OSPF authentication

What is tested
・Checking authentication, etc.

Start from the following state.

R1
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Serial1/0
 ip address 192.168.0.1 255.255.255.252
 ip ospf authentication
 ip ospf authentication-key cisco
!
router ospf 1
 network 1.1.1.1 0.0.0.0 area 0
 network 192.168.0.0 0.0.0.3 area 0

R2
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Serial1/0
 ip address 192.168.0.2 255.255.255.252
 ip ospf authentication
 ip ospf authentication-key cisco
!
router ospf 1
 network 2.2.2.2 0.0.0.0 area 0
 network 192.168.0.0 0.0.0.3 area 0
For now, the above is per-interface authentication. There is also a per-area version.

R1#sh ip ospf interface s1/0
Serial1/0 is up, line protocol is up
  Internet Address 192.168.0.1/24, Area 0
  Process ID 1, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 64
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:04
  Supports Link-local Signaling (LLS)
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 2.2.2.2
  Suppress hello for 0 neighbor(s)
  Simple password authentication enabled

It shows "Simple password authentication enabled".
Incidentally, if authentication is not configured, nothing shows up here at all.

OK. Next, MD5 authentication.

R1
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Serial1/0
 ip address 192.168.0.1 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 10 md5 cisco
!
router ospf 1
 network 1.1.1.1 0.0.0.0 area 0
 network 192.168.0.0 0.0.0.3 area 0

R2
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Serial1/0
 ip address 192.168.0.2 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 10 md5 cisco
!
router ospf 1
 network 2.2.2.2 0.0.0.0 area 0
 network 192.168.0.0 0.0.0.3 area 0
Looking at sh ip ospf interface:

R1#sh ip ospf inte
*Jul 15 13:04:44.419: %SYS-5-CONFIG_I: Configured from console by console
Serial1/0 is up, line protocol is up
  Internet Address 192.168.0.1/24, Area 0
  Process ID 1, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 64
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:00
  Supports Link-local Signaling (LLS)
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 2.2.2.2
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 10
Loopback0 is up, line protocol is up
  Internet Address 1.1.1.1/32, Area 0
  Process ID 1, Router ID 1.1.1.1, Network Type LOOPBACK, Cost: 1
  Loopback interface is treated as a stub Host

"Message digest authentication enabled" and
"Youngest key id is 10" are shown.

Here, add ip ospf message-digest-key 20 md5 cisco to both interfaces and delete key 10.
Authentication then switches to key 20, and the sh ip ospf int output changes to "Youngest key id is 20" as well.

Capturing debug ip ospf event shows the hellos being exchanged with authentication.

*Jul 15 13:11:36.255: OSPF: End of hello processing
*Jul 15 13:11:39.999: OSPF: Send with youngest Key 20
*Jul 15 13:11:39.999: OSPF: Send hello to 224.0.0.5 area 0 on Serial1/0 from 192.168.0.2
OK. Next: per-area authentication.

R1
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Serial1/0
 ip address 192.168.0.1 255.255.255.252
 ip ospf authentication-key cisco
!
router ospf 1
 network 1.1.1.1 0.0.0.0 area 0
 network 192.168.0.0 0.0.0.3 area 0
 area 0 authentication

R2
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Serial1/0
 ip address 192.168.0.2 255.255.255.252
 ip ospf authentication-key cisco
!
router ospf 1
 network 2.2.2.2 0.0.0.0 area 0
 network 192.168.0.0 0.0.0.3 area 0
 area 0 authentication
First, what happens if only one side has the authentication setting?

*Jul 15 13:19:46.299: OSPF: Rcv pkt from 192.168.0.1, Serial1/0 : Mismatch Authentication Key - Clear Text
*Jul 15 13:19:50.447: OSPF: Send hello to 224.0.0.5 area 0 on Serial1/0 from 192.168.0.2
*Jul 15 13:19:56.099: OSPF: Rcv pkt from 192.168.0.1, Serial1/0 : Mismatch Authentication Key - Clear Text
*Jul 15 13:20:00.451: OSPF: Send hello to 224.0.0.5 area 0 on Serial1/0 from 192.168.0.2
Yay. Lots of "Mismatch Authentication Key - Clear Text" messages come out.
Now put the setting in properly on the other side too.

 Number of areas transit capable is 0
 External flood list length 0
    Area BACKBONE(0)
        Number of interfaces in this area is 2 (1 loopback)
        Area has simple password authentication
        SPF algorithm last executed 00:00:27.704 ago
        SPF algorithm executed 9 times
        Area ranges are
        Number of LSA 2. Checksum Sum 0x006ACF
        Number of opaque link LSA 0. Checksum Sum 0x000000
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0
It reached FULL state properly, and sh ip ospf shows "Area has simple password authentication".
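As an added example that is not part of the original post: a Python model of the two OSPFv2 authentication types exercised above, following RFC 2328 Appendix D. build_hello() constructs a minimal Hello with either the 8-byte clear-text password or the MD5 key ID / sequence number field plus digest trailer, and verify() performs the receiver-side check, so the key 10 to key 20 rollover and the one-sided-authentication mismatch seen in the debug output can be reproduced offline. The empty Hello body, the zero checksum and the result strings are constructed for this example; only the key IDs 10/20 and the key "cisco" come from the lab.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

AU_NULL, AU_SIMPLE, AU_CRYPTO = 0, 1, 2
HDR = "!BBH4s4sHH"    # version, type, length, router ID, area ID, checksum, AuType
HDR_LEN = 24          # the 16 bytes above plus the 8-byte authentication field

def md5_trailer(packet, key):
    """RFC 2328 D.4.3: MD5 over the packet followed by the key zero-padded to 16 bytes."""
    padded = key.encode()[:16].ljust(16, b"\x00")
    return hashlib.md5(packet + padded).digest()

def build_hello(router_id, area, au_type, password="", key_id=0, key="", seq=0):
    """Build a minimal OSPFv2 Hello (type 1) carrying the chosen authentication type."""
    body = b"\x00" * 20                                   # constructed, empty Hello body
    if au_type == AU_SIMPLE:
        auth = password.encode()[:8].ljust(8, b"\x00")    # clear-text password, 8 bytes
    elif au_type == AU_CRYPTO:
        auth = struct.pack("!HBBI", 0, key_id, 16, seq)   # reserved, key ID, auth len, seq
    else:
        auth = b"\x00" * 8
    hdr = struct.pack(HDR, 2, 1, HDR_LEN + len(body), IPv4Address(router_id).packed,
                      IPv4Address(area).packed, 0, au_type)  # checksum left 0 for brevity
    pkt = hdr + auth + body
    return pkt + md5_trailer(pkt, key) if au_type == AU_CRYPTO else pkt

def verify(frame, expected_type, password="", keys=None):
    """Receiver-side check: 'ok' or the reason the packet would be dropped and logged."""
    _, _, length, _, _, _, au_type = struct.unpack(HDR, frame[:16])
    auth = frame[16:24]
    if au_type != expected_type:
        return "mismatch-auth-type"
    if au_type == AU_SIMPLE:
        expected = password.encode()[:8].ljust(8, b"\x00")
        # A wrong password is what the lab logged as "Mismatch Authentication Key - Clear Text".
        return "ok" if hmac.compare_digest(auth, expected) else "mismatch-clear-text"
    if au_type == AU_CRYPTO:
        _, key_id, auth_len, _ = struct.unpack("!HBBI", auth)
        key = (keys or {}).get(key_id)
        if key is None:
            return "unknown-key-id"    # e.g. key 10 after it was removed on this side
        digest = frame[length:length + auth_len]
        if hmac.compare_digest(md5_trailer(frame[:length], key), digest):
            return "ok"
        return "mismatch-digest"
    return "ok"
```

Note that the digest is not an HMAC: the key is simply appended to the packet, which is why RFC 2328 MD5 authentication protects against casual spoofing but not against an adversary who learns the key, and why the sequence number, not the digest alone, is what resists replay.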

OK. The last one: MD5 area authentication.

R1
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Serial1/0
 ip address 192.168.0.1 255.255.255.252
 ip ospf message-digest-key 10 md5 cisco
!
router ospf 1
 network 1.1.1.1 0.0.0.0 area 0
 network 192.168.0.0 0.0.0.3 area 0
 area 0 authentication message-digest

R2
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Serial1/0
 ip address 192.168.0.2 255.255.255.252
 ip ospf message-digest-key 10 md5 cisco
!
router ospf 1
 network 2.2.2.2 0.0.0.0 area 0
 network 192.168.0.0 0.0.0.3 area 0
 area 0 authentication message-digest
Like so.

 External flood list length 0
    Area BACKBONE(0)
        Number of interfaces in this area is 2 (1 loopback)
        Area has message digest authentication
        SPF algorithm last executed 00:07:17.544 ago
        SPF algorithm executed 9 times
        Area ranges are
        Number of LSA 2. Checksum Sum 0x006ACF
        Number of opaque link LSA 0. Checksum Sum 0x000000
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0
"Area has message digest authentication" is displayed.

R2#sh ip ospf inter
Serial1/0 is up, line protocol is up
  Internet Address 192.168.0.2/24, Area 0
  Process ID 1, Router ID 2.2.2.2, Network Type POINT_TO_POINT, Cost: 64
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:03
  Supports Link-local Signaling (LLS)
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 1.1.1.1
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 10
Loopback0 is up, line protocol is up
  Internet Address 2.2.2.2/32, Area 0
  Process ID 1, Router ID 2.2.2.2, Network Type LOOPBACK, Cost: 1
  Loopback interface is treated as a stub Host
sh ip ospf interface also shows
Message digest authentication enabled
Youngest key id is 10
as expected.
Hmm, this ended up being almost the same as ccstudy. Theirs is probably 100 times easier to understand.