CCIE RS – Routing Concepts – Implement and Troubleshoot Routing Protocol Authentication

Implement and Troubleshoot Routing Protocol Authentication

Routing protocols can be configured to authenticate their neighbors, so that a router only exchanges routing information with peers that hold the same key.

 

RIP and EIGRP use key chains for authentication, and authentication is configured per interface. Keys in a chain are evaluated top-down, and the lowest-numbered valid key is the one used for authentication.

RIP Config

RIP can authenticate with text or MD5.

Leave out the mode command if you want to use text authentication.

key chain [name]
 key [#]
  key-string [string]
  accept-lifetime [start] {infinite | end-time | duration seconds}
  send-lifetime [start] {infinite | end-time | duration seconds}

interface [interface]
 ip rip authentication key-chain [keychain name]
 ip rip authentication mode md5

EIGRP Config

key chain [name]
 key [#]
  key-string [string]
  accept-lifetime [start] {infinite | end-time | duration seconds}
  send-lifetime [start] {infinite | end-time | duration seconds}

interface [interface]
 ip authentication mode eigrp [as] md5
 ip authentication key-chain eigrp [as] [key-chain]

-------
Named Mode

router eigrp [name]
 address-family ipv4 unicast autonomous-system [as]
  af-interface default
   authentication key-chain [keychain name]
   authentication mode {hmac-sha-256 [password] | md5}
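The key selection rule for RIP and EIGRP key chains described above, as an added example that is not part of the original post: it picks the lowest-numbered key whose send-lifetime is valid and flags moments during a key rollover when the neighbor would reject it. The router names, dates and the receive-side check (the receiver looks up the same key number and tests its accept-lifetime) are assumptions, and key-string comparison is not modeled.

```python
from datetime import datetime

INFINITE = datetime.max  # stands in for the "infinite" lifetime keyword

def in_window(window, now):
    start, end = window
    return start <= now <= end

def send_key(chain, now):
    """Lowest-numbered key whose send-lifetime covers `now`, else None."""
    for number in sorted(chain):
        if in_window(chain[number]["send"], now):
            return number
    return None

def accepts(chain, number, now):
    """Assumed receive check: key exists locally and accept-lifetime covers `now`."""
    return number in chain and in_window(chain[number]["accept"], now)

def audit(sender, receiver, instants):
    """List (instant, reason) pairs where the sender's packets would fail authentication."""
    failures = []
    for now in instants:
        number = send_key(sender, now)
        if number is None:
            failures.append((now, "sender has no valid send key"))
        elif not accepts(receiver, number, now):
            failures.append((now, f"receiver does not accept key {number}"))
    return failures

# Constructed key chains (not from the original page): key 2 replaces key 1.
R1 = {
    1: {"send": (datetime(2024, 1, 1), datetime(2024, 7, 1)),
        "accept": (datetime(2024, 1, 1), datetime(2024, 7, 2))},
    2: {"send": (datetime(2024, 6, 30), INFINITE),
        "accept": (datetime(2024, 6, 29), INFINITE)},
}
# R2 was given a later accept-lifetime start for key 2, a typical rollover mistake.
R2 = {
    1: dict(R1[1]),
    2: {"send": (datetime(2024, 6, 30), INFINITE),
        "accept": (datetime(2024, 7, 5), INFINITE)},
}
CHECKPOINTS = [datetime(2024, 6, 30, 12), datetime(2024, 7, 1, 12), datetime(2024, 7, 6)]

if __name__ == "__main__":
    for when, reason in audit(R1, R2, CHECKPOINTS):
        print(when.isoformat(), reason)
```

While both keys are valid the sender stays on key 1, so the failure only appears once key 1's send-lifetime ends and R1 moves to key 2 before R2 accepts it.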

OSPFv2

There are 3 authentication types for OSPF: null, text and MD5.

  • Null Authentication—This is also called Type 0 and it means no authentication information is included in the packet header. It is the default.
  • Plain Text Authentication—This is also called Type 1 and it uses simple clear-text passwords.
  • MD5 Authentication—This is also called Type 2 and it uses MD5 cryptographic passwords.

Plain Text

interface [interface]
 ip ospf authentication-key [password]

router ospf [pid]
 area [area] authentication

------

MD5

interface [interface]
 ip ospf message-digest-key [#] [password]

router ospf [pid]
 area [area] authentication message-digest

----
show ip ospf interface [interface]

OSPFv3

OSPFv3 uses IPsec to enable authentication.

interface [interface]
 ospfv3 authentication {ipsec spi} {md5 | sha1} {key-encryption-type key} | null

ipv6 ospf authentication {null | ipsec spi spi authentication-algorithm [key-encryption-type] [key]}

ipv6 router ospf [pid]
 area [area] authentication ipsec spi [spi authentication-algorithm] [key-encryption-type] [key]

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book/ip6-route-ospfv3-auth-ipsec.html

MD5

Key‐chain

EIGRP HMAC SHA2‐256bit

OSPFv2 SHA1‐196bit

OSPFv3 IPsec authentication
