OSPF authentication and key chains

Is there any way of using key chains for authentication with OSPF like you can do for EIGRP? I want to be able to age and introduce new passwords for one of my OSPF areas and without key chains I don't think I will be able to do it. Any help would be appreciated. Thanks.

3 Replies

ariela
Level 4

Hi,

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800917e6.html#wp1018285

"Usually, one key per interface is used to generate authentication information when sending packets and to authenticate incoming packets. The same key identifier on the neighbor router must have the same key value.

The process of changing keys is as follows. Suppose the current configuration is as follows:

interface ethernet 1

ip ospf message-digest-key 100 md5 OLD

You change the configuration to the following:

interface ethernet 1

ip ospf message-digest-key 101 md5 NEW

The system assumes its neighbors do not have the new key yet, so it begins a rollover process. It sends multiple copies of the same packet, each authenticated by different keys. In this example, the system sends out two copies of the same packet: the first one authenticated by key 100 and the second one authenticated by key 101.

Rollover allows neighboring routers to continue communication while the network administrator is updating them with the new key. Rollover stops once the local system finds that all its neighbors know the new key. The system detects that a neighbor has the new key when it receives packets from the neighbor authenticated by the new key.

After all neighbors have been updated with the new key, the old key should be removed."

Pay attention:

"We recommend that you not keep more than one key per interface. Every time you add a new key, you should remove the old key to prevent the local system from continuing to communicate with a hostile system that knows the old key. Removing the old key also reduces overhead during rollover."

Hope this helps

Regards

Andrea
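A small model of the rollover described in the quoted text, added here as an example (it is not code from the post, from Cisco, or from IOS): an interface holds its message-digest keys, sends one copy of each packet per configured key until every neighbor has been heard using the newest key, and keeps accepting the old key until it is removed. The digest follows RFC 2328 Appendix D (MD5 over the packet with the 16-byte key appended); treating the highest key id as the newest key and zero-padding short keys are assumptions of this model.

```python
import hashlib
import hmac

KEY_LEN = 16  # RFC 2328 Appendix D: the cryptographic authentication key is 16 bytes


def ospf_md5_digest(packet: bytes, key: str) -> bytes:
    """MD5 over the OSPF packet with the key appended (RFC 2328 D.4.3).
    Zero-padding a shorter key to 16 bytes is an assumption of this model."""
    return hashlib.md5(packet + key.encode().ljust(KEY_LEN, b"\0")).digest()


class OspfInterface:
    """One interface's message-digest keys plus which key ids each neighbor has used."""

    def __init__(self, neighbors):
        self.keys = {}                             # key id -> key string
        self.seen = {n: set() for n in neighbors}  # neighbor -> key ids received from it

    def add_key(self, key_id, key):
        self.keys[key_id] = key

    def remove_key(self, key_id):
        del self.keys[key_id]

    def newest_key_id(self):
        # Assumption of this model: the highest key id is the newest key (100 -> 101 above).
        return max(self.keys)

    def rollover_active(self):
        # Rollover continues until every neighbor has been heard using the newest key.
        newest = self.newest_key_id()
        return any(newest not in ids for ids in self.seen.values())

    def transmit(self, packet):
        """Return the (key id, digest) pairs for the copies of this packet to send:
        one copy per configured key during rollover, otherwise only the newest key."""
        ids = list(self.keys) if self.rollover_active() else [self.newest_key_id()]
        return [(k, ospf_md5_digest(packet, self.keys[k])) for k in ids]

    def receive(self, neighbor, packet, key_id, digest):
        """Verify an incoming packet against the key id it names; True if accepted.
        Any configured key is accepted, which is why the old key must be removed."""
        key = self.keys.get(key_id)
        if key is None or not hmac.compare_digest(digest, ospf_md5_digest(packet, key)):
            return False
        self.seen[neighbor].add(key_id)
        return True
```

Walking the 100-to-101 change from the quoted text through this model shows two copies per packet only while the neighbor is still heard on key 100, and key 100 still being accepted after rollover ends until it is explicitly removed.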

Excellent, that's just what I am looking for. Thanks a lot for your help.

Is key rollover supposed to work like this on NX-OS as well? We have observed only 1 key at a time being used in transmitted packets when multiple "ip ospf message-digest-key" commands are configured on an interface.

Thanks,

Jim
