Solved: authentication in ospf

sarahr202 · ‎08-15-2009

Hi everybody.

We have following command configured on a router which one will take precedence?

area 1 authentication

int f0

ip ospf authentication message-digest

will router use md5 on f0 or simple plain text authentication ?

Thanks a lot and have a nice weekend.

Lucien Avramov · ‎08-15-2009

Message digest authentication enabled

When both are enabled the message digest seem to dominate:

R5#show ip ospf int f0/1

FastEthernet0/1 is up, line protocol is up

Internet Address 2.2.2.5/24, Area 0

Process ID 2, Router ID 2.2.2.5, Network Type BROADCAST, Cost: 1

Transmit Delay is 1 sec, State BDR, Priority 1

Designated Router (ID) 136.1.124.4, Interface address 2.2.2.4

Backup Designated router (ID) 2.2.2.5, Interface address 2.2.2.5

Flush timer for old DR LSA due in 00:00:40

Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5

oob-resync timeout 40

Hello due in 00:00:01

Supports Link-local Signaling (LLS)

Cisco NSF helper support enabled

IETF NSF helper support enabled

Index 1/1, flood queue length 0

Next 0x0(0)/0x0(0)

Last flood scan length is 1, maximum is 1

Last flood scan time is 0 msec, maximum is 0 msec

Neighbor Count is 1, Adjacent neighbor count is 1

Adjacent with neighbor 136.1.124.4 (Designated Router)

Suppress hello for 0 neighbor(s)

Message digest authentication enabled

No key configured, using default key id 0

R5#

View solution in original post

Peter Paluch · ‎08-15-2009

Hello,

The command "ip ospf authentication" is always preferred to the area-wide authentication type. In your example, the Fa0 would use the MD5 authentication type. In other words, you can always override the area-wide authentication type directly on a particular interface.

Best regards,

Peter

View solution in original post

Lucien Avramov · ‎08-15-2009

No it will be the clear text as its the interface configuration again that is used first.

R5#show ip ospf int f0/1

FastEthernet0/1 is up, line protocol is up

Internet Address 2.2.2.5/24, Area 0

Process ID 2, Router ID 2.2.2.5, Network Type BROADCAST, Cost: 1

Transmit Delay is 1 sec, State DR, Priority 1

Designated Router (ID) 2.2.2.5, Interface address 2.2.2.5

No backup designated router on this network

Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5

oob-resync timeout 40

Hello due in 00:00:06

Supports Link-local Signaling (LLS)

Cisco NSF helper support enabled

IETF NSF helper support enabled

Index 1/1, flood queue length 0

Next 0x0(0)/0x0(0)

Last flood scan length is 0, maximum is 1

Last flood scan time is 0 msec, maximum is 0 msec

Neighbor Count is 0, Adjacent neighbor count is 0

Suppress hello for 0 neighbor(s)

Simple password authentication enabled

View solution in original post

Peter Paluch · ‎08-15-2009

Hello,

In this case, neither of these routers will display the another one as neighbor - so not even in INIT state. To consider somebody a neighbor, there are several parameters in the Hello packet that must match with the local configuration and one of these parameters is the authentication. A neighbor whose data in the Hello packet does not match ours is not considered a valid neighbor and all his OSPF packets are dropped.

Best regards,

Peter

View solution in original post

Lucien Avramov · ‎08-15-2009

There will be a mismatch message on R1, and it will not even go to init as it will not exchange LSAs.

*Aug 15 20:18:08.197: OSPF: Rcv pkt from 2.2.2.5, FastEthernet0/1 : Mismatch Authentication Key - Clear Text

View solution in original post

Peter Paluch · ‎08-15-2009

Hello,

These numerical types are used within OSPF packets to identify the type of authentication mechanism that was used to protect the given OSPF packet. You do not use these numbers directly in OSPF configuration but if you eventually configure a particular type of authentication, the corresponding number will be used as a value in a particular field of the authentication section in an OSPF packet to identify the authentication method.

You may want to read the entire Appendix D of the RFC 2328 where the OSPFv2 is defined:

http://tools.ietf.org/html/rfc2328#appendix-D

Best regards,

Peter

View solution in original post

Lucien Avramov · ‎08-15-2009

This is a convention. The numerical value is set in the packet.

The router use those numerical values instead of the name of the authentication.

You dont use those values to configure the router, the router uses them to communicate the authentication type.

On the router you configure with words those values as in the examples pointed out earlier.

from the ospf debug, you see for the packets:

*Aug 15 22:17:59.220: OSPF: rcv. v:2 t:4 l:60 rid:136.1.124.4

aid:0.0.0.0 chk:931E aut:0 auk: from FastEthernet0/1

aut:0 = null

Another example, with clear text:

*Aug 15 22:15:55.420: OSPF: rcv. v:2 t:1 l:48 rid:136.1.124.4

aid:0.0.0.0 chk:DC7F aut:1 auk: from FastEthernet0/1

here aut=1

On this topic, read the following doc as well:

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080094069.shtml

View solution in original post

Lucien Avramov · ‎08-15-2009

Message digest authentication enabled

When both are enabled the message digest seem to dominate:

