RE: ospf authentication

From: Brian McGahan <bmcgahan_at_ine.com>
Date: Sun, 11 Mar 2012 01:56:57 -0600

Technically NULL authentication means you are authenticating with any arbitrary string. If you read the OSPF specification (http://www.ietf.org/rfc/rfc2328.txt) it gives more detail:

D. Authentication

    All OSPF protocol exchanges are authenticated. The OSPF packet
    header (see Section A.3.1) includes an authentication type field,
    and 64-bits of data for use by the appropriate authentication scheme
    (determined by the type field).

    The authentication type is configurable on a per-interface (or
    equivalently, on a per-network/subnet) basis. Additional
    authentication data is also configurable on a per-interface basis.

    Authentication types 0, 1 and 2 are defined by this specification.
    All other authentication types are reserved for definition by the
    IANA (iana_at_ISI.EDU). The current list of authentication types is
    described below in Table 20.

                  AuType       Description
                  ___________________________________________
                  0            Null authentication
                  1            Simple password
                  2            Cryptographic authentication
                  All others   Reserved for assignment by the
                               IANA (iana_at_ISI.EDU)
<snip>

"NULL" authentication is technically not "no" authentication, but in reality it means the same thing. The key point is that there is a difference between the negotiation of the authentication *type* and the authentication *key*.

Both the authentication types and keys can be NULL. Even though "NULL" is a zero value, it still counts as a value. This is why if you configure two routers to authenticate each other with MD5 (Type 2) authentication, but don't set the key, it still works. This is because they have agreed on Authentication Type 2 (MD5) and Authentication Key NULL.

HTH,

Brian McGahan, CCIE #8593 (R&S/SP/Security)
bmcgahan_at_INE.com
 
Internetwork Expert, Inc.
http://www.INE.com
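An added example (not part of the thread): a small Python model of the RFC 2328 packet header and the Appendix D.4.3 MD5 scheme. It shows why two peers that agree on AuType 2 but never set a key still verify each other's packets: the key both sides feed into the digest is all zeros. A mismatched key, or a packet that was not sent with type 2, fails the check. It assumes, as Cisco does, that a key shorter than 16 bytes is zero-padded; the Hello body values are constructed.

```python
import hashlib
import hmac
import struct

# OSPFv2 header (RFC 2328 A.3.1): version, type, length, router id, area id,
# checksum, AuType, and 64 bits of authentication data.
OSPF_HDR = struct.Struct("!BBHIIHH8s")
AUTYPE_NAMES = {0: "Null", 1: "Simple password", 2: "Cryptographic"}

def parse_header(pkt):
    """Return the OSPFv2 header fields as a dict."""
    ver, ptype, length, rid, aid, csum, autype, auth = OSPF_HDR.unpack_from(pkt)
    return {"version": ver, "type": ptype, "length": length, "router_id": rid,
            "area_id": aid, "autype": autype,
            "autype_name": AUTYPE_NAMES.get(autype, "Reserved"), "auth": auth}

def md5_digest(body, key):
    """RFC 2328 D.4.3: MD5 over the packet followed by the 16-byte key.
    A key that was never configured is all zeros (zero-padding assumed)."""
    return hashlib.md5(body + key.encode().ljust(16, b"\x00")).digest()

def build_hello(router_id, area_id, key, seq=1, key_id=1):
    """Constructed OSPF Hello carrying type 2 (cryptographic) authentication."""
    # Hello body: mask, HelloInterval, options, priority, dead interval, DR, BDR
    hello = struct.pack("!IHBBIII", 0xFFFFFF00, 10, 1, 2, 40, 0, 0)
    length = OSPF_HDR.size + len(hello)  # excludes the trailing digest
    # For AuType 2 the 64-bit auth field holds: zero, key id, digest length,
    # cryptographic sequence number; the checksum field is zero.
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    hdr = OSPF_HDR.pack(2, 1, length, router_id, area_id, 0, 2, auth)
    pkt = hdr + hello
    return pkt + md5_digest(pkt, key)

def verify(pkt, key):
    """Check a received packet against the locally configured key."""
    h = parse_header(pkt)
    if h["autype"] != 2:
        return False  # only type 2 carries a digest to verify
    body = pkt[:h["length"]]
    digest = pkt[h["length"]:h["length"] + 16]
    return hmac.compare_digest(digest, md5_digest(body, key))
```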

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Narbik Kocharians
Sent: Saturday, March 10, 2012 10:24 PM
To: Aaron
Cc: Joe Astorino; CCIE GROUPSTUDY
Subject: Re: ospf authentication

Aaron,

Remember that the "Ip ospf authentication null" is the command that is used to *disable* authentication. OSPF authentication can either be none (Or as Brian called it Null), simple or MD5. The authentication method none (Null), means that you have *no* authentication.

On Sat, Mar 10, 2012 at 5:36 PM, Aaron <aaron1_at_gvtc.com> wrote:

> But that's where it was weird (unless I'm not understanding what you
> are saying).
>
> I did this
>
> Router ospf 1
> Area 0 auth messag
>
> r6(config-subif)#do sh ip osp | in auth
> Area has message digest authentication
>
> and it seems that even with that turned on I can neighbor up with
> routers and I don't even have to provide a md5 password anywhere. Is
> that called type 0, 1, or 2? I'm getting the impression that what
> I've done was a half-baked type 2. In other words it ain't truly type
> 2 md5 auth until the int config "ip osp mess 1 md5 cisco" is applied. True?
>
> Aaron
>
>
> -----Original Message-----
> From: Joe Astorino [mailto:joeastorino1982_at_gmail.com]
> Sent: Saturday, March 10, 2012 7:24 PM
> To: Aaron; CCIE GROUPSTUDY
> Subject: Re: ospf authentication
>
> There are 3 types
>
> NULL, Clear text and MD5. So technically it can work without a
> password using NULL authentication type
>
>
>
> On 3/10/12, Aaron <aaron1_at_gvtc.com> wrote:
> > Isn't it weird that ospf authentication works even without a password?
> >
> > I enabled area 0 authentication and it works, even before I ever
> > specify a password anywhere.
> >
> > Aaron
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > ______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
> --
> Sent from my mobile device
>
> Regards,
>
> Joe Astorino
> CCIE #24347
> http://astorinonetworks.com
>
> "He not busy being born is busy dying" - Dylan
>
>

--
*Narbik Kocharians
*CCSI#30832, CCIE# 12410 (R&S, SP, Security)
*www.MicronicsTraining.com* <http://www.micronicstraining.com/>
Sr. Technical Instructor
YES! We take Cisco Learning Credits!
Training & Remote Racks available
Received on Sun Mar 11 2012 - 01:56:57 ART

This archive was generated by hypermail 2.2.0 : Sun Apr 01 2012 - 07:56:52 ART