RE: Knowing when authentication is turned on for a backbone

From: Joseph Brunner (joe@affirmedsystems.com)
Date: Sun Nov 18 2007 - 23:05:36 ART

• Next message: Hugo Viana: "RE: Multicast helper-map - What is wrong with it?"
• Previous message: Joseph Brunner: "RE: Multicast helper-map - What is wrong with it?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

For the answer we head back to a live rack of routers;

I will give you some scenarios and how I solve each...

Consider R6, peering ebgp with BB1 (AS54) in my rack... (I have lowered the
timers to keepalive 3 and holdtime 9)

Router6 has no password configured

BB1 has password configured as CISCO

rack1r6#debug ip bgp
BGP debugging is on
rack1r6#clear ip bgp 54

.Nov 19 01:56:39.450: BGP: 150.1.1.254 open active, delay 23497ms
.Nov 19 01:57:02.949: BGP: 150.1.1.254 open active, local address 150.1.1.6
.Nov 19 01:57:07.949: BGP: 150.1.1.254 open failed: Connection timed out;
remote host not responding

So as you see we are dead in the mud, nothing from BB1... perhaps we should
try any password?

rack1r6(config)#router bgp 65001
rack1r6(config-router)#nei 150.1.1.254 password PASS

rack1r6#clear ip bgp 54

(ah, so we are getting somewhere)

.Nov 19 02:00:52.629: %TCP-6-BADAUTH: Invalid MD5 digest from
150.1.1.254(63259) to 150.1.1.6(179)
.Nov 19 02:00:54.629: %TCP-6-BADAUTH: Invalid MD5 digest from
150.1.1.254(63259) to 150.1.1.6(179)
.Nov 19 02:00:58.627: %TCP-6-BADAUTH: Invalid MD5 digest from
150.1.1.254(63259) to 150.1.1.6(179)
.Nov 19 02:01:06.628: %TCP-6-BADAUTH: Invalid MD5 digest from
150.1.1.254(63259) to 150.1.1.6(179)

Now at least we know BB1 is using AUTHENTICATION...

As it an MD-5 hash sent on the wire, good luck cracking it...

-Joe

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Enyi
Abajue
Sent: Sunday, November 18, 2007 8:16 PM
To: Cisco certification
Subject: Knowing when authentication is turned on for a backbone router

Hello,
Does anyone know how to determine when authentication is configured on a BB
router for a bgp session. I would like to know just in case I can't get a
peer up and somehow a password is required and it was omitted. Is there a
way to determine that authentication is required by a peer?

Thank you.

• Next message: Hugo Viana: "RE: Multicast helper-map - What is wrong with it?"
• Previous message: Joseph Brunner: "RE: Multicast helper-map - What is wrong with it?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sat Dec 01 2007 - 06:37:30 ART