R5#show ip ospf int f0/1

FastEthernet0/1 is up, line protocol is up

Internet Address 2.2.2.5/24, Area 0

Process ID 2, Router ID 2.2.2.5, Network Type BROADCAST, Cost: 1

Transmit Delay is 1 sec, State BDR, Priority 1

Designated Router (ID) 136.1.124.4, Interface address 2.2.2.4

Backup Designated router (ID) 2.2.2.5, Interface address 2.2.2.5

Flush timer for old DR LSA due in 00:00:40

Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5

oob-resync timeout 40

Hello due in 00:00:01

Supports Link-local Signaling (LLS)

Cisco NSF helper support enabled

IETF NSF helper support enabled

Index 1/1, flood queue length 0

Next 0x0(0)/0x0(0)

Last flood scan length is 1, maximum is 1

Last flood scan time is 0 msec, maximum is 0 msec

Neighbor Count is 1, Adjacent neighbor count is 1

Adjacent with neighbor 136.1.124.4 (Designated Router)

Suppress hello for 0 neighbor(s)

Message digest authentication enabled

No key configured, using default key id 0

R5#

sarahr202 · ‎08-15-2009

Thanks Lavramov.

How about if we configured

area 1 authentication message-digest

int f0

ip ospf authentication

Will message digest still dominate ?

thanks

Lucien Avramov · ‎08-15-2009

No it will be the clear text as its the interface configuration again that is used first.

R5#show ip ospf int f0/1

FastEthernet0/1 is up, line protocol is up

Internet Address 2.2.2.5/24, Area 0

Process ID 2, Router ID 2.2.2.5, Network Type BROADCAST, Cost: 1

Transmit Delay is 1 sec, State DR, Priority 1

Designated Router (ID) 2.2.2.5, Interface address 2.2.2.5

No backup designated router on this network

Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5

oob-resync timeout 40

Hello due in 00:00:06

Supports Link-local Signaling (LLS)

Cisco NSF helper support enabled

IETF NSF helper support enabled

Index 1/1, flood queue length 0

Next 0x0(0)/0x0(0)

Last flood scan length is 0, maximum is 1

Last flood scan time is 0 msec, maximum is 0 msec

Neighbor Count is 0, Adjacent neighbor count is 0

Suppress hello for 0 neighbor(s)

Simple password authentication enabled

Peter Paluch · ‎08-15-2009

Hello,

The command "ip ospf authentication" is always preferred to the area-wide authentication type. In your example, the Fa0 would use the MD5 authentication type. In other words, you can always override the area-wide authentication type directly on a particular interface.

Best regards,

Peter

sarahr202 · ‎08-15-2009

Thank Peter.

How about if we have two roouters, R1 and R2

R1 is congigured with plain text while R2 is not using any authentication

R1-------R2

R1 receives a hello from R2, If i use the command show ip ospf neighbors on R1, will it show neighbor(R2) state as "init"?

Thanks a lot and have a nice weekend.

Peter Paluch · ‎08-15-2009

Hello,

In this case, neither of these routers will display the another one as neighbor - so not even in INIT state. To consider somebody a neighbor, there are several parameters in the Hello packet that must match with the local configuration and one of these parameters is the authentication. A neighbor whose data in the Hello packet does not match ours is not considered a valid neighbor and all his OSPF packets are dropped.

Best regards,

Peter

Lucien Avramov · ‎08-15-2009

There will be a mismatch message on R1, and it will not even go to init as it will not exchange LSAs.

*Aug 15 20:18:08.197: OSPF: Rcv pkt from 2.2.2.5, FastEthernet0/1 : Mismatch Authentication Key - Clear Text

sarahr202 · ‎08-15-2009

Thanks Lavramov

One more quick question if you don't mind.

My book also shows type by number for authentication in ospf. For example

type

0 means null authentication

1 means clear text

2 means md5

What is the use of these types values? I did not see any usage of them while configuring clear text or md5 authentication in ospf.

Thanks

Peter Paluch · ‎08-15-2009

Hello,

These numerical types are used within OSPF packets to identify the type of authentication mechanism that was used to protect the given OSPF packet. You do not use these numbers directly in OSPF configuration but if you eventually configure a particular type of authentication, the corresponding number will be used as a value in a particular field of the authentication section in an OSPF packet to identify the authentication method.

You may want to read the entire Appendix D of the RFC 2328 where the OSPFv2 is defined:

http://tools.ietf.org/html/rfc2328#appendix-D

Best regards,

Peter

Lucien Avramov · ‎08-15-2009

This is a convention. The numerical value is set in the packet.

The router use those numerical values instead of the name of the authentication.

You dont use those values to configure the router, the router uses them to communicate the authentication type.

On the router you configure with words those values as in the examples pointed out earlier.

from the ospf debug, you see for the packets:

*Aug 15 22:17:59.220: OSPF: rcv. v:2 t:4 l:60 rid:136.1.124.4

aid:0.0.0.0 chk:931E aut:0 auk: from FastEthernet0/1

aut:0 = null

Another example, with clear text:

*Aug 15 22:15:55.420: OSPF: rcv. v:2 t:1 l:48 rid:136.1.124.4

aid:0.0.0.0 chk:DC7F aut:1 auk: from FastEthernet0/1

here aut=1

On this topic, read the following doc as well:

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080094069.shtml