Routing Protocol Authentication
Authentication is crucial in routing protocols to ensure the
integrity and authenticity of routing updates. Most protocols support different
types of authentication mechanisms like plain text, MD5, and more advanced
cryptographic methods such as HMAC-SHA-256.
EIGRP Authentication
- EIGRP Authentication: EIGRP supports both MD5 (in classic mode) and HMAC-SHA-256 (in named mode). Authentication ensures that packets exchanged between EIGRP neighbors are verified using pre-shared keys.
- Technical Tip: Use HMAC-SHA-256 in named mode, as it is stronger than MD5.
Example configuration for MD5 in classic mode:
key chain EIGRP-R2-R4
 key 1
  key-string CCIE
!
interface eth0/2
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 EIGRP-R2-R4
Example for HMAC-SHA-256 in named mode:
router eigrp ONE
 address-family ipv4 unicast autonomous-system 1
  af-interface Ethernet0/2
   authentication mode hmac-sha-256 CCIE
- Technical Tip: For passwords containing special characters, escape sequences might be necessary. For example, entering "C?IE" requires pressing Esc and q before entering the ? character, since ? alone invokes context-sensitive help.
OSPF Authentication
OSPF supports three types of authentication:
- Type 0: No authentication.
- Type 1: Plain text authentication.
- Type 2: MD5-based authentication.
- Cryptographic Authentication: Newer OSPF implementations support SHA-based authentication, such as HMAC-SHA-256.
OSPF MD5 authentication example:
interface GigabitEthernet0/1
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 OSPF-KEY
Cryptographic authentication example (SHA-256):
key chain OSPF
 key 1
  key-string CCIE
  cryptographic-algorithm hmac-sha-256
!
interface GigabitEthernet0/1
 ip ospf authentication key-chain OSPF
- Key Rollover: In MD5-based OSPF, multiple keys can be configured, and routers go through a key rollover process where the last key added is used to sign packets, while received packets are authenticated with the key ID carried in the packet.
- Virtual Links: If OSPF authentication is enabled in Area 0, it must also be enabled on virtual links, since they are considered part of Area 0. Virtual links use demand circuits, suppressing hello messages to avoid keeping the link up unless there is a topology change.
- Technical Tip: Be cautious with key numbering in OSPF. The newest key is not determined by the numeric value but by the order in which it was added.
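To make the OSPF behaviour above concrete (the key ID in the packet selecting the key, MD5 versus HMAC-SHA-256 trailers, and the cryptographic sequence number guarding against replay), here is an added Python example, not code from the original post or from Cisco IOS. It implements the digest constructions from RFC 2328 Appendix D (AuType 2 with MD5) and RFC 5709 (HMAC-SHA-256 with the Apad constant), plus a receiver that looks up the key chain by Key ID and checks the trailer in constant time. The hello body, router IDs, key strings and key IDs are constructed sample values; zero-padding a short key-string to the raw key length is an assumption of this example.

```python
"""OSPFv2 cryptographic authentication trailer: sign and verify (added example).

Packet layout used here: 24-byte OSPFv2 header with AuType 2, the 8-byte
authentication field holding (reserved, Key ID, auth data length, sequence
number), the body, then the digest appended after the packet (the length
field excludes the trailer).
"""
import hashlib
import hmac
import ipaddress
import struct

OSPF_VERSION = 2
OSPF_AUTYPE_CRYPTO = 2      # RFC 2328 "Cryptographic authentication"
OSPF_HELLO = 1
APAD_WORD = 0x878FE1F3      # RFC 5709 Apad constant, repeated L/4 times
HEADER_FMT = "!BBH4s4sHHHBBI"


def _md5_digest(packet, key):
    """RFC 2328 D.4.3: MD5 over (packet || 16-byte key).
    Assumption: the key-string bytes are the raw key, zero-padded to 16."""
    k = key.encode()[:16].ljust(16, b"\x00")
    return hashlib.md5(packet + k).digest()


def _hmac_sha256_digest(packet, key):
    """RFC 5709 3.3: Ko = H(K) if len(K) > L, else K zero-padded to L;
    digest = HMAC-SHA-256(Ko, packet || Apad)."""
    L = hashlib.sha256().digest_size
    k = key.encode()
    ko = hashlib.sha256(k).digest() if len(k) > L else k.ljust(L, b"\x00")
    apad = struct.pack("!I", APAD_WORD) * (L // 4)
    return hmac.new(ko, packet + apad, hashlib.sha256).digest()


ALGORITHMS = {"md5": _md5_digest, "hmac-sha-256": _hmac_sha256_digest}
AUTH_LEN = {"md5": 16, "hmac-sha-256": 32}


def build_packet(pkt_type, router_id, area_id, body, key_id, algo, seq):
    """OSPFv2 header + body; checksum is 0 for AuType 2 (RFC 2328 D.4.3)."""
    hdr = struct.pack(HEADER_FMT, OSPF_VERSION, pkt_type, 24 + len(body),
                      ipaddress.IPv4Address(router_id).packed,
                      ipaddress.IPv4Address(area_id).packed,
                      0, OSPF_AUTYPE_CRYPTO, 0, key_id, AUTH_LEN[algo], seq)
    return hdr + body


def sign_packet(packet, key, algo):
    """Append the authentication trailer computed with the chosen algorithm."""
    return packet + ALGORITHMS[algo](packet, key)


class Receiver:
    """Verifies packets against a key chain {key_id: (key_string, algo)} and
    rejects cryptographic sequence numbers that go backwards per neighbor."""

    def __init__(self, key_chain):
        self.key_chain = key_chain
        self.last_seq = {}      # router_id -> last accepted sequence number

    def verify(self, data):
        (version, _, length, router_id, _, _, autype,
         _, key_id, auth_len, seq) = struct.unpack(HEADER_FMT, data[:24])
        if version != OSPF_VERSION or autype != OSPF_AUTYPE_CRYPTO:
            return False
        if key_id not in self.key_chain:            # unknown Key ID: drop
            return False
        key, algo = self.key_chain[key_id]
        if auth_len != AUTH_LEN[algo]:
            return False
        packet, trailer = data[:length], data[length:length + auth_len]
        expected = ALGORITHMS[algo](packet, key)
        if not hmac.compare_digest(expected, trailer):
            return False                            # wrong key or tampered
        if seq < self.last_seq.get(router_id, 0):
            return False                            # replayed / out of order
        self.last_seq[router_id] = seq
        return True


def run_checks():
    """Constructed scenario: one neighbour, two keys in the chain."""
    rx = Receiver({1: ("CCIE", "hmac-sha-256"), 2: ("OSPF-KEY", "md5")})
    # Constructed hello body: mask, hello 10s, options, priority 1, dead 40s, DR, BDR.
    body = struct.pack("!4sHBBI4s4s", ipaddress.IPv4Address("255.255.255.0").packed,
                       10, 0x02, 1, 40, b"\x00" * 4, b"\x00" * 4)

    def pkt(key_id, algo, seq, key):
        return sign_packet(build_packet(OSPF_HELLO, "10.0.0.1", "0.0.0.0",
                                        body, key_id, algo, seq), key, algo)

    p_sha = pkt(1, "hmac-sha-256", 100, "CCIE")
    p_md5 = pkt(2, "md5", 101, "OSPF-KEY")
    tampered = p_md5[:30] + bytes([p_md5[30] ^ 0x01]) + p_md5[31:]
    return {
        "sha256_ok": rx.verify(p_sha),
        "md5_ok": rx.verify(p_md5),
        "wrong_key": rx.verify(pkt(2, "md5", 102, "WRONG")),
        "unknown_key_id": rx.verify(pkt(7, "md5", 103, "OSPF-KEY")),
        "replay": rx.verify(p_sha),          # seq 100 after 101 was accepted
        "tampered": rx.verify(tampered),     # body byte flipped after signing
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name:15s} accepted={ok}")
```

The receiver selects the key purely from the Key ID in the packet, which is exactly why the rollover tip matters: a neighbour still sending with an older key ID keeps authenticating as long as that key remains in the chain, and drops as soon as it is removed.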