Options
IP OSPF Authentication keys
Hi, I've just been messing around with OSPF authentication and had some questions. In the OCG it says "To avoid having network failures during this cutover, OSPF actually sends and accepts messages that use all the currently configured authentication keys on the interface." (P.161). However, this is where I had some questioning: if you configure multiple keys, the router wills end out Hello's using all the keys configured for that interface. However, once both sides agree on a new key, and older keys are configured, they will no longer send Hello's using all the keys.. and then if you remove the newer key from one of the routers, it will send out it's older key, but the other router will not support this key anymore even though it's configured with it because it's "locked" into the newer key.
I verified this by running OSPF between two routers, R1 and R2. First, I configured both with an md5 key of 2, and the adjacency obviously forms. Then on R1, I configured additional md5 keys of 5 and 8. Now, when I do a "debug ip ospf events" I can see that R1 is sending the Hello's using all keys (2, 5, and 8 ). And it receives R2's only configured key 2. And now let's say I configure R2 with md5 key 8.. now the routers will not send Hello's using all keys.. the debug output on both routers says "Send with youngest key 8." I'm assuming this is a feature to prevent the routers from sending duplicate OSPF traffic if they don't need to. However, now if I take off keys 5 and 8 from R2 (so it's back to sending with key 2 only), but R1 will not recognize key 2 because it's "locked" into sending and receiving with key 8 only.
I found it interesting that the routers would not send using all configured keys, all the time. It makes sense, but the text didn't mention it (maybe FLG does?). The thing I found odd was that R1 wouldn't "backtrack" to allow R2 to use key 2 when it was configured with keys 2, 5, and 8. It worked before R2 went to key 8, but not when key 8 was removed from R2. Guess that's just the way it works.
I verified this by running OSPF between two routers, R1 and R2. First, I configured both with an md5 key of 2, and the adjacency obviously forms. Then on R1, I configured additional md5 keys of 5 and 8. Now, when I do a "debug ip ospf events" I can see that R1 is sending the Hello's using all keys (2, 5, and 8 ). And it receives R2's only configured key 2. And now let's say I configure R2 with md5 key 8.. now the routers will not send Hello's using all keys.. the debug output on both routers says "Send with youngest key 8." I'm assuming this is a feature to prevent the routers from sending duplicate OSPF traffic if they don't need to. However, now if I take off keys 5 and 8 from R2 (so it's back to sending with key 2 only), but R1 will not recognize key 2 because it's "locked" into sending and receiving with key 8 only.
I found it interesting that the routers would not send using all configured keys, all the time. It makes sense, but the text didn't mention it (maybe FLG does?). The thing I found odd was that R1 wouldn't "backtrack" to allow R2 to use key 2 when it was configured with keys 2, 5, and 8. It worked before R2 went to key 8, but not when key 8 was removed from R2. Guess that's just the way it works.
Currently reading: Internet Routing Architectures by Halabi