RE: OSPF authentication [html-rem]

From: Scott Morris (smorris@ipexpert.com)
Date: Mon Apr 23 2007 - 08:16:05 ART


Because virtual links are considered to be part of area 0, but they aren't
really an "interface" as far as Cisco logic goes.

Virtual links really highlight the differences that others have been
discussing (or what was quietly pointed out earlier) that the RFC does not
make any mention of true "area" authentication. Cisco simply created a
shortcut to turn on authentication for all interfaces belonging to whatever
area you specify.

But in programming logic, virtual links don't fall into that category of an
"interface" so they are not tagged as participating. That's why you will
have to manually specify the authentication on the virtual link command
line. Part of the programming says "yes, it's required", another part
missed enabling it.

If you had simply started with putting the commands on each and every
interface, you COULD not enable authentication on your virtual links (you'd
lose points though in the lab).

It's one of those greyish areas of making all these things work! :)

HTH,

 
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
#153, CISSP, et al.
CCSI/JNCI-M/JNCI-J
IPexpert VP - Curriculum Development
IPexpert Sr. Technical Instructor
smorris@ipexpert.com
http://www.ipexpert.com
 

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
sirisak chantanate
Sent: Monday, April 23, 2007 3:22 AM
To: 'Narbik Kocharians'; 'Victor Cappuccio'
Cc: 'Jason Carpenter'; ccielab@groupstudy.com
Subject: RE: OSPF authentication [html-rem]

Hi all.
 When we use OSPF authentication within Area 0, why do we have to enable
authentication on Virtual Link???

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Narbik Kocharians
Sent: Monday, April 23, 2007 1:00 PM
To: Victor Cappuccio
Cc: Jason Carpenter; ccielab@groupstudy.com
Subject: Re: OSPF authentication [html-rem]

No problems Victor, this is what we were discussing, that OSPF does have
"area authentication" and you configure that by enabling it under the
"router ospf" process and then you apply it to the interface (this can be
text or MD5).
But some of us still believe that there is no area authentication in OSPF.
If you check the command reference and look under OSPF "area authentication"
you will see that it is the first entry there.
What OSPF does not support is area-based authentication.

On 4/22/07, Victor Cappuccio <victor@ccbootcamp.com> wrote:
>
>
> Sorry Narbik, do get your point
>
> You are using the keyword "configure OSPF area authentication"
> Yes.- I can configure that under the routing process and then specify
> the
> MD5 key under the interface, BUT, I can also enable all interfaces
> doing a show ip int brief, and select all interfaces from that
> specific area and enable authentication required
>
> for example...
>
> R1(config-router)#do show ip ospf int brief
> Interface    PID   Area   IP Address/Mask   Cost  State  Nbrs F/C
> Fa0/1        1     0      1.2.12.1/24       1     BDR    1/1
> Fa0/0        1     0      1.1.12.1/24       1     DR     0/0
> Lo0          1     1      1.1.1.1/32        1     LOOP   0/0
> R1(config-router)
> R1(config-router)#int f0/1
> R1(config-if)#ip ospf authen me
> R1(config-if)#ip ospf me 1 md5 cisco
> R1(config-if)#int f0/0
> R1(config-if)#ip ospf authen me
> R1(config-if)#ip ospf me 1 md5 cisco
> R1(config-if)#
>
> or simple
> R1(config-router)#router ospf 1
> R1(config-router)#area 0 authentication me
>
> and then configure the password under the affected interfaces..
>
> So IMHO both solutions are doing what is required; if not sure, I would
> for sure ask the proctor.
>
> Victor.-
>
>
> -----Original Message-----
> From: Narbik Kocharians [mailto:narbikk@gmail.com]
> Sent: Sun 4/22/2007 22:45
> To: Victor Cappuccio
> Cc: Jason Carpenter; ccielab@groupstudy.com
> Subject: Re: OSPF authentication [html-rem]
>
> So you are agreeing that if one is asked to configure OSPF area
> authentication, you should enable it under the router ospf and then
> apply it to the interface?
>
> On 4/22/07, Victor Cappuccio <victor@ccbootcamp.com> wrote:
> >
> > Like this...
> >
> > Router(config-if)#do show ip ospf neigh
> >
> > Neighbor ID     Pri   State       Dead Time   Address     Interface
> > 1.2.12.1        1     FULL/DR     00:00:38    1.2.12.1    FastEthernet0/1
> > 1.2.12.1        1     FULL/DR     00:00:33    1.1.12.1    FastEthernet0/0
> > Router(config-if)#do show ip ospf inter
> > FastEthernet0/1 is up, line protocol is up
> > Internet Address 1.2.12.2/24, Area 0
> > Process ID 1, Router ID 1.2.12.2, Network Type BROADCAST, Cost: 1
> > Enabled by interface config, including secondary ip addresses
> > Transmit Delay is 1 sec, State BDR, Priority 1
> > Designated Router (ID) 1.2.12.1, Interface address 1.2.12.1
> > Backup Designated router (ID) 1.2.12.2, Interface address 1.2.12.2
> > Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
> > oob-resync timeout 40
> > Hello due in 00:00:07
> > Supports Link-local Signaling (LLS)
> > Index 2/2, flood queue length 0
> > Next 0x0(0)/0x0(0)
> > Last flood scan length is 1, maximum is 1
> > Last flood scan time is 0 msec, maximum is 0 msec
> > Neighbor Count is 1, Adjacent neighbor count is 1
> > Adjacent with neighbor 1.2.12.1 (Designated Router)
> > Suppress hello for 0 neighbor(s)
> > FastEthernet0/0 is up, line protocol is up
> > Internet Address 1.1.12.2/24, Area 0
> > Process ID 1, Router ID 1.2.12.2, Network Type BROADCAST, Cost: 1
> > Enabled by interface config, including secondary ip addresses
> > Transmit Delay is 1 sec, State BDR, Priority 1
> > Designated Router (ID) 1.2.12.1, Interface address 1.1.12.1
> > Backup Designated router (ID) 1.2.12.2, Interface address 1.1.12.2
> > Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
> > oob-resync timeout 40
> > Hello due in 00:00:07
> > Supports Link-local Signaling (LLS)
> > Index 1/1, flood queue length 0
> > Next 0x0(0)/0x0(0)
> > Last flood scan length is 2, maximum is 2
> > Last flood scan time is 0 msec, maximum is 4 msec
> > Neighbor Count is 1, Adjacent neighbor count is 1
> > Adjacent with neighbor 1.2.12.1 (Designated Router)
> > Suppress hello for 0 neighbor(s)
> > Message digest authentication enabled
> > No key configured, using default key id 0
> > Router(config-if)#
> >
> >
> > rack11>1
> > [Resuming connection 1 to R1 ... ]
> >
> > *Apr 23 05:39:34.262: %OSPF-5-ADJCHG: Process 1, Nbr 1.2.12.2 on
> > FastEthernet0/0 from LOADING to FULL, Loading Done
> > R1(config-if)#
> > R1(config-if)#router ospf 1
> > R1(config-router)#area 0 authentication message
> > R1(config-router)#do clear ip ospf pro
> > Reset ALL OSPF processes? [no]: yes
> > R1(config-router)#do show ip os
> > *Apr 23 05:40:43.950: %OSPF-5-ADJCHG: Process 1, Nbr 1.2.12.2 on
> > FastEthernet0/1 from FULL to DOWN, Neighbor Down: Interface down or
> detached
> > *Apr 23 05:40:43.950: %OSPF-5-ADJCHG: Process 1, Nbr 1.2.12.2 on
> > FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or
> detached
> > *Apr 23 05:40:44.114: %OSPF-5-ADJCHG: Process 1, Nbr 1.2.12.2 on
> > FastEthernet0/0 from LOADING to FULL, Loading Donepf
> > R1(config-router)#do show ip ospf neigh
> >
> > Neighbor ID     Pri   State       Dead Time   Address     Interface
> > 1.2.12.2        1     FULL/DR     00:00:37    1.1.12.2    FastEthernet0/0
> > R1(config-router)#do show ip ospf neigh
> >
> > Neighbor ID     Pri   State       Dead Time   Address     Interface
> > 1.2.12.2        1     FULL/DR     00:00:38    1.1.12.2    FastEthernet0/0
> > R1(config-router)#do show ip ospf neigh
> >
> > Neighbor ID     Pri   State       Dead Time   Address     Interface
> > 1.2.12.2        1     FULL/DR     00:00:37    1.1.12.2    FastEthernet0/0
> > R1(config-router)#do show ip ospf neigh
> >
> > Neighbor ID     Pri   State       Dead Time   Address     Interface
> > 1.2.12.2        1     FULL/DR     00:00:36    1.1.12.2    FastEthernet0/0
> > R1(config-router)#do show ip ospf neigh
> >
> > Neighbor ID     Pri   State       Dead Time   Address     Interface
> > 1.2.12.2        1     FULL/DR     00:00:39    1.2.12.2    FastEthernet0/1
> > 1.2.12.2        1     FULL/DR     00:00:39    1.1.12.2    FastEthernet0/0
> > R1(config-router)#
> > *Apr 23 05:40:52.910: %OSPF-5-ADJCHG: Process 1, Nbr 1.2.12.2 on
> > FastEthernet0/1 from LOADING to FULL, Loading Donedo show ip ospf neigh
> >
> > Neighbor ID     Pri   State       Dead Time   Address     Interface
> > 1.2.12.2        1     FULL/DR     00:00:39    1.2.12.2    FastEthernet0/1
> > 1.2.12.2        1     FULL/DR     00:00:38    1.1.12.2    FastEthernet0/0
> > R1(config-router)#
> >
> >
> >
> > HTH
> >
> > thanks,
> > Victor Cappuccio.-
> > Network Learning Inc - A Cisco Sponsored Organization (SO) YES! We take
> > Cisco Learning credits!
> > victor@ccbootcamp.com
> > http://www.ccbootcamp.com (Cisco Training and Rental Racks)
> > http://www.ccbootcamp.com/groupstudy.html (groupstudy member discounts!)
> > Voice: 702-968-5100
> > FAX: 702-446-8012
> >
> >
> >
> >
> > -----Original Message-----
> > From: Narbik Kocharians [mailto:narbikk@gmail.com]
> > Sent: Sun 4/22/2007 22:28
> > To: Victor Cappuccio
> > Cc: Jason Carpenter; ccielab@groupstudy.com
> > Subject: Re: OSPF authentication [html-rem]
> >
> > How is that related to "area authentication" and per interface
> > authentication?
> >
> > On 4/22/07, Victor Cappuccio <victor@ccbootcamp.com> wrote:
> > >
> > > Hi Jason,
> > >
> > > http://www.faqs.org/rfcs/rfc2328.html
> > >
> > > D. Authentication
> > >
> > > All OSPF protocol exchanges are authenticated. The OSPF packet
> > > header (see Section A.3.1) includes an authentication type field,
> > > and 64-bits of data for use by the appropriate authentication scheme
> > > (determined by the type field).
> > >
> > > The authentication type is configurable on a per-interface (or
> > > equivalently, on a per-network/subnet) basis. --- seems that in Cisco
> > > implementation this is using the routing process --- Additional
> > > authentication data is also configurable on a per-interface basis --
> > > ip ospf authentication command under the interface running OSPF :) ..
> > >
> > > Authentication types 0, 1 and 2 are defined by this specification.
> > > All other authentication types are reserved for definition by the
> > > IANA (iana@ISI.EDU). The current list of authentication types is
> > > described below in Table 20.
> > >
> > > AuType       Description
> > > ___________________________________________
> > > 0            Null authentication
> > > 1            Simple password
> > > 2            Cryptographic authentication
> > > All others   Reserved for assignment by the IANA (iana@ISI.EDU)
> > >
> > >
> > >
> > > in the Message generation D.4 After building the contents of an OSPF
> > > packet, the authentication procedure indicated by the sending
> > > interface's Autype value is called before the packet is sent. The
> > > authentication procedure modifies the OSPF packet as follows.
> > >
> > > D.4.1 Generating Null authentication
> > >
> > > When using Null authentication, the packet is modified as
> > > follows:
> > >
> > > (1) The Autype field in the standard OSPF header is set to
> > > 0.
> > >
> > > Hope this helps
> > >
> > > Just my 2 cents more
> > >
> > > thanks,
> > > Victor Cappuccio.-
> > > Network Learning Inc - A Cisco Sponsored Organization (SO) YES! We take
> > > Cisco Learning credits!
> > > victor@ccbootcamp.com
> > > http://www.ccbootcamp.com (Cisco Training and Rental Racks)
> > > http://www.ccbootcamp.com/groupstudy.html (groupstudy member discounts!)
> > > Voice: 702-968-5100
> > > FAX: 702-446-8012
> > >
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com on behalf of Jason Carpenter
> > > Sent: Sun 4/22/2007 12:12
> > > To: ccielab@groupstudy.com
> > > Subject: OSPF authentication
> > >
> > > Will this result in OSPF authentication with a MD5 hash of password
> > > CISCO
> > >
> > > router ospf 1
> > > area 0 authentication
> > >
> > > int s0/0
> > > ip ospf authentication message-digest
> > > ip ospf authentication-key CISCO
> > >
> > > when I run sh ip ospf int s0/0
> > > it says message-digest authentication enabled
> > > no key configured, using default key id 0
> > >
> > > as long as the question does not specify a key number, (for example
> > > key 1) would this result in md5 authentication with the password
> > > CISCO?
> > >
> > > Thanks
> > >
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> > >
> > >
> >
> >
> >
> > --
> > Narbik Kocharians
> > CCIE# 12410 (R&S, SP, Security)
> > CCSI# 30832
> > Network Learning, Inc. (CCIE class Instructor)
> > www.ccbootcamp.com (CCIE Training)
> >
> >
>
>
> --
> Narbik Kocharians
> CCIE# 12410 (R&S, SP, Security)
> CCSI# 30832
> Network Learning, Inc. (CCIE class Instructor)
> www.ccbootcamp.com (CCIE Training)
>
>

-- 
Narbik Kocharians
CCIE# 12410 (R&S, SP, Security)
CCSI# 30832
Network Learning, Inc. (CCIE class Instructor)
www.ccbootcamp.com (CCIE Training)

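Added example (mine, not code from this thread, from Cisco or from the RFC): a
Python model of the two OSPFv2 authentication schemes Victor quotes from RFC
2328 Appendix D, since the thread argues about where the key is configured but
never shows what the authentication field actually carries. It builds a Hello
with AuType 1 (simple password: the password rides in the clear in the 64-bit
field) and with AuType 2 (cryptographic: Key ID, auth-data length and sequence
number in that field, MD5 over packet + zero-padded key appended as a trailer),
and then runs the receiver-side checks. Router IDs, the netmask and the key
string "cisco" are sample values taken from the outputs above; the Hello body
contents, the `keys` dictionary standing in for the interface's
message-digest-key table, and the reason strings are my assumptions. It models
only the RFC mechanics, not IOS's "area authentication" shortcut or virtual-link
handling; the key-id lookup failing is the packet-level shape of Jason's "no key
configured" question.

```python
import hashlib
import hmac
import ipaddress
import struct

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTYPE_NULL, AUTYPE_SIMPLE, AUTYPE_CRYPTO = 0, 1, 2   # RFC 2328 Table 20
HEADER_LEN = 24   # 16 bytes of fixed fields + the 64-bit authentication field
DIGEST_LEN = 16   # MD5 digest appended after the packet; not counted in Length
HDR_FMT = "!BBH4s4sHH8s"   # Version, Type, Length, Router ID, Area ID, Checksum, AuType, Auth


def _ip4(dotted):
    return ipaddress.IPv4Address(dotted).packed


def _inet_checksum(data):
    # Ones'-complement sum over 16-bit words (the usual IP-style checksum).
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _header(body_len, router_id, area_id, checksum, autype, auth_field):
    return struct.pack(HDR_FMT, OSPF_VERSION, OSPF_HELLO, HEADER_LEN + body_len,
                       _ip4(router_id), _ip4(area_id), checksum, autype, auth_field)


def hello_body(mask, hello=10, dead=40, priority=1, dr="0.0.0.0", bdr="0.0.0.0", neighbors=()):
    # Hello body per RFC 2328 A.3.2; Options byte fixed at 0x02 (E-bit) for brevity (assumption).
    body = struct.pack("!4sHBBI4s4s", _ip4(mask), hello, 0x02, priority, dead, _ip4(dr), _ip4(bdr))
    return body + b"".join(_ip4(n) for n in neighbors)


def build_simple_password_packet(body, router_id, area_id, password):
    """AuType 1 (D.4.2): the password itself is carried in the 64-bit auth field."""
    if len(password) > 8:
        raise ValueError("simple password is at most 8 bytes")
    # Checksum covers the whole packet except the 64-bit authentication field.
    csum = _inet_checksum(_header(len(body), router_id, area_id, 0, AUTYPE_SIMPLE, bytes(8))[:16] + body)
    return _header(len(body), router_id, area_id, csum, AUTYPE_SIMPLE, password.ljust(8, b"\x00")) + body


def password_from_simple_packet(packet):
    # Anyone who can sniff the segment reads a type-1 password straight out of the header.
    return packet[16:24].rstrip(b"\x00")


def _md5_trailer(packet, key):
    # D.4.3: MD5 over the OSPF packet followed by the 16-byte key (shorter keys zero-padded).
    if len(key) > DIGEST_LEN:
        raise ValueError("MD5 key is at most 16 bytes")
    return hashlib.md5(packet + key.ljust(DIGEST_LEN, b"\x00")).digest()


def build_md5_packet(body, router_id, area_id, key_id, key, seq):
    """AuType 2 (D.4.3): auth field = 0x0000 | Key ID | Auth Data Length | sequence number.
    The checksum is 0 and unused; integrity comes from the keyed digest instead."""
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    pkt = _header(len(body), router_id, area_id, 0, AUTYPE_CRYPTO, auth) + body
    return pkt + _md5_trailer(pkt, key)


def verify_md5_packet(packet, keys, last_seq=-1):
    """Receiver side. `keys` maps Key ID -> key bytes (a stand-in for the interface's
    message-digest-key table); `last_seq` is the sequence number last accepted from
    this neighbor. Returns "ok" or the reason the packet would be dropped."""
    if len(packet) < HEADER_LEN + DIGEST_LEN:
        return "too short"
    version, _ptype, length, _rid, _aid, _csum, autype, auth = struct.unpack(HDR_FMT, packet[:HEADER_LEN])
    if version != OSPF_VERSION:
        return "bad version"
    if autype != AUTYPE_CRYPTO:
        return "autype mismatch"            # we expect MD5 and the sender is not using it
    if length + DIGEST_LEN != len(packet):
        return "length mismatch"
    _zero, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
    if auth_len != DIGEST_LEN or key_id not in keys:
        return "no key with id %d" % key_id   # no key under that id: the neighbor never forms
    if seq < last_seq:
        return "replayed sequence number"    # RFC accepts equal (non-decreasing) values
    expected = _md5_trailer(packet[:length], keys[key_id])
    if not hmac.compare_digest(expected, packet[length:]):
        return "digest mismatch"
    return "ok"


if __name__ == "__main__":
    body = hello_body("255.255.255.0", neighbors=("1.2.12.1",))
    pkt = build_md5_packet(body, "1.2.12.2", "0.0.0.0", key_id=1, key=b"cisco", seq=1)
    print(verify_md5_packet(pkt, {1: b"cisco"}))   # ok
    print(verify_md5_packet(pkt, {0: b"cisco"}))   # no key with id 1
    weak = build_simple_password_packet(body, "1.2.12.2", "0.0.0.0", b"CISCO")
    print(password_from_simple_packet(weak))      # b'CISCO'
```

Two things to take from running it: a type-1 packet hands the password to anyone
on the segment, so "authentication" there only keeps accidental neighbors out,
and with type 2 both the key string and the Key ID have to agree on each side,
which is why mixing `ip ospf authentication-key` (a type-1 password) with
`ip ospf authentication message-digest` leaves the router with no usable MD5 key.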

This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:37 ART