Tag Archives: 3.3n

3.3.n Implement and troubleshoot routing protocol authentication

  • 3.3.n [i] MD5
  • 3.3.n [ii] Key-chain
  • 3.3.n [iv] OSPFv2 SHA1-196bit

In IOS version 15.4 or later you can use SHA for OSPF authentication… as if routing protocol authentication needed yet more security…

You'll need to set up a key chain, similar to EIGRP, as below:

from http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/xe-3s/iro-xe-3s-book/iro-ospfv2-crypto-authen-xe.html

1. enable
2. configure terminal
3. key chain name
4. key key-id
5. key-string name
6. cryptographic-algorithm name
7. send-lifetime start-time {infinite | end-time | duration seconds}
8. end

For the rest of us humans there is this lab:

VIDEO

https://www.youtube.com/watch?v=DugJyPUVmPI

3.3.n Implement and troubleshoot routing protocol authentication

EIGRP uses only MD5 authentication; config below:

R1(config)#key chain CHAIN (go into key chain mode and define the key)
R1(config-keychain)#key 1 (give the key a numerical value)
R1(config-keychain-key)#key-string CHAINED (define key-string)
R1(config-keychain-key)#int f0/0 (go into interface)
R1(config-if)#ip authentication mode eigrp 100 md5 (set authentication mode to md5)
R1(config-if)#ip authentication key-chain eigrp 100 CHAIN (specify the key chain made in config mode, and repeat for neighbor)
R1(config-if)#end
R1#debug eigrp packet
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
R1#
*Mar  1 00:52:27.279: EIGRP: Sending HELLO on FastEthernet1/0
*Mar  1 00:52:27.279:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar  1 00:52:27.363: EIGRP: received packet with MD5 authentication, key id = 1

This does not show up specifically in the blueprint, but I'm adding it for completeness.

3.3.n Implement and troubleshoot routing protocol authentication

3.3.n [i] MD5

The integrity of routing information inside a network is of the utmost importance as it can influence how traffic reaches specific destinations. Configuring the use of routing protocol authentication is an easy option that ensures that the device on the other side of a connection is who they say they are.

There are two general ways that authentication is implemented by most routing protocols: using a routing protocol centric solution that configures the passwords or keys to use within the routing protocol configuration, or by using a general solution that utilizes separately configured keys that are able to be used by multiple routing protocols. Both OSPF and BGP use the former methods and configure the specific authentication type and passwords/keys within their specific respective configurations. RIP and EIGRP utilize the latter methods by utilizing a separate authentication key mechanism that is configured and then utilized for either RIP or EIGRP.

OSPF Authentication

The configuration of OSPF requires a couple of different commands; which commands are used is determined by the type of authentication and method of authentication exchange. OSPF supports two different types of authentication that can be configured: authentication limited to a specific interface, or authentication configured over an entire OSPF area. Regardless of which of these options is selected there are also two different methods of authentication exchange that can be configured for each, these include: cleartext simple exchange, or MD5 exchange. When using MD5 the password/key that is configured is not sent between the exchanging devices, instead a hash is calculated and sent; this hash is then verified by the remote device to ensure identity.

RIP and EIGRP utilize key chains for their authentication configuration. The key chain configuration provides the ability to set up multiple keys that can be used by the supporting features. This includes the ability to have keys that potentially overlap in the time that they are valid. Keys can also be configured with specific transmit (send) and receive (accept) lifetimes that provide the ability to have keys automatically change at a predetermined time.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 2868-2869). Kindle Edition.

http://www.ciscopress.com/articles/article.asp?p=1728836
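
The OSPF MD5 exchange described under "OSPF Authentication" above, as an added example (not code from the original post or from Cisco): it follows RFC 2328 Appendix D, where the digest is MD5 over the packet plus the zero-padded key, so the key itself never crosses the wire and the receiver recomputes the digest to check it. The function names, key and packet contents are constructed for illustration.

```python
import hashlib
import hmac
import struct

AUTYPE_CRYPTO = 2  # OSPFv2 AuType value for cryptographic authentication


def build_hello(body, router_id, area_id, key_id, seq):
    """OSPFv2 Hello (type 1) with the 24-byte header used for AuType 2."""
    length = 24 + len(body)  # the appended digest is not counted here
    return struct.pack("!BBH4s4sHHHBBI", 2, 1, length, router_id, area_id,
                       0,              # checksum stays 0 with AuType 2
                       AUTYPE_CRYPTO,
                       0, key_id, 16,  # reserved, key ID, auth data length
                       seq) + body     # seq: cryptographic sequence number


def md5_digest(packet, key):
    """RFC 2328 D.4.3: MD5 over the packet plus the key padded to 16 bytes."""
    return hashlib.md5(packet + key[:16].ljust(16, b"\x00")).digest()


def sign(packet, key):
    return packet + md5_digest(packet, key)


def verify(wire, keys, last_seq):
    """keys maps key ID -> secret; last_seq is the neighbor's last accepted seq."""
    if len(wire) < 40:
        return False, "truncated packet"
    length, = struct.unpack("!H", wire[2:4])
    packet, digest = wire[:length], wire[length:length + 16]
    autype, _, key_id, _, seq = struct.unpack("!HHBBI", wire[14:24])
    if autype != AUTYPE_CRYPTO:
        return False, "auth type mismatch"
    if key_id not in keys:
        return False, "unknown key id"
    if seq < last_seq:
        return False, "replayed sequence number"
    if not hmac.compare_digest(digest, md5_digest(packet, keys[key_id])):
        return False, "digest mismatch"
    return True, "ok"


# Constructed sample values, not taken from the page or from a capture.
KEYS = {1: b"example-key"}
HELLO = sign(build_hello(bytes(20), bytes([10, 0, 0, 1]), bytes(4), 1, 100), KEYS[1])
```

The failure reasons map onto the usual troubleshooting cases: a key ID that exists on only one side, a key string that differs, or an authentication type configured on only one neighbor.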