 0.
> >
> > Hope this helps
> >
> > Just my 2 cents more
> >
> > thanks,
> > Victor Cappuccio.-
> > Network Learning Inc - A Cisco Sponsored Organization (SO) YES! We take
> > Cisco Learning credits!
> > victor@ccbootcamp.com
> > http://www.ccbootcamp.com (Cisco Training and Rental Racks)
> > http://www.ccbootcamp.com/groupstudy.html (groupstudy member discounts!)
> > Voice: 702-968-5100
> > FAX: 702-446-8012
> >
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com on behalf of Jason Carpenter
> > Sent: Sun 4/22/2007 12:12
> > To: ccielab@groupstudy.com
> > Subject: OSPF authentication
> >
> > Will this result in OSPF authentication with an MD5 hash of password CISCO?
> >
> > router ospf 1
> > area 0 authentication
> >
> > int s0/0
> > ip ospf authentication message-digest
> > ip ospf authentication-key CISCO
> >
> > when I run sh ip ospf int s0/0
> > it says message-digest authentication enabled
> > no key configured, using default key id 0
> >
> > as long as the question does not specify a key number, (for example
> > key 1) would this result in md5 authentication with the password
> > CISCO?
> >
> > Thanks
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> >
>
>
>
> --
> Narbik Kocharians
> CCIE# 12410 (R&S, SP, Security)
> CCSI# 30832
> Network Learning, Inc. (CCIE class Instructor)
> www.ccbootcamp.com (CCIE Training)
>
>

--
Narbik Kocharians
CCIE# 12410 (R&S, SP, Security)
CCSI# 30832
Network Learning, Inc. (CCIE class Instructor)
www.ccbootcamp.com (CCIE Training)

