CCIE Authentication RIP, EIGRP, OSPF
I am going to start using this to help me analyze and remember weak areas. Today I was working through the standard OSPF walk-through with Khawar’s class and we went to start configuring OSPF authentication. I started creating a key chain and trying to apply it, and quickly realized I was doing something wrong. OSPF is very different from RIP and EIGRP when it comes to authentication.
****NOTE This is work in progress. Verify these are correct before assuming this is accurate.
Assumptions – Running version 15.5 IOS on GNS3. Variations in platform and code may alter the required commands.
Authentication-RIP-EIGRP-OSPF
This is to provide a summary of IGP Routing Protocol Authentication Modes.

Authentication Type | RIP | EIGRP Classic | EIGRP Named | OSPF |
---|---|---|---|---|
Clear Text with Key Chain | Yes | No | No | No |
Clear Text and NO Key Chain | No | No | No | Yes |
MD5 with Key Chain | Yes | Yes | Yes | No |
MD5 and NO Key Chain | No | No | No | Yes |
SHA with Key Chain | No | No | No | Yes |
SHA and NO Key Chain | No | No | Yes | No |
RIP –
- RFC 2082 RIPv2 MD5 Authentication
- Requires a key chain
- Can be done with clear text and MD5 ONLY.
- Reduces the number of routes sent in each update from 25 to 24 (the authentication entry takes one route slot).
- Key chain name is locally significant
- Key number must match for MD5 but not for clear text. For MD5 the key number is carried in the packet and selects the key used for the hash.
- Authentication only verifies the routing update, not the neighbor.
- If the router is configured for “text” mode it will not show in the running configuration (text is the default mode).
- Verification can be made with the command “show ip protocol | begin rip”
- Also, you can use the command “show key chain”
- R1#show key chain
  Key-chain RIPCLEAR:
    key 5 — text “cisco123”
      accept lifetime (always valid) – (always valid) [valid now]
      send lifetime (always valid) – (always valid) [valid now]
- Sample Clear text
- config t
- key chain LOCALCHAIN
- key 10
- key-string 8675309 (MUST MATCH)
- interface eth 0/0
- ip rip authentication key-chain LOCALCHAIN
- ip rip authentication mode text
- *****2nd Router*****
- config t
- key chain R2CHAIN
- key 20
- key-string 8675309 (MUST MATCH)
- int eth 0/0
- ip rip authentication key-chain R2CHAIN
- Sample md5
- config t
- key chain MD5R1
- key 5 (MUST MATCH)
- key-string 666 (MUST MATCH)
- int eth 0/1
- ip rip authentication key-chain MD5R1
- ip rip authentication mode md5
- *****2nd Router*****
- key chain MD5R2
- key 5 (MUST MATCH)
- key-string 666 (MUST MATCH)
- int eth 2/1
- ip rip authentication key-chain MD5R2
- ip rip authentication mode md5
- Common mistakes
- Extra space in the key-string
- ip rip authentication mode not typed, and for some reason the router doesn’t start authenticating
- key-string mismatch
- for MD5 the key number must match
Debug output does not show successful authentication, but it will say “invalid authentication”:
*Oct 6 15:05:13.068: RIP: ignored v2 packet from 12.1.1.2 (invalid authentication)
- This is a wrong authentication type, the wrong key number (if MD5), or the wrong key-string.
Capture
RIP No Authentication
RIP Clear Text NOTE: Key # is not sent with Authentication type 2 Simple Password!
RIP MD5
EIGRP
- RFC 7868
- Has some variety because Named mode adds SHA capability.
- Classic mode is key-chain based and provides MD5 authentication only.
- Named mode is key-chain based for MD5 but does not use a key chain for SHA; the SHA password is given directly on the authentication mode command.
- In Classic mode EIGRP requires both the mode command and the key-chain command for authentication to be enabled on the interface.
- Sample Classic MD5
- config t
- key chain EIGRPMD5
- key 8
- key-string notit
- int eth 1/1
- ip authentication mode eigrp 100 md5
- ip authentication key-chain eigrp 100 EIGRPMD5
- Named mode SHA-256; key-string is “endoftheroad”
- config t
- router eigrp AUTHEIGRP
- address-family ipv4 unicast autonomous-system 100
- af-interface default
- authentication mode hmac-sha-256 endoftheroad
- Common mistakes
- Configuring everything classic and then requiring SHA
- incorrect key value
- incorrect key string
Debug outputs
If the adjacency was up first you would see this change logged. Otherwise there are no log messages by default.
*Oct 6 15:39:31.471: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.12.12.2 (Ethernet0/0) is down: Auth failure
- This indicates a possibly incorrect key-string.
“debug eigrp packet” will give you these indicators:
*Oct 6 15:41:09.110: EIGRP: pkt authentication key id = 10, key not defined
*Oct 6 15:41:09.110: EIGRP: Et0/0: ignored packet from 10.12.12.2, opcode = 5 (invalid authentication)
- This means the key ID received from the neighbor (10 here) is not defined in the local key chain, so the keys are not correct.
*Oct 6 15:44:26.711: EIGRP: pkt key id = 5, authentication mismatch
*Oct 6 15:44:26.711: EIGRP: Et0/0: ignored packet from 10.12.12.2, opcode = 5 (invalid authentication)
- This means the key-strings differ, or MD5 is configured on one side and SHA on the other.
Packet Captures
No Authentication
MD5
SHA 256
OSPF –
- RFC 2328 – Clear Text and MD5
- RFC 5709 – HMAC-SHA
- OSPF clear text and MD5 do NOT use key chains, BUT SHA does!!!
- Can provide clear text or MD5 directly on the interface.
- The mode can be configured either area-wide (under the OSPF process) or per interface.
- The key is configured on each interface.
- The key ID MUST match.
- If configured area-wide, be careful with virtual links. They are easy to forget since they will only be an issue when the topology changes.
- If configured area-wide, you can still disable authentication on specific interfaces with the following command on both sides:
- ip ospf authentication null
- The authentication type field is carried in the OSPF header no matter what method is configured, including none.
- SHA authentication DOES require a key chain!!!! And under the key-string it requires an additional subcommand specifying the SHA variant (cryptographic-algorithm).
- You can verify the authentication with the command “show ip ospf int eth 0/0”
- R2#show ip ospf int eth 0/0
  Ethernet0/0 is up, line protocol is up
    Internet Address 192.1.100.2/24, Area 0, Attached via Network Statement
    Process ID 1, Router ID 0.0.0.2, Network Type BROADCAST, Cost: 10
    Topology-MTID    Cost    Disabled    Shutdown    Topology Name
          0           10        no          no          Base
    Transmit Delay is 1 sec, State DR, Priority 1
    Designated Router (ID) 0.0.0.2, Interface address 192.1.100.2
    No backup designated router on this network
    Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
      oob-resync timeout 40
      Hello due in 00:00:07
    Supports Link-local Signaling (LLS)
    Cisco NSF helper support enabled
    IETF NSF helper support enabled
    Index 1/2/2, flood queue length 0
    Next 0x0(0)/0x0(0)/0x0(0)
    Last flood scan length is 1, maximum is 1
    Last flood scan time is 0 msec, maximum is 0 msec
    Neighbor Count is 0, Adjacent neighbor count is 0
    Suppress hello for 0 neighbor(s)
    Cryptographic authentication enabled
      Sending SA: Key 5, Algorithm HMAC-SHA-256 – key chain OSPFSHA
- Sample Area Mode clear text on interface. Key is “guessname”.
- config t
- router ospf 1
- area 0 authentication
- interface eth 0/0
- ip ospf authentication-key guessname
- Sample Area Mode md5 on interface. Key is “guessname”
- config t
- router ospf 1
- area 0 authentication message-digest
- interface eth 0/0
- ip ospf message-digest-key 1 md5 guessname
- Sample Interface Configuration, clear text. Key is “thisisit”
- config t
- interface eth 0/0
- ip ospf authentication
- ip ospf authentication-key thisisit
- Sample Interface Configuration, md5. Key is “noneya”
- config t
- interface eth 0/0
- ip ospf authentication message-digest
- ip ospf message-digest-key 1 md5 noneya
- Sample Interface Configuration, SHA256, key is “deez”
- config t
- key chain OSPFSHA
- key 5
- key-string deez
- cryptographic-algorithm hmac-sha-256
- int eth 0/0
- ip ospf authentication key-chain OSPFSHA
- Common mistakes
- Configuring key chains for clear text or MD5 (only SHA uses a key chain)
- Incorrect passwords
- Configuring area-wide and forgetting to set null on non-authenticated interfaces
- Configuring area-wide and forgetting to configure virtual links
OSPF Debug Output explained
***************************
***************************
MD5
***************************
***************************
R2#
*Oct 6 12:49:19.551: OSPF-1 PAK : Se2/0: OUT: 192.1.101.2->224.0.0.5: ver:2 type:1 len:48 rid:0.0.0.2 area:0.0.0.0 chksum:0 auth:2 keyid:1 seq:0x5BB8
Se2/0: OUT: – the interface the packet is on and the direction of the packet: Serial 2/0, outbound
192.1.101.2->224.0.0.5 – source/destination. It is multicast to 224.0.0.5 (AllSPFRouters) since it is OSPF
ver:2 – OSPF version. For IPv4 this is version 2
type:1 – the message type, which is a Hello packet (type 1)
len:48 – the size of the hello packet
rid:0.0.0.2 – the Router ID
area:0.0.0.0 – the area, Area 0 in this case
chksum:0 – checksum of the packet. With cryptographic authentication the standard OSPF checksum is not used and is left at 0; the digest protects the packet instead
auth:2 – the authentication type. There are three types: 0 – no auth, 1 – simple password (also called text), 2 – cryptographic (also called MD5)
keyid:1 – the key ID
seq:0x5BB8 – the cryptographic sequence number (used for replay protection)
***************************
***************************
Simple Password
***************************
***************************
R2#
*Oct 6 12:49:20.952: OSPF-1 PAK : Et0/0: IN: 192.1.100.3->224.0.0.5: ver:2 type:1 len:52 rid:0.0.0.3 area:0.0.0.0 chksum:A483 auth:1
Et0/0: IN: – the interface the packet is on and the direction of the packet: Ethernet 0/0, inbound
192.1.100.3->224.0.0.5 – source/destination. It is multicast to 224.0.0.5 since it is OSPF
ver:2 – OSPF version. For IPv4 this is version 2
type:1 – the message type, which is a Hello packet (type 1)
len:52 – the size of the hello packet
rid:0.0.0.3 – the Router ID
area:0.0.0.0 – the area, Area 0 in this case
chksum:A483 – checksum of the packet
auth:1 – the authentication type. There are three types: 0 – no auth, 1 – simple password (also called text), 2 – cryptographic (also called MD5)
***************************
***************************
No Authentication configured
***************************
***************************
*Oct 6 14:11:10.979: OSPF-1 PAK : Et0/0: OUT: 192.1.67.7->224.0.0.5: ver:2 type:1 len:48 rid:0.0.0.7 area:0.0.0.0 chksum:EC8D auth:0
Et0/0: OUT: – the interface the packet is on and the direction of the packet: Ethernet 0/0, outbound
192.1.67.7->224.0.0.5 – source/destination. It is multicast to 224.0.0.5 since it is OSPF
ver:2 – OSPF version. For IPv4 this is version 2
type:1 – the message type, which is a Hello packet (type 1)
len:48 – the size of the hello packet
rid:0.0.0.7 – the Router ID
area:0.0.0.0 – the area, Area 0 in this case
chksum:EC8D – checksum of the packet
auth:0 – the authentication type. There are three types: 0 – no auth, 1 – simple password (also called text), 2 – cryptographic (also called MD5)
***************************
***************************
SHA configured
***************************
***************************
*Oct 6 16:10:11.572: OSPF-1 PAK : Et0/0: OUT: 192.1.100.2->224.0.0.5: ver:2 type:1 len:44 rid:0.0.0.2 area:0.0.0.0 chksum:0 auth:2 keyid:5 seq:0x5BB8
Et0/0: OUT: – the interface the packet is on and the direction of the packet: Ethernet 0/0, outbound
192.1.100.2->224.0.0.5 – source/destination. It is multicast to 224.0.0.5 since it is OSPF
ver:2 – OSPF version. For IPv4 this is version 2
type:1 – the message type, which is a Hello packet (type 1)
len:44 – the size of the hello packet
rid:0.0.0.2 – the Router ID
area:0.0.0.0 – the area, Area 0 in this case
chksum:0 – checksum of the packet. As with MD5, the standard checksum is left at 0 under cryptographic authentication
auth:2 – the authentication type. There are three types: 0 – no auth, 1 – simple password (also called text), 2 – cryptographic (also called MD5 or SHA). Note that SHA shares type 2 with MD5; the debug line alone does not tell you which algorithm is in use
keyid:5 – this uses a key chain and therefore has a key ID
seq:0x5BB8 – the cryptographic sequence number
Sample OSPF packet captures
cryptographic (MD5)
Simple password (Clear text)
Null (No Authentication configured)
SHA Authentication
IMPORTANT – With area authentication enabled and no password configured, the Auth Type in the header still changes, as shown below. You can see that there is no password assigned. In this case, if the other side does NOT have authentication enabled, the neighbor relationship will still go down because the Auth Type is not equal on both sides.
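As an added example (not part of the original notes), here is a small Python classifier that runs over the RIP, EIGRP and OSPF debug lines quoted above and maps each one to the likely cause the notes describe. It also checks the last point: an inbound OSPF packet whose auth type differs from what the local interface expects is flagged even before any key is compared. The sample log and the ospf_expected mapping are constructed assumptions for the demo.

```python
import re

# Constructed sample input: the debug lines quoted in the notes above.
SAMPLE_LOG = """\
*Oct 6 15:05:13.068: RIP: ignored v2 packet from 12.1.1.2 (invalid authentication)
*Oct 6 15:39:31.471: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.12.12.2 (Ethernet0/0) is down: Auth failure
*Oct 6 15:41:09.110: EIGRP: pkt authentication key id = 10, key not defined
*Oct 6 15:44:26.711: EIGRP: pkt key id = 5, authentication mismatch
*Oct 6 12:49:19.551: OSPF-1 PAK : Se2/0: OUT: 192.1.101.2->224.0.0.5: ver:2 type:1 len:48 rid:0.0.0.2 area:0.0.0.0 chksum:0 auth:2 keyid:1 seq:0x5BB8
*Oct 6 12:49:20.952: OSPF-1 PAK : Et0/0: IN: 192.1.100.3->224.0.0.5: ver:2 type:1 len:52 rid:0.0.0.3 area:0.0.0.0 chksum:A483 auth:1
"""

OSPF_AUTH = {0: "null", 1: "simple-password", 2: "cryptographic"}

# (protocol, pattern with one capture group, likely cause) taken from the notes' explanations
FAILURE_RULES = [
    ("RIP", r"RIP: ignored v2 packet from (\S+) \(invalid authentication\)",
     "wrong mode, wrong key-string, or wrong key number (MD5)"),
    ("EIGRP", r"Neighbor (\S+) \(\S+\) is down: Auth failure", "possible incorrect key-string"),
    ("EIGRP", r"pkt authentication key id = (\d+), key not defined",
     "received key id not defined in the local key chain"),
    ("EIGRP", r"pkt key id = (\d+), authentication mismatch",
     "key-strings differ, or MD5 on one side and SHA on the other"),
]

OSPF_PAK = re.compile(r"OSPF-\d+ PAK : (\S+): (IN|OUT): (\S+)->\S+: ver:(\d+) type:(\d+) .*?auth:(\d)(?: keyid:(\d+))?")

def parse_ospf_pak(line):
    """Return the OSPF header fields from an 'OSPF PAK' debug line, or None."""
    m = OSPF_PAK.search(line)
    if not m:
        return None
    intf, direction, src, ver, ptype, auth, keyid = m.groups()
    return {"intf": intf, "dir": direction, "src": src, "ver": int(ver), "type": int(ptype),
            "auth": OSPF_AUTH[int(auth)], "keyid": int(keyid) if keyid else None}

def find_auth_failures(log_text, ospf_expected):
    """Classify auth-related lines. ospf_expected maps interface -> locally configured
    auth type name; an inbound OSPF packet with a different type is flagged (assumption)."""
    findings = []
    for line in log_text.splitlines():
        for proto, pat, cause in FAILURE_RULES:
            m = re.search(pat, line)
            if m:
                findings.append((proto, m.group(1), cause))
        pak = parse_ospf_pak(line)
        if pak and pak["dir"] == "IN" and pak["auth"] != ospf_expected.get(pak["intf"], pak["auth"]):
            findings.append(("OSPF", pak["src"], "auth type %s received on %s, expected %s"
                             % (pak["auth"], pak["intf"], ospf_expected[pak["intf"]])))
    return findings
```

Running find_auth_failures(SAMPLE_LOG, {"Et0/0": "cryptographic"}) reports the four RIP/EIGRP failures plus the inbound simple-password hello on Et0/0, which R2 (configured for cryptographic) would reject on type alone.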