OSPF MD5 Key Rollover

Unanswered Question

I'm using MD5 auth on a virtual link and need to understand the key rollover process. I initially configured the routers (7206VXR, 12.4(15)T7) as follows:


R3:

router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 area 2 virtual-link 4.4.4.4 authentication message-digest
 area 2 virtual-link 4.4.4.4 message-digest-key 1 md5 CISCO

R4:

router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 area 2 virtual-link 3.3.3.3 authentication message-digest
 area 2 virtual-link 3.3.3.3 message-digest-key 1 md5 CISCO


The virtual link came up fine:

R3(config-router)#do sho ip ospf virt
Virtual Link OSPF_VL2 to router 4.4.4.4 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 2, via interface Serial1/0.34, Cost of using 64
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:09
    Adjacency State FULL (Hello suppressed)
    Index 2/3, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec
  Message digest authentication enabled
    Youngest key id is 1


Then I changed the keys as follows:


R3(config-router)#area 2 virtual-link 4.4.4.4 message-digest-key 2 md5 CCIE

R4(config-router)#area 2 virtual-link 3.3.3.3 message-digest-key 2 md5 CCIE


On both routers:

show ip ospf vir
...

Rollover process begins....

  Message digest authentication enabled
    Youngest key id is 2
    Rollover in progress, 1 neighbor(s) using the old key(s):
      key id 1


Then I removed the old keys:

R3(config-router)#no area 2 virtual-link 4.4.4.4 message-digest-key 1
R4(config-router)#no area 2 virtual-link 3.3.3.3 message-digest-key 1


And I still see the rollover process in effect on both routers:

  Message digest authentication enabled
    Youngest key id is 2
    Rollover in progress, 1 neighbor(s) using the old key(s):


The output is the same from both routers. My virtual link is still up and OSPF is functioning correctly. But why am I still getting this message?


A show run confirms that key 1 no longer exists:


router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 area 2 virtual-link 4.4.4.4 authentication message-digest
 area 2 virtual-link 4.4.4.4 message-digest-key 2 md5 CCIE
 network 3.3.3.3 0.0.0.0 area 0
 network 30.3.3.3 0.0.0.0 area 2
 network 131.1.23.3 0.0.0.0 area 0
 network 131.1.34.3 0.0.0.0 area 2

router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 area 2 virtual-link 3.3.3.3 authentication message-digest
 area 2 virtual-link 3.3.3.3 message-digest-key 2 md5 CCIE
 network 4.4.4.4 0.0.0.0 area 2
 network 40.4.4.4 0.0.0.0 area 4
 network 131.1.34.4 0.0.0.0 area 2
 network 131.1.45.4 0.0.0.0 area 4



Any ideas? Thanks.

Giuseppe Larosa Mon, 02/09/2009 - 13:11

Hello Michael,

try to repeat the tests using

• debug ip ospf event
• debug ip ospf packet
• debug ip ospf hello

to see how the smooth change of key is implemented: the sending of two copies of each hello, one with key 1 and one with key 2.


Hope to help

Giuseppe
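The question shows the "Rollover in progress" status and the reply describes the mechanism behind it (one copy of each hello per configured key). The following is an added example, not code from the original thread or from Cisco IOS: a Python model of RFC 2328 Appendix D cryptographic authentication (MD5 over packet plus zero-padded key, Key ID and sequence number in the header) with the per-neighbor bookkeeping a rollover needs. The `Router` class, the reduced packet layout, `exchange()` and `demo()` are constructed for illustration and are not IOS's actual implementation; `demo()` simply replays the steps from the question with the same key ids and strings.

```python
"""Model of OSPF MD5 authentication and key rollover (RFC 2328 Appendix D).
Constructed example: not IOS code; the header keeps only the fields that
matter for authentication."""
import hashlib
import struct

AUTH_TYPE_CRYPTO = 2   # AuType value for cryptographic authentication
DIGEST_LEN = 16        # MD5 digest length, carried in Auth Data Length


def pad_key(secret: bytes) -> bytes:
    """RFC 2328 D.4.3: the secret is zero-padded (or truncated) to 16 bytes."""
    return secret[:16].ljust(16, b"\x00")


def ospf_md5_digest(packet: bytes, secret: bytes) -> bytes:
    """Digest = MD5(packet || padded secret); appended after the packet and
    not counted in the packet length field."""
    return hashlib.md5(packet + pad_key(secret)).digest()


def build_packet(router_id: int, key_id: int, seq: int, secret: bytes,
                 body: bytes = b"hello") -> bytes:
    """Reduced OSPFv2 header (version, type, length, router id, area id,
    checksum zeroed under crypto auth, AuType) followed by the 8-byte
    authentication field: reserved, Key ID, Auth Data Length, sequence."""
    header = struct.pack("!BBHIIHH", 2, 1, 24 + len(body), router_id, 0, 0,
                         AUTH_TYPE_CRYPTO)
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    pkt = header + auth + body
    return pkt + ospf_md5_digest(pkt, secret)


def parse_auth(packet: bytes):
    """Return (source router id, key id, sequence, unsigned packet, digest)."""
    src = struct.unpack("!I", packet[4:8])[0]
    _, key_id, auth_len, seq = struct.unpack("!HBBI", packet[16:24])
    return src, key_id, seq, packet[:-auth_len], packet[-auth_len:]


class Router:
    """Key list for one link plus the per-neighbor state a rollover needs."""

    def __init__(self, router_id: int):
        self.router_id = router_id
        self.keys = {}            # key id -> secret
        self.seq = 0              # outgoing cryptographic sequence number
        self.neighbor_key = {}    # neighbor id -> youngest key id seen from it
        self.neighbor_seq = {}    # neighbor id -> last accepted sequence number

    def add_key(self, key_id: int, secret: bytes):
        self.keys[key_id] = secret

    def remove_key(self, key_id: int):
        self.keys.pop(key_id, None)

    def send(self) -> list:
        """While several keys are configured, send one copy per key."""
        self.seq += 1
        return [build_packet(self.router_id, kid, self.seq, secret)
                for kid, secret in sorted(self.keys.items())]

    def receive(self, packet: bytes) -> bool:
        """Accept only a known key id, a verifying digest and a non-replayed
        sequence number; an unknown key id is dropped silently."""
        src, key_id, seq, unsigned, digest = parse_auth(packet)
        if key_id not in self.keys:
            return False
        if digest != ospf_md5_digest(unsigned, self.keys[key_id]):
            return False                       # wrong secret or tampering
        if seq < self.neighbor_seq.get(src, 0):
            return False                       # replay
        self.neighbor_seq[src] = seq
        self.neighbor_key[src] = max(key_id, self.neighbor_key.get(src, 0))
        return True

    def rollover_status(self) -> list:
        """Neighbors not yet seen using our youngest key. This state changes
        only when a packet is actually received from the neighbor."""
        youngest = max(self.keys)
        return sorted(n for n, k in self.neighbor_key.items() if k < youngest)


def exchange(a: Router, b: Router):
    """One round of hellos in each direction."""
    for p in a.send():
        b.receive(p)
    for p in b.send():
        a.receive(p)


def demo() -> dict:
    """Replay the thread: key 1 on both sides, add key 2, then remove key 1."""
    r3, r4 = Router(0x03030303), Router(0x04040404)
    for r in (r3, r4):
        r.add_key(1, b"CISCO")
    exchange(r3, r4)
    out = {"after_key1": (r3.rollover_status(), r4.rollover_status())}
    for r in (r3, r4):
        r.add_key(2, b"CCIE")
    out["key2_added_no_hello"] = (r3.rollover_status(), r4.rollover_status())
    for r in (r3, r4):
        r.remove_key(1)
    out["key1_removed_no_hello"] = (r3.rollover_status(), r4.rollover_status())
    # a packet still signed with the withdrawn key is now rejected outright
    out["old_key_accepted"] = r4.receive(build_packet(r3.router_id, 1, 99, b"CISCO"))
    exchange(r3, r4)   # a hello carrying key 2 in each direction clears the status
    out["after_hello_with_key2"] = (r3.rollover_status(), r4.rollover_status())
    return out


if __name__ == "__main__":
    for step, value in demo().items():
        print(step, value)
```

Two things the model makes visible for anyone operating a rollover: the "neighbors still on the old key" list is driven purely by packets received, so on a link where no hello arrives (the virtual link above runs as a demand circuit with hellos suppressed) it cannot change until some packet does; and once the old key is withdrawn, any packet still carrying that key id is dropped without a reply, so the safe order is to confirm every neighbor has been seen on the youngest key before removing the old one.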
