From: Toh Soon, Lim (tohsoon28@gmail.com)
Date: Sat Sep 22 2007 - 23:00:04 ART
Hi Brian,
Thanks for your reply. I have added the command "neighbor 136.10.100.2"
under the OSPF process of R5 and R6. 136.10.100.2 is the address of the hub
R2. The neighbor statements on R2 pointing to R5 & R6 remain.
At first it didn't work. R2-R5 adjacency is up but not R2-R6. I have to
remove key 6 on R2 and configure it back before the R2-R6 adjacency is up.
Did I miss anything? Is this normal?
The issue persists after a reload of the 3 routers. I have to repeat the
same steps (i.e. remove and add back key 6 on R2) to get it to work.
For OSPF NBMA mode and in this case P2MP NB mode, I typically define
neighbor statements only on the hub router. Should that be sufficient? It's
been working fine for all scenarios until I encountered this multiple
authentication keys scenario which you advised to configure neighbor
statements on the spokes as well.
Thank you.
B.Rgds,
Lim TS
On 9/22/07, Brian Dennis <bdennis@internetworkexpert.com> wrote:
>
> On R6 add the neighbor command pointing to the hub under the OSPF process.
> Below is the rule of thumb that you want to remember with this
> configuration (multiple keys over an OSPF non-broadcast network):
>
> When using multiple keys over a non-broadcast network (OSPF) you should
> also configure the neighbor command on the spokes along with the neighbors
> on the hub (see note below). This is technically only needed on the spoke
> that is configured without the "youngest" key. The hub will by default send
> hellos using the "youngest" key (key 5 in your case) and the spoke that is
> using the "non-youngest" (key 6 in your case) key will ignore the hellos
> from the hub due to the key mismatch. You need to ensure that R6 can send
> hellos using its configured key so that R5 can detect it and start using
> key 6 with R6. By default of course R6 is non-broadcast which means it
> can't initiate its own hellos.
>
>
> As a side note you can possibly get this to work without the neighbor
> command but it will not survive a reload.
>
>
> * Note - Technically you could just configure the neighbor command on the
> spokes and leave them off the hub.
>
>
> HTH,
>
>
> Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
> bdennis@internetworkexpert.com
>
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 775-745-6404 (Outside the US and Canada)
>
> On Sep 21, 2007, at 9:01 PM, Toh Soon, Lim wrote:
>
> Hi Group,
>
>
> I'm having a little problem getting OSPF authentication to work using
> different md5 keys for different neighbors over frame relay.
>
>
> R2 is the hub. Spokes are R5 and R6. OSPF P2MP non-broadcast mode is
> configured. R5's shared key is r5key and R6's shared key is r6key.
>
>
> R2 Config
> ---------
> !
> interface Serial0/0/0.56 multipoint
> description *** FR Connection to R5,R6 ***
> ip address 136.10.100.2 255.255.255.224
> ip ospf authentication message-digest
> ip ospf message-digest-key 6 md5 r6key
> ip ospf message-digest-key 5 md5 r5key
> ip ospf network point-to-multipoint non-broadcast
> frame-relay map ip 136.10.100.5 105 broadcast
> frame-relay map ip 136.10.100.6 106 broadcast
> no frame-relay inverse-arp
> !
> router ospf 1
> network 136.10.100.2 0.0.0.0 area 0
> neighbor 136.10.100.6
> neighbor 136.10.100.5
> !
>
>
> R5 Config
> ---------
> !
> interface Serial0/0/0
> description *** FR Connection to R2 ***
> ip address 136.10.100.5 255.255.255.224
> encapsulation frame-relay
> ip ospf authentication message-digest
> ip ospf message-digest-key 5 md5 r5key
> ip ospf network point-to-multipoint non-broadcast
> frame-relay map ip 136.10.100.2 501 broadcast
> no frame-relay inverse-arp
> !
> router ospf 1
> network 136.10.100.5 0.0.0.0 area 0
> !
>
>
> R6 Config
> ---------
> !
> interface Serial0/0/0
> description *** FR Connection to R2 ***
> ip address 136.10.100.6 255.255.255.224
> encapsulation frame-relay
> ip ospf authentication message-digest
> ip ospf message-digest-key 6 md5 r6key
> ip ospf network point-to-multipoint non-broadcast
> frame-relay map ip 136.10.100.2 601 broadcast
> no frame-relay inverse-arp
> !
> router ospf 1
> network 136.10.100.6 0.0.0.0 area 0
> !
>
>
>
>
> R2 and R5 have full adjacency. Full adjacency between R2 and R6 cannot be
> established.
>
>
> Outputs of "deb ip os adj" on R2 show:
>
>
> OSPF: Send with youngest Key 5
>
>
> Outputs of "deb ip os adj" on R6 show:
>
>
> OSPF: Rcv pkt from 136.10.100.2, Serial0/0/0 : Mismatch Authentication Key - No message digest key 5 on interface
> OSPF: Send with youngest Key 6
>
>
>
>
> I'm expecting R2 to send multiple copies of OSPF packets, each
> authenticated by the two keys, to R5 and R6. At least that's what I
> understood on DocCD OSPF Command Ref. From the debug outputs, it seems
> that R2 only uses key 5.
>
>
> Can anyone suggest how to work around this issue so that the task can be
> achieved?
>
>
>
>
> Many thanks.
>
>
> B.Rgds,
> Lim TS
>
>
This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:15 ART
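
Added example, not part of the original thread and not Cisco's code: a simplified Python model of OSPFv2 MD5 authentication (RFC 2328 Appendix D) showing why R6 drops the hub's hellos while the hub can still authenticate a hello that R6 originates. Assumptions: the "youngest" key is modelled as the most recently configured one, the hello body is omitted, and interface addresses stand in for router IDs.

```python
import hashlib
import hmac
import socket
import struct

AUTH_CRYPTO, MD5_LEN = 2, 16  # OSPFv2 AuType 2; MD5 digest length

# Keys as configured in the thread, in configuration order (dicts keep order).
R2_KEYS = {6: "r6key", 5: "r5key"}
R5_KEYS = {5: "r5key"}
R6_KEYS = {6: "r6key"}

def digest(packet, secret):
    """MD5 over the packet followed by the secret zero-padded to 16 bytes."""
    return hashlib.md5(packet + secret.encode().ljust(MD5_LEN, b"\x00")).digest()

def send_hello(router_ip, keys, seq, body=b""):
    """Build a hello signed with one key only, as the debug on R2 shows.
    Assumption: the youngest key is the most recently configured one."""
    key_id = list(keys)[-1]
    header = struct.pack("!BBH4s4sHHHBBI", 2, 1, 24 + len(body),
                         socket.inet_aton(router_ip), bytes(4), 0,
                         AUTH_CRYPTO, 0, key_id, MD5_LEN, seq)
    packet = header + body
    return packet + digest(packet, keys[key_id])

def verify(wire, keys, last_seq=0):
    """Receive-side checks: key lookup by Key ID, sequence number, digest."""
    packet, received = wire[:-MD5_LEN], wire[-MD5_LEN:]
    key_id = packet[18]                          # Key ID byte in the auth field
    seq = struct.unpack("!I", packet[20:24])[0]  # cryptographic sequence number
    if key_id not in keys:
        return False, f"No message digest key {key_id} on interface"
    if seq < last_seq:
        return False, "old cryptographic sequence number"
    if not hmac.compare_digest(received, digest(packet, keys[key_id])):
        return False, "digest mismatch"
    return True, f"authenticated with key {key_id}"

if __name__ == "__main__":
    from_hub = send_hello("136.10.100.2", R2_KEYS, seq=1)
    print("R5:", verify(from_hub, R5_KEYS))
    print("R6:", verify(from_hub, R6_KEYS))
    from_r6 = send_hello("136.10.100.6", R6_KEYS, seq=1)
    print("R2:", verify(from_r6, R2_KEYS))
```

The receiver selects the key by the Key ID carried in the packet, so a spoke holding only key 6 never gets as far as checking the digest on a key 5 hello.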