Routing protocol authentication

EIGRP Authentication

Every single packet type that is sent carries the authentication information with it.

EIGRP has two types of authentication: MD5 (type 2) and HMAC-SHA-256 (type 3). There is also type zero (0), which means no authentication.

  • In classic mode we only have MD5
  • In named mode we have MD5 and HMAC-SHA-256
To demonstrate authentication, R1 and R4 will use named mode, and R2 and R3 will use classic mode.

For MD5 authentication, first we create the key chain on all routers. Be careful not to add a space before or after the key string.
Key chain names do not have to match, but the key IDs and key strings must match.

MD5 Authentication

1 - Create the Key Chain.

R1#conf t
R1(config)#key chain cisco
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string cisco*123

Verification

show key chain.

R1#sho key chain
Key-chain cisco:
    key 1 -- text "cisco*123"
        cryptographic-algorithm: Unknown Crypto
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]

2 - Configure the authentication on the interface.

2.1 - Classic mode

  • EIGRPv4
R2(config-router)#int rang g1-2
R2(config-if-range)#ip authentication mode eigrp 1 md5
R2(config-if-range)#ip authentication key-chain eigrp 1 cisco

  • EIGRPv6
R2(config-router)#int rang g1-2
R2(config-if-range)#ipv6 authentication mode eigrp 1 md5
R2(config-if-range)#ipv6 authentication key-chain eigrp 1 cisco


2.2 - Named mode

It can be done under a specific af-interface, or for all the interfaces at once under af-interface default.

router eigrp CORE
 !
 address-family ipv4 unicast autonomous-system 1
  !
  af-interface default
   authentication mode md5
   authentication key-chain cisco
  exit-af-interface
  !
 address-family ipv6 unicast autonomous-system 1
  !
  af-interface g1
   authentication mode md5
   authentication key-chain cisco
  exit-af-interface
  !

HMAC-SHA-256 Authentication

It is supported only in named mode. To demonstrate the configuration, R2 will be moved back to named mode configuration.

The password goes at the end of the command. The configuration below has been applied to R1, R2 and R4.

router eigrp CORE
 !
 address-family ipv4 unicast autonomous-system 1
  !
  af-interface GigabitEthernet1
   authentication mode hmac-sha-256 cisco
  !
 address-family ipv6 unicast autonomous-system 1
  !
  af-interface default
   authentication mode hmac-sha-256 cisco

Verification (from another lab)

R1#show ip eigrp interfaces detail g1
EIGRP-IPv4 VR(MULTI-AF) Address-Family Interfaces for AS(100)
                              Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface              Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Gi1                      1        0/0       0/0           1       0/0           50           0
  Hello-interval is 5, Hold-time is 15
  Split-horizon is enabled
  Next xmit serial <none>
  Packetized sent/expedited: 122/6
  Hello's sent/expedited: 1671/9
  Un/reliable mcasts: 0/101  Un/reliable ucasts: 148/51
  Mcast exceptions: 1  CR packets: 1  ACKs suppressed: 3
  Retransmissions sent: 15  Out-of-sequence rcvd: 3
  Topology-ids on interface - 0
  Authentication mode is md5,  key-chain is "MD5_KEYS"
  Topologies advertised on this interface:  base
  Topologies not advertised on this interface:


Key Rotation

A key chain can have more than one key ID, and the lowest key ID is always used.

We will create 3 different key numbers under the already created key chain cisco to test key rotation. We will do this on all 3 routers.


key chain cisco
 key 1
  key-string cisco*123
   accept-lifetime 20:30:00 Jul 7 2025 20:32:00 Jul 7 2025
   send-lifetime 20:30:00 Jul 7 2025 20:32:00 Jul 7 2025
 key 2
  key-string cisco2
   accept-lifetime 20:31:00 Jul 7 2025 20:33:00 Jul 7 2025
   send-lifetime 20:31:00 Jul 7 2025 20:33:00 Jul 7 2025
 key 3
  key-string cisco3
   accept-lifetime 20:32:00 Jul 7 2025 infinite
   send-lifetime 20:32:00 Jul 7 2025 infinite

As the configuration above shows, the key lifetimes overlap, because one key must not expire before the next key is already valid; if it is not done this way, the neighborship will go down.
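As an added example (not from the post), here is a small Python checker that parses the key chain above, reports any consecutive keys whose lifetimes do not overlap, and tells you which key ID the router will send with at a given time, using the lowest-valid-key rule stated above. The key chain text is embedded as constructed input copied from the post.

```python
import re
from datetime import datetime

# Constructed input: the key chain from the post, as it would appear in running-config.
KEYCHAIN_CONFIG = """\
key chain cisco
 key 1
  key-string cisco*123
   accept-lifetime 20:30:00 Jul 7 2025 20:32:00 Jul 7 2025
   send-lifetime 20:30:00 Jul 7 2025 20:32:00 Jul 7 2025
 key 2
  key-string cisco2
   accept-lifetime 20:31:00 Jul 7 2025 20:33:00 Jul 7 2025
   send-lifetime 20:31:00 Jul 7 2025 20:33:00 Jul 7 2025
 key 3
  key-string cisco3
   accept-lifetime 20:32:00 Jul 7 2025 infinite
   send-lifetime 20:32:00 Jul 7 2025 infinite
"""
TIME_FMT = "%H:%M:%S %b %d %Y"
TIME_RE = re.compile(r"\d\d:\d\d:\d\d \w{3} \d{1,2} \d{4}")

def parse_lifetime(text):
    # 'start end', where end is an absolute time or the keyword 'infinite'
    times = [datetime.strptime(t, TIME_FMT) for t in TIME_RE.findall(text)]
    return times[0], (datetime.max if "infinite" in text else times[1])

def parse_keychain(config):
    # Returns {key_id: {"accept": (start, end), "send": (start, end)}}
    keys, current = {}, None
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "key" and parts[1].isdigit():
            current = int(parts[1])
            keys[current] = {}
        elif parts and parts[0] in ("accept-lifetime", "send-lifetime"):
            keys[current][parts[0].split("-")[0]] = parse_lifetime(line)
    return keys

def active_send_key(keys, now):
    # 'now' in the same HH:MM:SS Mon D YYYY form; the lowest valid key ID is used, as the post states
    now = datetime.strptime(now, TIME_FMT)
    valid = [k for k in sorted(keys) if keys[k]["send"][0] <= now < keys[k]["send"][1]]
    return valid[0] if valid else None

def rotation_gaps(keys):
    # Consecutive key IDs whose accept-lifetimes do not overlap; a gap drops the neighborship
    ids = sorted(keys)
    return [(a, b) for a, b in zip(ids, ids[1:]) if keys[b]["accept"][0] > keys[a]["accept"][1]]
```

Run `rotation_gaps(parse_keychain(KEYCHAIN_CONFIG))` before pushing a new chain; an empty list means every key hands over to the next without a gap.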

OSPF Authentication
  • OSPF authentication is not part of the hello packet; it is part of the OSPF header.
  • OSPF has 3 types of authentication:
    • None (Type 0)
    • Simple password authentication (Type 1)
    • MD5 or SHA (Type 2)
Authentication can be configured under the interface or under the global process number.
