About authentication of OSPF

cciemaple
Level 1

hi everyone

A problem about the authentication of OSPF has puzzled me for a long time. It is that AuthType 2, which uses the MD5 algorithm, is better than the simple password, but in the OSPF packets the hash numbers don't change. If there are some OSPF routers and a host running sniffer software on the same LAN, the hash number will be captured, and someone can cheat the routers on the LAN with forged packets.

It seems that the authentication of OSPF doesn't work, but I don't believe it. I hope someone can help me, thanks!

P.S. I'm not a native speaker, sorry for my bad English!

4 Replies

ashok_boin
Level 5

Hi,

Please note that MD5 hash algorithms are only one-way. You can't easily learn the password just by knowing the hash. It is possible to retrieve data with encryption techniques if you know the key, meaning encryption techniques are two-way in general.

For example, your password is "abc" and your MD5 checksum is "1$122131Aaa". The only option left for us is guessing the password, computing the MD5 checksum over it and comparing it with the saved original hash, which is impossible to detect with existing technology.

Please refer to the following link for more information:

http://unixwiz.net/techtips/iguide-crypto-hashes.html

Thank you,

Regards...

-Ashok.


With best regards...
Ashok

Thank you very much.

I know the MD5 algorithm is one-way, but when the script kiddy forges the packets, they don't need to know the real password, only the hash number. For example:

there is a string "00 02 00 00 10 26 91 7b 1e" in an OSPF hello packet, and the first 64 bits are the hash number; the remaining 8 bits are the sequence number. If we want to cheat the OSPF routers, we only need to forge OSPF packets with an increasing sequence number, because the hash number won't change.

So is there any difference between AuthType 2 and AuthType 1?

Oh, I'm very, very sorry...

I made a mistake... I understand, thank you very much.

Harold Ritter
Cisco Employee

Just as a clarification, the MD5 hash sent as part of OSPF packets is 16 bytes long and changes in every packet. Per RFC 2328 section D.4.3 (6)(c), the hash is created from the following data:

"The MD5 authentication algorithm is run over the concatenation of the OSPF packet, secret key, pad and length fields, producing a 16 byte message digest."

Hope this helps,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
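As an added illustration of Harold's point (example code written for this thread, not from the poster, Cisco or the RFC): the RFC 2328 D.4.3 digest computed over the OSPF packet plus key, showing that two consecutive Hellos carry different digests and that a receiver-side check rejects a captured frame whose sequence number was bumped without the key. The Hello body, addresses and key are constructed; zero-padding a short key to 16 bytes is an assumption about common implementation practice.

```python
import hashlib
import hmac
import socket
import struct

KEY_LEN = 16  # RFC 2328 D.4.3 uses a 16-byte key; zero-padding shorter keys is an assumed convention


def ospf_md5_digest(packet: bytes, key: bytes) -> bytes:
    # RFC 2328 D.4.3 (6): MD5 over the OSPF packet with the key appended;
    # MD5 itself supplies the trailing pad and length fields.
    return hashlib.md5(packet + key.ljust(KEY_LEN, b"\x00")).digest()


def build_hello(router_id: str, area_id: str, key_id: int, seq: int) -> bytes:
    # OSPFv2 header with AuType 2 and checksum zero. Authentication field =
    # 16 zero bits, Key ID, auth data length (16), 32-bit cryptographic sequence number.
    # The Hello body (mask, hello/dead intervals, options, priority, DR, BDR) is constructed.
    body = struct.pack("!4sHBBI4s4s", socket.inet_aton("255.255.255.0"), 10, 0x02, 1, 40,
                       bytes(4), bytes(4))
    header = struct.pack("!BBH4s4sHH", 2, 1, 24 + len(body), socket.inet_aton(router_id),
                         socket.inet_aton(area_id), 0, 2)
    return header + struct.pack("!HBBI", 0, key_id, 16, seq) + body


def sign(packet: bytes, key: bytes) -> bytes:
    # The digest is appended after the packet and is not counted in the OSPF length field.
    return packet + ospf_md5_digest(packet, key)


def verify(frame: bytes, key: bytes) -> bool:
    # Receiver side: recompute over everything before the trailing 16 bytes, compare in constant time.
    if len(frame) < 40:
        return False
    length, autype = struct.unpack("!H", frame[2:4])[0], struct.unpack("!H", frame[14:16])[0]
    if autype != 2 or len(frame) != length + 16:
        return False
    return hmac.compare_digest(frame[length:], ospf_md5_digest(frame[:length], key))


def sequence_number(frame: bytes) -> int:
    return struct.unpack("!I", frame[20:24])[0]


def bump_sequence_keep_digest(frame: bytes) -> bytes:
    # The scenario from the thread: a captured frame with sequence number +1 and the old digest kept.
    return frame[:20] + struct.pack("!I", sequence_number(frame) + 1) + frame[24:]


if __name__ == "__main__":
    key = b"cisco"  # constructed key
    a = sign(build_hello("10.0.0.1", "0.0.0.0", 1, 100), key)
    b = sign(build_hello("10.0.0.1", "0.0.0.0", 1, 101), key)
    print("digests differ:", a[-16:] != b[-16:], "| genuine:", verify(a, key),
          "| bumped replay:", verify(bump_sequence_keep_digest(a), key))
```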