Authentication Methods

• Plain text authentication
• Hashing authentication: MD5 and SHA

Plain text authentication

Step 1. A routing update is sent from one router to another. That routing update includes a key (that is, a password) and a key number, because some routing protocols support the configuration of multiple keys.

Note that if a routing protocol does not support multiple keys, the key number associated with a routing update is 0.

Step 2. A neighboring router receives the routing update. That router determines whether the received key matches its configured key (with a matching key number).

Step 3. If the neighboring router determines that the keys match, it accepts the routing update. However, the routing update is rejected if the keys do not match.

can configure with plain text authentication are
■ Routing Information Protocol version 2 (RIPv2)
■ Open Shortest Path First version 2 (OSPFv2)
■ Intermediate System–to–Intermediate System (IS-IS)

Hashing Authentication

hashing authentication never transmits a key across a network, instead sending the hash digest.

Following procedure that can generally be summarized as follows:
Step 1. A hashing algorithm is run on a routing update along with a router’s configured key. The result of the hashing algorithm (that is, the hash digest) is added to the end of the routing update, which is then sent to a neighboring router.

Step 2. The neighboring router receives the update and runs a hashing algorithm on the routing update combined with its locally configured key, which results in a hash digest.

Step 3. If the locally configured hash digest matches the received hash digest, the receiving router accepts the packet. If the independently calculated hash digest values do not match, the update is rejected.

 Protocols that can use hashing method:

Key chains

The probability that a shared secret key will be learned increases with time.

Fortunately, you can configure time-based key chains. A key chain is a collection of keys, each identified with a key ID, that is associated with an interface. A time-based key chain not only includes a collection of keys and key IDs, but it also includes key lifetimes. These lifetimes dictate the periods of time when a router will send a specific key and when a router will accept a specific key.

The period of time during which a router will accept a specific key is called the accept lifetime,

while the period of time during which a router will send a specific key is called the send lifetime.

Syntax:

The two time after the accept-lifetime and send-lifetime are the starting and ending time.

Note: To make sure that there is never a period of time when no key is active, you should configure your key lifetimes to overlap. If a router sends an update at a time when multiple keys are active, the router uses the key with the lowest key ID.

Eg.

!Configuration on Router R1
R1# conf term
R1(config)# key chain R1KEYCHAIN
R1(config-keychain)# key 1
R1(config-keychain-key)# key-string PRIMARY_KEY
R1(config-keychain-key)# accept-lifetime 01:00:00 April 1 2014 01:00:00 May 2 2014
R1(config-keychain-key)# send-lifetime 01:00:00 April 1 2014 01:00:00 May 2 2014
R1(config-keychain-key)# exit
R1(config-keychain)# key 2
R1(config-keychain-key)# key-string SECONDARY_KEY
R1(config-keychain-key)# accept-lifetime 01:00:00 May 1 2014 infinite
R1(config-keychain-key)# send-lifetime 01:00:00 May 1 2014 infinite
R1(config-keychain-key)# end
R1#
!Configuration on Router R2
R2# conf term
R2(config)# key chain R2KEYCHAIN
R2(config-keychain)# key 1
R2(config-keychain-key)# key-string PRIMARY_KEY
R2(config-keychain-key)# accept-lifetime 01:00:00 April 1 2014 01:00:00 May 2 2014
R2(config-keychain-key)# send-lifetime 01:00:00 April 1 2014 01:00:00 May 2 2014
R2(config-keychain-key)# exit
R2(config-keychain)# key 2
R2(config-keychain-key)# key-string SECONDARY_KEY
R2(config-keychain-key)# accept-lifetime 01:00:00 May 1 2014 infinite
R2(config-keychain-key)# send-lifetime 01:00:00 May 1 2014 infinite
R2(config-keychain-key)# end
R2#

EIGRP authentication

EIGRP authentication causes routers to authenticate every EIGRP message. 

From a design perspective, EIGRP authentication helps prevent denial of service (DoS) attacks, but it does not provide any privacy. Because the message’s MD5 digest does not pass the authentication checking based on the local copy of the key, the router silently discards the message.

EIGRP for IPv4 Authentication

The EIGRP for IPv4 authentication configuration process requires a few steps, which are summarized as follows:
Step 1. Create a key chain. (This procedure was discussed in the earlier section “Authentication Methods.”)

Step 2. Enable EIGRP MD5 authentication on an interface, for a particular EIGRP autonomous system number (ASN), using the ip authentication mode eigrp asn md5 interface subcommand.

Step 3. Refer to the correct key chain to be used on an interface using the ip authentication key-chain eigrp asn name-of-chain interface subcommand.

The show key chain command can be used to view the details of any configured key chains. Also, you can issue the show ip eigrp neighbors command to confirm that expected EIGRP neighborships have been formed.

EIGRP for IPv6 Authentication

Configuring authentication for EIGRP for IPv6 is nearly identical to configuring authentication for EIGRP for IPv4. The only difference is change ip into ipv6.

