From: Muhabat Khan (muhabat@gmail.com)
Date: Mon Dec 29 2008 - 08:23:56 ARST
First of all, hashes are "always" a one-way process... it means you can
create a hash from the Secret, but it is not possible (or near to impossible) to
obtain the Secret from the hash, unless someone is trying brute force
or dictionary attacks.
AFAIK if two hashes don't match on two switches then both will not sync
(server/client mode); if the hash depends upon the whole config of VTP, then how will both
switches sync... Maybe I am missing something.
From Cisco:
VTP Password
If you configure a password for VTP, you must configure the password on all
switches in the VTP domain. The password must be the same password on all
those switches. The VTP password that you configure is translated by
algorithm into a 16-byte word (MD5 value) that is carried in all
summary-advertisement VTP packets.
http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080094c52.shtml
On Mon, Dec 29, 2008 at 1:13 PM, Carlos G Mendioroz <tron@huapi.ba.ar> wrote:
> If the hash only depended on the password, then just considering
> password + hash the "password" would render the whole hash thing
> useless (Just a longer password).
>
> Hashes usually cover more than the "secret", and are used to bring
> authenticity to the data, not to mention an easy way to tell if
> something has changed. To that extent maybe the hash covers,
> AFAIK, all the VTP config...
>
> -Carlos
>
> Muhabat Khan @ 29/12/2008 8:05 -0200 dixit:
> > In switches, the VTP MD5 hash (or MD5 digest) is derived from the password, for
> > successful inter-switch VTP information synchronization. These two values
> > should match, else both switches (server/client mode) will not sync with
> > each other, as each packet has this hash value and the other switch will only
> > accept information if the hash value of the received packet matches its
> > own hash value.
> > Theoretically these hash values should change only after changing the
> > password, but in this case the hash value is being derived from
> > password+domain name.... quite strange.
> >
> > two hash values are.........
> >
> > MD5 digest : 0x13 0x95 0x3A 0xE0 0xED 0x65 0x5E 0x18
> > MD5 digest : 0xC1 0x76 0xED 0x05 0x05 0x70 0x10 0xC1
> >
> > On Mon, Dec 29, 2008 at 12:47 PM, Carlos G Mendioroz <tron@huapi.ba.ar> wrote:
> >
> > What is a hash ?
> >
> > Muhabat Khan @ 29/12/2008 6:49 -0200 dixit:
> > > Hi GS,
> > > When I change a VTP domain name, the hash value on the switch also changes....
> > > Is this normal behavior? BTW I am using the dynamips NM-16ESW switch.
> > >
> > > Please see below output.
> > >
> > > Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
> > > sw2(config)#do sh vtp status
> > > VTP Version : 2
> > > Configuration Revision : 0
> > > Maximum VLANs supported locally : 36
> > > Number of existing VLANs : 5
> > > VTP Operating Mode : Client
> > > VTP Domain Name : null
> > > VTP Pruning Mode : Disabled
> > > VTP V2 Mode : Disabled
> > > VTP Traps Generation : Disabled
> > > MD5 digest : 0x13 0x95 0x3A 0xE0 0xED 0x65 0x5E 0x18
> > > Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
> > > sw2(config)#vtp
> > > sw2(config)#vtp do
> > > sw2(config)#vtp domain CCIE
> > > Changing VTP domain name from null to CCIE
> > > sw2(config)#do sh vtp status
> > > VTP Version : 2
> > > Configuration Revision : 0
> > > Maximum VLANs supported locally : 36
> > > Number of existing VLANs : 5
> > > VTP Operating Mode : Client
> > > VTP Domain Name : CCIE
> > > VTP Pruning Mode : Disabled
> > > VTP V2 Mode : Disabled
> > > VTP Traps Generation : Disabled
> > > MD5 digest : 0xC1 0x76 0xED 0x05 0x05 0x70 0x10 0xC1
> > > Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
> > >
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > >
> > >
> >
> _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> >
> > --
> > Carlos G Mendioroz <tron@huapi.ba.ar>
> > LW7 EQI Argentina
> >
> >
>
> --
> Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
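As an added illustration of the point argued in this thread (that the digest covers the domain name and the advertised fields, not only the password, which is why it moves when the domain is renamed and still lets two switches with identical config sync), here is example code that is not part of the original messages and is not Cisco's algorithm: the digest construction, the `SummaryAdvert` fields and the sample password and values are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed model of a VTP summary advertisement: only the fields needed
# for the illustration, not Cisco's packet layout.
@dataclass(frozen=True)
class SummaryAdvert:
    domain: str
    revision: int
    vlan_count: int

def vtp_like_digest(password: str, advert: SummaryAdvert) -> bytes:
    """Hypothetical digest: MD5 over the password AND the advertised fields.
    This illustrates the construction the thread infers (password + domain
    name); it is not Cisco's actual VTP algorithm."""
    material = b"|".join([
        password.encode(),
        advert.domain.encode(),
        advert.revision.to_bytes(4, "big"),
        advert.vlan_count.to_bytes(2, "big"),
    ])
    return hashlib.md5(material).digest()  # 16 bytes, as the Cisco note says

def fmt_digest(digest: bytes) -> str:
    """Render the way 'sh vtp status' prints it: 0x13 0x95 ..."""
    return " ".join(f"0x{b:02X}" for b in digest)

def receiver_accepts(local_password: str, local_domain: str,
                     advert: SummaryAdvert, received_digest: bytes) -> bool:
    """A client accepts an advertisement only if it recomputes the same digest
    from its own password and the fields it actually received."""
    if advert.domain != local_domain:
        return False  # foreign domain: ignored before any digest check
    expected = vtp_like_digest(local_password, advert)
    return hmac.compare_digest(expected, received_digest)  # constant-time compare

def demo() -> dict:
    """Cases from the thread: identical config syncs, a domain rename moves the
    digest although the password is unchanged, a tampered field is rejected."""
    advert = SummaryAdvert(domain="CCIE", revision=7, vlan_count=5)
    digest = vtp_like_digest("s3cret", advert)
    renamed = SummaryAdvert(domain="null", revision=7, vlan_count=5)
    tampered = SummaryAdvert(domain="CCIE", revision=99, vlan_count=5)
    return {
        "same_config_syncs": receiver_accepts("s3cret", "CCIE", advert, digest),
        "domain_change_moves_digest": vtp_like_digest("s3cret", renamed) != digest,
        "tampered_revision_rejected": not receiver_accepts("s3cret", "CCIE", tampered, digest),
        "wrong_password_rejected": not receiver_accepts("other", "CCIE", advert, digest),
    }
```

Every entry in `demo()` comes back True: two switches sharing password and domain compute the same digest over the same advertisement and sync, while a renamed domain, a modified revision or a different password each yield a digest mismatch.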
This archive was generated by hypermail 2.1.4 : Thu Jan 01 2009 - 12:53:10 ARST