CCIE Authentication RIP, EIGRP, OSPF

CCIE Authentication RIP, EIGRP, OSPF

Sharing is caring!

I am going to start using this to help me analyze and remember weak areas.  Today I was working through the standard OSPF walk through with Khawar’s class and we went to start configuring OSPF Authentication.  I started creating a key-chain and trying to apply it.  I quickly realized I was doing something wrong.  OSPF is very different from RIP and EIGRP when it comes to Authentication.

****NOTE This is work in progress.  Verify these are correct before assuming this is accurate.

Assumptions – Running version 15.5 IOS on GNS3.  Variations in platform and code may alter the required commands.

Authentication-RIP-EIGRP-OSPF

This is to provide a summary of IGP Routing Protocol Authentication Modes
Authentication TypeRIPEIGRP ClassicEIGRP NamedOSPF
Clear Text with Key ChainYesNoNoNo
Clear Text and NO Key ChainNoNoNoYes
MD5 with Key ChainYesYesYesNo
MD5 and NO Key ChainNoNoNoYes
SHA with Key ChainNoNoNoYes
SHA and NO Key ChainNoNoYesNo

RIP –

  1. RFC 2082 MD5 RIPv2
  2. Requires a Key-chain
  3. Can be done with Clear-text and MD5 ONLY.
  4. Reduces the number of routes sent in each update. From 25 to 24.
  5. Key chain name is locally significant
  6. Key number must match for MD5 but not Clear Text.  MD5 uses it for the hash.
  7. Authentication is only verifying the Route and not the neighbor.
  8. If the Router is configured for “text” mode it will not show in the running configuration.
    1. Verification can be mad ewith the command “show ip protocol | begin rip”
  9. Also, you can use the command “show key chain”
    1. R1#show key chain
      Key-chain RIPCLEAR:
      key 5 — text “cisco123”
      accept lifetime (always valid) – (always valid) [valid now]
      send lifetime (always valid) – (always valid) [valid now]
  10. Sample Clear text
    1. config t
    2. key chain LOCALCHAIN
    3. key 10
    4. key-string 8675309 (MUST MATCH)
    5. interface eth 0/0
    6. ip rip authentication key-chain LOCALCHAIN
    7. ip rip authentication mode text
    8. *****2nd Router*****
    9. config t
    10. key chain R2CHAIN
    11. key20
    12. key-string 8675309 (MUST MATCH)
    13. int eth 0/0
    14. ip rip authentication key-chain R2CHAIN
  11. Sample md5
    1. config t
    2. key-chain MD5R1
    3. key 5 (MUST MATCH)
    4. key-string 666 (MUST MATCH)
    5. int eth 0/1
    6. ip rip authentication key-chain MD5R1
    7. ip rip authentication mode md5
    8. *****2nd Router****
    9. key-chain MD5R2
    10. key 5  (MUST MATCH)
    11. key-string 666 (MUST MATCH)
    12. int eth 2/1
    13. ip rip authentication key-chain MD5R2
    14. ip rip authentication mode md5
  12. Common mistakes
    1. Extra Space
    2. ip rip authentication mode not typed and for some reason router doesn’t start authenticating
    3. key-string mismatch
    4. for MD5 key number must match

Debug output does not show successful authentication but it will say “invalid authentication”.

*Oct 6 15:05:13.068: RIP: ignored v2 packet from 12.1.1.2 (invalid authentication)

  • This is a wrong authentication type, the wrong key # (if MD5), or the wrong key-string.

 

Capture

RIP No Authentication

RIP Clear Text  NOTE:  Key # is not sent with Authentication type 2 Simple Password!

RIP MD5

 

 



EIGRP

  1. RFC7868
  2. Actually has some variety because the Named mode provides some additional SHA capability.
  3. For Classic mode it is also key-chain based and will provide MD5 Authentication only.
  4. For Named mode provides key-chain based for MD5 but does not use key-chain for SHA.
  5. EIGRP requires both the mode command and the key-chain in order for authentication to be enabled on the interface in Classic mode.
  6. Sample Classic MD5
    1. config t
    2. key chain EIGRPMD5
    3. key 8
    4. key-string notit
    5. int eth 1/1
    6. ip authentication mode eigrp 100 md5
    7. ip authentication key-chain eigrp 100 EIGRPMD5
  7. Named mode SHA 5 key-string is “endoftheroad”
    1. config t
    2. router eigrp AUTHEIGRP
    3. address-family ipv4 unicast autonomous-system 100
    4. af-interface default
    5. authentication mode hmac-sha-256 endoftheroad
  8. Common mistakes
    1. Configuring everything classic and then requiring SHA
    2. incorrect key value
    3. incorrect key string

Debug outputs

If the interface was up first then you would see this change.  No log messages by default.

