Hi Aaron,
When doing authentication with OSPF, keep 2 points in mind:
1. Enabling the authentication (this is the first step).
2. Defining the password: Null, Clear, MD5.
If you enable authentication on both sides using the authentication command, it
enables the authentication and OSPF will work.
After that you need to define the authentication password.
If you want to understand more about it, check the INE 4.0 videos in which
Brian describes this very well :)
Br
Roy
> From: markom_at_ipexpert.com
> Date: Sun, 11 Mar 2012 11:57:33 -0700
> Subject: Re: ospf authentication
> To: narbikk_at_gmail.com
> CC: negron.paul_at_gmail.com; bmcgahan_at_ine.com; aaron1_at_gvtc.com; ccielab_at_groupstudy.com
>
> My understanding is irrelevant, really, as I fully understand how it
> works. But as I wrote in my message - I think it's important to
> understand that OSPF authentication is a 2-stage process when
> troubleshooting problems.
>
> --
> Marko Milivojevic - CCIE #18427 (SP R&S)
> Senior CCIE Instructor - IPexpert
>
> On Sun, Mar 11, 2012 at 11:49, Narbik Kocharians <narbikk_at_gmail.com> wrote:
> > I don't think anyone took cheap shots, read this and tell me what your
> > understanding is:
> >
> >
> > This is what the RFC (2328 page 227) states, it clearly states that there is
> > no authentication:
> >
> >    D.1 Null authentication
> >
> >        Use of this authentication type means that routing exchanges
> >        over the network/subnet are not authenticated.  The 64-bit
> >        authentication field in the OSPF header can contain anything; it
> >        is not examined on packet reception. When employing Null
> >        authentication, the entire contents of each OSPF packet (other
> >        than the 64-bit authentication field) are checksummed in order
> >        to detect data corruption.
> >
> >
> > On Sun, Mar 11, 2012 at 11:17 AM, Marko Milivojevic <markom_at_ipexpert.com>
> > wrote:
> >>
> >> In fact, if you wanted to simplify the things, that's exactly how it
> >> should be understood.
> >>
> >> --
> >> Marko Milivojevic - CCIE #18427 (SP R&S)
> >> Senior CCIE Instructor - IPexpert
> >>
> >> On Sun, Mar 11, 2012 at 10:37, Paul Negron <negron.paul_at_gmail.com> wrote:
> >> > Brian,
> >> >
> >> > If null is the type and "0" is technically the value.
> >> >
> >> > Then is it true that we have 5 types of authentication...TECHNICALLY?
> >> >
> >> >
> >> > Null- with value 0
> >> > Simple password - with no value
> >> > Simple Password- with value
> >> > Cryptographic- with no value
> >> > Cryptographic- with value
> >> >
> >> > This would confuse the issue considerably with everything written on the
> >> > subject.
> >> >
> >> > Paul
> >> >
> >> > --
> >> > Paul Negron
> >> > CCIE# 14856 CCSI# 22752
> >> > Senior Technical Instructor
> >> >
> >> >
> >> >
> >> >> From: Brian McGahan <bmcgahan_at_ine.com>
> >> >> Reply-To: Brian McGahan <bmcgahan_at_ine.com>
> >> >> Date: Sun, 11 Mar 2012 10:49:36 -0500
> >> >> To: Narbik Kocharians <narbikk_at_gmail.com>
> >> >> Cc: Aaron <aaron1_at_gvtc.com>, CCIE GROUPSTUDY <ccielab_at_groupstudy.com>
> >> >> Conversation: ospf authentication
> >> >> Subject: Re: ospf authentication
> >> >>
> >> >> This isn't saying what you're saying: http://goo.gl/SmxY2
> >> >>
> >> >>
> >> >> Brian McGahan, CCIE #8593 (R&S/SP/Security)
> >> >> bmcgahan_at_INE.com
> >> >>
> >> >> Internetwork Expert, Inc.
> >> >> http://www.INE.com
> >> >>
> >> >> On Mar 11, 2012, at 3:33 AM, "Narbik Kocharians" <narbikk_at_gmail.com> wrote:
> >> >>
> >> >> Brian,
> >> >>
> >> >> This is not saying what you are stating:
> >> >>
> >> >>
> >> >>
> >> >> http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080094069.shtml
> >> >>
> >> >> On Sat, Mar 10, 2012 at 11:56 PM, Brian McGahan <bmcgahan_at_ine.com> wrote:
> >> >> Technically NULL authentication means you are authenticating with any
> >> >> arbitrary string.  If you read the OSPF specification
> >> >> (http://www.ietf.org/rfc/rfc2328.txt) it gives more detail:
> >> >>
> >> >> D. Authentication
> >> >>
> >> >>    All OSPF protocol exchanges are authenticated.  The OSPF packet
> >> >>    header (see Section A.3.1) includes an authentication type field,
> >> >>    and 64-bits of data for use by the appropriate authentication scheme
> >> >>    (determined by the type field).
> >> >>
> >> >>    The authentication type is configurable on a per-interface (or
> >> >>    equivalently, on a per-network/subnet) basis.  Additional
> >> >>    authentication data is also configurable on a per-interface basis.
> >> >>
> >> >>    Authentication types 0, 1 and 2 are defined by this specification.
> >> >>    All other authentication types are reserved for definition by the
> >> >>    IANA (iana_at_ISI.EDU).  The current list of authentication types is
> >> >>    described below in Table 20.
> >> >>
> >> >>          AuType       Description
> >> >>          ___________________________________________
> >> >>          0            Null authentication
> >> >>          1            Simple password
> >> >>          2            Cryptographic authentication
> >> >>          All others   Reserved for assignment by the
> >> >>                       IANA (iana_at_ISI.EDU)
> >> >> <snip>
> >> >>
> >> >> "NULL" authentication is technically not "no" authentication, but in reality
> >> >> it means the same thing.  The key point is that there is a difference between
> >> >> the negotiation of the authentication *type* and the authentication *key*.
> >> >>
> >> >> Both the authentication types and keys can be NULL.  Even though "NULL" is a
> >> >> zero value, it still counts as a value.  This is why if you configure two
> >> >> routers to authenticate each other with MD5 (Type 2) authentication, but don't
> >> >> set the key, it still works.  This is because they have agreed on
> >> >> Authentication Type 2 (MD5) and Authentication Key NULL.
> >> >>
> >> >>
> >> >> HTH,
> >> >>
> >> >> Brian McGahan, CCIE #8593 (R&S/SP/Security)
> >> >> bmcgahan_at_INE.com
> >> >>
> >> >> Internetwork Expert, Inc.
> >> >> http://www.INE.com
> >> >>
> >> >> -----Original Message-----
> >> >> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> >> >> Narbik Kocharians
> >> >> Sent: Saturday, March 10, 2012 10:24 PM
> >> >> To: Aaron
> >> >> Cc: Joe Astorino; CCIE GROUPSTUDY
> >> >> Subject: Re: ospf authentication
> >> >>
> >> >> Aaron,
> >> >>
> >> >> Remember that the "Ip ospf authentication null" is the command that is
> >> >> used to *disable* authentication. OSPF authentication can either be none
> >> >> (Or as Brian called it Null), simple or MD5. The authentication method
> >> >> none (Null), means that you have *no* authentication.
> >> >>
> >> >>
> >> >> On Sat, Mar 10, 2012 at 5:36 PM, Aaron <aaron1_at_gvtc.com> wrote:
> >> >>
> >> >>> But that's where it was weird (unless I'm not understanding what you
> >> >>> are saying).
> >> >>>
> >> >>> I did this
> >> >>>
> >> >>> Router ospf 1
> >> >>> Area 0 auth messag
> >> >>>
> >> >>> r6(config-subif)#do sh ip osp | in auth
> >> >>>     Area has message digest authentication
> >> >>>
> >> >>> and it seems that even with that turned on I can neighbor up with
> >> >>> routers and I don't even have to provide a md5 password anywhere.  Is
> >> >>> that called type 0, 1, or 2?  I'm getting the impression that what
> >> >>> I've done was a half-baked type 2.  In other words it ain't truly type
> >> >>> 2 md5 auth until the int config "ip osp mess 1 md5 cisco" is applied.
> >> >>> True?
> >> >>>
> >> >>> Aaron
> >> >>>
> >> >>>
> >> >>> -----Original Message-----
> >> >>> From: Joe Astorino
> >> >>> [mailto:joeastorino1982_at_gmail.com]
> >> >>> Sent: Saturday, March 10, 2012 7:24 PM
> >> >>> To: Aaron; CCIE GROUPSTUDY
> >> >>> Subject: Re: ospf authentication
> >> >>>
> >> >>> There are 3 types
> >> >>>
> >> >>> NULL, Clear text and MD5. So technically it can work without a
> >> >>> password using NULL authentication type
> >> >>>
> >> >>>
> >> >>>
> >> >>> On 3/10/12, Aaron <aaron1_at_gvtc.com> wrote:
> >> >>>> Isn't it weird that ospf authentication works even without a
> >> >>>> password?
> >> >>>>
> >> >>>>
> >> >>>>
> >> >>>> I enabled area 0 authentication and it works, even before I ever
> >> >>>> specify a password anywhere.
> >> >>>>
> >> >>>>
> >> >>>>
> >> >>>> Aaron
> >> >>>>
Received on Thu Mar 15 2012 - 05:20:53 ART
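
Added example (not part of the original thread): a Python model of the two-stage receiver check discussed above, AuType first and key second, using the RFC 2328 header layout and its MD5 digest procedure. The packets are constructed sample data, the function names are hypothetical, and treating an unset key as all zero bytes is an assumption, not a statement about any vendor's implementation.

```python
import hashlib
import hmac
import struct

HDR = "!BBH4s4sHH8s"  # RFC 2328 A.3.1: ver, type, len, router, area, cksum, AuType, auth

def pad(key, n):
    # Assumption: an unset key is modelled as all zero bytes, padded to n.
    return key.ljust(n, b"\0")[:n]

def build_packet(autype, key=b"", body=b"", key_id=1, seq=1):
    """Constructed OSPFv2 hello from router 10.0.0.6 in area 0 (sample data)."""
    length = 24 + len(body)
    if autype == 2:    # 0, Key ID, Auth Data Length, Cryptographic sequence number
        auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    elif autype == 1:  # 64-bit clear password
        auth = pad(key, 8)
    else:              # Null: field content is arbitrary
        auth = bytes(8)
    # Checksum left at 0 for brevity; a real type 0/1 packet carries one.
    pkt = struct.pack(HDR, 2, 1, length, bytes([10, 0, 0, 6]), bytes(4), 0, autype, auth) + body
    if autype == 2:    # digest is appended and not counted in the packet length
        pkt += hashlib.md5(pkt + pad(key, 16)).digest()
    return pkt

def check_auth(pkt, if_autype, if_key=b""):
    """Receiver check in two stages: AuType first, then key. Returns (ok, reason)."""
    _, _, length, _, _, _, autype, auth = struct.unpack(HDR, pkt[:24])
    if autype != if_autype:                      # stage 1: type
        return False, "AuType mismatch"
    if autype == 0:
        return True, "Null: authentication field not examined"
    if autype == 1:                              # stage 2: key
        ok = hmac.compare_digest(auth, pad(if_key, 8))
    elif autype == 2:
        _, _key_id, dlen, _seq = struct.unpack("!HBBI", auth)  # seq replay check omitted
        expect = hashlib.md5(pkt[:length] + pad(if_key, 16)).digest()
        ok = hmac.compare_digest(pkt[length:length + dlen], expect)
    else:
        return False, "reserved AuType"
    return ok, "key match" if ok else "key mismatch"

def audit(if_autype, if_key=b""):
    """Flag interface settings that give no real protection."""
    if if_autype == 0:
        return "no authentication"
    if not if_key.strip(b"\0"):
        return "type enabled but key is empty"
    return "clear-text key on the wire" if if_autype == 1 else "ok"
```

With type 2 on both sides and no key on either, `check_auth(build_packet(2), 2)` succeeds at both stages, which is the behaviour Aaron observed; `audit(2)` reports that state as a finding.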