Adding the interface MTU into DD packets – H3C Technologies H3C S12500 Series Switches User Manual

OSPF sends multiple packets that contain both the new and old MD5/HMAC-MD5 authentication
key IDs to make sure all neighbor devices can pass the authentication.
2. Configure the new MD5/HMAC-MD5 authentication key ID on all neighbor devices. When the
   local device receives packets with the new key ID from all neighbor devices, it exits MD5 key
   rollover.
3. Delete the old MD5/HMAC-MD5 authentication key ID from the local device and all its neighbors.
H3C recommends not retaining multiple MD5/HMAC-MD5 authentication key IDs for an area. After you
modify the MD5/HMAC-MD5 authentication key ID, delete the old key ID promptly. This helps prevent
attacks from devices that use the old key ID for communication and reduces the system resources and
bandwidth consumed by key rollover.
To configure OSPF authentication for an interface:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
Step 3. Configure OSPF authentication for an interface.
    Command:
    • Configure the simple authentication mode for the interface:
      ospf authentication-mode simple [ cipher | plain ] password
    • Configure the MD5 authentication mode for the interface:
      ospf authentication-mode { hmac-md5 | md5 } key-id [ cipher | plain ] password
    Remarks: Use either method. Not configured by default.
In OSPF interface authentication, to modify the MD5/HMAC-MD5 authentication key ID without tearing
down OSPF neighbor connections, perform the following key rollover configuration:
4. Configure a new MD5/HMAC-MD5 authentication key ID for the interface. If the new key ID is not
   configured on neighbor devices, MD5 authentication key rollover is triggered. During key rollover,
   OSPF sends multiple packets that contain both the new and old MD5/HMAC-MD5 authentication
   key IDs to make sure all neighbor devices can pass the authentication.
5. Configure the new MD5/HMAC-MD5 authentication key ID on all neighbor devices. When the
   local device receives packets with the new key ID from all neighbor devices, it exits MD5 key
   rollover.
6. Delete the old MD5/HMAC-MD5 authentication key ID from the local device and all its neighbors.
H3C recommends not retaining multiple MD5/HMAC-MD5 authentication key IDs for an interface. After
you modify the MD5/HMAC-MD5 authentication key ID, delete the old key ID promptly. This helps prevent
attacks from devices that use the old key ID for communication and reduces the system resources and
bandwidth consumed by key rollover.
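Why the old key ID should be deleted once rollover ends, as an added example (not H3C code): a receiver checks each packet with whichever configured key the packet's key ID selects, so a retained old key keeps validating packets. The sketch follows the MD5 cryptographic authentication of RFC 2328 Appendix D and does not model the hmac-md5 variant or sequence-number checks; the keys, router ID and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

HDR = "!BBH4s4sHHHBBI"   # 24-byte OSPFv2 header; auth field = zero, key ID, digest length, sequence
AUTYPE_CRYPTO = 2         # RFC 2328 AuType for cryptographic authentication
DIGEST_LEN = 16           # MD5 digest appended after the packet

def pad_key(key):
    """RFC 2328 D.4.3 uses a 16-byte key; shorter secrets are zero-padded."""
    return key[:16].ljust(16, b"\x00")

def sign(body, router_id, area_id, key_id, key, seq):
    """Build a Hello-type packet (type 1) and append MD5(packet || key)."""
    length = struct.calcsize(HDR) + len(body)
    packet = struct.pack(HDR, 2, 1, length, router_id, area_id, 0,
                         AUTYPE_CRYPTO, 0, key_id, DIGEST_LEN, seq) + body
    return packet + hashlib.md5(packet + pad_key(key)).digest()

def verify(packet, keys):
    """Check the digest with the key selected by the packet's key ID."""
    if len(packet) < struct.calcsize(HDR) + DIGEST_LEN:
        return "malformed"
    fields = struct.unpack(HDR, packet[:24])
    length, autype, key_id, auth_len = fields[2], fields[6], fields[8], fields[9]
    if autype != AUTYPE_CRYPTO or auth_len != DIGEST_LEN or len(packet) != length + DIGEST_LEN:
        return "malformed"
    if key_id not in keys:
        return "unknown key ID"
    expected = hashlib.md5(packet[:length] + pad_key(keys[key_id])).digest()
    return "accepted" if hmac.compare_digest(expected, packet[length:]) else "bad digest"

def rollover_demo():
    """Constructed keys and packets: key ID 1 is the old key, key ID 2 the new one."""
    rid, area, body = bytes([10, 0, 0, 1]), bytes(4), bytes(20)
    old_pkt = sign(body, rid, area, 1, b"old-secret", seq=100)
    new_pkt = sign(body, rid, area, 2, b"new-secret", seq=101)
    during = {1: b"old-secret", 2: b"new-secret"}   # both key IDs configured
    after = {2: b"new-secret"}                      # old key ID deleted (last rollover step)
    return {"during": (verify(old_pkt, during), verify(new_pkt, during)),
            "after": (verify(old_pkt, after), verify(new_pkt, after))}

if __name__ == "__main__":
    print(rollover_demo())
```

While both key IDs are configured, packets signed with the old key still verify; after the old key ID is removed they are rejected before any digest is computed.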
Adding the interface MTU into DD packets
By default, an interface puts 0, rather than its actual MTU, in the interface MTU field of the DD
packets it sends. You can enable an interface to add its MTU into DD packets.
To add the interface MTU into DD packets: