Saturday 9 November 2019

EIGRP MD5 Authentication Configuration

This chapter covers EIGRP MD5 authentication configuration on Cisco routers. EIGRP supports authenticating its routing messages with MD5. To make the topic easier to follow, this chapter includes MD5 authentication examples and the corresponding Cisco configuration commands.

ROUTING PROTOCOL AUTHENTICATION

Network administrators should keep in mind that routers are at the same risk of attack as end-user devices. Anyone with a packet sniffer, such as Wireshark, can read the information propagated between routers. In general, routing systems can be attacked by disrupting peer devices or by falsifying routing information.
Disruption of peers is the less critical of the two attacks, because routing protocols repair themselves, so the disruption lasts only a little longer than the attack itself. Falsification of routing information is a more subtle class of attack that targets the information carried within the routing protocol. The consequences of falsified routing information include the following:

  • Redirecting traffic to create routing loops
  • Redirecting traffic so it can be monitored on an insecure link
  • Redirecting traffic in order to discard it

One method of protecting the network's routing information is to authenticate the routing protocol packets using the Message Digest 5 (MD5) algorithm. MD5 lets routers compare signatures that should be identical, confirming that the packets come from a trusted source. The three components of this system are the following:

  • The algorithm (MD5), which is generally public knowledge
  • The key used with the algorithm, a secret shared by the routers that authenticate packets
  • The packet contents

Routing protocols such as RIPv2, EIGRP, OSPF, IS-IS and BGP support various forms of MD5 authentication.

EIGRP CONFIGURATION WITH MD5 AUTHENTICATION

EIGRP message authentication ensures that routers accept routing messages only from other routers that know the same pre-shared key. Without authentication configured, if an unauthorized person introduces another router with different or conflicting route information, it can corrupt the routing tables of legitimate routers, which may be accompanied by a DoS attack.
Adding authentication to the EIGRP messages exchanged between routers therefore prevents someone from adding another router to the network, either deliberately or by accident, and causing a problem. EIGRP supports authentication using MD5. Configuring EIGRP message authentication consists of two steps: creating a keychain and a key, and configuring EIGRP authentication to use that keychain and key.

STEP 1. CREATE A KEYCHAIN AND A KEY

Routing authentication requires a key in a keychain in order to function. To enable authentication, create a keychain and at least one key.

  • a. In global configuration mode, create the keychain. Although several keys can be configured, this section focuses on using a single key.

Router(config)# key chain name-of-chain

  • b. Specify the key ID. The key ID is the number that identifies an authentication key within a keychain. The range of key IDs is 0 to 2147483647. It is recommended that the key number be the same on all routers in the configuration.

Router(config-keychain)# key key-id

  • c. Specify the key string for the key. The key string is similar to a password. Routers that exchange authentication keys must be configured with the same key string.

Router(config-keychain-key)# key-string key-string-text

STEP 2. CONFIGURE EIGRP AUTHENTICATION WITH THE KEYCHAIN AND KEY

Configure EIGRP to perform message authentication with the key defined above. Complete this configuration on all EIGRP-enabled interfaces.

  • a. In global configuration mode, specify the interface on which to configure EIGRP message authentication.

Router(config)# interface type number

  • b. Enable EIGRP message authentication. The md5 keyword indicates that the MD5 hash is used for authentication.

Router(config-if)# ip authentication mode eigrp as-number md5

  • c. Specify the keychain used for authentication. The name-of-chain argument is the keychain created in step 1.

Router(config-if)# ip authentication key-chain eigrp as-number name-of-chain

Each key has its own key ID, which is stored locally. The combination of the key ID and the interface associated with the message uniquely identifies the authentication algorithm and the MD5 authentication key in use. The keychain and the routing update are processed with the MD5 algorithm to produce a unique signature.

EIGRP AUTHENTICATION EXAMPLE

To authenticate routing updates, all EIGRP-enabled interfaces must be configured to support authentication. The first figure shows the IPv4 topology and the interfaces on which authentication is configured.

The second figure shows the configuration of router R1 with the EIGRP_KEY keychain and the cisco123 key string.

Once R1 is configured, the other routers receive authenticated routing updates. Adjacencies are lost until routing protocol authentication is configured on the neighbors.

IPV6 EIGRP AUTHENTICATION CONFIGURATION

The algorithms and the configuration used to authenticate EIGRP for IPv6 messages are the same as those for EIGRP for IPv4. The only difference is that in the interface configuration mode commands, ipv6 is used instead of ip.

Router(config-if)# ipv6 authentication mode eigrp as-number md5
Router(config-if)# ipv6 authentication key-chain eigrp as-number name-of-chain

The following figure shows the commands for configuring EIGRP for IPv6 authentication on router R1, using the EIGRP_IPV6_KEY keychain and the cisco123 key string.

Similar configurations are entered on R2 and R3.
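The two steps above, written out as the complete R1 configuration for both IPv4 and IPv6. This is an added example, not the figure from the original post; it assumes key ID 1, Serial0/0/0 as the EIGRP-enabled interface, and AS 1 for both address families (AS 1 for IPv4 comes from the IOS messages in the verification section; the IPv6 AS number is an assumption). The keychain names and the cisco123 key string are the ones the post uses.

```cisco
! Added example (not the post's own figure): EIGRP MD5 authentication on R1.
! Assumed values: key ID 1, interface Serial0/0/0, AS 1 for IPv4 and IPv6.
!
! Step 1: keychain and key for EIGRP for IPv4
key chain EIGRP_KEY
 key 1
  key-string cisco123
!
! Step 1 again for EIGRP for IPv6, in its own keychain
key chain EIGRP_IPV6_KEY
 key 1
  key-string cisco123
!
! Step 2: apply authentication on every EIGRP-enabled interface.
! The md5 keyword selects the MD5 hash; the key-chain line binds the
! keychain from step 1 to this interface and AS number.
interface Serial0/0/0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 EIGRP_KEY
 ipv6 authentication mode eigrp 1 md5
 ipv6 authentication key-chain eigrp 1 EIGRP_IPV6_KEY
!
! R2 and R3 must use the same key ID and key string on their side of each
! link; until they do, the adjacency stays down with the
! "authentication mode changed" message shown in the verification section.
```

After the neighbors are configured the same way, `show key chain` on each router lists the keychains and keys, and `show ip eigrp neighbors` / `show ipv6 eigrp neighbors` confirm the adjacencies have re-formed.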

VERIFICATION OF EIGRP AUTHENTICATION

Once EIGRP message authentication is configured on a router, any adjacent neighbor that has not been configured for authentication is no longer an EIGRP neighbor.

For example, when the Serial 0/0/0 interface of R1 was configured with MD5 authentication but R2 was not yet configured, the following IOS message appeared on R1:

%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.16.3.2 (Serial0/0/0) is down: authentication mode changed

When the adjacent Serial 0/0/0 interface is configured on R2, the adjacency is re-established and the following IOS message appears on R1:

%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.16.3.2 (Serial0/0/0) is up: new adjacency

Similar messages also appear on R2.

Adjacencies are only formed when both connected devices have authentication configured, as shown in the figure.

To verify that the correct EIGRP adjacencies have formed after configuring authentication, use the show ip eigrp neighbors command on each router.
The figure shows that the three routers re-established their neighbor adjacencies after EIGRP authentication was configured.

Finally, to verify EIGRP for IPv6 neighbors, use the show ipv6 eigrp neighbors command.
