[Xorp-hackers] OSPF auth...

Hasso Tepper hasso@estpak.ee
Fri, 10 Mar 2006 16:49:31 +0200


Kristian Larsson wrote:
> On Thu, Mar 09, 2006 at 04:09:09PM -0800, Pavlin Radoslavov wrote:
> >  * In Juniper there is no start/end time for simple passwords.
> >    In fact, they don't have even end-time for md5.
>
> Well, this is not a juniper and we should only
> pick the good parts from juniper and improve on
> the bad ones.
>
> >  * To have the switchover working properly you need to have both
> >    sides agree on some additional rules about when to start and stop
> >    accepting or transmitting the new/old key(s). We need such rules
> >    to cover cases like clocks that are not synchronized, etc.
> >    Such rules do not exist (in RFC or a similar document) for
> >    switching between a simple password and md5.

Do start/end times affect accepting keys at all?

> Of course, clocks would need to be synchronized
> and this would be up to the operator of the
> equipment. We use NTP on all our routers and with
> OSPF hello timer of 10 seconds there is quite a
> window in between in which you can switch key.

I'd consider this kind of transition dangerous for my network and would 
never use it.

Juniper has only start-time because there is no need for end-time. Start 
time affects only sending of packets. All configured keys are accepted 
for received packets regardless of start time.

Smooth switch of keys looks like this here:

1) Configure new keys into routers with start time X in the future. X is 
chosen so that you can safely add keys to all routers affected by key 
switch.
2) Monitor affected parts of network closely at X. Double-check that all 
works after X.
3) Remove old keys from all affected routers.


regards,

-- 
Hasso Tepper
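As an added illustration, not code from this thread or from XORP, a small Python model of the Juniper-style behaviour described above: start time only picks the transmit key, every configured key is accepted on receive, and the three rollover steps are walked through between two routers. The keyed-MD5 digest is a simplified version of RFC 2328 Appendix D, and the router names, key ids, secrets and time X are constructed.

```python
import hashlib
import hmac
from typing import Dict, NamedTuple, Optional, Tuple

class Key(NamedTuple):
    key_id: int
    secret: bytes
    start: int  # seconds since epoch; gates transmission only

class KeyChain:
    """Start time picks the key that signs outgoing packets; every configured
    key is accepted on receive regardless of start time (the post's model)."""
    def __init__(self) -> None:
        self.keys: Dict[int, Key] = {}
    def tx_key(self, now: int) -> Optional[Key]:
        live = [k for k in self.keys.values() if k.start <= now]
        return max(live, key=lambda k: k.start, default=None)  # newest live key
    @staticmethod
    def digest(body: bytes, key: Key) -> bytes:
        # Simplified keyed MD5 after RFC 2328 Appendix D: MD5(packet || 16-byte key)
        return hashlib.md5(body + key.secret.ljust(16, b"\0")[:16]).digest()
    def sign(self, body: bytes, now: int) -> Optional[Tuple[int, bytes]]:
        k = self.tx_key(now)
        return None if k is None else (k.key_id, self.digest(body, k))
    def verify(self, body: bytes, key_id: int, mac: bytes) -> bool:
        k = self.keys.get(key_id)
        return k is not None and hmac.compare_digest(self.digest(body, k), mac)

def both_ways(a: KeyChain, b: KeyChain, now: int) -> bool:
    # True only if each router's hello is accepted by the other at time `now`.
    for src, dst in ((a, b), (b, a)):
        signed = src.sign(b"hello", now)
        if signed is None or not dst.verify(b"hello", *signed):
            return False
    return True

def rollover_demo(x: int = 1000) -> Dict[str, bool]:
    """The post's three steps between routers A and B; the new key starts at X."""
    a, b, out = KeyChain(), KeyChain(), {}
    old, new = Key(1, b"old-secret", 0), Key(2, b"new-secret", x)
    a.keys[1] = b.keys[1] = old
    a.keys[2] = new                                  # step 1: A gets the new key first
    out["step1_a_only"] = both_ways(a, b, x - 100)
    b.keys[2] = new                                  # ... then B, still before X
    out["step1_both"] = both_ways(a, b, x - 50)
    late = KeyChain(); late.keys[2] = new            # a router holding only the new key
    out["only_new_before_x"] = both_ways(late, b, x - 10)
    out["step2_after_x"] = both_ways(a, b, x + 10)   # both now transmit with key 2
    del a.keys[1], b.keys[1]                         # step 3: old key removed everywhere
    out["step3_done"] = both_ways(a, b, x + 20)
    return out
```

The `only_new_before_x` case is the failure mode the procedure avoids: a router that holds only the new key before X has nothing eligible to transmit with and cannot authenticate its peer's old-key hellos.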