Serious and potentially catastrophic problems can occur in your network if a
routing protocol failure were to happen, but as bad or worse is an attack on your
routing protocol. You can prevent your router from receiving fraudulent route
updates by configuring neighbor router authentication. Routing Information
Protocol version two (RIPv2), Enhanced Interior Gateway Routing Protocol
(EIGRP) and Open Shortest Path First (OSPF) all support some form of neighbor
authentication, which is also called neighbor router authentication or route
authentication.
Route authentication can be configured so that only routers with predefined
passwords can participate in the routing process.
By default, no authentication is used in routing protocols. When route
authentication is configured on a router, the router authenticates each routing
update packet that it receives. The router does this with the exchange of an
authentication key (also called a password) that is known to both the sending and
the receiving router. You can configure one of two types of authentication: either
simple password authentication (often called plain-text authentication) or MD5
authentication.
Simple password authentication is supported by Intermediate System-to-
Intermediate System (IS-IS), Open Shortest Path First (OSPF), and Routing
Information Protocol version 2 (RIPv2). MD5 authentication is supported by
OSPF, RIPv2, Border Gateway Protocol (BGP), and EIGRP. For the CCNA
objectives and the topics covered in this book, we are only going to cover RIPv2,
EIGRP and OSPF.
Simple password authentication is just that: simple. A password or key must
be configured on each participating neighbor router, and the key must be the same
on each of them.
MD5 authentication is cryptographic in its operation. By cryptographic I
mean that a key (or password) and a key ID are configured on each router. The
router runs an algorithm over the routing protocol packet, the key, and the key ID
to generate a digest, or hash, and that hash is appended to the packet. The
receiving router recomputes the hash with its own copy of the key and discards the
update if the two do not match. MD5 authentication is stronger than simple
authentication because the key is never sent over the wire, so no one listening on
the line can learn the key during transmission.
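To make the MD5 process concrete, here is an added Python model (not from this
book or from Cisco IOS) of what the key chain, key ID and key string do: the
sender appends a key ID and a digest computed over the update plus the key, and
the receiver looks the key up by ID and recomputes the digest. It is a simplified
model of the scheme, not the exact RIPv2 or EIGRP packet layout; the update bytes
and the key chain values are constructed to mirror the configurations below.

```python
import hashlib
import hmac
import struct

# Constructed key chain mirroring "key chain ccna / key 1 / key-string ccna".
# Assumption: simplified model of the digest scheme, not the RFC 2082 wire layout.
KEY_CHAIN = {1: b"ccna"}

def _pad_key(key: bytes) -> bytes:
    """Pad or truncate the key string to a fixed 16-byte field before hashing."""
    return key[:16].ljust(16, b"\x00")

def sign_update(update: bytes, key_id: int, key_chain: dict) -> bytes:
    """Sender: append a 1-byte key ID and MD5(update || key ID || key) to the update.
    Only the key ID and the digest go on the wire; the key string itself does not."""
    key_id_field = struct.pack("!B", key_id)
    digest = hashlib.md5(update + key_id_field + _pad_key(key_chain[key_id])).digest()
    return update + key_id_field + digest

def verify_update(packet: bytes, key_chain: dict) -> bool:
    """Receiver: read the key ID, find that key in the local chain, recompute the
    digest over the received bytes and compare it with the one that was appended."""
    if len(packet) < 17:
        return False
    update, key_id_field, digest = packet[:-17], packet[-17:-16], packet[-16:]
    key = key_chain.get(key_id_field[0])
    if key is None:  # key ID not in this router's chain: no key to check with
        return False
    expected = hashlib.md5(update + key_id_field + _pad_key(key)).digest()
    return hmac.compare_digest(expected, digest)

# Constructed stand-in for a RIPv2 update body advertising RouterB's 10.2.2.0/24.
SAMPLE_UPDATE = b"RIPv2 response: 10.2.2.0/24 metric 1"

def demo() -> dict:
    """Exercise the accept and reject cases a receiving router would see."""
    wire = sign_update(SAMPLE_UPDATE, 1, KEY_CHAIN)
    return {
        "accepted": verify_update(wire, KEY_CHAIN),
        "key_string_on_wire": b"ccna" in wire,
        "tampered_metric": verify_update(wire.replace(b"metric 1", b"metric 9"), KEY_CHAIN),
        "wrong_key_id": verify_update(wire, {2: b"ccna"}),  # same string, key ID 2
        "wrong_key_string": verify_update(wire, {1: b"other"}),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The wrong_key_id case is why the book says the key ID must match for MD5: the
receiver uses the ID carried in the packet to pick which key string to hash with.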
For the sample configurations of each of the following routing protocols,
the following figure shows the network used.
[Figure: RouterA (S0/0/0, Lo0) connected to RouterB (S0/0, Lo0); networks
shown left to right: 10.0.0.0/24, 10.1.1.0/24, 10.2.2.0/24]
The following is the configuration required for simple password
authentication on Router A in the sample network. This first portion of the
configuration establishes the key chain, key and key string. The key chain is
basically a container that holds the keys to be used by the authentication
process, just like the key chain that holds your house and car keys. On that
key chain you can have multiple keys, one for the car and one for the house and so
on. So in the key chain you have to define your key. The key has an ID; in my
configuration I used a key ID of 1. In simple text authentication the key chain
name and the key ID do not have to be the same on both routers, but
when we get to MD5 authentication the key ID must be the same because it is used
in the hash. Finally, the last thing to define is what the key looks like; this
would be like you deciding how many teeth are going to be on your car key. For
route authentication that is called the key string.
RouterA(config)#key chain ccna
RouterA(config-keychain)#key 1
RouterA(config-keychain-key)#key-string ccna
RouterB(config)#key chain ccna
RouterB(config-keychain)#key 1
RouterB(config-keychain-key)#key-string ccna
This has established all the pieces required for authentication to work; now
you have to tell the router to use the keys for authentication. For each of the
routing protocols that looks like this:
RIPv2
RouterA(config)#int s0/0/0
RouterA(config-if)#ip rip authentication key-chain ccna
RouterB(config)#int s0/0
RouterB(config-if)#ip rip authentication key-chain ccna
EIGRP
RouterA(config)#int s0/0/0
RouterA(config-if)#ip authentication key-chain eigrp 1 ccna
RouterB(config)#int s0/0
RouterB(config-if)#ip authentication key-chain eigrp 1 ccna
OSPF
RouterA(config)#int s0/0/0
RouterA(config-if)#ip ospf authentication-key ccna
RouterB(config)#int s0/0
RouterB(config-if)#ip ospf authentication-key ccna
Now you have completed the configuration for simple password
authentication. The nice thing is that most of the work is already done for MD5
authentication as well. All you have to add at this point is a command in each of
the routing protocols that changes the authentication mode so that it uses the
stronger process.
RIPv2
In RIPv2, you need only add this command to change the mode of
authentication. Everything that we have already configured will stay the same.
RouterA(config)#int s0/0/0
RouterA(config-if)#ip rip authentication mode md5
RouterB(config)#int s0/0
RouterB(config-if)#ip rip authentication mode md5
EIGRP
In EIGRP, again, everything configured up to now stays the same. You just have
to add this command to change the mode.
RouterA(config)#int s0/0/0
RouterA(config-if)#ip authentication mode eigrp 1 md5
RouterB(config)#int s0/0
RouterB(config-if)#ip authentication mode eigrp 1 md5
OSPF
In OSPF, the command that enables MD5 authentication is not just a mode
change command; rather, everything is done in one command. So the previous
authentication command is replaced by the following one for MD5
authentication.
RouterA(config)#int s0/0/0