Please refer to diagram diag_auth.ps

Goal: Authentication

Brief intro: Message Digest authentication is a cryptographic authentication. A key (password) and a key-id are configured on each router. The router uses an algorithm based on the OSPF packet, the key, and the key-id to generate a "message digest" that is appended to the packet. Unlike simple authentication, the key itself is never exchanged over the wire. A non-decreasing sequence number is also included in each OSPF packet to protect against replay attacks. If an interface is configured with more than one key, the router will send multiple copies of the same packet, each authenticated by a different key. The router will stop sending the extra copies once it detects that all of its neighbors have adopted the new key.

Commands:
  ip ospf message-digest-key <key-id> md5 <key>   (used under the interface)
  area <area-id> authentication message-digest    (used under "router ospf")

The following example will make it clearer:

///////////////////////////////////////////////////////////
We are configuring the MrHorse interface "ethernet1" with key-id 10 and key secret1.
///////////////////////////////////////////////////////////

MrHorse config:

mrhorse(config)#router ospf 100
mrhorse(config-router)#area 1 authentication message-digest
mrhorse(config-router)#^Z
mrhorse#
6d23h: %SYS-5-CONFIG_I: Configured from console by console
mrhorse#config t
Enter configuration commands, one per line.  End with CNTL/Z.
mrhorse(config)#interface ethernet1
mrhorse(config-if)#ip ospf message-digest-key 10 md5 secret1
mrhorse(config-if)#^Z

//////////////////
It's a good idea to check what we did: use "show run" to see the changes in the running configuration.
//////////////////

mrhorse#sh run
Building configuration...

6d23h: OSPF: Rcv pkt from 131.252.215.65, Ethernet1 : Mismatch Authentication type. Input packet specified type 0, we use type 2
Current configuration:
!
! Last configuration change at 15:21:46 PST Wed Mar 14 2001
! NVRAM config last updated at 10:43:50 PST Mon Mar 12 2001
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname mrhorse
!
enable secret 5 $1$jYHf$QZp0D/zXCtuxdgIknsu2K1
!
ip subnet-zero
no ip finger
ip domain-list cs.pdx.edu
ip domain-list cat.pdx.edu
ip domain-list ee.pdx.edu
ip domain
6d23h: OSPF: Rcv hello from 131.252.215.49 area 0 from Ethernet0 131.252.215.34
6d23h: OSPF: End of hello processing
6d23h: OSPF: Rcv hello from 131.252.215.33 area 0 from Ethernet0 131.252.215.33
6d23h: OSPF: End of hello processing-list pdx.edu
ip-domain-list .
ip name-server 131.252.208.38
ip name-server 131.252.208.58
clock timezone PST -8
clock summer-time PDT recurring
!
!
!
interface Ethernet0
 description Connected to minshall, port #7
 ip address 131.252.215.35 255.255.255.240
 no ip directed-broadcast
!
interface Ethernet1
 description Connected to minshall, port #15
 ip address 131.252.215.67 255.255.255.240
 no ip directed-broadcast
///// the change is reflected: interface Ethernet1 now has MD5 authentication /////
 ip ospf message-digest-key 10 md5 7 111A1C0605171F5D
!
interface Serial0
 no ip address
 no ip directed-broadcast
 shutdown
 no fair-queue
*************
mrhorse#
6d23h: OSPF: Send with youngest Key 10
mrhorse#
6d23h: OSPF: Rcv pkt from 131.252.215.65, Ethernet1 : Mismatch Authentication type. Input packet specified type 0, we use type 2
mrhorse#
6d23h: OSPF: Rcv hello from 131.252.215.49 area 0 from Ethernet0 131.252.215.34
6d23h: OSPF: End of hello processing
6d23h: OSPF: Rcv hello from 131.252.215.33 area 0 from Ethernet0 131.252.215.33
6d23h: OSPF: End of hello processing
mrhorse#exit
6d23h: OSPF: Rcv pkt from 131.252.215.66, Ethernet1 : Mismatch Authentication type.
Input packet specified type 0, we use type 2
6d23h: OSPF: Send with youngest Key 10
6d23h: OSPF: Rcv pkt from 131.252.215.65, Ethernet1 : Mismatch Authentication type. Input packet specified type 0, we use type 2
6d23h: OSPF: Rcv hello from 131.252.215.49 area 0 from Ethernet0 131.252.215.34
6d23h: OSPF: End of hello processing
6d23h: OSPF: Rcv hello from 131.252.215.33 area 0 from Ethernet0 131.252.215.33
6d23h: OSPF: End of hello processing
6d23h: OSPF: Rcv pkt from 131.252.215.66, Ethernet1 : Mismatch Authentication type. Input packet specified type 0, we use type 2
6d23h: OSPF: Send with youngest Key 10
mrhorse#no debug ip ospf
% Incomplete command.

/////////////
If we analyse the debug output above at MrHorse, we can clearly see an authentication-type mismatch for packets received on interface Ethernet1: the neighbor still sends type 0 (null authentication) while we now require type 2 (cryptographic). We did not configure any authentication on Ethernet0, and it receives OSPF updates without any problem.

Now we are going to configure Tony's interface fastethernet0/1 with the wrong key-id (11) and the wrong password (secret2). Next, see the debug at Tony.
/////////////

Enter configuration commands, one per line.  End with CNTL/Z.
tony(config)#interface fastethernet0/1
tony(config-if)#ip ospf message-digest-key 11 md5 secret2
tony(config-if)#^Z
tony#
6d23h: %SYS-5-CONFIG_I: Configured from console by console
tony#debug ip ospf adj
OSPF adjacency events debugging is on
tony#
6d23h: OSPF: Send with youngest Key 11
6d23h: OSPF: Rcv pkt from 131.252.215.49, FastEthernet0/0 : Mismatch Authentication type. Input packet specified type 0, we use type 2
6d23h: OSPF: Send with youngest Key 0
6d23h: OSPF: Rcv pkt from 131.252.215.66, FastEthernet0/1 : Mismatch Authentication type. Input packet specified type 0, we use type 2
6d23h: OSPF: Rcv pkt from 131.252.215.67, FastEthernet0/1 : Mismatch Authen
tony#sh run
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname tony
!
boot system flash:c2600-js56i-mz.120-2.XC2.bin
enable secret 5 $1$fLjf$MJlI08QuUrx1.P/b5hO3W0
!
ip subnet-zero
ip domain-name cs.pdx.edu
ip name-server 131.252.208.38
ip name-server 131.252.208.58
!
!
!
!
!
!
 --More--
6d23h: OSPF: Send with youngest Key 0
6d23h: OSPF: Rcv pkt from 131.252.215.66, FastEthernet0/1 : Mismatch Authentication type. Input packet specified type 0, we use type 2
!
interface FastEthernet0/0
 description tony/port0
 ip address 131.252.215.50 255.255.255.240
 no ip directed-broadcast
!
interface FastEthernet0/1
 description tony/port1
 ip address 131.252.215.65 255.255.255.240
 no ip directed-broadcast
 ip ospf message-digest-key 10 md5 7 1316121119091078
!
router ospf 100
 network 131.252.215.50 0.0.0.0 area 1
 network 131.252.215.65 0.0.0.0 area 1
 area 1 authentication message-digest
!
ip classless
no ip http server
!
!
snmp-server community public RO
snmp-server location FAB-100-17
 --More--
6d23h: OSPF: Rcv pkt from 131.252.215.67, FastEthernet0/1 : Mismatch Authentication Key - Message Digest Key 10
6d23h: OSPF: Send with youngest Key 10
6d23h: OSPF: Rcv pkt from 131.252.215.49, FastEthernet0/0 : Mismatch Authentication type. Input packet specified type 0, we use type 2
6d23h: OSPF: Send with youngest Key 0
6d23h: OSPF: Rcv pkt from 131.252.215.66, FastEthernet0/1 : Mismatch Authentication type. Input packet specified type 0, we use type 2
6d23h: OSPF: Rcv pkt from 131.252.215.67, FastEthernet0/1 : Mismatch Authentication Key - Message Digest Key 10
tony#shdebug ip ospf adj
6d23h: OSPF: Send with youngest Key 10
6d23h: OSPF: Rcv pkt from 131.252.215.49, FastEthernet0/0 : Mismatch Authentication type.
Input packet specified type 0, we use type 2
tony#no debug ip ospf adj
OSPF adjacency events debugging is off

//////
If we analyse this, we see that because of the key mismatch Tony and MrHorse are not able to talk to each other.
////////////////////
Finally Tony is configured with the right key-id (10) and password (secret1).
/////////////////

tony#config t
Enter configuration commands, one per line.  End with CNTL/Z.
tony(config)#interface fastethernet 0/1
tony(config-if)#no ip ospf message-digest-key 11 md5 secret2
tony(config-if)#ip ospf message-digest-key 10 md5 secret1
tony(config-if)#^Z
tony#

//// Configuration ends ////

//// Now we go to MrHorse and look at the debug for its 131.252.215.67 interface ////

mrhorse#debug ip ospf adj
OSPF adjacency events debugging is on
mrhorse#
6d23h: OSPF: Rcv hello from 131.252.215.65 area 1 from Ethernet1 131.252.215.65
6d23h: OSPF: End of hello processing
6d23h: OSPF: Rcv hello from 131.252.215.49 area 0 from Ethernet0 131.252.215.34
6d23h: OSPF: End of hello processing
6d23h: OSPF: Rcv hello from 131.252.215.33 area 0 from Ethernet0 131.252.215.33
6d23h: OSPF: End of hello processing

///// MrHorse now accepts hellos from and exchanges its database with Tony (131.252.215.66 interface) /////

6d23h: OSPF: Rcv pkt from 131.252.215.66, Ethernet1 : Mismatch Authentication type. Input packet specified type 0, we use type 2
6d23h: OSPF: Send with youngest Key 10
6d23h: OSPF: Rcv hello from 131.252.215.65 area 1 from Ethernet1 131.252.215.65
6d23h: OSPF: End of hello processing
6d23h: OSPF: Rcv hello from 131.252.215.49 area 0 from Ethernet0 131.252.215.34
6d23h: OSPF: End of hello processing
6d23h: OSPF: Rcv hello from 131.252.215.33 area 0 from Ethernet0 131.252.215.33
6d23h: OSPF: End of hello processing
6d23h: OSPF: Rcv pkt from 131.252.215.66, Ethernet1 : Mismatch Authentication type. Input packet specified type 0, we use type 2
6d23h: OSPF: Send with youngest Key 10
6d23h: OSPF: Rcv hello from 131.252.215.65 area 1 from Ethernet1 131.252.215.65
6d23h: OSPF: End of hello processing
6d23h: OSPF: Rcv hello from 131.252.215.49 area 0 from Ethernet0 131.252.215.34
6d23h: OSPF: End of hello processing
6d23h: OSPF: Rcv hello from 131.252.215.33 area 0 from Ethernet0 131.252.215.33
6d23h: OSPF: End of hello processing
6d23h: OSPF: Rcv pkt from 131.252.215.66, Ethernet1 : Mismatch Authentication type. Input packet specified type 0, we use type 2
6d23h: OSPF: Send with youngest Key 10
6d23h: OSPF: Rcv hello from 131.252.215.65 area 1 from Ethernet1 131.252.215.65
6d23h: OSPF: End of hello processing
6d23h: OSPF: Rcv hello from 131.252.215.49 area 0 from Ethernet0 131.252.215.34
6d23h: OSPF: End of hello processing
6d23h: OSPF: Rcv hello from 131.252.215.33 area 0 from Ethernet0 131.252.215.33
6d23h: OSPF: End of hello processing
6d23h: OSPF: Rcv pkt from 131.252.215.66, Ethernet1 : Mismatch Authentication type. Input packet specified type 0, we use type 2
6d23h: OSPF: Send with youngest Key 10
6d23h: OSPF: Rcv hello from 131.252.215.65 area 1 from Ethernet1 131.252.215.65
6d23h: OSPF: End of hello processing
6d23h: OSPF: Rcv hello from 131.252.215.49 area 0 from Ethernet0 131.252.215.34
6d23h: OSPF: End of hello processing
6d23h: OSPF: Rcv hello from 131.252.215.33 area 0 from Ethernet0 131.252.215.33
6d23h: OSPF: End of hello processing
6d23h: OSPF: Rcv pkt from 131.252.215.66, Ethernet1 : Mismatch Authentication type. Input packet specified type 0, we use type 2
6d23h: OSPF: Send with youngest Key 10
6d23h: OSPF: Rcv hello from 131.252.215.65 area 1 from Ethernet1 131.252.215.65
6d23h: OSPF: End of hello processing
6d23h: OSPF: We are not DR to build Net Lsa for interface Ethernet1
6d23h: OSPF: Rcv hello from 131.252.215.49 area 0 from Ethernet0 131.252.215.34
6d23h: OSPF: End of hello processing
6d23h: OSPF: Rcv hello from 131.252.215.33 area 0 from Ethernet0 131.252.215.33
6d23h: OSPF: End of hello processing
6d23h: OSPF: Rcv pkt from 131.252.215.66, Ethernet1 : Mismatch Authentication type. Input packet specified type 0, we use type 2
6d23h: OSPF: Send with youngest Key 10
6d23h: OSPF: Rcv hello from 131.252.215.65 area 1 from Ethernet1 131.252.215.65
6d23h: OSPF: End of hello processing
6d23h: OSPF: Rcv hello from 131.252.215.49 area 0 from Ethernet0 131.252.215.34
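To make the mechanism from the intro concrete, here is an added Python model (written for this page, not code from the original lab or from Cisco IOS) of OSPFv2 cryptographic authentication as specified in RFC 2328 Appendix D: the sender appends MD5(packet || key) after the packet, and the receiver checks the auth type, key-id, sequence number and digest, returning the same mismatch messages that appear in the debug output above. The router id, the packet body and the key-id/secret pairs are constructed for the example.

```python
import hashlib
import hmac
import struct

AUTH_NULL, AUTH_CRYPTO = 0, 2      # OSPFv2 AuType values (RFC 2328 A.3.1)
ROUTER_ID = 0x83FCD743             # constructed: 131.252.215.67 packed as a 32-bit router id

def ospf_header(auth_type, key_id=0, seq=0, length=24, router_id=ROUTER_ID):
    """24-byte OSPFv2 header for a Hello (type 1) in area 1; checksum is 0 for AuType 2.
    AuType 2 authentication field: 0 (16 bits), Key ID (8), Auth Data Len (8),
    cryptographic sequence number (32). For AuType 0 the field is unused."""
    auth = struct.pack("!HBBI", 0, key_id, 16, seq) if auth_type == AUTH_CRYPTO else b"\x00" * 8
    return struct.pack("!BBHIIHH", 2, 1, length, router_id, 1, 0, auth_type) + auth

def md5_digest(packet, key):
    # RFC 2328 D.4.3: MD5 over the packet followed by the secret padded to 16 bytes.
    # The secret never goes on the wire; only this 16-byte digest is appended.
    return hashlib.md5(packet + key.encode().ljust(16, b"\x00")).digest()

def sign(body, key_id, key, seq):
    """Sender side: header + body, then the digest appended beyond the OSPF length field."""
    pkt = ospf_header(AUTH_CRYPTO, key_id, seq, 24 + len(body)) + body
    return pkt + md5_digest(pkt, key)

def verify(wire, keys, last_seq):
    """Receiver side. keys: {key_id: secret} configured on this interface.
    last_seq: {router_id: highest accepted sequence number}, updated on success.
    Return strings mirror the IOS debug messages seen in this lab."""
    if len(wire) < 24:
        return "runt packet"
    _ver, _ptype, length, rid, _area, _cksum, auth_type = struct.unpack("!BBHIIHH", wire[:16])
    if auth_type != AUTH_CRYPTO:
        return "Mismatch Authentication type. Input packet specified type %d, we use type 2" % auth_type
    _zero, key_id, auth_len, seq = struct.unpack("!HBBI", wire[16:24])
    if key_id not in keys or auth_len != 16 or len(wire) < length + auth_len:
        return "Mismatch Authentication Key - Message Digest Key %d" % key_id
    if seq < last_seq.get(rid, 0):   # non-decreasing sequence number rejects replayed old packets
        return "Mismatch sequence number (possible replay)"
    pkt, digest = wire[:length], wire[length:length + auth_len]
    if not hmac.compare_digest(digest, md5_digest(pkt, keys[key_id])):   # constant-time compare
        return "Mismatch Authentication Key - Message Digest Key %d" % key_id
    last_seq[rid] = seq
    return "ok"
```

Note that only the digest travels on the wire, so what remains to protect is the stored key itself; the `7` in the `md5 7 ...` lines of the show run output is Cisco's reversible type-7 display encoding, not protection of the key.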