From: Darby Weaver (darbyweaver@yahoo.com)
Date: Mon Apr 23 2007 - 07:52:24 ART
The virtual link is an extension of Area 0. So it
becomes a part of Area 0.
--- sirisak chantanate <sirisak@itmanagement.co.th> wrote:
> Hi all.
> When we use OSPF authentication within Area 0, why do we have to enable
> authentication on Virtual Link???
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Narbik Kocharians
> Sent: Monday, April 23, 2007 1:00 PM
> To: Victor Cappuccio
> Cc: Jason Carpenter; ccielab@groupstudy.com
> Subject: Re: OSPF authentication [html-rem]
>
> No problems Victor, this is what we were discussing, that OSPF does have
> "area authentication" and you configure that with enabling it under the
> "router ospf" process and then you apply it to the interface (This can be
> text or MD5).
> But some of us still believe that there is no area authentication in OSPF.
> If you check the command reference and look under OSPF "area authentication"
> you will see that it is the first entry there.
> What OSPF does not support is area-based authentication.
>
>
>
>
> On 4/22/07, Victor Cappuccio <victor@ccbootcamp.com> wrote:
> >
> >
> > Sorry Narbik, do get your point
> >
> > You are using the keyword "configure OSPF area authentication"
> > Yes.- I can configure that under the routing process and then specify the
> > MD5 key under the interface, BUT, I can also enable all interfaces doing a
> > show ip int brief, and select all interfaces from that specific area and
> > enable authentication required
> >
> > for example...
> >
> > R1(config-router)#do show ip ospf int brief
> > Interface    PID   Area   IP Address/Mask    Cost  State Nbrs F/C
> > Fa0/1        1     0      1.2.12.1/24        1     BDR   1/1
> > Fa0/0        1     0      1.1.12.1/24        1     DR    0/0
> > Lo0          1     1      1.1.1.1/32         1     LOOP  0/0
> > R1(config-router)
> > R1(config-router)#int f0/1
> > R1(config-if)#ip ospf authen me
> > R1(config-if)#ip ospf me 1 md5 cisco
> > R1(config-if)#int f0/0
> > R1(config-if)#ip ospf authen me
> > R1(config-if)#ip ospf me 1 md5 cisco
> > R1(config-if)#
> >
> > or simple
> > R1(config-router)#router ospf 1
> > R1(config-router)#area 0 authentication me
> >
> > and then configure the password under the affected interfaces..
> >
> > So IMHO both solutions are doing what is required; if not sure, I would for
> > sure ask the proctor.
> >
> > Victor.-
> >
> >
> > -----Original Message-----
> > From: Narbik Kocharians [mailto:narbikk@gmail.com]
> > Sent: Sun 4/22/2007 22:45
> > To: Victor Cappuccio
> > Cc: Jason Carpenter; ccielab@groupstudy.com
> > Subject: Re: OSPF authentication [html-rem]
> >
> > So you are agreeing that if one is asked to configure OSPF area
> > authentication, you should enable it under the router ospf and then apply
> > it to the interface?
> >
> > On 4/22/07, Victor Cappuccio <victor@ccbootcamp.com> wrote:
> > >
> > > Like this...
> > >
> > > Router(config-if)#do show ip ospf neigh
> > >
> > > Neighbor ID     Pri   State      Dead Time   Address     Interface
> > > 1.2.12.1        1     FULL/DR    00:00:38    1.2.12.1    FastEthernet0/1
> > > 1.2.12.1        1     FULL/DR    00:00:33    1.1.12.1    FastEthernet0/0
> > > Router(config-if)#do show ip ospf inter
> > > FastEthernet0/1 is up, line protocol is up
> > > Internet Address 1.2.12.2/24, Area 0
> > > Process ID 1, Router ID 1.2.12.2, Network Type BROADCAST, Cost: 1
> > > Enabled by interface config, including secondary ip addresses
> > > Transmit Delay is 1 sec, State BDR, Priority 1
> > > Designated Router (ID) 1.2.12.1, Interface address 1.2.12.1
> > > Backup Designated router (ID) 1.2.12.2, Interface address 1.2.12.2
> > > Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
> > > oob-resync timeout 40
> > > Hello due in 00:00:07
> > > Supports Link-local Signaling (LLS)
> > > Index 2/2, flood queue length 0
> > > Next 0x0(0)/0x0(0)
> > > Last flood scan length is 1, maximum is 1
> > > Last flood scan time is 0 msec, maximum is 0 msec
> > > Neighbor Count is 1, Adjacent neighbor count is 1
> > > Adjacent with neighbor 1.2.12.1 (Designated Router)
> > > Suppress hello for 0 neighbor(s)
> > > FastEthernet0/0 is up, line protocol is up
> > > Internet Address 1.1.12.2/24, Area 0
> > > Process ID 1, Router ID 1.2.12.2, Network Type BROADCAST, Cost: 1
> > > Enabled by interface config, including secondary ip addresses
> > > Transmit Delay is 1 sec, State BDR, Priority 1
> > > Designated Router (ID) 1.2.12.1, Interface address 1.1.12.1
> > > Backup Designated router (ID) 1.2.12.2, Interface address 1.1.12.2
> > > Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
> > > oob-resync timeout 40
> > > Hello due in 00:00:07
> > > Supports Link-local Signaling (LLS)
> > > Index 1/1, flood queue length 0
> > > Next 0x0(0)/0x0(0)
> > > Last flood scan length is 2, maximum is 2
> > > Last flood scan time is 0 msec, maximum is 4 msec
> > > Neighbor Count is 1, Adjacent neighbor count is 1
> > > Adjacent with neighbor 1.2.12.1 (Designated Router)
> > > Suppress hello for 0 neighbor(s)
> > > Message digest authentication enabled
> > > No key configured, using default key id 0
> > > Router(config-if)#
> > >
> > >
> > > rack11>1
> > > [Resuming connection 1 to R1 ... ]
> > >
> > > *Apr 23 05:39:34.262: %OSPF-5-ADJCHG: Process 1, Nbr 1.2.12.2 on FastEthernet0/0 from LOADING to FULL, Loading Done
> > > R1(config-if)#
> > > R1(config-if)#router ospf 1
> > > R1(config-router)#area 0 authentication message
> > > R1(config-router)#do clear ip ospf pro
> > > Reset ALL OSPF processes? [no]: yes
> > > R1(config-router)#do show ip os
> > > *Apr 23 05:40:43.950: %OSPF-5-ADJCHG: Process 1, Nbr 1.2.12.2 on FastEthernet0/1 from FULL to DOWN, Neighbor Down: Interface down or detached
> > > *Apr 23 05:40:43.950: %OSPF-5-ADJCHG: Process 1, Nbr 1.2.12.2 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
> > > *Apr 23 05:40:44.114: %OSPF-5-ADJCHG: Process 1, Nbr 1.2.12.2 on FastEthernet0/0 from LOADING to FULL, Loading Donepf
> > > R1(config-router)#do show ip ospf neigh
> > >
> > > Neighbor ID     Pri   State      Dead Time   Address     Interface
> > > 1.2.12.2        1     FULL/DR    00:00:37    1.1.12.2    FastEthernet0/0
> > > R1(config-router)#do show ip ospf neigh
> > >
> > > Neighbor ID     Pri   State      Dead Time   Address     Interface
> > > 1.2.12.2        1     FULL/DR    00:00:38    1.1.12.2    FastEthernet0/0
> > > R1(config-router)#do show ip ospf neigh
> > >
> > > Neighbor ID     Pri   State      Dead Time   Address     Interface
> > > 1.2.12.2        1     FULL/DR    00:00:37    1.1.12.2    FastEthernet0/0
> > > R1(config-router)#do show ip ospf neigh
> > >
> > > Neighbor ID     Pri   State      Dead Time   Address     Interface
> > > 1.2.12.2        1     FULL/DR    00:00:36    1.1.12.2    FastEthernet0/0
> > > R1(config-router)#do show ip ospf neigh
> > >
> > > Neighbor ID     Pri   State      Dead Time   Address     Interface
> > > 1.2.12.2        1     FULL/DR    00:00:39    1.2.12.2    FastEthernet0/1
> > > 1.2.12.2        1     FULL/DR    00:00:39    1.1.12.2    FastEthernet0/0
> > > R1(config-router)#
> > > *Apr 23 05:40:52.910: %OSPF-5-ADJCHG: Process 1, Nbr 1.2.12.2 on FastEthernet0/1 from LOADING to FULL, Loading Donedo show ip ospf neigh
> > >
> > > Neighbor ID     Pri   State      Dead Time   Address     Interface
> > > 1.2.12.2        1     FULL/DR    00:00:39    1.2.12.2    FastEthernet0/1
> > > 1.2.12.2        1     FULL/DR    00:00:38    1.1.12.2    FastEthernet0/0
> > > R1(config-router)#
> > >
> > >
> > >
> > > HTH
> > >
> > > thanks,
> > > Victor Cappuccio.-
> > > Network Learning Inc - A Cisco Sponsored Organization (SO) YES! We take
> > > Cisco Learning credits!
> > > victor@ccbootcamp.com
> > > http://www.ccbootcamp.com (Cisco Training and Rental Racks)
> > > http://www.ccbootcamp.com/groupstudy.html (groupstudy member discounts!)
> > > Voice: 702-968-5100
> > > FAX: 702-446-8012
> > >
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Narbik Kocharians [mailto:narbikk@gmail.com]
> > > Sent: Sun 4/22/2007 22:28
> > > To: Victor Cappuccio
> > > Cc: Jason Carpenter; ccielab@groupstudy.com
> > > Subject: Re: OSPF authentication [html-rem]
> > >
> > > How is that related to "area authentication" and per interface
> > > authentication?
> > >
> > > On 4/22/07, Victor Cappuccio <victor@ccbootcamp.com> wrote:
> > > >
> > > > Hi Jason,
> > > >
> > > > http://www.faqs.org/rfcs/rfc2328.html
> > > >
> > > > D. Authentication
> > > >
> > > > All OSPF protocol exchanges are authenticated. The OSPF packet
> > > > header (see Section A.3.1) includes an authentication type field,
> > > > and 64-bits of data for use by the appropriate authentication scheme
> > > > (determined by the type field).
> > > >
> > > > The authentication type is configurable on a per-interface (or
> > > > equivalently, on a per-network/subnet) basis. --- seems that in Cisco
> > > > implementation this is using the routing process --- Additional
> > > > authentication data is also configurable on a per-interface basis --
> > > > ip ospf authentication command under the interface running OSPF :) ..
> > > >
> > > > Authentication types 0, 1 and 2 are defined by this specification.
> > > > All other authentication types are reserved for definition by the
> > > > IANA (iana@ISI.EDU). The current list of authentication types is
> > > > described below in Table 20.
> > > >
> > > > AuType       Description
> > > > ___________________________________________
> > > > 0            Null authentication
> > > > 1            Simple password
> > > > 2            Cryptographic authentication
> > > > All others   Reserved for assignment by the
> > > >              IANA (iana@ISI.EDU)
> > > >
> > > >
> > > >
> > > > in the Message generation D.4 After building the contents of an OSPF
> > > > packet, the authentication procedure indicated by the sending
> > > > interface's Autype value is called before the packet is sent. The
> > > > authentication procedure modifies the OSPF packet as follows.
> > > >
> > > > D.4.1 Generating Null authentication
> > > >
> > > > When using Null authentication, the packet is modified as
> > > > follows:
> > > >
> > > > (1) The Autype field in the standard OSPF header is set to
> > > > 0.
> > > >
> > > > Hope this helps
> > > >
> > > > Just my 2 cents more
> > > >
> > > > thanks,
> > > > Victor Cappuccio.-
> > > > Network Learning Inc - A Cisco Sponsored Organization (SO) YES! We take
> > > > Cisco Learning credits!
> > > > victor@ccbootcamp.com
> > > > http://www.ccbootcamp.com (Cisco Training and Rental Racks)
> > > > http://www.ccbootcamp.com/groupstudy.html (groupstudy member discounts!)
> > > > Voice: 702-968-5100
> > > > FAX: 702-446-8012
> > > >
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com on behalf of Jason Carpenter
> > > > Sent: Sun 4/22/2007 12:12
> > > > To: ccielab@groupstudy.com
> > > > Subject: OSPF authentication
> > > >
> > > > Will this result in OSPF authentication with a MD5 hash of password
> > > > CISCO
> > > >
> > > > router ospf 1
> > > > area 0 authentication
> > > >
> > > > int s0/0
> > > > ip ospf authentication message-digest
> > > > ip ospf authentication-key CISCO
> > > >
> > > > when I run sh ip ospf int s0/0
> > > > it says message-digest authentication enabled
> > > > no key configured, using default key id 0
> > > >
> > > > as long as the question does not specify a key number, (for example
> > > > key 1) would this result in md5 authentication with the password
> > > > CISCO?
> > > >
> > > > Thanks
> > > >
> > > >
> >
>
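An added example, not part of any message in this thread: a small config audit for the two situations discussed above, an interface that runs message-digest authentication without an `ip ospf message-digest-key` (the "No key configured, using default key id 0" state) and a virtual link that picks up Area 0's authentication because it is part of Area 0. The names `audit_ospf_auth` and `SAMPLE_CONFIG` are hypothetical, and the sketch assumes interfaces are placed in OSPF with `ip ospf <pid> area <id>` and that area IDs are written in decimal.

```python
import re

MODES = {None: "simple", " message-digest": "md5", " null": "null"}
AUTH = r"authentication( message-digest| null)?(?= |$)"  # never matches authentication-key
ISSUE = {"md5": "MD5 enabled but no message-digest-key", "null": "no OSPF authentication"}

# Constructed sample; Fa0/0 repeats the thread's MD5-mode-with-authentication-key pattern.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip ospf 1 area 0
 ip ospf authentication message-digest
 ip ospf authentication-key CISCO
interface FastEthernet0/1
 ip ospf 1 area 0
 ip ospf message-digest-key 1 md5 cisco
interface Serial0/0
 ip ospf 1 area 1
router ospf 1
 area 0 authentication message-digest
 area 1 virtual-link 2.2.2.2
"""

def audit_ospf_auth(config):
    """Return sorted (subject, finding) pairs for OSPF authentication gaps."""
    area_mode, vlinks, ifaces, cur = {}, {}, {}, None
    for line in config.splitlines():
        text = line.strip()
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m.group(1), {"area": None, "mode": None, "key": False})
        elif not line.startswith(" "):
            cur = None  # left interface context, e.g. "router ospf 1"
        elif m := re.match(r"area (\S+) " + AUTH, text):
            area_mode[m.group(1)] = MODES[m.group(2)]
        elif m := re.match(r"area \S+ virtual-link (\S+)(.*)", text):
            vlinks[m.group(1)] = vlinks.get(m.group(1), "") + m.group(2)
        elif cur is not None and (m := re.match(r"ip ospf \d+ area (\S+)", text)):
            cur["area"] = m.group(1)
        elif cur is not None and (m := re.match(r"ip ospf " + AUTH, text)):
            cur["mode"] = MODES[m.group(1)]
        elif cur is not None and text.startswith("ip ospf message-digest-key "):
            cur["key"] = True
    checks = [(n, i["mode"] or area_mode.get(i["area"], "null"), i["key"])  # interface overrides area
              for n, i in ifaces.items() if i["area"] is not None]
    for rid, opts in vlinks.items():  # a virtual link is an interface in area 0
        m = re.search(AUTH, opts)
        mode = MODES[m.group(1)] if m else area_mode.get("0", "null")
        checks.append(("virtual-link " + rid, mode, "message-digest-key" in opts))
    return sorted((s, ISSUE[mode]) for s, mode, key in checks
                  if mode == "null" or (mode == "md5" and not key))
```

Calling `audit_ospf_auth(SAMPLE_CONFIG)` reports FastEthernet0/0 and the virtual link as MD5 without a key, and Serial0/0 as unauthenticated; FastEthernet0/1 inherits MD5 from the area and has a key, so it is not reported.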
This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:37 ART