OSPF authentication is a two-step process. The first step is to agree
upon the authentication type. The default type is null (type 0) so
assuming the default configuration, devices will become OSPF neighbors
since they agree upon the authentication type (type 0). ALL OSPF
devices on a common subnet/segment must agree upon the authentication
type before becoming neighbors. This occurs prior to the actual
authentication.

Step one commands:

Interface Level:
  ip ospf authentication null <- type 0
  ip ospf authentication <- type 1
  ip ospf authentication message-digest <- type 2

Virtual-Link:
  area X virtual-link X.X.X.X authentication null <- type 0
  area X virtual-link X.X.X.X authentication <- type 1
  area X virtual-link X.X.X.X authentication message-digest <- type 2

Process-Level:
  area X authentication <- type 1
  area X authentication message-digest <- type 2

Interface level commands override commands done at the process level.
In regard to setting the authentication type, you can think of the
default as:
router ospf 1
area X authentication null
That "null" option doesn't actually exist at the process level as it's
the default. The "null" option does exist at the interface level so
that the process level command can be overridden if desired.
The second step is the actual authentication itself. This step involves
agreeing upon the authentication password in the case of plain text
authentication (type 1) or the key and message digest in the case of MD5
(type 2). In the case of Null authentication (type 0) the 64-bit
authentication field is ignored.

Step two commands:

Interface:
  ip ospf authentication-key <password>
  ip ospf message-digest-key <key id> md5 <password>

Virtual-Link:
  area X virtual-link X.X.X.X authentication-key <password>
  area X virtual-link X.X.X.X message-digest-key <key id> md5 <password>

Lastly, note that step one alone affects the neighbor relationship but
step two only affects the neighbor relationship if step one is successful.

--
Brian Dennis, CCIEx5 #2210 (R&S/ISP-Dial/Security/SP/Voice)
bdennis_at_ine.com
Internetwork Expert, Inc.
http://www.INE.com

On 03/10/2012 04:56 PM, Aaron wrote:
> Isn't it weird that ospf authentication works even without a password?
>
> I enabled area 0 authentication and it works, even before I ever specify a
> password anywhere.
>
> Aaron

Received on Sat Mar 10 2012 - 18:33:58 ART
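
The two-step check described in the message above, as an added example that is not part of the original post or of any router's code. It parses the OSPFv2 header fields involved (AuType and the 64-bit authentication field) from constructed sample packets. The function names are hypothetical, an unconfigured password is modelled as eight zero bytes (an assumption), and MD5 digest verification is not modelled.

```python
import struct

# OSPFv2 header (RFC 2328 A.3.1): version, type, length, router ID, area ID,
# checksum, AuType, then the 64-bit authentication field. 24 bytes in total.
HDR = struct.Struct("!BBHIIHH8s")
AU_NULL, AU_SIMPLE, AU_MD5 = 0, 1, 2

def build_header(autype, auth_field=b"", router_id=0x01010101, area_id=0):
    """Constructed sample header: type 1 (Hello), checksum left at zero."""
    return HDR.pack(2, 1, HDR.size, router_id, area_id, 0, autype,
                    auth_field.ljust(8, b"\0"))

def md5_auth_field(key_id, seq):
    """Type 2 layout: 2 zero bytes, key ID, digest length (16), sequence number."""
    return struct.pack("!HBBI", 0, key_id, 16, seq)

def check(packet, local_autype, local_password=b"", local_key_ids=()):
    """Return (accepted, reason) for a received header against local settings."""
    if len(packet) < HDR.size:
        return False, "truncated header"
    *_, autype, auth = HDR.unpack(packet[:HDR.size])
    # Step one: the authentication type must agree before anything else.
    if autype != local_autype:
        return False, "mismatched authentication type"
    # Step two: only reached when step one succeeded.
    if autype == AU_NULL:
        return True, "null: authentication field ignored"
    if autype == AU_SIMPLE:
        # Assumption: an unset password is sent and compared as all zeros.
        if auth == local_password.ljust(8, b"\0"):
            return True, "password match"
        return False, "mismatched password"
    _, key_id, _, _ = struct.unpack("!HBBI", auth)
    if key_id in local_key_ids:
        return True, "key ID known (digest check not modelled)"
    return False, "unknown key ID"

if __name__ == "__main__":
    # Type 1 on both sides, no password configured anywhere.
    print(check(build_header(AU_SIMPLE), AU_SIMPLE))
    # Type 1 sender, type 0 receiver: fails at step one.
    print(check(build_header(AU_SIMPLE, b"cisco"), AU_NULL))
```

Under this model, type 1 with no password on either side is accepted because both ends agree on the type and on the same empty key, so a neighbor relationship on its own is not evidence that a password is configured.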