From: Muhabat Khan (muhabat@gmail.com)
Date: Mon Dec 29 2008 - 09:01:55 ARST
I am really confused about this strange behavior.... SW1 and SW2 are
not synchronizing....
SW1
sw1#sh vtp status
VTP Version : 2
Configuration Revision : 2
Maximum VLANs supported locally : 36
Number of existing VLANs : 8
VTP Operating Mode : Server
VTP Domain Name : myown
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xE5 0x45 0xEF 0x90 0x22 0x26 0x46 0xD5
Configuration last modified by 0.0.0.0 at 3-1-02 00:05:32
Local updater ID is 0.0.0.0 (no valid interface found)
sw1#
sw1#sh inter trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa1/9       on           802.1q         trunking      1
Fa1/10      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa1/9       1-4094
Fa1/10      1-4094

Port        Vlans allowed and active in management domain
Fa1/9       1,10,20,30
Fa1/10      1,10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Fa1/9       1,10,20,30
Fa1/10      1,10,20,30
sw1#
sw1#sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
sw2              Fas 1/10          155        R S I       3725      Fas 1/10
sw2              Fas 1/9           155        R S I       3725      Fas 1/9
sw1#
sw1#sh vtp pass
VTP Password: CISCO
sw1#
SW2
sw2#sh vtp status
VTP Version : 2
Configuration Revision : 1
Maximum VLANs supported locally : 36
Number of existing VLANs : 6
VTP Operating Mode : Client
VTP Domain Name : CCIE
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x9C 0xEA 0x9C 0x29 0x31 0x9A 0xBC 0x9F
Configuration last modified by 0.0.0.0 at 3-1-02 00:07:15
sw2#
sw2#sh int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa1/9       on           802.1q         trunking      1
Fa1/10      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa1/9       1-4094
Fa1/10      1-4094

Port        Vlans allowed and active in management domain
Fa1/9       1,10
Fa1/10      1,10

Port        Vlans in spanning tree forwarding state and not pruned
Fa1/9       1,10
Fa1/10      none
sw2#
sw2#sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
sw1              Fas 1/10          135        R S I       3725      Fas 1/10
sw1              Fas 1/9           135        R S I       3725      Fas 1/9
sw2#
sw2#sh vtp pass
VTP Password: CISCO
sw2#
and no synchronization...................
On Mon, Dec 29, 2008 at 1:50 PM, Carlos G Mendioroz <tron@huapi.ba.ar> wrote:
> Not really.
> What makes the check pass is that the hash computes correctly to
> whatever was transmitted, and that computation is done with the
> received data plus stored secret.
>
> So if you change the domain, the client is expecting the hash to change!
>
> -Carlos
>
> Muhabat Khan @ 29/12/2008 8:44 -0200 dixit:
> > IF YES, then here bigger issue comes.... I have sw1 - sw2 back to back
> > connected...
> > sw1 is server and sw2 is client.... both have same domain and password
> > so hash will match.... and both will sync.
> > If I change domain name on sw1 (server) then hash on sw1 will change and
> > will be different than sw2, then sw2 will not get domain change
> > notification from sw1... and vtp sync will be broken.
> >
> > BTW: changing only domain name will not change revision number on sw1,
> > to increase revision number we have to do something else, like creating
> > or deleting some dummy vlan. :)
> >
> >
> >
> > On Mon, Dec 29, 2008 at 1:31 PM, Carlos G Mendioroz <tron@huapi.ba.ar> wrote:
> >
> > If the hash was derived from the secret alone, then you would not need
> > to know the secret. Just knowing the hash would be enough to pretend
> > to be someone else. That's why you "cover" actual data too.
> >
> >
> > Hash(secret+data) -> x1x2x3x4
> >
> > data / x1x2x3x4 --> tx
> >
> > rx --> data / received hash
> >
> > Hash(secret+data) = rec ?
> OK!
> >
> > No secret (password) is transmitted, but the hash has to "check" for
> > message to be accepted.
> > -Carlos
> >
> > Muhabat Khan @ 29/12/2008 8:23 -0200 dixit:
> > > First of all hashes are "always" a one way process... it means you can
> > > create a hash from Secret but it is not possible (or near to impossible)
> > > to obtain Secret from hash, unless someone is trying brute force
> > > or dictionary attacks.
> > >
> > > AFAIK if two hashes don't match on two switches then both will not sync
> > > (server/client mode), if hash depends upon whole config of vtp then how
> > > both switches will sync... Maybe I am missing something.
> > >
> > > From Cisco:
> > >
> > > VTP Password
> > >
> > > If you configure a password for VTP, you must configure the password on
> > > all switches in the VTP domain. The password must be the same password
> > > on all those switches. The VTP password that you configure is translated
> > > by algorithm into a 16-byte word (MD5 value) that is carried in all
> > > summary-advertisement VTP packets.
> > >
> > > http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080094c52.shtml
> > >
> > >
> > > On Mon, Dec 29, 2008 at 1:13 PM, Carlos G Mendioroz <tron@huapi.ba.ar> wrote:
> > >
> > > If the hash only depended on the password, then just considering
> > > password + hash the "password" would render the whole hash thing
> > > useless (just a longer password).
> > >
> > > Hashes usually cover more than the "secret", and are used to bring
> > > authenticity to the data, not to mention an easy way to tell if
> > > something has changed. To that extent it may be that the hash covers
> > > AFAIK all the vtp config...
> > >
> > > -Carlos
> > >
> > > Muhabat Khan @ 29/12/2008 8:05 -0200 dixit:
> > > > In switches, VTP MD5 Hash (or MD5 digest) is derived from password. For
> > > > successful interswitch vtp information synchronization these two values
> > > > should match, else both switches (server/client mode) will not sync with
> > > > each other, as each packet has this hash value and the other switch will
> > > > only accept information if the hash value of the received packet matches
> > > > its own hash value.
> > > > Theoretically these hash values should change only after changing the
> > > > password, but in this case the hash value is being derived from
> > > > password+domain name.... quite strange.
> > > >
> > > > two hash values are.........
> > > >
> > > > MD5 digest : 0x13 0x95 0x3A 0xE0 0xED 0x65 0x5E 0x18
> > > > MD5 digest : 0xC1 0x76 0xED 0x05 0x05 0x70 0x10 0xC1
> > > >
> > > >
> > > >
> > > > On Mon, Dec 29, 2008 at 12:47 PM, Carlos G Mendioroz <tron@huapi.ba.ar> wrote:
> > > >
> > > > What is a hash ?
> > > >
> > > > Muhabat Khan @ 29/12/2008 6:49 -0200 dixit:
> > > > > Hi GS,
> > > > > when I change a vtp domain name then the hash value on the switch also
> > > > > changes.... is this normal behavior? BTW I am using a dynamips NM-16ESW
> > > > > switch.
> > > > >
> > > > > Please see below output.
> > > > >
> > > > > Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
> > > > > sw2(config)#do sh vtp status
> > > > > VTP Version : 2
> > > > > Configuration Revision : 0
> > > > > Maximum VLANs supported locally : 36
> > > > > Number of existing VLANs : 5
> > > > > VTP Operating Mode : Client
> > > > > VTP Domain Name : null
> > > > > VTP Pruning Mode : Disabled
> > > > > VTP V2 Mode : Disabled
> > > > > VTP Traps Generation : Disabled
> > > > > MD5 digest : 0x13 0x95 0x3A 0xE0 0xED 0x65 0x5E 0x18
> > > > > Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
> > > > > sw2(config)#vtp
> > > > > sw2(config)#vtp do
> > > > > sw2(config)#vtp domain CCIE
> > > > > Changing VTP domain name from null to CCIE
> > > > > sw2(config)#do sh vtp status
> > > > > VTP Version : 2
> > > > > Configuration Revision : 0
> > > > > Maximum VLANs supported locally : 36
> > > > > Number of existing VLANs : 5
> > > > > VTP Operating Mode : Client
> > > > > VTP Domain Name : CCIE
> > > > > VTP Pruning Mode : Disabled
> > > > > VTP V2 Mode : Disabled
> > > > > VTP Traps Generation : Disabled
> > > > > MD5 digest : 0xC1 0x76 0xED 0x05 0x05 0x70 0x10 0xC1
> > > > > Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
> > > > >
> > > >
> > > > --
> > > > Carlos G Mendioroz <tron@huapi.ba.ar>
> > > > LW7 EQI Argentina
> > > >
> > > >
> > >
> > > --
> > > Carlos G Mendioroz <tron@huapi.ba.ar>
> > > LW7 EQI Argentina
> > >
> > >
> >
> > --
> > Carlos G Mendioroz <tron@huapi.ba.ar>
> > LW7 EQI Argentina
> >
> >
>
> --
> Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
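An added illustration, not code from the thread or from Cisco, of the Hash(secret+data) exchange Carlos sketches above and of the SW1 ("myown") versus SW2 ("CCIE") output at the top: a simplified Python model in which the server digests its stored password together with the advertised data and the client recomputes the digest over what it received. The field layout, the 16-byte padding and the check order are assumptions for the illustration, not the real VTP digest or packet format.

```python
import hashlib
from dataclasses import dataclass
from typing import Tuple

# Constructed model of the Hash(secret+data) scheme from the thread; the field
# layout and 16-byte padding are assumptions, not Cisco's real VTP digest format.

@dataclass(frozen=True)
class SummaryAdvert:
    domain: str             # VTP domain name, sent in the clear
    revision: int           # configuration revision
    vlans: Tuple[int, ...]  # advertised VLAN ids

def vtp_digest(password: str, adv: SummaryAdvert) -> bytes:
    """Keyed digest over the stored secret plus the advertised data.
    Only the digest travels on the wire; the password itself never does."""
    h = hashlib.md5()
    h.update(password.encode().ljust(16, b"\x00"))  # assumed padding
    h.update(adv.domain.encode())
    h.update(adv.revision.to_bytes(4, "big"))
    h.update(",".join(map(str, adv.vlans)).encode())
    return h.digest()

def server_advertise(password: str, adv: SummaryAdvert):
    """Server side: 'data / x1x2x3x4 --> tx'."""
    return adv, vtp_digest(password, adv)

def client_check(password: str, own_domain: str, own_revision: int, frame) -> str:
    """Client side: recompute Hash(secret+received data) and compare, after the
    domain and revision rules a VTP client applies."""
    adv, rx_digest = frame
    if adv.domain != own_domain:
        return "ignored: foreign domain"
    if vtp_digest(password, adv) != rx_digest:
        return "rejected: digest mismatch"
    if adv.revision <= own_revision:
        return "ignored: revision not higher"
    return "accepted"

def demo() -> dict:
    pw = "CISCO"
    frame = server_advertise(pw, SummaryAdvert("myown", 2, (1, 10, 20, 30)))
    forged = (SummaryAdvert("myown", 9, (1, 10, 99)), frame[1])  # data changed, digest replayed
    return {
        "sw2_in_domain_CCIE": client_check(pw, "CCIE", 1, frame),
        "sw2_in_domain_myown": client_check(pw, "myown", 1, frame),
        "wrong_password": client_check("cisco", "myown", 1, frame),
        "replayed_digest": client_check(pw, "myown", 1, forged),
        # renaming the domain alone changes the digest, even at revision 0
        "rename_changes_digest": vtp_digest(pw, SummaryAdvert("null", 0, (1,)))
                                 != vtp_digest(pw, SummaryAdvert("CCIE", 0, (1,))),
    }
```

The "replayed_digest" case is why the digest must cover the data and not just the secret: a captured digest does not validate modified data.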
Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Thu Jan 01 2009 - 12:53:10 ARST