vtp password hash value

pankaj kumar
Level 1

The VTP password is sent as an MD5 hash value in the VTP advertisements.

But is the hash value computed using only the password, or is it computed using some other field(s) as well? If so, which fields?

6 Replies

Jon Marshall
Hall of Fame

Have a look at this blog and also note the comments -

http://cciepursuit.wordpress.com/2007/06/29/vtp-md5-hash-utilizes-vtp-domain-name/

Jon

I think it depends on the number of VLANs as well, because whenever I create a new VLAN it gets changed.

It may well do. I couldn't find any specific info other than that blog, but it looks like there are a number of things used as input into the computation.

Jon

Peter Paluch
Cisco Employee

Pankaj,

The VTP MD5 sum is computed over the entire VLAN database contents, including the VTP password. Note that the MD5 checksum is included only in the VTP summary advertisement and not in the subsequent subset advertisements, so it is not computed over an individual packet's contents. The MD5 sum will change whenever any content of the VLAN database changes.

Note that computing the MD5 only over the password and adding it to VTP packets would be useless right from the start, as the MD5 sum would be the equivalent of the password and the password alone - it could be directly stolen and reused over different forged VTP packets. This is a general rule about MD5 protection of all protocols: the MD5 hash must always be computed over the protected content plus the password.

Best regards,

Peter

Peter Paluch,

Is the revision number also included in the computation of the hash value? Kindly tell me all parameters that are used in the computation.

One more question: suppose there are two switches, 1 & 2. I create a new VLAN on 1, so the MD5 value will change; this new MD5 value will then be different from the one on 2. How will communication happen, as for communication these hash values should match?

Hi,

from "Troubleshooting VLAN Trunk Protocol" :

"The general purpose of an MD5 value is to verify the integrity of a received packet and to detect any changes to the packet or corruption of the packet during transit. When a switch detects a new revision number that is different from the currently stored value, the switch sends a request message to the VTP server and requests the VTP subsets. A subset advertisement contains a list of VLAN information. The switch calculates the MD5 value for the subset advertisements and compares the value to the MD5 value of the VTP summary advertisement. If the two values are different, the switch increases the No of config digest errors counter."

By the way: I made a couple of tests and it seems that the only relevant field in the summary advertisement which is not used for the MD5 computation is the timestamp. I attached a Wireshark capture with summary advertisements from two different switches. I made the same changes on both switches at different times before I connected them (I even configured the same updater IPs on both, because different IDs resulted in different hash values. This is interesting because the updater ID is used only in the summary advertisements). You can see that the MD5 values are the same in both messages although the timestamps are different. Any change of VLAN information also resulted in different hash values, as expected.

Hope that helps

Rolf

P.S.: You can find the packet formats in "Understanding VLAN Trunk Protocol"
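The following is an added example, not part of this thread and not Cisco's VTP implementation. It is a constructed model of the digest scheme the replies above describe: Peter's point that the MD5 must cover the protected content (the VLAN database) plus the password, and Rolf's observation that the domain name and updater ID feed the digest while the timestamp does not. The exact byte layout and field order, the inclusion of the revision number, and the VLAN serialization are assumptions of this model, not the VTP wire format; the names `Vlan`, `SummaryAdvertisement`, `vtp_style_digest`, `receiver_check`, `naive_receiver_check` and the sample VLANs, password and addresses are all constructed here. It shows why a receiver that recomputes the digest over the subset advertisements (the "config digest error" check quoted by Rolf) rejects altered VLAN data, and why a digest over the password alone would accept any database.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Vlan:
    vlan_id: int
    name: str


@dataclass
class SummaryAdvertisement:
    """Fields a receiver sees in the summary advertisement (constructed subset)."""
    domain: str
    revision: int
    updater_ip: str
    timestamp: str      # carried in the packet but, per Rolf's test, not covered by the digest
    md5_digest: bytes


def serialize_vlan_db(vlans: List[Vlan]) -> bytes:
    """Deterministic byte encoding of the VLAN database (an assumption; not the VTP subset format)."""
    ordered = sorted(vlans, key=lambda v: v.vlan_id)
    return b"".join(f"{v.vlan_id}:{v.name}\n".encode() for v in ordered)


def vtp_style_digest(domain: str, revision: int, updater_ip: str,
                     vlans: List[Vlan], password: str) -> bytes:
    """MD5 over domain, revision, updater ID, VLAN database and password.

    Field order and encoding are assumptions of this model. The timestamp is
    deliberately absent, matching the capture Rolf describes.
    """
    h = hashlib.md5()
    for part in (domain.encode(), revision.to_bytes(4, "big"), updater_ip.encode(),
                 serialize_vlan_db(vlans), password.encode()):
        h.update(part)
    return h.digest()


def build_summary(domain: str, revision: int, updater_ip: str, timestamp: str,
                  vlans: List[Vlan], password: str) -> SummaryAdvertisement:
    digest = vtp_style_digest(domain, revision, updater_ip, vlans, password)
    return SummaryAdvertisement(domain, revision, updater_ip, timestamp, digest)


def receiver_check(summary: SummaryAdvertisement, subset_vlans: List[Vlan], password: str) -> bool:
    """Receiver side: recompute the digest over the received subsets and compare it
    with the digest from the summary. A mismatch is what the docs count as a
    config digest error."""
    expected = vtp_style_digest(summary.domain, summary.revision, summary.updater_ip,
                                subset_vlans, password)
    return hmac.compare_digest(expected, summary.md5_digest)


def naive_password_only_digest(password: str) -> bytes:
    """The scheme Peter's reply rules out: the digest depends on the password only."""
    return hashlib.md5(password.encode()).digest()


def naive_receiver_check(received_digest: bytes, subset_vlans: List[Vlan], password: str) -> bool:
    # subset_vlans is unused on purpose: this digest never covered the VLAN data,
    # so the same value validates any database it is attached to.
    return hmac.compare_digest(naive_password_only_digest(password), received_digest)


def demo() -> Dict[str, bool]:
    """Runs the model on constructed data and reports each property as a boolean."""
    password = "example-vtp-password"          # constructed value
    vlans = [Vlan(1, "default"), Vlan(10, "users"), Vlan(20, "servers")]
    # Two switches with identical configuration, advertised at different times
    sw1 = build_summary("LAB", 7, "10.0.0.1", "2024-01-01 10:00:00", vlans, password)
    sw2 = build_summary("LAB", 7, "10.0.0.1", "2024-01-01 11:30:00", vlans, password)
    # Same configuration but a different updater ID
    sw3 = build_summary("LAB", 7, "10.0.0.2", "2024-01-01 10:00:00", vlans, password)
    altered = vlans + [Vlan(99, "unexpected")]
    return {
        "timestamp_ignored": sw1.md5_digest == sw2.md5_digest,
        "updater_id_matters": sw1.md5_digest != sw3.md5_digest,
        "valid_subsets_accepted": receiver_check(sw1, vlans, password),
        "altered_subsets_rejected": not receiver_check(sw1, altered, password),
        "wrong_password_rejected": not receiver_check(sw1, vlans, "some-other-password"),
        # Password-only digest: the altered database passes, which is the flaw Peter describes
        "naive_scheme_accepts_altered": naive_receiver_check(
            naive_password_only_digest(password), altered, password),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of `receiver_check` is that the digest binds the summary to the VLAN data delivered in the subsets: a receiver with the right password can only reconstruct the same 16 bytes if domain, updater ID, revision and every VLAN entry match what the sender hashed. `naive_receiver_check` makes the contrast concrete: with the digest computed over the password alone, the VLAN data is never part of the comparison, so the check tells the receiver nothing about the database it just accepted.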
