CCIE RS – Routing Concepts – Implement and Troubleshoot Routing Protocol Authentication

Implement and Troubleshoot Routing Protocol Authentication

Routing protocols can be configured to authenticate their neighbors, so that a router only forms adjacencies with, and accepts routes from, peers that hold the shared key. Without it, anything on the segment that can send a hello or update can inject routes or pull traffic.

 

RIP and EIGRP use key chains for authentication, applied per interface. Keys are evaluated in ascending key-number order: when more than one key has a valid send-lifetime at the same time, the lowest-numbered one is used to authenticate outgoing updates, which is what makes overlapping lifetimes a clean key rollover. Lifetimes are checked against the router clock, so synchronize it with NTP and make each accept-lifetime wider than the matching send-lifetime to tolerate clock skew between neighbors.

RIP Config

RIP can authenticate with plain text or MD5. Plain text carries the key string in the clear in every update, so it only prevents accidental peering; use md5.

Text is the default mode: omit the ip rip authentication mode command if you want text authentication.

key chain [name]
 key [#]
 key-string [string]
 accept-lifetime [start] {infinite | end-time | duration seconds}
 send-lifetime [start] {infinite | end-time | duration seconds}

interface [interface]
 ip rip authentication key-chain [keychain name]
 ip rip authentication mode md5

EIGRP Config

key chain [name]
 key [#]
 key-string [string]
 accept-lifetime [start] {infinite | end-time | duration seconds}
 send-lifetime [start] {infinite | end-time | duration seconds}

interface [interface]
 ip authentication mode eigrp [as] md5
 ip authentication key-chain eigrp [as] [key-chain]

-------
Named Mode

router eigrp [name]
 af-interface default
 authentication key-chain [keychain name]
 authentication mode {hmac-sha-256 [password] | md5}

With hmac-sha-256 the password is supplied inline on this command; the key-chain command is what supplies the key for md5.
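As an added example (not code from the original notes or from Cisco), the following Python models the key-chain rule stated at the top of this section for both the RIP and the EIGRP configurations above: the sender uses the lowest-numbered key whose send-lifetime is currently valid, and the receiver accepts an update only if the key ID it carries exists in the chain, is inside its accept-lifetime and matches the key-string. The chain at the bottom is a constructed rollover scenario, and the assumption that the receiver looks the key up by ID is the IOS behaviour being modeled, not something the page states.

```python
"""Model of IOS key-chain key selection for RIP and EIGRP authentication.

Added example, not code from the original page or from Cisco. Times are Unix
timestamps; an end of None means 'infinite'. The CHAIN below is a constructed
rollover scenario, not a real configuration.
"""
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Key:
    number: int                   # key [#]
    key_string: str               # key-string [string]
    accept_start: float           # accept-lifetime start
    accept_end: Optional[float]   # accept-lifetime end (None = infinite)
    send_start: float             # send-lifetime start
    send_end: Optional[float]     # send-lifetime end (None = infinite)

    @staticmethod
    def _within(start: float, end: Optional[float], now: float) -> bool:
        return start <= now and (end is None or now < end)

    def can_send(self, now: float) -> bool:
        return self._within(self.send_start, self.send_end, now)

    def can_accept(self, now: float) -> bool:
        return self._within(self.accept_start, self.accept_end, now)


def ts(text: str) -> float:
    """Helper for readable timestamps: 'YYYY-MM-DD HH:MM', interpreted as UTC."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc).timestamp()


def select_send_key(chain: List[Key], now: float) -> Optional[Key]:
    """Key used to authenticate outgoing updates: the lowest number among the
    keys whose send-lifetime is valid now. None means no key is currently
    valid and the update cannot be authenticated at all."""
    valid = [k for k in sorted(chain, key=lambda k: k.number) if k.can_send(now)]
    return valid[0] if valid else None


def accept_update(chain: List[Key], key_number: int, key_string: str, now: float) -> bool:
    """Receive-side check for an update that carries key ID `key_number`
    (assumed IOS behaviour: the key is looked up by ID, not searched for)."""
    for k in chain:
        if k.number == key_number:
            return k.can_accept(now) and hmac.compare_digest(k.key_string, key_string)
    return False


# Constructed rollover: key 1 stops sending at 12:00, key 2 starts sending at 11:30.
# Between 11:30 and 12:00 both are valid to send, so key 1 (lower number) is still
# used. accept-lifetimes are wider than send-lifetimes so a neighbour whose clock
# is up to an hour off is not dropped during the rollover.
CHAIN = [
    Key(1, "OldKeyString",
        accept_start=ts("2024-01-01 00:00"), accept_end=ts("2024-06-01 13:00"),
        send_start=ts("2024-01-01 00:00"), send_end=ts("2024-06-01 12:00")),
    Key(2, "NewKeyString",
        accept_start=ts("2024-06-01 11:00"), accept_end=None,
        send_start=ts("2024-06-01 11:30"), send_end=None),
]

if __name__ == "__main__":
    for when in ("2024-06-01 11:45", "2024-06-01 12:00", "2024-06-01 13:30"):
        k = select_send_key(CHAIN, ts(when))
        print(when, "sends with key", k.number if k else None,
              "| still accepts key 1:", accept_update(CHAIN, 1, "OldKeyString", ts(when)))
```

The important case is the 11:45 row: both keys are valid to send, and the lower-numbered key wins, so if you want key 2 in use at a specific moment, key 1's send-lifetime has to end then, not merely overlap. The 13:30 row shows the accept window closing an hour after the send window, which is the skew allowance.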

OSPFv2

There are 3 authentication types for OSPFv2: null, plain text and MD5

  • Null Authentication—Also called Type 0; no authentication information is carried in the packet header. This is the default
  • Plain Text Authentication—Also called Type 1; an 8-byte clear-text password is carried in the authentication field of every packet, so anyone sniffing the segment can read it
  • MD5 Authentication—Also called Type 2; the header carries a key ID and a cryptographic sequence number, and a 16-byte MD5 digest of the packet plus the key (up to 16 bytes) is appended after the packet. The key never appears on the wire, tampering with the packet invalidates the digest, and the sequence number gives replay protection
Plain Text

interface [interface]
 ip ospf authentication-key [password]

router ospf [pid]
 area [area] authentication

The area command turns authentication on for every interface in the area; it can instead be enabled per interface with the ip ospf authentication interface command, which takes precedence over the area setting. Either way the password or key itself is always configured on the interface.

------

MD5

interface [interface]
 ip ospf message-digest-key [#] [password]

router ospf [pid]
 area [area] authentication message-digest

----
show ip ospf interface [interface]
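To make the difference between the three types concrete, here is an added example (not from the original notes or from Cisco IOS) that builds and verifies OSPFv2 Hello packets under null, simple-password and MD5 authentication as specified in RFC 2328 Appendix D. The router ID, area, password, key and sequence number are constructed sample values, and the Hello body is a minimal one built only for the demonstration.

```python
"""OSPFv2 packet authentication per RFC 2328 Appendix D.

Added example, not code from the original page or from Cisco IOS. Builds a
minimal Hello and protects it with Type 0 (null), Type 1 (simple password)
or Type 2 (cryptographic/MD5) authentication, then verifies it the way a
receiving router would. All sample values are constructed.
"""
import hashlib
import hmac
import struct

OSPF_VERSION = 2
HELLO = 1
AUTH_NULL, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2
HDR = "!BBH4s4sHH8s"   # version, type, length, router id, area id, checksum, autype, auth field
HDR_LEN = 24


def _inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum OSPF uses for authentication types 0 and 1."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def hello_body(netmask=b"\xff\xff\xff\x00", hello_int=10, dead_int=40) -> bytes:
    """Constructed Hello body: mask, hello interval, options (E bit), priority, dead interval, DR, BDR."""
    return struct.pack("!4sHBBI4s4s", netmask, hello_int, 0x02, 1, dead_int, bytes(4), bytes(4))


def build_packet(body, router_id, area_id, autype=AUTH_NULL, password=b"", key_id=0, key=b"", seq=0):
    length = HDR_LEN + len(body)
    if autype == AUTH_CRYPTO:
        if len(key) > 16:
            raise ValueError("OSPF MD5 key is at most 16 bytes")
        # D.4.3: checksum field is 0; auth field = 0, Key ID, Auth Data Length (16), sequence number
        auth = struct.pack("!HBBI", 0, key_id, 16, seq)
        pkt = struct.pack(HDR, OSPF_VERSION, HELLO, length, router_id, area_id, 0, autype, auth) + body
        # digest = MD5(packet || key zero-padded to 16 bytes), appended after the packet
        return pkt + hashlib.md5(pkt + key.ljust(16, b"\x00")).digest()
    if len(password) > 8:
        raise ValueError("OSPF simple password is at most 8 bytes")
    auth = password.ljust(8, b"\x00") if autype == AUTH_SIMPLE else bytes(8)
    # D.4.1/D.4.2: checksum covers header and body but excludes the 8-byte auth field
    pkt = struct.pack(HDR, OSPF_VERSION, HELLO, length, router_id, area_id, 0, autype, bytes(8)) + body
    ck = _inet_checksum(pkt[:16] + pkt[HDR_LEN:])
    return struct.pack(HDR, OSPF_VERSION, HELLO, length, router_id, area_id, ck, autype, auth) + body


def verify_packet(pkt, password=b"", keys=None, last_seq=0) -> bool:
    """Receiver side. `keys` maps key ID -> key bytes (the message-digest-key table);
    `last_seq` is the highest cryptographic sequence number already seen from this neighbour."""
    if len(pkt) < HDR_LEN:
        return False
    version, _, length, _, _, _, autype, auth = struct.unpack(HDR, pkt[:HDR_LEN])
    if version != OSPF_VERSION or length > len(pkt):
        return False
    if autype == AUTH_CRYPTO:
        _, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
        if auth_len != 16 or len(pkt) < length + 16 or key_id not in (keys or {}):
            return False
        if seq < last_seq:      # replay protection: the sequence number must not go backwards
            return False
        expected = hashlib.md5(pkt[:length] + keys[key_id].ljust(16, b"\x00")).digest()
        return hmac.compare_digest(expected, pkt[length:length + 16])
    # types 0 and 1: the checksum over everything except the auth field must verify to 0
    if _inet_checksum(pkt[:16] + pkt[HDR_LEN:length]) != 0:
        return False
    if autype == AUTH_SIMPLE:
        return hmac.compare_digest(auth, password.ljust(8, b"\x00"))
    return autype == AUTH_NULL


# Constructed sample values
RID, AREA = bytes([10, 0, 0, 1]), bytes(4)
PLAIN = build_packet(hello_body(), RID, AREA, AUTH_SIMPLE, password=b"cisco")
DIGEST = build_packet(hello_body(), RID, AREA, AUTH_CRYPTO, key_id=1, key=b"s3cretK3y", seq=1000)
TAMPERED = DIGEST[:HDR_LEN] + bytes([DIGEST[HDR_LEN] ^ 0xFF]) + DIGEST[HDR_LEN + 1:]   # flip a body byte

if __name__ == "__main__":
    print("password visible in Type 1 packet:", b"cisco" in PLAIN)
    print("key visible in Type 2 packet:", b"s3cretK3y" in DIGEST)
    print("tampered Type 2 packet accepted:", verify_packet(TAMPERED, keys={1: b"s3cretK3y"}))
```

Two things the notes gloss over show up directly: with Type 1 the password is literally in bytes 16 to 23 of every packet, and with Type 2 a neighbour that modifies even one body byte, uses a different key, or replays an old sequence number is rejected. The digest is a keyed MD5 rather than an HMAC, which is why newer IOS adds HMAC-SHA key-chain authentication for OSPFv2.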

OSPFv3

OSPFv3 has no authentication field in its packet header; it relies on IPsec instead (RFC 4552). The AH or ESP security association is keyed manually: the SPI, the algorithm (md5 or sha1) and the key must be identical on every router on the link (or, with the area command, in the area). The key is given as a hex string (32 hex digits for md5, 40 for sha1); key-encryption-type 0 means the key is typed in clear text and 7 means it is already in IOS type-7 encoded form.

interface [interface]
 ospfv3 authentication {null | ipsec spi [spi] {md5 | sha1} [key-encryption-type] [key]}

ipv6 ospf authentication {null | ipsec spi spi authentication-algorithm [key-encryption-type] [key]}

ipv6 router ospf [pid]
 area [area] authentication ipsec spi [spi] [authentication-algorithm] [key-encryption-type] [key]

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book/ip6-route-ospfv3-auth-ipsec.html

Summary of the authentication options covered above:

  • MD5 (RIP, EIGRP classic mode, OSPFv2)
  • Key chains (RIP, EIGRP; lifetimes allow key rollover)
  • EIGRP HMAC-SHA-256 (named mode only)
  • OSPFv2 HMAC-SHA-1 (160-bit digest; key-chain based cryptographic authentication per RFC 5709 on newer IOS)
  • OSPFv3 IPsec authentication (AH/ESP, RFC 4552)

CCIE RS – L3 Tech – RIP and RIPng

RIP

Distance vector routing protocol
Hop count is the routing metric

  • Max of 15 hops
  • 16 is infinite distance; a route with metric 16 is considered unreachable
  • Loop prevention
    • Hop-count limit
    • Split horizon
    • Route poisoning
    • Holddown

Full updates are sent every 30 seconds (RIP has no hello packets; the periodic update doubles as the neighbor keepalive)

Timers

  • Update
    • 30 seconds
    • Interval between periodic full updates
  • Invalid
    • 180 seconds
    • How long a route can stay in the routing table without being refreshed by an update
    • After the timer expires the metric is set to 16 and the destination is marked unreachable (possibly down); the route is still advertised so neighbors learn it is gone
  • Flush
    • 240 seconds, counted from the last update (i.e. 60 seconds after the invalid timer expires)
    • When it expires the route is removed from the routing table
  • Holddown
    • Started per route entry when the route is marked unreachable
    • 180 seconds
    • Cisco-specific; while it runs, updates advertising that route with a worse metric are ignored

No concept of areas or boundaries

RFC 2453

UDP port 520

Multicast – 224.0.0.9

  • Sends entire routing table to all adjacent routers

Version 2 supports classless routing (CIDR)

Authentication – MD5 or text

Supports route tags

Split Horizon

  • Enabled by default
  • Reduces the possibility of routing loops
  • Blocks routes from being advertised back out the interface they were learned on
  • May need to be disabled on the hub interface in a hub-and-spoke topology so the spokes learn each other's routes
  • Must be disabled if you want updates sourced from secondary addresses on the interface

 

Config

router rip
 version 2
 [no] auto-summary
 network [network]
 passive-interface default
 offset-list [acl] [in | out] [offset] [interface]
 timers basic [update] [invalid] [holddown] [flush]
 [no] validate-update-source

interface [interface]
 ip rip send version [1 | 2]
 ip rip receive version [1 | 2]
 ip rip authentication key-chain [name]
 ip rip authentication mode [text | md5]
 [no] ip split-horizon

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_rip/configuration/xe-3se/3850/irr-xe-3se-3850-book/irr-rip.html


RIPng

RIP for IPv6. Based on the Bellman-Ford algorithm.

RFC 2080

Extension of RIPv2. Same hop count rule as RIP for IPv4

No authentication of its own: RFC 2080 relies on the IPsec Authentication Header and Encapsulating Security Payload, so RIPng updates are only protected if IPsec is applied to the links

UDP port 521, each router sends and receives on this port for communicating RIPng

Multicast – FF02::9

Requirement – IPv6 routing must be enabled

ipv6 unicast-routing

interface [interface]
 ipv6 enable
 ipv6 rip [name] enable

ipv6 router rip [name]

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/15-2mt/ipv6-15-2mt-book/ip6-rip.html

CCIE RS – Routing Concepts – Implement and troubleshoot bidirectional forwarding detection (BFD)

Implement and troubleshoot bidirectional forwarding detection (BFD)

BFD – RFC 5880 (base protocol) and RFC 5881 (single-hop IPv4/IPv6); RFC 7419 only adds common interval support

BFD is a detection protocol designed to provide fast forwarding path failure detection times for all media types, encapsulations, topologies, and routing protocols.

BFD is not tied to any routing protocol. A routing protocol registers as a client of BFD and uses it to detect neighbor failures much faster than its own hello and dead timers allow. BFD is enabled at the interface level and must be configured on both ends of the link.

CEF and IP routing are required on the router

Used to detect faults between 2 nodes connected by a link

  • Low-overhead detection on physical media that does not provide failure detection itself
  • 3-way handshake (Down, Init, Up) to establish a session
  • Supports authentication: simple password, keyed MD5 and keyed SHA1, plus "meticulous" variants that change the sequence number on every packet (RFC 5880 section 6.7)
  • Must be explicitly configured, both the interface timers and the client (neighbor fall-over bfd, bfd all-interfaces)

Modes

  • Asynchronous
    • Both systems periodically send BFD control packets to each other
    • If no control packet arrives within the detection time (the peer's multiplier times the negotiated interval), the session is declared down
  • Demand
    • No periodic control packets once the session is established
    • Assumes the endpoints have another way to verify connectivity and only poll when needed

Echo mode is enabled by default and works with asynchronous BFD: the local router sends echo packets addressed to itself through the neighbor, which forwards them straight back in its data plane, and the control packets slow down to the slow timer. Because the neighbor forwards the echo back out the interface it arrived on, disable ICMP redirects (no ip redirects) on interfaces that use echo mode.

Config

interface [interface]
 bfd interval [ms] min_rx [ms] multiplier [count]
 bfd interval 50 min_rx 50 multiplier 5

router bgp [as]
 neighbor [ip] fall-over bfd

router eigrp [as]
 bfd all-interfaces

router ospf [pid]
 bfd all-interfaces
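The detection time that the bfd interval command produces is negotiated, not simply interval times multiplier on the local box. As an added example (not from the original notes, Cisco or the RFC), the following Python maps the three command arguments onto the RFC 5880 session parameters and computes what each side actually sends and how long it waits, including the asymmetric case where one peer is configured slower. The SLOW_PEER values are constructed.

```python
"""BFD asynchronous-mode timer negotiation (RFC 5880 sections 6.8.4 and 6.8.7).

Added example, not code from the original page, Cisco or the BFD RFC. Maps
`bfd interval <tx> min_rx <rx> multiplier <n>` onto the RFC parameters. The
SLOW_PEER configuration is a constructed sample.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BfdParams:
    interval_ms: int   # `bfd interval`  -> DesiredMinTxInterval
    min_rx_ms: int     # `min_rx`        -> RequiredMinRxInterval
    multiplier: int    # `multiplier`    -> DetectMult


def tx_interval_ms(local: BfdParams, remote: BfdParams) -> int:
    """Interval at which `local` transmits control packets: it may not send
    faster than the peer has said it is able to receive (RFC 5880 6.8.7)."""
    return max(local.interval_ms, remote.min_rx_ms)


def detection_time_ms(local: BfdParams, remote: BfdParams) -> int:
    """How long `local` waits without a control packet before it declares the
    session Down: the *remote* multiplier times the interval the remote is
    actually sending at (RFC 5880 6.8.4)."""
    return remote.multiplier * tx_interval_ms(remote, local)


def session_state(last_rx_ms: int, now_ms: int, local: BfdParams, remote: BfdParams) -> str:
    """Detection timer as seen by `local`: Up while a packet has arrived inside the window."""
    return "Down" if now_ms - last_rx_ms > detection_time_ms(local, remote) else "Up"


# The page's config on both ends: bfd interval 50 min_rx 50 multiplier 5
SYMMETRIC = BfdParams(50, 50, 5)
# Constructed slower peer, e.g. a platform that cannot sustain 50 ms
SLOW_PEER = BfdParams(100, 100, 3)

if __name__ == "__main__":
    for name, local, remote in (("symmetric", SYMMETRIC, SYMMETRIC),
                                ("fast side vs slow peer", SYMMETRIC, SLOW_PEER),
                                ("slow side vs fast peer", SLOW_PEER, SYMMETRIC)):
        print(f"{name}: tx every {tx_interval_ms(local, remote)} ms, "
              f"declares Down after {detection_time_ms(local, remote)} ms")
```

With the page's values on both sides the detection time is 250 ms. Against the constructed slower peer the fast side still only detects a failure after 300 ms (three of the peer's 100 ms packets), and the slow side takes 500 ms, because each side's timer depends on the other side's multiplier and transmit rate. When troubleshooting, compare the negotiated values on both routers rather than the configured ones.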

 


https://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/fs_bfd.html

https://en.wikipedia.org/wiki/Bidirectional_Forwarding_Detection