Re: VTP MD5 hash changes

From: Carlos G Mendioroz (tron@huapi.ba.ar)
Date: Mon Dec 29 2008 - 08:31:21 ARST


If the hash was derived from the secret alone, then you would not need
to know the secret. Just knowing the hash would be enough to pretend
to be someone else. That's why you "cover" actual data too.

Hash(secret+data) -> x1x2x3x4

            data / x1x2x3x4 --> tx

                                   rx --> data / received hash

                                           Hash(secret+data) = rec ? OK!

No secret (password) is transmitted, but the hash has to "check" for the
message to be accepted.
-Carlos

Muhabat Khan @ 29/12/2008 8:23 -0200 dixit:
> First of all, hashes are "always" a one-way process... it means you can
> create a hash from the Secret, but it is not possible (or near to impossible)
> to obtain the Secret from the hash, unless someone is trying brute force
> or dictionary attacks.
>
> AFAIK if the two hashes don't match on two switches then both will not sync
> (server/client mode); if the hash depends upon the whole VTP config then how
> will both switches sync... Maybe I am missing something.
>
> from Cisco
>
>
> VTP Password
>
> If you configure a password for VTP, you must configure the password on
> all switches in the VTP domain. The password must be the same password
> on all those switches. The VTP password that you configure is translated
> by algorithm into a 16-byte word (MD5 value) that is carried in all
> summary-advertisement VTP packets.
>
> http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080094c52.shtml
>
>
> On Mon, Dec 29, 2008 at 1:13 PM, Carlos G Mendioroz <tron@huapi.ba.ar> wrote:
>
> If the hash only depended on the password, then just considering
> password + hash the "password" would render the whole hash thing
> useless (Just a longer password).
>
> Hashes usually cover more than the "secret", and are used to bring
> authenticity to the data, not to mention an easy way to tell if
> something has changed. To that extent it may be that the hash covers,
> AFAIK, all the VTP config...
>
> -Carlos
>
> Muhabat Khan @ 29/12/2008 8:05 -0200 dixit:
> > In switches, the VTP MD5 hash (or MD5 digest) is derived from the password,
> > for successful interswitch VTP information synchronization. These two values
> > should match, else both switches (server/client mode) will not sync with
> > each other, as each packet has this hash value and the other switch will
> > only accept information if the hash value of the received packet matches its
> > own hash value.
> > Theoretically these hash values should change only after changing the
> > password, but in this case the hash value is being derived from
> > password+domain name.... quite strange.
> >
> > The two hash values are.........
> >
> > MD5 digest : 0x13 0x95 0x3A 0xE0 0xED 0x65 0x5E 0x18
> > MD5 digest : 0xC1 0x76 0xED 0x05 0x05 0x70 0x10 0xC1
> >
> >
> >
> > On Mon, Dec 29, 2008 at 12:47 PM, Carlos G Mendioroz <tron@huapi.ba.ar> wrote:
> >
> > What is a hash ?
> >
> > Muhabat Khan @ 29/12/2008 6:49 -0200 dixit:
> > > Hi GS,
> > > When I change the VTP domain name, the hash value on the switch also
> > > changes.... Is this normal behavior? BTW I am using the dynamips NM-16ESW
> > > switch.
> > >
> > > Please see below output.
> > >
> > > Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
> > > sw2(config)#do sh vtp status
> > > VTP Version : 2
> > > Configuration Revision : 0
> > > Maximum VLANs supported locally : 36
> > > Number of existing VLANs : 5
> > > VTP Operating Mode : Client
> > > VTP Domain Name : null
> > > VTP Pruning Mode : Disabled
> > > VTP V2 Mode : Disabled
> > > VTP Traps Generation : Disabled
> > > MD5 digest : 0x13 0x95 0x3A 0xE0 0xED 0x65 0x5E 0x18
> > > Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
> > > sw2(config)#vtp
> > > sw2(config)#vtp do
> > > sw2(config)#vtp domain CCIE
> > > Changing VTP domain name from null to CCIE
> > > sw2(config)#do sh vtp status
> > > VTP Version : 2
> > > Configuration Revision : 0
> > > Maximum VLANs supported locally : 36
> > > Number of existing VLANs : 5
> > > VTP Operating Mode : Client
> > > VTP Domain Name : CCIE
> > > VTP Pruning Mode : Disabled
> > > VTP V2 Mode : Disabled
> > > VTP Traps Generation : Disabled
> > > MD5 digest : 0xC1 0x76 0xED 0x05 0x05 0x70 0x10 0xC1
> > > Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
> > >
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > >
> > >
> >
> > --
> > Carlos G Mendioroz <tron@huapi.ba.ar>
> > LW7 EQI Argentina
> >
> >
>
> --
> Carlos G Mendioroz <tron@huapi.ba.ar>
> LW7 EQI Argentina
>
>

-- 
Carlos G Mendioroz  <tron@huapi.ba.ar>  LW7 EQI  Argentina

Blogs and organic groups at http://www.ccie.net
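What Carlos describes in his reply, as an added example that is not part of the original thread and is not Cisco's code: a keyed digest computed over secret plus advertisement data, next to the secret-only variant the thread rejects. The password-to-secret step, the advertisement layout, the VLAN table and the password are assumptions made for the illustration; the real VTP digest computation is not reproduced here. It also shows why changing only the domain name (part of the covered data) yields a different 16-byte digest for the same password, which is the behaviour seen in the sw2 output.

```python
"""Why a keyed digest over the advertisement changes with the domain name.

Added illustration for the thread above: it follows Carlos's
Hash(secret+data) description, not Cisco's real VTP digest algorithm,
and the advertisement encoding below is constructed for the example.
"""
import hashlib
import hmac
import struct


def derive_secret(password: str) -> bytes:
    """Turn the configured VTP password into a 16-byte secret.

    Cisco's note says the password is "translated by algorithm into a
    16-byte word (MD5 value)"; hashing the raw password bytes is an
    assumption made here, not the documented transformation.
    """
    return hashlib.md5(password.encode("ascii")).digest()


def build_advertisement(domain: str, revision: int,
                        vlans: list[tuple[int, str]]) -> bytes:
    """Serialize the data the digest has to cover (constructed layout).

    Real VTP carries a 32-byte domain name field and a revision number;
    the VLAN encoding here is simplified and is not the wire format.
    """
    name = domain.encode("ascii")
    if len(name) > 32:
        raise ValueError("domain name longer than 32 bytes")
    body = bytearray(struct.pack("!B32sI", len(name), name, revision))
    for vlan_id, vlan_name in vlans:
        vname = vlan_name.encode("ascii")
        body += struct.pack("!HB", vlan_id, len(vname)) + vname
    return bytes(body)


def digest_secret_only(secret: bytes) -> bytes:
    """The weak design the thread rules out: digest depends on the secret alone."""
    return hashlib.md5(secret).digest()


def verify_secret_only(secret: bytes, advert: bytes, received: bytes) -> bool:
    """Receiver check for the weak design.

    `advert` is ignored because nothing in the digest binds it, so a
    digest captured once validates ANY advertisement an attacker sends.
    """
    del advert  # not covered by the digest, by construction
    return hmac.compare_digest(digest_secret_only(secret), received)


def digest_secret_and_data(secret: bytes, advert: bytes) -> bytes:
    """Carlos's Hash(secret+data): the digest binds the advertised data."""
    return hashlib.md5(secret + advert).digest()


def verify(secret: bytes, advert: bytes, received: bytes) -> bool:
    """Receiver side: recompute Hash(secret+data) and compare in constant time."""
    expected = digest_secret_and_data(secret, advert)
    return hmac.compare_digest(expected, received)


def hmac_digest(secret: bytes, advert: bytes) -> bytes:
    """The same idea with the standard keyed construction (HMAC-MD5).

    Plain MD5(secret + data) is open to length extension when an attacker
    knows the data and its digest; HMAC is what a new design would use.
    Offered for comparison only, not as what VTP does.
    """
    return hmac.new(secret, advert, hashlib.md5).digest()


def format_digest(d: bytes) -> str:
    """Render a digest the way `show vtp status` prints it: 0x13 0x95 ..."""
    return " ".join(f"0x{b:02X}" for b in d)


if __name__ == "__main__":
    secret = derive_secret("s3cret")                 # constructed password
    vlans = [(1, "default"), (10, "users")]          # constructed VLAN table
    before = build_advertisement("null", 0, vlans)   # domain shown as "null" in the sw2 output
    after = build_advertisement("CCIE", 0, vlans)    # same password, only the domain changed

    print("domain null :", format_digest(digest_secret_and_data(secret, before)))
    print("domain CCIE :", format_digest(digest_secret_and_data(secret, after)))

    genuine = digest_secret_and_data(secret, after)
    forged = build_advertisement("CCIE", 1, vlans + [(666, "evil")])
    print("genuine advert accepted :", verify(secret, after, genuine))   # True
    print("tampered advert accepted:", verify(secret, forged, genuine))  # False

    # With a secret-only digest, one captured value unlocks any forgery.
    captured = digest_secret_only(secret)
    print("secret-only: forgery accepted:", verify_secret_only(secret, forged, captured))  # True
```

Running it prints two different digests for the same password, one per domain name, and shows that a tampered advertisement fails the data-covering check while the secret-only check waves it through. The HMAC variant is there so the construction a practitioner should reach for today sits beside the plain concatenation the thread reasons about.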



This archive was generated by hypermail 2.1.4 : Thu Jan 01 2009 - 12:53:10 ARST