Implementing and Verifying EIGRP Authentication
Implementing an EIGRP-Based Solution
Router Authentication
• Implement security to the routing protocol by supporting authentication.
• A router authenticates the source of each routing update packet that it receives.
• Prevent false routing updates from updating the routing table:
  • Prevent deliberate false routing updates sourced by unapproved sources.
  • Ignore malicious updates, thus preventing them from disrupting the routing or taking down the adjacency.
Router Authentication (Cont.)
• Many routing protocols support authentication.
• Simple password authentication is supported by:
  • OSPF
  • RIPv2
• MD5 authentication is supported by:
  • EIGRP
  • OSPF
  • RIPv2
  • BGP
Simple Password vs. MD5 Authentication
• Simple password authentication:
  • The router sends a packet and a key.
  • The neighbor checks if the key matches its key.
  • The process is not secure.
• MD5 authentication:
  • This authentication is secure, as described in RFC 1321.
  • This authentication does not include confidentiality (content is not encrypted).
  • The router generates a message digest.
  • The message digest is sent with the packet.
  • The key is not sent.
MD5 Authentication for EIGRP
• EIGRP supports MD5 authentication.
• The router generates an MD5 message digest.
• Multiple keys can be configured in all EIGRP routers.
• The receiving router computes the MD5 hash from the received EIGRP information and compares it with the digest carried in the packet.
• Time should be synchronized between all routers, and NTP can be used.
Key Chain
• EIGRP allows keys to be managed using key chains.
• A key chain is a set of keys associated with an interface.
• A key chain includes key IDs, keys, and key lifetimes.
• The first valid activated key is used in the outgoing direction.
• Incoming packets are checked against all valid keys.
Planning for EIGRP Authentication
• Examine the existing EIGRP configuration.
• Define the authentication type.
• Define how many keys will be used.
• Define whether the optional lifetime parameter will be used.
Requirements for EIGRP Authentication
• EIGRP AS number
• Authentication mode
• One or more keys
• Key lifetimes (optional)
Steps to Configure EIGRP MD5 Authentication
• Configure the authentication mode for EIGRP.
• Configure the key chain.
• Configure the lifetime of each key in the key chain.
• Enable authentication to use the key or keys in the key chain.
Configure Authentication Mode
• Specify the type of authentication used in EIGRP packets for routers R1 and R2.

R1(config)#
  interface Serial0/0/1
    ip authentication mode eigrp 110 md5

R2(config)#
  interface Serial0/0/1
    ip authentication mode eigrp 110 md5
Configure the Key Chain
• Create the key chain to enter key chain key configuration mode.
• Create an authentication key on a key chain.
• Define the authentication string for a key (password).

R1(config)#
  key chain routerR1chain
    key 1
      key-string firstkey
    key 2
      key-string secondkey

R2(config)#
  key chain routerR2chain
    key 1
      key-string firstkey
    key 2
      key-string secondkey
Configure the Lifetime of the Key or Keys
• If you wish, you can define when the key will be accepted or sent.

R1(config)#
  key chain routerR1chain
    key 1
      key-string firstkey
      accept-lifetime 04:00:00 Jan 1 2009 infinite
      send-lifetime 04:00:00 Jan 1 2009 04:00:00 Jan 31 2009
    key 2
      key-string secondkey
      accept-lifetime 04:00:00 Jan 25 2009 infinite
      send-lifetime 04:00:00 Jan 25 2009 infinite
Enable Authentication of EIGRP Packets
• Enable authentication of EIGRP packets using the key or keys in the key chains routerR1chain and routerR2chain on routers R1 and R2, respectively.

R1(config)#
  interface Serial0/0/1
    ip authentication key-chain eigrp 110 routerR1chain

R2(config)#
  interface Serial0/0/1
    ip authentication key-chain eigrp 110 routerR2chain
Router R1 Configuration for MD5 Authentication

R1#
<output omitted>
key chain routerR1chain
 key 1
  key-string firstkey
  accept-lifetime 04:00:00 Jan 1 2009 infinite
  send-lifetime 04:00:00 Jan 1 2009 04:00:00 Jan 31 2009
 key 2
  key-string secondkey
  accept-lifetime 04:00:00 Jan 25 2009 infinite
  send-lifetime 04:00:00 Jan 25 2009 infinite
<output omitted>
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
!
interface Serial0/0/1
 bandwidth 256
 ip address 192.168.1.101 255.255.255.224
 ip authentication mode eigrp 110 md5
 ip authentication key-chain eigrp 110 routerR1chain
!
router eigrp 110
 network 172.16.1.0 0.0.0.255
 network 192.168.1.0
 auto-summary
Verifying MD5 Authentication for EIGRP
• Verify that the EIGRP neighbor relationship is up.
• Verify that the IP routing table is populated.

R1#show ip eigrp neighbors
IP-EIGRP neighbors for process 110
H   Address          Interface   Hold Uptime   SRTT   RTO  Q   Seq
                                 (sec)         (ms)       Cnt Num
0   192.168.1.102    Se0/0/1       12 00:03:10   17  2280  0   14

R1#show ip route
<output omitted>
Gateway of last resort is not set

D    172.17.0.0/16 [90/40514560] via 192.168.1.102, 00:02:22, Serial0/0/1
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D       172.16.0.0/16 is a summary, 00:31:31, Null0
C       172.16.1.0/24 is directly connected, FastEthernet0/0
     192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.1.96/27 is directly connected, Serial0/0/1
D       192.168.1.0/24 is a summary, 00:31:31, Null0
Verifying MD5 Authentication for EIGRP (Cont.)
• Verify the key chains and keys.
• This output of the show key chain command is from January 27, 2009.

R1#show key chain
Key-chain routerR1chain:
    key 1 -- text "firstkey"
        accept lifetime (04:00:00 Jan 1 2009) - (always valid) [valid now]
        send lifetime (04:00:00 Jan 1 2009) - (04:00:00 Jan 31 2009)
    key 2 -- text "secondkey"
        accept lifetime (04:00:00 Jan 25 2009) - (always valid) [valid now]
        send lifetime (04:00:00 Jan 25 2009) - (always valid) [valid now]
Verifying MD5 Authentication for EIGRP (Cont.)
• Use debug to verify the operation.

R1#debug eigrp packet
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
*Jan 21 16:38:51.745: EIGRP: received packet with MD5 authentication, key id = 1
*Jan 21 16:38:51.745: EIGRP: Received HELLO on Serial0/0/1 nbr 192.168.1.102
*Jan 21 16:38:51.745:   AS 110, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

R2#debug eigrp packet
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
R2#
*Jan 21 16:38:38.321: EIGRP: received packet with MD5 authentication, key id = 1
*Jan 21 16:38:38.321: EIGRP: Received HELLO on Serial0/0/1 nbr 192.168.1.101
*Jan 21 16:38:38.321:   AS 110, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Misconfigured Key
• The MD5 authentication key is different for routers R1 and R2.
• The EIGRP neighbor relationship is down.

R1#debug eigrp packets
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
R1#
*Jan 31 23:20:21.967: EIGRP: Sending HELLO on Serial1/0
*Jan 31 23:20:21.967:   AS 110, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Jan 31 23:20:22.315: EIGRP: pkt key id = 2, authentication mismatch
*Jan 31 23:20:22.315: EIGRP: Serial1/0: ignored packet from 192.168.1.102, opcode = 5 (invalid authentication)

R1#show ip eigrp neighbors
IP-EIGRP neighbors for process 110
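The key-chain rules on the Key Chain and lifetime slides (first valid send key outbound, every valid accept key inbound) and the mismatch case above, as an added example that is not part of the original slides. It is a simplified model: the keyed digest is a stand-in for the EIGRP authentication TLV rather than Cisco's exact wire format, and the routerR1chain keys and lifetimes are taken from the R1 configuration shown earlier; the R2 chain with a wrong key-string is constructed to reproduce the misconfigured-key case.

```python
import hashlib
import hmac
from datetime import datetime

INFINITE = datetime.max  # the "infinite" end of a lifetime


def lifetime(start, end=INFINITE):
    return (start, end)


# Key chain routerR1chain from the slides: (key id, key-string, accept-lifetime, send-lifetime)
ROUTER_R1_CHAIN = [
    (1, b"firstkey", lifetime(datetime(2009, 1, 1, 4)),
     lifetime(datetime(2009, 1, 1, 4), datetime(2009, 1, 31, 4))),
    (2, b"secondkey", lifetime(datetime(2009, 1, 25, 4)),
     lifetime(datetime(2009, 1, 25, 4))),
]

# Constructed for this example: R2 was given a different key-string for key 2.
MISCONFIGURED_R2_CHAIN = [
    (1, b"firstkey", lifetime(datetime(2009, 1, 1, 4)), lifetime(datetime(2009, 1, 1, 4))),
    (2, b"wrongkey", lifetime(datetime(2009, 1, 25, 4)), lifetime(datetime(2009, 1, 25, 4))),
]


def valid(window, now):
    start, end = window
    return start <= now <= end


def digest(packet, secret):
    # Stand-in keyed digest: MD5 over the packet followed by the secret; the secret is never sent.
    return hashlib.md5(packet + secret).digest()


def send_key(chain, now):
    """The first key whose send-lifetime is valid is used in the outgoing direction."""
    for key_id, secret, _accept, send in chain:
        if valid(send, now):
            return key_id, secret
    raise RuntimeError("no key in the chain is valid for sending")


def authenticate(chain, packet, now):
    """Return the (key id, digest) pair the sender attaches to an outgoing packet."""
    key_id, secret = send_key(chain, now)
    return key_id, digest(packet, secret)


def verify(chain, packet, key_id, received_digest, now):
    """Incoming packets are checked against every key whose accept-lifetime is valid;
    the key id carried in the packet selects which of those keys must match."""
    for cid, secret, accept, _send in chain:
        if cid == key_id and valid(accept, now):
            return hmac.compare_digest(digest(packet, secret), received_digest)
    return False  # "authentication mismatch": packet is ignored, adjacency cannot form
```

Because lifetimes are evaluated against the local clock, the rollover from key 1 to key 2 at 04:00 Jan 31 2009 only works on both routers if their clocks agree, which is why the slides call for NTP.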
Summary
• There are two types of router authentication: simple password and MD5 authentication.
• When EIGRP authentication is configured, the router generates and checks every EIGRP packet and authenticates the source of each routing update packet that it receives. EIGRP supports MD5 authentication.
• To configure MD5 authentication, use the ip authentication mode eigrp and ip authentication key-chain interface commands. The key chain must also be configured to define the keys.
• Use show ip eigrp neighbors, show ip route, and debug eigrp packets to verify MD5 authentication.