*Oct 6 15:39:31.471: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.12.12.2 (Ethernet0/0) is down: Auth failure

  • This indicates possible incorrect key-string

“debug eigrp packet”  will give you this indicator

*Oct 6 15:41:09.110: EIGRP: pkt authentication key id = 10, key not defined
*Oct 6 15:41:09.110: EIGRP: Et0/0: ignored packet from 10.12.12.2, opcode = 5 (invalid authentication)

  • This mean the keys are not correct

*Oct 6 15:44:26.711: EIGRP: pkt key id = 5, authentication mismatch
*Oct 6 15:44:26.711: EIGRP: Et0/0: ignored packet from 10.12.12.2, opcode = 5 (invalid authentication)

  • This means that the passwords or MD5 on one side and SHA on the other side.

Packet Captures

No Authentication

MD5

SHA 256


OSPF-

  1. RFC2328 – Clear Text and MD5
  2. RFC5709 HMAC-SHA
  3. OSPF Clear Text and MD5 does NOT use key strings BUT SHA does!!!
  4. Can provide Clear Text or MD5.
  5. The Mode can be configured either globally or per interface.
  6. The key is configured on each interface.
  7. The key ID MUST match
  8. If configured Area wide be careful with Virtual-Links.  Easy to forget since they will only be an issue if topology change.
  9. If configured Area wide, you can still disable on specific interfaces with the following command on both sides.
    1. ip ospf authentication null
  10. Authentication is contained in the OSPF Header no matter what method of authentication is configured, including none.
  11. If using SHA Authentication it DOES require a key chain!!!!  And under the key-string requires additional subcommand specifying the version of SHA.
  12. You can verify the authentication with the command “show ip ospf int eth 0/0″”
    1. R2#show ip ospf int eth 0/0
      Ethernet0/0 is up, line protocol is up
      Internet Address 192.1.100.2/24, Area 0, Attached via Network Statement
      Process ID 1, Router ID 0.0.0.2, Network Type BROADCAST, Cost: 10
      Topology-MTID Cost Disabled Shutdown Topology Name
      0 10 no no Base
      Transmit Delay is 1 sec, State DR, Priority 1
      Designated Router (ID) 0.0.0.2, Interface address 192.1.100.2
      No backup designated router on this network
      Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
      oob-resync timeout 40
      Hello due in 00:00:07
      Supports Link-local Signaling (LLS)
      Cisco NSF helper support enabled
      IETF NSF helper support enabled
      Index 1/2/2, flood queue length 0
      Next 0x0(0)/0x0(0)/0x0(0)
      Last flood scan length is 1, maximum is 1
      Last flood scan time is 0 msec, maximum is 0 msec
      Neighbor Count is 0, Adjacent neighbor count is 0
      Suppress hello for 0 neighbor(s)
      Cryptographic authentication enabled
      Sending SA: Key 5, Algorithm HMAC-SHA-256 – key chain OSPFSHA
  13. Sample Area Mode clear text on interface. Key is “guessname”.
    1. config t
    2. router ospf 1
    3. area 0 authentication
    4. interface eth 0/0
    5. ip ospf authentication-key guessname
  14. Sample Area Mode md5 on interface.  Key is “guessname”
    1. config t
    2. router ospf 1
    3. area 0 authentication message-digest
    4. interface eth 0/0
    5. ip ospf message-digest-key 1 md5 guessname
  15. Sample Interface Configuration, clear text.  Key is “thisisit”
    1. config t
    2. router ospf 1
    3. ip ospf authetnication
    4. ip ospf authentication-key thisisit
  16. Sample Interface Configuration, md5.  Key is “noneya”
    1. config t
    2. router ospf 1
    3. ip ospf authentication message-digest
    4. ip ospf message-digest-key 1 md5 noneya
  17. Sample Interface Configuration, SHA256, key is “deez”
    1. config t
    2. key chain OSPFSHA
    3. key 5
    4. key-string deez
    5. cryptographic-algrothm hmac-sha-256
    6. int eth 0/0
    7. ip ospf authentication key-chain OSPFSHA
  18. Common mistakes
    1. Configuring Key-chains
    2. incorrect passwords
    3. Configuring Area wide and forgetting to set null on non authenticated interfaces
    4. Configuring on Area wide and forgetting to configure Virtual Links

