Re: OSPF Authentication Methods - (3)

From: Scott Morris <swm_at_emanon.com>
Date: Fri, 20 May 2011 09:25:16 -0400

So this means that people get to read the RFC, right? Awesome idea!

Or it means there can be philosophical debates about whether "not" doing
something is actually a form of doing something. ;)

But from a packet perspective, there is a 0 (none), 1 (plain) or 2
(message-digest) kinds. And who knows, there COULD be a "3" kind some
day since the binary value is already possible!

Since "not doing" authentication is a type, is "future unknown" also a
type? That would make 4. ;)

May the Force be with you.

 

*Scott Morris*, CCIE/x4/ (R&S/ISP-Dial/Security/Service Provider) #4713,

CCDE #2009::D, JNCIE-M #153, JNCIE-ER #102, CISSP, et al.

CCSI #21903, JNCI-M, JNCI-ER

swm_at_emanon.com

Knowledge is power.

Power corrupts.

Study hard and be Eeeeviiiil......

On 5/20/11 8:27 AM, Darby Weaver wrote:
> That's what I love about the CCIE Lab...
>
> Everyone says there are "only" 2 types of authentication in OSPF....
>
> 1. Plain text
> 2. MD5
>
> If you listen to all your most knowledgeable friends on Groupstudy and a
> couple of three (maybe more CCIE's of some repute)...
>
> And then you find yourself in the "gladiator's chamber" one day... and a
> third is suggested by some hint of a vague clue...
>
> Unless you've heard of RFC2328 and then you find... there is a third... and
> you find yourself astonished in about the same way everyone else was when we
> found out that Luke Skywalker was not quite "The Last Hope" as mentioned by
> Yoda... Yep... there are three...
>
>
> OSPF as defined in
> [RFC2328]
> includes three different types of
> authentication schemes: Null authentication, simple password and
> cryptographic authentication. NULL authentication is akin to having
> no authentication at all. In the simple password scheme of
> authentication, the passwords are exchanged in the clear text on the
> network and anyone with physical access to the network can learn the
> password and compromise the security of the OSPF domain.
>
> In the cryptographic authentication scheme, the OSPF routers on a
> common network/subnet share a secret key which is used to generate a
> keyed MD5 digest for each packet and a monotonically increasing
> sequence number scheme is used to prevent replay attacks.
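
Added example, not part of either message above and not code from any vendor or from the RFC: the AuType values discussed in this thread, read from the 24-byte OSPFv2 header laid out in RFC 2328, with the keyed-MD5 digest and sequence-number check for type 2. The key, router ID and packet body are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

AUTYPE_NAMES = {0: "null", 1: "simple password", 2: "cryptographic (keyed MD5)"}
# version, type, packet length, router ID, area ID, checksum, AuType, authentication
HEADER = struct.Struct("!BBH4s4sHH8s")  # 24 bytes


def pad_key(key: bytes) -> bytes:
    # The shared secret is used as exactly 16 bytes, zero-padded.
    return key.ljust(16, b"\0")[:16]


def build_md5_packet(body: bytes, key: bytes, key_id: int, seq: int) -> bytes:
    """Build a constructed OSPFv2 Hello with AuType 2 (sample input only)."""
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)  # 0, Key ID, digest len, seq
    length = HEADER.size + len(body)  # the trailing digest is not counted here
    hdr = HEADER.pack(2, 1, length, bytes([10, 0, 0, 1]), bytes(4), 0, 2, auth)
    pkt = hdr + body
    return pkt + hashlib.md5(pkt + pad_key(key)).digest()


def check_packet(raw: bytes, keys: dict, last_seq: int):
    """Return (verdict, sequence number to remember for this neighbor)."""
    if len(raw) < HEADER.size:
        return "too short", last_seq
    _v, _t, length, _rid, _area, _cksum, autype, auth = HEADER.unpack_from(raw)
    if length < HEADER.size or length > len(raw):
        return "bad length", last_seq
    if autype not in AUTYPE_NAMES:  # the field is 16 bits, so a "3" can arrive
        return f"unknown AuType {autype}", last_seq
    if autype != 2:
        return AUTYPE_NAMES[autype], last_seq
    _zero, key_id, digest_len, seq = struct.unpack("!HBBI", auth)
    digest = raw[length:length + digest_len]
    if key_id not in keys or digest_len != 16 or len(digest) != 16:
        return "bad key id or digest length", last_seq
    expected = hashlib.md5(raw[:length] + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(digest, expected):
        return "digest mismatch", last_seq
    if seq < last_seq:  # RFC 2328 D.5.3: lower than the recorded value is discarded
        return "replayed", last_seq
    return "ok", seq


if __name__ == "__main__":
    keys = {1: b"s3cret"}  # constructed key table: Key ID -> shared secret
    pkt = build_md5_packet(b"hello-body", keys[1], key_id=1, seq=5)
    print(check_packet(pkt, keys, last_seq=0))  # fresh packet
    print(check_packet(pkt, keys, last_seq=6))  # same packet after seq 6 was seen
```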

Received on Fri May 20 2011 - 09:25:16 ART
