
HSRP and MD5 authentication

sarahr202
Level 5

Hi everybody

I configured HSRP on R1 (199.199.199.1) with MD5 authentication as shown below:

    interface FastEthernet0/0
     ip address 199.199.199.1 255.255.255.0
     duplex auto
     speed auto
     standby 1 ip 199.199.199.10
     standby 1 authentication md5 key-string 7 14141B180F0B

    R1#show version
    Cisco IOS Software, 2600 Software (C2691-ADVIPSERVICESK9-M), Version 12.4(15)T6, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Compiled Mon 07-Jul-08 04:30 by prod_rel_team

=============================================================

When I captured the hello packet sent by R1, I don't see the MD5 hashed value.

Below is one of the packets:

    No.     Time        Source                Destination           Protocol Length Info
        172 189.484000  199.199.199.1         224.0.0.2             HSRP     92     Hello (state Standby)

    Frame 172: 92 bytes on wire (736 bits), 92 bytes captured (736 bits)
    Ethernet II, Src: c0:00:03:d8:00:00 (c0:00:03:d8:00:00), Dst: IPv4mcast_00:00:02 (01:00:5e:00:00:02)
    Internet Protocol Version 4, Src: 199.199.199.1 (199.199.199.1), Dst: 224.0.0.2 (224.0.0.2)
    User Datagram Protocol, Src Port: hsrp (1985), Dst Port: hsrp (1985)
        Source port: hsrp (1985)
        Destination port: hsrp (1985)
        Length: 58
        Checksum: 0x9c4c [validation disabled]
    Cisco Hot Standby Router Protocol
        Version: 0
        Op Code: Hello (0)
        State: Standby (8)
        Hellotime: Default (3)
        Holdtime: Default (10)
        Priority: 100
        Group: 1
        Reserved: 0
        Authentication Data: Non-Default ()
        Virtual IP Address: 199.199.199.10 (199.199.199.10)

My book says HSRP MD5 authentication was introduced into some Cat switch platforms with Cisco IOS 12.2(25)S. At press time, this feature was available only on the Cat 3560 and 3750.

My question is: since the option for MD5 authentication is available in the IOS I am using, the IOS must support it. However, as can be seen in the above packet capture, I don't see any hashed MD5 value.

I will appreciate any help

Thanks and have a great week.

1 Accepted Solution


Giuseppe Larosa
Hall of Fame

Hello Sarah,

You should look at the packet in hexadecimal format and not in text format.

Notice that it says:

Authentication Data: Non-Default ()

The default authentication is null, so this packet should contain the MD5 hash.

However, the MD5 hash should be at the end of the packet, as it is a sort of strong checksum of the packet content.

Also, MD5 is 128 bits in length and the HSRP authentication data is only 8 bytes long (= 64 bits).

See

http://www.networksorcery.com/enp/protocol/hsrp.htm

So the MD5 hash should be at the end of the packet, in the last 16 bytes.

The Authentication Data field should only provide information about the type of authentication, not the MD5 hash itself.

Notice also the size of the packet, which is 92 bytes. I would expect the size of the HSRP packet to increase if MD5 authentication is enabled.

Hope to help

Giuseppe
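
Added example, not part of the original thread: the capture's UDP Length of 58 leaves 50 bytes of HSRP payload, 30 more than the 20-byte fixed HSRP version 0 message, so the sketch below splits a payload into the fixed header and whatever follows it, and takes the last 16 bytes as the candidate digest. The sample packets are constructed from the header values in the capture; the trailer contents and all function names are assumptions made for illustration.

```python
import ipaddress
import struct

HSRP_V0_LEN = 20      # fixed HSRP version 0 message size (RFC 2281)
UDP_HEADER_LEN = 8
MD5_LEN = 16          # an MD5 digest is 128 bits

def hsrp_payload_len(udp_length: int) -> int:
    """HSRP bytes carried by a datagram whose UDP Length field is udp_length."""
    return udp_length - UDP_HEADER_LEN

def parse_hsrp_v0(payload: bytes) -> dict:
    """Split a UDP/1985 payload into the fixed header and any trailing bytes."""
    if len(payload) < HSRP_V0_LEN:
        raise ValueError("truncated HSRP message")
    (version, opcode, state, hello, hold, priority, group, _reserved,
     auth, vip) = struct.unpack("!8B8s4s", payload[:HSRP_V0_LEN])
    if version != 0:
        raise ValueError("not an HSRP version 0 message")
    trailer = payload[HSRP_V0_LEN:]
    return {
        "opcode": opcode, "state": state, "hellotime": hello,
        "holdtime": hold, "priority": priority, "group": group,
        "auth_data": auth,                       # the 8-byte field
        "virtual_ip": str(ipaddress.IPv4Address(vip)),
        "trailer": trailer,
        # Per the answer above, a digest would be the last 16 bytes.
        "candidate_digest": trailer[-MD5_LEN:] if len(trailer) >= MD5_LEN else None,
    }

def classify_auth(msg: dict) -> str:
    """Label how a hello is authenticated, judged from its layout alone."""
    if msg["candidate_digest"] is not None:
        return "md5-trailer"
    text = msg["auth_data"].rstrip(b"\x00")
    if text == b"cisco":                         # RFC 2281 recommended default
        return "default-plaintext"
    return "plaintext" if text else "empty"

def _hello(auth: bytes, trailer: bytes = b"") -> bytes:
    vip = ipaddress.IPv4Address("199.199.199.10").packed
    return struct.pack("!8B8s4s", 0, 0, 8, 3, 10, 100, 1, 0, auth, vip) + trailer

# Constructed samples: header values from the capture; the trailer is made up
# (14 opaque bytes, layout not shown on the page, then a placeholder digest).
MD5_HELLO = _hello(bytes(8), bytes(14) + bytes(range(16)))
PLAIN_HELLO = _hello(b"cisco")
```

Feeding it the UDP payload bytes exported from a real capture shows whether a hello on the segment carries only the 8-byte plaintext field or extra bytes after the fixed header.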