OSPF Debug Output explained

***************************

***************************

MD5

***************************

***************************

R2#
*Oct 6 12:49:19.551: OSPF-1 PAK : Se2/0: OUT: 192.1.101.2->224.0.0.5: ver:2 type:1 len:48 rid:0.0.0.2 area:0.0.0.0 chksum:0 auth:2 keyid:1 seq:0x5BB8

Se2/0: OUT: This is the interface the packet is on and the direction of the packet  Serial 2/0 in the Outbound direction

192.1.101.2->224.0.0.5 – Source/destination.  We can see its multicast to 224.0.0.5 since its OSPF

ver:2  –  OSPF Version.  For IPv4 this is version 2

type:1 – this is the message type, which is a Hello Packet (Type 1)

len:48  This is the size of the hello packet

rid:0.0.0.2  – This is the Router ID

area:0.0.0.0 – This is the Area.  Area 0 in this case.

chksum:0  Checksum of the packet

auth:2  This is the authentication type.  There are three types 0- No Auth, 1- Simple Password (also called text) , 2 – cryptographic (also called md5)

keyid:1  This is the keyid

seq:0x5BB8  This is the sequence number

***************************

***************************

Simple Password

***************************

***************************

R2#
*Oct 6 12:49:20.952: OSPF-1 PAK : Et0/0: IN: 192.1.100.3->224.0.0.5: ver:2 type:1 len:52 rid:0.0.0.3 area:0.0.0.0 chksum:A483 auth:1

Et0/0: IN:  This is the interface the packet is on and the direction of the packet  Ethernet 0/0 in the Inbound direction

192.1.100.3->224.0.0.5:  Source/destination.  We can see its multicast to 224.0.0.5 since its OSPF

ver:2  OSPF Version.  For IPv4 this is version 2

type:1  this is the message type, which is a Hello Packet (Type 1)

len:52  This is the size of the hello packet

rid:0.0.0.3  This is the Router ID

area:0.0.0.0   This is the Area.  Area 0 in this case.

chksum:A483  Checksum of the packet

auth:1    This is the authentication type.  There are three types 0- No Auth, 1- Simple Password (also called text) , 2 – cryptographic (also called md5)

***************************

***************************

No Authentication configured

***************************

***************************

*Oct 6 14:11:10.979: OSPF-1 PAK : Et0/0: OUT: 192.1.67.7->224.0.0.5: ver:2 type:1 len:48 rid:0.0.0.7 area:0.0.0.0 chksum:EC8D auth:0

Et0/0: OUT: This is the interface the packet is on and the direction of the packet  Ethernet 0/0 in the Outbound direction

192.1.67.7->224.0.0.5:    Source/destination.  We can see its multicast to 224.0.0.5 since its OSPF

ver:2   OSPF Version.  For IPv4 this is version 2

type:1    this is the message type, which is a Hello Packet (Type 1)

len:48   This is the size of the hello packet

rid:0.0.0.7   This is the Router ID

area:0.0.0.0  This is the Area.  Area 0 in this case.

chksum:EC8D   Checksum of the packet

auth:0   This is the authentication type.  There are three types 0- No Auth, 1- Simple Password (also called text) , 2 – cryptographic (also called md5)

***************************

***************************

SHA configured

***************************

***************************

*Oct 6 16:10:11.572: OSPF-1 PAK : Et0/0: OUT: 192.1.100.2->224.0.0.5: ver:2 type:1 len:44 rid:0.0.0.2 area:0.0.0.0 chksum:0 auth:2 keyid:5 seq:0x5BB8

Et0/0: OUT:  This is the interface the packet is on and the direction of the packet  Ethernet 0/0 in the Outbound direction

192.1.100.2->224.0.0.5:   Source/destination.  We can see its multicast to 224.0.0.5 since its OSPF

ver:2   For IPv4 this is version 2

type:1   this is the message type, which is a Hello Packet (Type 1)

len:44   This is the size of the hello packet

rid:0.0.0.2   This is the Router ID

area:0.0.0.0  This is the Area.  Area 0 in this case.

chksum:0  Checksum of the packet

auth:2  This is the authentication type.  There are three types 0- No Auth, 1- Simple Password (also called text) , 2 – cryptographic (also called md5 or SHA)

keyid:5  This uses a key chain and therefore has a keyid

seq:0x5BB8

Sample OSPF packet captures

cryptographic (MD5)

Simple passowrd (Clear text)

Null (No Authentication configured)

SHA Authentication

IMPORTANT – With Area Authentication enabled and no password it still changes the Auth Type as shown below.  You can see that there is not a password assigned.  In this case, if the other side does NOT have authentication enabled then the neighbor relationship will still go down because the Auth Type is not equal.

Leave a Reply

Your email address will not be published. Required fields are marked *