Named EIGRP Authentication

The configuration of Named EIGRP authentication is very similar to the authentication configuration of EIGRP for IPv4. After configuring a key chain, you enter the authentication mode {md5 | hmac-sha-256} command in address family interface configuration mode. Finally, still in address family interface configuration mode, you enter the authentication key-chain name-of-chain command. Following are the steps:

Step 1. Create a key chain.

Step 2. Enable authentication for Named EIGRP in address family interface configuration mode, using the command authentication mode {md5 | hmac-sha-256}.

Step 3. Refer to the correct key chain to be used, while still in address family interface configuration mode, with the command authentication key-chain nameof-chain.

OSPF authentication

OSPF authentication causes routers to authenticate every OSPF message. To do so, the routers use the same preshared key value. This key might be in plain text, or it might be a hash digest from either the MD5 hashing algorithms.

Plain Text authentication

Step 1. Plain text authentication must be enabled for either an interface or an OSPF area:

■ Enable per interface using the ip ospf authentication interface subcommand.
■ Enable on all interfaces in an area by changing the area-wide authentication setting using the area area-number authentication subcommand under OSPF router configuration mode.

These two approaches are compatible with one another, and a neighborship successfully forms.

Step 2. The authentication keys must be configured per interface, using the ip ospf authentication-key name-of-key interface subcommand.

Note: OSPFv3 does not support the plain text authentication supported by OSPFv2. The maximum length of the authentication key is eight characters. If you enter a longer key, it will automatically be truncated to eight characters.

Verify:

The show ip ospf interface interface_identifier command can be used to confirm that plain text authentication (referred to as simple password authentication in Cisco IOS command output) is enabled on an interface.

Of course, you could also use the show ip ospf neighbor command to confirm that a neighborship exists between two routers.

OSPFv2 MD5 Authentication

OSPFv2 MD5 authentication allows a key length of 16 characters. This key, along with the key ID, is used to calculate the MD5 hash for each OSPF packet. Also, you could (but are not required to) have a separate key string for each interface.

Step 1. Plain text authentication must be enabled for either an interface or an OSPF area:

■ Enable per interface using the ip ospf authentication message-digest interface subcommand.
■ Enable on all interfaces in an area by changing the area-wide authentication setting using the area area-number authentication message-digestsubcommand under OSPF router configuration mode.

Step 2. The authentication keys must be configured per interface, using the ip ospf message-digest-key key-id md5 name-of-key interface subcommand.

Note: The youngest key ID appearing in the output of the show ip ospf interface interface_identifier command is not necessarily the lowest key ID. Rather it is the key that has been most recently configured, regardless of its key ID.

OSPFv3 Authentication

OSPFv3 has no authentication field in its headers. So, rather than using any authentication mechanism natively built into OSPFv3, it relies on IPsec to provide authentication. IPsec is capable of encrypting messages in addition to authenticating them. The Authentication Header (AH) encapsulation type for IPsec provides authentication services, but no encryption, while Encapsulating Security Payload (ESP) provides both authentication and encryption services.

The ipv6 ospf authentication command enables the use of AH to provide authentication, while the ipv6 ospf encryption command enables authentication and encryption services through ESP.

In addition to specifying whether you want to just perform authentication or also perform encryption, you need to specify an identifier called the security policy index (SPI) and a key string. The combination of an SPI and a key string is called a security policy.

 area area_number authentication ipsec spi security_policy_index [md5 | sha1] {0 | 7} key-string 

Notice that you can specify either md5 or sha1 as your hashing algorithm. After specifying the algorithm you want to use, you can enter a 0 to indicate that you do not want your key string encrypted when it appears in your router’s running configuration.
Alternately, you can select a 7 if you do want it to appear encrypted. Finally in this command, you enter the key string, which is a  hexadecimal number.

If you are using MD5 as your hashing algorithm, the key string must be 32 hexadecimal digits. However, if you
selected SHA1, the key string must be 40 hexadecimal characters.

OSPFv3:

If you are configuring OSPFv3 authentication in interface configuration mode, then the command you issue is

ipv6 ospf authentication ipsec spi security_policy_index [md5 | sha1] {0 | 7} key-string

Because OSPFv3 authentication is based on IPsec, you can verify the authentication configuration with the command show crypto ipsec sa interface interface_identifier.

Eg.

!Configuration on Router R1
interface Serial1/0
ipv6 address 2002::1/64
ipv6 ospf 2 area 0
!
ipv6 router ospf 2
router-id 1.1.1.1
area 0 authentication ipsec spi 256 sha1 0123456789012345678901234567890123456789
!

!Configuration on Router R2
interface Serial1/0
ipv6 address 2002::2/64
ipv6 ospf authentication ipsec spi 256 sha1
0123456789012345678901234567890123456789
ipv6 ospf 2 area 0
!
ipv6 router ospf 2
router-id 2.2.2.2

BGP authentication

IPv4 BGP authentication

BGP does not require a series of configuration steps. Rather, BGP can be enabled on a router with a single command in BGP router configuration mode:

neighbor neighbor-ip password key

IPv6 BGP Authentication

The procedure to configure BGP authentication on an IPv6 network is identical to the procedure previously seen for IPv4. Specifically, you issue the  command in BGP router configuration mode:

neighbor neighbor-ip password key

Verify:

show bgp ipv6 unicast summary