Re: VTP MD5 hash changes

From: Carlos G Mendioroz (tron@huapi.ba.ar)
Date: Mon Dec 29 2008 - 09:07:33 ARST


What do you mean by synchronizing?
For a client to trust a server and copy its vlan info, it has to be
in the same domain. It follows that if you change the server domain,
the client, which is now in another domain, will not keep the sync.

This rule ONLY breaks if the client domain is "null", in which case
the client will blindly believe whatever domain it hears in the
first vtp message, and use that from that point on.

-Carlos

Muhabat Khan @ 29/12/2008 9:01 -0200 dixit:
> I am really confused about this strange behavior.... SW1 and SW2 are
> not synchronizing....
>
> SW1
>
> sw1#sh vtp status
> VTP Version : 2
> Configuration Revision : 2
> Maximum VLANs supported locally : 36
> Number of existing VLANs : 8
> VTP Operating Mode : Server
> VTP Domain Name : myown
> VTP Pruning Mode : Disabled
> VTP V2 Mode : Disabled
> VTP Traps Generation : Disabled
> MD5 digest : 0xE5 0x45 0xEF 0x90 0x22 0x26 0x46 0xD5
> Configuration last modified by 0.0.0.0 at 3-1-02 00:05:32
> Local updater ID is 0.0.0.0 (no valid interface found)
> sw1#
> sw1#sh inter trunk
>
> Port Mode Encapsulation Status Native vlan
> Fa1/9 on 802.1q trunking 1
> Fa1/10 on 802.1q trunking 1
>
> Port Vlans allowed on trunk
> Fa1/9 1-4094
> Fa1/10 1-4094
>
> Port Vlans allowed and active in management domain
> Fa1/9 1,10,20,30
> Fa1/10 1,10,20,30
>
> Port Vlans in spanning tree forwarding state and not pruned
> Fa1/9 1,10,20,30
> Fa1/10 1,10,20,30
> sw1#
> sw1#sh cdp nei
> Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
> S - Switch, H - Host, I - IGMP, r - Repeater
>
> Device ID Local Intrfce Holdtme Capability Platform Port ID
> sw2 Fas 1/10 155 R S I 3725 Fas 1/10
> sw2 Fas 1/9 155 R S I 3725 Fas 1/9
> sw1#
> sw1#sh vtp pass
> VTP Password: CISCO
> sw1#
>
> SW2
>
> sw2#sh vtp status
> VTP Version : 2
> Configuration Revision : 1
> Maximum VLANs supported locally : 36
> Number of existing VLANs : 6
> VTP Operating Mode : Client
> VTP Domain Name : CCIE
> VTP Pruning Mode : Disabled
> VTP V2 Mode : Disabled
> VTP Traps Generation : Disabled
> MD5 digest : 0x9C 0xEA 0x9C 0x29 0x31 0x9A 0xBC 0x9F
> Configuration last modified by 0.0.0.0 at 3-1-02 00:07:15
> sw2#
> sw2#sh int trunk
>
> Port Mode Encapsulation Status Native vlan
> Fa1/9 on 802.1q trunking 1
> Fa1/10 on 802.1q trunking 1
>
> Port Vlans allowed on trunk
> Fa1/9 1-4094
> Fa1/10 1-4094
>
> Port Vlans allowed and active in management domain
> Fa1/9 1,10
> Fa1/10 1,10
>
> Port Vlans in spanning tree forwarding state and not pruned
> Fa1/9 1,10
> Fa1/10 none
> sw2#
> sw2#sh cdp nei
> Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
> S - Switch, H - Host, I - IGMP, r - Repeater
>
> Device ID Local Intrfce Holdtme Capability Platform Port ID
> sw1 Fas 1/10 135 R S I 3725 Fas 1/10
> sw1 Fas 1/9 135 R S I 3725 Fas 1/9
> sw2#
> sw2#sh vtp pass
> VTP Password: CISCO
> sw2#
>
> and no synchronization...................
>
> On Mon, Dec 29, 2008 at 1:50 PM, Carlos G Mendioroz <tron@huapi.ba.ar> wrote:
>
> Not really.
> What makes the check pass is that the hash computes correctly to
> whatever was transmitted, and that computation is done with the
> received data plus stored secret.
>
> So if you change the domain, the client is expecting the hash to change!
>
> -Carlos
>
> Muhabat Khan @ 29/12/2008 8:44 -0200 dixit:
> > IF YES, then here bigger issue comes.... I have sw1 - sw2 back to back
> > connected...
> > sw1 is server and sw2 is client.... both have same domain and password
> > so hash will match.... and both will sync.
> > If I change domain name on sw1 (server) then hash on sw1 will change and
> > will be different than sw2, then sw2 will not get domain change
> > notification from sw1... and vtp sync will be broken.
> >
> > BTW: changing only domain name will not change revision number on sw1;
> > to increase revision number we have to do something else, like creating
> > or deleting some dummy vlan. :)
> >
> >
> >
> > On Mon, Dec 29, 2008 at 1:31 PM, Carlos G Mendioroz <tron@huapi.ba.ar> wrote:
> >
> > If the hash was derived from the secret alone, then you would not need
> > to know the secret. Just knowing the hash would be enough to pretend
> > to be someone else. That's why you "cover" actual data too.
> >
> >
> > Hash(secret+data) -> x1x2x3x4
> >
> > data / x1x2x3x4 --> tx
> >
> > rx --> data / received hash
> >
> > Hash(secret+data) = rec ? OK!
> >
> > No secret (password) is transmitted, but the hash has to "check" for
> > the message to be accepted.
> > -Carlos
> >
> > Muhabat Khan @ 29/12/2008 8:23 -0200 dixit:
> > > First of all hashes are "always" a one way process... it means you can
> > > create a hash from Secret but it is not possible (or near to impossible)
> > > to obtain Secret from hash, unless someone is trying brute force
> > > or dictionary attacks.
> > >
> > > AFAIK if two hashes don't match on two switches then both will not sync
> > > (server/client mode). If hash depends upon whole config of vtp then how
> > > will both switches sync... Maybe I am missing something.
> > >
> > > from Cisco
> > >
> > >
> > > VTP Password
> > >
> > > If you configure a password for VTP, you must configure the password on
> > > all switches in the VTP domain. The password must be the same password
> > > on all those switches. The VTP password that you configure is translated
> > > by algorithm into a 16-byte word (MD5 value) that is carried in all
> > > summary-advertisement VTP packets.
> > >
> > > http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080094c52.shtml
> > >
> > >
> > > On Mon, Dec 29, 2008 at 1:13 PM, Carlos G Mendioroz <tron@huapi.ba.ar> wrote:
> > >
> > > If the hash only depended on the password, then just considering
> > > password + hash the "password" would render the whole hash thing
> > > useless (just a longer password).
> > >
> > > Hashes usually cover more than the "secret", and are used to bring
> > > authenticity to the data, not to mention an easy way to tell if
> > > something has changed. To that extent may be that the hash covers
> > > AFAIK all the vtp config...
> > >
> > > -Carlos
> > >
> > > Muhabat Khan @ 29/12/2008 8:05 -0200 dixit:
> > > > In switches, VTP MD5 Hash (or MD5 digest) is derived from password.
> > > > For successful interswitch vtp information synchronization, these two
> > > > values should match, else both switches (server/client mode) will not
> > > > sync with each other, as each packet has this hash value and the other
> > > > switch will only accept information if hash value of receiving packet
> > > > matches with its own hash value.
> > > > Theoretically these Hash values should change only after changing
> > > > password, but in this case hash value is being derived from
> > > > password+domain name.... quite strange.
> > > >
> > > > two hash values are.........
> > > >
> > > > MD5 digest : 0x13 0x95 0x3A 0xE0 0xED 0x65 0x5E 0x18
> > > > MD5 digest : 0xC1 0x76 0xED 0x05 0x05 0x70 0x10 0xC1
> > > >
> > > >
> > > >
> > > > On Mon, Dec 29, 2008 at 12:47 PM, Carlos G Mendioroz <tron@huapi.ba.ar> wrote:
> > > >
> > > > What is a hash ?
> > > >
> > > > Muhabat Khan @ 29/12/2008 6:49 -0200 dixit:
> > > > > Hi GS,
> > > > > when I change a vtp domain name then hash value on switch also
> > > > > changes....
> > > > > is this normal behavior? BTW I am using dynamips NM-16ESW switch.
> > > > >
> > > > > Please see below output.
> > > > >
> > > > > Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
> > > > > sw2(config)#do sh vtp status
> > > > > VTP Version : 2
> > > > > Configuration Revision : 0
> > > > > Maximum VLANs supported locally : 36
> > > > > Number of existing VLANs : 5
> > > > > VTP Operating Mode : Client
> > > > > VTP Domain Name : null
> > > > > VTP Pruning Mode : Disabled
> > > > > VTP V2 Mode : Disabled
> > > > > VTP Traps Generation : Disabled
> > > > > MD5 digest : 0x13 0x95 0x3A 0xE0 0xED 0x65 0x5E 0x18
> > > > > Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
> > > > > sw2(config)#vtp
> > > > > sw2(config)#vtp do
> > > > > sw2(config)#vtp domain CCIE
> > > > > Changing VTP domain name from null to CCIE
> > > > > sw2(config)#do sh vtp status
> > > > > VTP Version : 2
> > > > > Configuration Revision : 0
> > > > > Maximum VLANs supported locally : 36
> > > > > Number of existing VLANs : 5
> > > > > VTP Operating Mode : Client
> > > > > VTP Domain Name : CCIE
> > > > > VTP Pruning Mode : Disabled
> > > > > VTP V2 Mode : Disabled
> > > > > VTP Traps Generation : Disabled
> > > > > MD5 digest : 0xC1 0x76 0xED 0x05 0x05 0x70 0x10 0xC1
> > > > > Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
> > > > >
> > > > >
> > > > > Blogs and organic groups at http://www.ccie.net
> > > > >
> > > > > _______________________________________________________________________
> > > > > Subscription information may be found at:
> > > > > http://www.groupstudy.com/list/CCIELab.html
> > > > >
> > > >
> > > > --
> > > > Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
> > > >
> > > >
> > >
> > > --
> > > Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
> > >
> > >
> >
> > --
> > Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
> >
> >
>
> --
> Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
>
>

-- 
Carlos G Mendioroz  <tron@huapi.ba.ar>  LW7 EQI  Argentina
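The check Carlos describes in the thread (Hash(secret+data) sent with the data, recomputed by the receiver with its own stored secret, plus the same-domain and null-domain rules from his reply), as an added Python model that is not part of this thread or of Cisco's code; the functions `vtp_digest`, `build_summary`, `client_accepts`, `scenarios` and the packet field layout are assumptions for illustration, not the real VTP summary-advertisement format.

```python
import hashlib
import hmac

# Constructed model of the exchange in the thread: the digest is Hash(secret +
# data), sent with the data, and the receiver recomputes it with its own stored
# secret. Field layout is an assumption, not Cisco's real VTP packet format.
def vtp_digest(secret, domain, revision):
    data = domain.encode() + revision.to_bytes(4, "big")
    return hashlib.md5(secret.encode() + data).digest()

def build_summary(secret, domain, revision):
    """Server side: advertise data plus its digest; the secret is never sent."""
    return {"domain": domain, "revision": revision,
            "digest": vtp_digest(secret, domain, revision)}

def client_accepts(client, adv):
    """Client side check. Returns (accepted, reason); updates state on accept."""
    if client["domain"] is None:  # null domain: adopt the first domain heard
        client["domain"] = adv["domain"]
    if adv["domain"] != client["domain"]:
        return False, "domain mismatch"
    expected = vtp_digest(client["secret"], adv["domain"], adv["revision"])
    if not hmac.compare_digest(expected, adv["digest"]):
        return False, "digest mismatch"
    if adv["revision"] <= client["revision"]:  # simplified revision rule
        return False, "revision not higher"
    client["revision"] = adv["revision"]
    return True, "synced"

def scenarios():
    """Replays the thread's situations; returns the reason string for each."""
    out = {}
    # sw1 (server) and sw2 (client) share domain CCIE and password CISCO: sync.
    sw2 = {"secret": "CISCO", "domain": "CCIE", "revision": 1}
    out["same_domain"] = client_accepts(sw2, build_summary("CISCO", "CCIE", 2))[1]
    # sw1 renamed to "myown"; sw2 still in CCIE with the same password: no sync.
    sw2 = {"secret": "CISCO", "domain": "CCIE", "revision": 1}
    out["server_renamed"] = client_accepts(sw2, build_summary("CISCO", "myown", 2))[1]
    # A client with a null domain believes the first domain it hears.
    fresh = {"secret": "CISCO", "domain": None, "revision": 0}
    out["null_domain"] = client_accepts(fresh, build_summary("CISCO", "myown", 2))[1]
    # Same domain, different password: the digest computes to another value.
    sw2 = {"secret": "cisco", "domain": "CCIE", "revision": 1}
    out["wrong_password"] = client_accepts(sw2, build_summary("CISCO", "CCIE", 2))[1]
    # Data altered in transit by someone without the secret: digest fails.
    adv = build_summary("CISCO", "CCIE", 2)
    adv["revision"] = 9
    sw2 = {"secret": "CISCO", "domain": "CCIE", "revision": 1}
    out["tampered"] = client_accepts(sw2, adv)[1]
    return out
```

Note that in this model, as in the thread, changing only the domain with the same password already yields a different digest, which is the observation that started the discussion.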

Blogs and organic groups at http://www.ccie.net



This archive was generated by hypermail 2.1.4 : Thu Jan 01 2009 - 12:53:10 ARST