Re: VTP MD5 hash changes

From: Carlos G Mendioroz (tron@huapi.ba.ar)
Date: Mon Dec 29 2008 - 08:50:34 ARST


Not really.
What makes the check pass is that the hash computes correctly to
whatever was transmitted, and that computation is done with the
received data plus stored secret.

So if you change the domain, the client is expecting the hash to change!

-Carlos

Muhabat Khan @ 29/12/2008 8:44 -0200 dixit:
> IF YES, then here bigger issue comes.... i have sw1 - sw2 back to back
> connected...
> sw1 is server and sw2 is client.... both have same domain and password
> so hash will match.... and both will sync.
> if i change domain name on sw1 (server) then hash on sw1 will change and
> will be different than sw2, then sw2 will not get domain change
> notification from sw1... and vtp sync will be broken.
>
> BTW: changing only domain name will not change revision number on sw1,
> to increase revision number we have to do something else, like creating
> or deleting some dummy vlan. :)
>
>
>
> On Mon, Dec 29, 2008 at 1:31 PM, Carlos G Mendioroz <tron@huapi.ba.ar> wrote:
>
> If the hash was derived from the secret alone, then you would not need
> knowing the secret. Just knowing the hash would be enough to pretend
> being someone else. That's why you "cover" actual data too.
>
>
> Hash(secret+data) -> x1x2x3x4
>
> data / x1x2x3x4 --> tx
>
> rx --> data / received hash
>
> Hash(secret+data) = rec ? OK!
>
> No secret (password) is transmitted, but the hash has to "check" for
> message to be accepted.
> -Carlos
>
> Muhabat Khan @ 29/12/2008 8:23 -0200 dixit:
> > First of all hashes are "always" a one way process... it means you can
> > create a hash from Secret but it is not possible (or near to impossible)
> > to obtain Secret from hash, unless someone is trying brute force
> > or dictionary attacks.
> >
> > AFAIK if two hashes don't match on two switches then both will not sync
> > (server/client mode), if hash depends upon whole config of vtp then how
> > both switches will sync... May be i am missing something.
> >
> > from Cisco
> >
> >
> > VTP Password
> >
> > If you configure a password for VTP, you must configure the password on
> > all switches in the VTP domain. The password must be the same password
> > on all those switches. The VTP password that you configure is translated
> > by algorithm into a 16-byte word (MD5 value) that is carried in all
> > summary-advertisement VTP packets.
> >
> >
> http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080094c52.shtml
> >
> >
> > On Mon, Dec 29, 2008 at 1:13 PM, Carlos G Mendioroz <tron@huapi.ba.ar> wrote:
> >
> > If the hash only depended on the password, then just considering
> > password + hash the "password" would render the whole hash thing
> > useless (Just a longer password).
> >
> > Hashes usually cover more than the "secret", and are used to bring
> > authenticity to the data, not to mention an easy way to tell if
> > something has changed. To that extent may be that the hash covers
> > AFAIK all the vtp config...
> >
> > -Carlos
> >
> > Muhabat Khan @ 29/12/2008 8:05 -0200 dixit:
> > > In switches, VTP MD5 Hash (or MD5 digest) is derived from password for
> > > successful interswitch vtp information synchronization. These two values
> > > should match else both switches (server/client mode) will not sync with
> > > each other as each packet has this hash value and only other switch will
> > > accept information if hash value of receiving packet matches with its
> > > own hash value.
> > > Theoretically these Hash values should be changed only changing after
> > > password but in this case hash value is being derived from
> > > password+domain name.... quite strange.
> > >
> > > two hash values are.........
> > >
> > > MD5 digest : 0x13 0x95 0x3A 0xE0 0xED 0x65 0x5E 0x18
> > > MD5 digest : 0xC1 0x76 0xED 0x05 0x05 0x70 0x10 0xC1
> > >
> > >
> > >
> > > On Mon, Dec 29, 2008 at 12:47 PM, Carlos G Mendioroz <tron@huapi.ba.ar> wrote:
> > >
> > > What is a hash ?
> > >
> > > Muhabat Khan @ 29/12/2008 6:49 -0200 dixit:
> > > > Hi GS,
> > > > when i change a vtp domain name then hash value on switch also changes....
> > > > is this normal behavior? BTW i am using dynamips NM-16ESW switch.
> > > >
> > > > Please see below output.
> > > >
> > > > Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
> > > > sw2(config)#do sh vtp status
> > > > VTP Version : 2
> > > > Configuration Revision : 0
> > > > Maximum VLANs supported locally : 36
> > > > Number of existing VLANs : 5
> > > > VTP Operating Mode : Client
> > > > VTP Domain Name : null
> > > > VTP Pruning Mode : Disabled
> > > > VTP V2 Mode : Disabled
> > > > VTP Traps Generation : Disabled
> > > > MD5 digest : 0x13 0x95 0x3A 0xE0 0xED 0x65 0x5E 0x18
> > > > Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
> > > > sw2(config)#vtp
> > > > sw2(config)#vtp do
> > > > sw2(config)#vtp domain CCIE
> > > > Changing VTP domain name from null to CCIE
> > > > sw2(config)#do sh vtp status
> > > > VTP Version : 2
> > > > Configuration Revision : 0
> > > > Maximum VLANs supported locally : 36
> > > > Number of existing VLANs : 5
> > > > VTP Operating Mode : Client
> > > > VTP Domain Name : CCIE
> > > > VTP Pruning Mode : Disabled
> > > > VTP V2 Mode : Disabled
> > > > VTP Traps Generation : Disabled
> > > > MD5 digest : 0xC1 0x76 0xED 0x05 0x05 0x70 0x10 0xC1
> > > > Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
> > > >
> > > >
> > > > Blogs and organic groups at http://www.ccie.net
> > > >
> > > > _______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
> > >
> > > --
> > > Carlos G Mendioroz <tron@huapi.ba.ar>
> > > LW7 EQI Argentina
> > >
> > >
> >
> > --
> > Carlos G Mendioroz <tron@huapi.ba.ar>
> > LW7 EQI Argentina
> >
> >
>
> --
> Carlos G Mendioroz <tron@huapi.ba.ar>
> LW7 EQI Argentina
>
>

-- 
Carlos G Mendioroz  <tron@huapi.ba.ar>  LW7 EQI  Argentina
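The keyed-hash check Carlos sketches in the quoted exchange (Hash(secret+data) transmitted beside the data, recomputed by the receiver with its own stored secret, and accepted only if the two digests match) worked through in Python, as an added example that is not from this thread or from Cisco. The real VTP digest algorithm and packet layout are not given on the page, so the VtpSummary fields, the encode() serialization and the password value are constructed assumptions; only the idea Hash(secret+data) and the scenario (same password, domain changed from null to CCIE, revision unchanged) come from the thread.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass


# Simplified model of the check sketched in the thread: the sender computes
# Hash(secret + data) and transmits the data beside the hash; the receiver
# recomputes over the *received* data with its own stored secret and compares.
# The exact Cisco VTP digest construction and field layout are not on the page,
# so the serialization below is a constructed, hypothetical one.

@dataclass(frozen=True)
class VtpSummary:
    """Constructed stand-in for the advertised VTP data covered by the digest."""
    domain: str
    revision: int
    vlan_count: int


def encode(summary: VtpSummary) -> bytes:
    """Hypothetical serialization of the advertised fields (an assumption)."""
    return b"|".join([
        summary.domain.encode(),
        str(summary.revision).encode(),
        str(summary.vlan_count).encode(),
    ])


def digest(secret: str, summary: VtpSummary) -> bytes:
    """Hash(secret+data) as the thread writes it: MD5 over password || data."""
    return hashlib.md5(secret.encode() + encode(summary)).digest()


def advertise(secret: str, summary: VtpSummary) -> tuple[VtpSummary, bytes]:
    """Sender side ('data / x1x2x3x4 --> tx'): only data and hash go on the wire."""
    return summary, digest(secret, summary)


def accept(secret: str, received: VtpSummary, received_hash: bytes) -> bool:
    """Receiver side ('Hash(secret+data) = rec ? OK!'), constant-time comparison."""
    return hmac.compare_digest(digest(secret, received), received_hash)


def show(d: bytes) -> str:
    """Render a digest the way 'sh vtp status' prints it: 0x13 0x95 ..."""
    return " ".join(f"0x{b:02X}" for b in d)


def demo(password: str = "cisco123") -> dict:
    """Walk through the thread's scenario; the password is a constructed value."""
    before = VtpSummary("null", 0, 5)   # domain as in the first 'sh vtp status'
    after = VtpSummary("CCIE", 0, 5)    # after 'vtp domain CCIE', revision unchanged

    # 1. Same password, different domain name: the digest changes, as observed.
    domain_changes_digest = digest(password, before) != digest(password, after)

    # 2. A client holding the same password still accepts the new advertisement,
    #    because it recomputes over the received (new) domain name.
    data, h = advertise(password, after)
    same_secret_accepts = accept(password, data, h)

    # 3. A client holding a different password rejects it.
    wrong_secret_accepts = accept("other-password", data, h)

    # 4. Reusing a captured hash with altered data fails: the hash covers the data,
    #    which is why knowing the hash alone is not "just a longer password".
    tampered = VtpSummary("CCIE", 99, 5)
    replay_with_altered_data_accepts = accept(password, tampered, h)

    return {
        "domain_changes_digest": domain_changes_digest,
        "same_secret_accepts": same_secret_accepts,
        "wrong_secret_accepts": wrong_secret_accepts,
        "replay_with_altered_data_accepts": replay_with_altered_data_accepts,
        "digest_before": show(digest(password, before)),
        "digest_after": show(digest(password, after)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints the four outcomes plus the two digests in the `sh vtp status` format. Outcomes 1 and 2 together are the point of the thread: the digest on a switch is expected to change whenever the covered data changes, and a peer with the same secret still syncs because it verifies against what it received, not against its own stale digest. The comparison uses hmac.compare_digest so that the check does not leak timing information; the hash construction itself follows the thread's Hash(secret+data) sketch rather than the standard HMAC construction, which is what a practitioner would reach for when designing such a check today.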

Blogs and organic groups at http://www.ccie.net



This archive was generated by hypermail 2.1.4 : Thu Jan 01 2009 - 12:53:10 ARST