
ospf authentication quick question

bellocarico
Level 1

OSPF authentication is defined per area, and can be overridden in interface mode using commands such as

Router(config-if)#ip ospf authentication

+

Router(config-if)#ip ospf authentication-key PASSWORD

(to config/force clear text authentication)

or

Router(config-if)#ip ospf message-digest-key 1 md5 PASSWORD

(to config/force md5 authentication)

But...what's the command:

Router(config-if)#ip ospf authentication message-digest

doing exactly?

The online help says "Use message-digest authentication", but isn't this the function of the message-digest-key command already?

Thanks!

7 Replies

devang_etcom
Level 7

hi...

When you use the command "ip ospf authentication message-digest", both routers will send their username and password in "hash" form, or you can say the router encrypts the password... it's the same as the command you enter with md5... it's one kind of encryption form...

you can have same things in RIP also...

hope this will clear your idea

rate this post if it helps

regards

Devang

Thanks for the answer, but that's not what I'm asking...

I'd just like to know why would I ever use the command

"ip ospf authentication message-digest"

(and actually what does it do exactly?)

where:

1) ip ospf authentication -> Is used for cleartext authentication

2) ip ospf message-digest -> Is used for md5 authentication

Regards

You configure this kind of command just to prevent unauthenticated packet information... which causes bad routing information...

ip ospf authentication:

this command is used to configure the password to the ospf interface for the authentication.

ip ospf message-digest:

You can say it's type 2 authentication... which calculates the hash value from the OSPF packet content and password, and this hash value is transmitted in the packet with the key, so you can have secure information in your OSPF network.

If message digest authentication is enabled in Area then all interfaces in the area need to be configured with the same authentication type. This command is used to configure message digest authentication on an OSPF interface. In Cisco IOS Software Release 12.0 and later, interface authentication can be configured independent of the authentication applied to an area.

hope this will be your answer...

rate all the post if it helps

regards

Devang

The command

ip ospf authentication message-digest

is what actually activates the use of the key you defined in the previous statement. If you were to define both keys on the interface and only put in

ip ospf authentication

it would attempt to use the clear text key and ignore the md5 key. When you enter this command with the message-digest option it will begin using the md5 key and ignore the clear text key.

Many people are confused by this since you can define the keys on the interface but choose the type of key to use in the global OSPF configuration.

"ip ospf authentication message-digest

is what actually activates the use of the key you defined in the previous statement"

Correct me if I'm wrong, but I wouldn't use the word activate in this case, as, if I leave the ip ospf authentication out of my config (with or without message-digest), it just uses what is configured in router-config.

Apart from this, thanks for the clarification!

Now everything makes more sense to me :-)

Devang, I agree with you on the hashing, and the area authentication, and this is very clear to me; but what is not clear instead is the "ip ospf authentication message-digest" command.

As discussed above, after having set authentication for the area

Router(config-router)#area 0 authentication -->enable clear text password

or

Router(config-router)#area 0 authentication message-digest -->enable md5 password

I need to authenticate in interface mode using

"ip ospf authentication-key PASSWORD" --> cleartext

or

"ip ospf message-digest-key 1 md5 PASSWORD" --> MD5

The additional interface command

"ip ospf authentication"

is used to enable clear text password in case you want to overwrite the area password (if set to md5 e.g.).

Now, the command:

"ip ospf authentication message-digest"

seems to me just the same as above, but with an additional parameter.

This parameter (message-digest) suggests to me that this is somehow related to the password hashing instead.

So why would I ever use a command to force simple password authentication with the parameter message-digest?

If I want to do message-digest I just use the "ip ospf message-digest-key 1 md5 PASSWORD" command directly.

I can't find precise documentation on this on the Doc CD.

My only theory on this (but I'm not 100% sure)

is that, if I set

"ip ospf authentication" it will force the interface to authenticate in cleartext regardless of what is set in router-config.

This must also be coupled with the

"ip ospf authentication-key PASSWORD"

instead

"ip ospf authentication message-digest" forces the authentication md5 in interface config mode.

This must be coupled with the

"ip ospf message-digest-key 1 md5 PASSWORD"

to work properly

Anybody agree/disagree on my theory?

Any comment?

Thanks for the interest!!

Yes, I agree with you...

regards

Devang
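
The rule the thread settles on (the interface `ip ospf authentication [message-digest]` command selects the type and overrides the area setting, while the two key commands only store keys) can be checked mechanically. The following is an added example, not code from any poster: the function name `audit_ospf_auth` and the sample configuration are constructed, and it assumes interfaces are placed in areas with the interface command `ip ospf <process-id> area <area-id>` rather than `network` statements.

```python
import re
# Constructed sample IOS configuration (not taken from the thread).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip ospf 1 area 0
 ip ospf message-digest-key 1 md5 PASSWORD
!
interface FastEthernet0/1
 ip ospf 1 area 0
 ip ospf authentication
 ip ospf message-digest-key 1 md5 PASSWORD
!
interface Serial0/0
 ip ospf 1 area 1
 ip ospf authentication-key PASSWORD
!
router ospf 1
 area 0 authentication message-digest
"""

def audit_ospf_auth(config):
    """Return {interface: (effective_auth_type, finding_or_None)}."""
    area_auth, ifaces, cur = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level line opens or closes a block
            m = re.match(r"interface (\S+)", line)
            cur = ifaces.setdefault(m.group(1), {"area": None, "type": None, "keys": set()}) if m else None
        elif m := re.match(r"area (\S+) authentication( message-digest)?$", line):
            area_auth[m.group(1)] = "md5" if m.group(2) else "simple"
        elif cur and (m := re.match(r"ip ospf \d+ area (\S+)", line)):
            cur["area"] = m.group(1)
        elif cur and (m := re.match(r"ip ospf authentication( message-digest)?$", line)):
            cur["type"] = "md5" if m.group(1) else "simple"  # overrides the area type
        elif cur and line.startswith("ip ospf authentication-key "):
            cur["keys"].add("simple")  # stores a key, selects nothing
        elif cur and re.match(r"ip ospf message-digest-key \d+ md5 ", line):
            cur["keys"].add("md5")     # stores a key, selects nothing
    report = {}
    for name, i in ifaces.items():
        eff = i["type"] or area_auth.get(i["area"], "none")
        if eff == "none":
            finding = "key configured but authentication not enabled" if i["keys"] else None
        else:
            finding = None if eff in i["keys"] else f"{eff} selected but no {eff} key"
        report[name] = (eff, finding)
    return report

print(audit_ospf_auth(SAMPLE_CONFIG))
```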
