authentication in ospf

Answered Question
Aug 15th, 2009

Hi everybody.


We have the following commands configured on a router. Which one will take precedence?

area 1 authentication

int f0
ip ospf authentication message-digest

Will the router use MD5 on f0 or simple plain text authentication?


Thanks a lot and have a nice weekend.



Correct Answer
Lucien Avramov Sat, 08/15/2009 - 09:56

Message digest authentication enabled


When both are enabled, the message digest seems to dominate:

R5#show ip ospf int f0/1
FastEthernet0/1 is up, line protocol is up
Internet Address 2.2.2.5/24, Area 0
Process ID 2, Router ID 2.2.2.5, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 136.1.124.4, Interface address 2.2.2.4
Backup Designated router (ID) 2.2.2.5, Interface address 2.2.2.5
Flush timer for old DR LSA due in 00:00:40
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:01
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 136.1.124.4 (Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
No key configured, using default key id 0
R5#



sarahr202 Sat, 08/15/2009 - 10:12

Thanks Lavramov.


How about if we configured

area 1 authentication message-digest

int f0
ip ospf authentication

Will message digest still dominate?


thanks

Correct Answer
Lucien Avramov Sat, 08/15/2009 - 10:16

No, it will be clear text, as it's the interface configuration again that is used first.

R5#show ip ospf int f0/1
FastEthernet0/1 is up, line protocol is up
Internet Address 2.2.2.5/24, Area 0
Process ID 2, Router ID 2.2.2.5, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 2.2.2.5, Interface address 2.2.2.5
No backup designated router on this network
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:06
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 0, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 0, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
Simple password authentication enabled


Correct Answer
Peter Paluch Sat, 08/15/2009 - 10:14

Hello,


The command "ip ospf authentication" is always preferred to the area-wide authentication type. In your example, the Fa0 would use the MD5 authentication type. In other words, you can always override the area-wide authentication type directly on a particular interface.


Best regards,

Peter


sarahr202 Sat, 08/15/2009 - 11:39

Thanks Peter.

How about if we have two routers, R1 and R2.

R1 is configured with plain text while R2 is not using any authentication.

R1-------R2

R1 receives a hello from R2. If I use the command show ip ospf neighbors on R1, will it show the neighbor (R2) state as "init"?


Thanks a lot and have a nice weekend.

Correct Answer
Peter Paluch Sat, 08/15/2009 - 12:14

Hello,


In this case, neither of these routers will display the other one as a neighbor, so not even in INIT state. To consider somebody a neighbor, there are several parameters in the Hello packet that must match the local configuration, and one of these parameters is the authentication. A neighbor whose data in the Hello packet does not match ours is not considered a valid neighbor, and all its OSPF packets are dropped.


Best regards,

Peter


Correct Answer
Lucien Avramov Sat, 08/15/2009 - 12:21

There will be a mismatch message on R1, and it will not even go to init as it will not exchange LSAs.


*Aug 15 20:18:08.197: OSPF: Rcv pkt from 2.2.2.5, FastEthernet0/1 : Mismatch Authentication Key - Clear Text


sarahr202 Sat, 08/15/2009 - 14:05

Thanks Lavramov

One more quick question if you don't mind.

My book also shows the type by number for authentication in OSPF. For example:

type
0 means null authentication
1 means clear text
2 means MD5

What is the use of these type values? I did not see any usage of them while configuring clear text or MD5 authentication in OSPF.


Thanks

Correct Answer
Peter Paluch Sat, 08/15/2009 - 14:15

Hello,


These numerical types are used within OSPF packets to identify the type of authentication mechanism that was used to protect the given OSPF packet. You do not use these numbers directly in OSPF configuration but if you eventually configure a particular type of authentication, the corresponding number will be used as a value in a particular field of the authentication section in an OSPF packet to identify the authentication method.


You may want to read the entire Appendix D of the RFC 2328 where the OSPFv2 is defined:


http://tools.ietf.org/html/rfc2328#appendix-D


Best regards,

Peter


Correct Answer
Lucien Avramov Sat, 08/15/2009 - 14:16

This is a convention. The numerical value is set in the packet.

The router uses those numerical values instead of the name of the authentication.

You don't use those values to configure the router; the router uses them to communicate the authentication type.

On the router you configure those values with words, as in the examples pointed out earlier.

From the OSPF debug, you see for the packets:

*Aug 15 22:17:59.220: OSPF: rcv. v:2 t:4 l:60 rid:136.1.124.4 aid:0.0.0.0 chk:931E aut:0 auk: from FastEthernet0/1

aut:0 = null

Another example, with clear text:

*Aug 15 22:15:55.420: OSPF: rcv. v:2 t:1 l:48 rid:136.1.124.4 aid:0.0.0.0 chk:DC7F aut:1 auk: from FastEthernet0/1

Here aut=1.


On this topic, read the following doc as well:

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080094069.shtml
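As an added illustration (not code from this thread or from Cisco), the following Python builds a constructed OSPFv2 Hello, decodes the header fields that the debug lines above print (v, t, l, rid, aid, chk, aut, auk) together with the Appendix D AuType names, and applies the receive-side rule from Peter's and Lucien's replies: a packet whose AuType or clear-text key does not match the receiving interface is dropped, so the sender never reaches INIT. The field layout and checksum rule follow RFC 2328; the router IDs, the password and the reason strings are assumptions modelled on the debug output quoted in the thread.

```python
import socket
import struct

# RFC 2328 Appendix D AuType values: what "aut:" shows in the IOS debug line.
AUTYPE_NAMES = {0: "null", 1: "clear text", 2: "md5"}
HDR = "!BBH4s4sHH"  # version, type, length, router ID, area ID, checksum, AuType

def ospf_checksum(pkt: bytes) -> int:
    """Standard IP checksum with the 64-bit authentication field (bytes 16..23)
    excluded, as RFC 2328 specifies for AuType 0 and 1 (not used for MD5)."""
    data = pkt[:16] + pkt[24:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_hello(rid: str, aid: str, autype: int, password: bytes = b"") -> bytes:
    """Constructed sample Hello (type 1) with no neighbours listed, so l:44.
    With AuType 1 the password sits in the clear in the authentication field."""
    body = struct.pack("!4sHBBI4s4s", socket.inet_aton("255.255.255.0"),
                       10, 0x02, 1, 40, b"\0" * 4, b"\0" * 4)  # mask,hello,opt,pri,dead,DR,BDR
    auth = password.ljust(8, b"\0")[:8]
    hdr = struct.pack(HDR, 2, 1, 24 + len(body), socket.inet_aton(rid),
                      socket.inet_aton(aid), 0, autype)
    chk = 0 if autype == 2 else ospf_checksum(hdr + auth + body)  # MD5 leaves chk zero
    return hdr[:12] + struct.pack("!H", chk) + hdr[14:] + auth + body

def parse_header(pkt: bytes) -> dict:
    """Decode the 24-byte header into the fields the debug line prints
    (v, t, l, rid, aid, chk, aut, auk)."""
    v, t, l, rid, aid, chk, aut = struct.unpack(HDR, pkt[:16])
    return {"v": v, "t": t, "l": l, "rid": socket.inet_ntoa(rid),
            "aid": socket.inet_ntoa(aid), "chk": chk, "aut": aut, "auk": pkt[16:24],
            "aut_name": AUTYPE_NAMES.get(aut, "unknown")}

def receive_hello(pkt: bytes, local_autype: int, local_key: bytes = b"") -> str:
    """Receiver rule from the replies: AuType must equal the type configured on
    the receiving interface; for AuType 0/1 the checksum must verify and for
    AuType 1 the key must match. Any failure drops the packet, so the sender never
    reaches INIT. Reasons mirror the IOS debug text quoted above; MD5 not modelled."""
    h = parse_header(pkt)
    if h["aut"] != local_autype:
        return "Mismatch Authentication type"
    if h["aut"] != 2 and ospf_checksum(pkt) != 0:
        return "Bad checksum"
    if h["aut"] == 1 and h["auk"] != local_key.ljust(8, b"\0")[:8]:
        return "Mismatch Authentication Key - Clear Text"
    return "accepted"
```

Feeding a captured packet (UDP/raw payload after the IP header) to parse_header gives the same fields as the debug line, which is a quick way to confirm from a capture which authentication type a neighbour is actually sending.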
