Routing Protocol Authentication – MD5

Network security is an important consideration for network administrators. The router install in a public network is at risk each time, anyone with a packet sniffer can read information propagating between routers. The router can be attacked through the interruption of peer devices or the falsifying of routing information. Interruption of peers is less critical than the falsification because routing protocols restore themselves from interruption. So, the falsification of routing information is attractable for attackers. The falsifying routing information can redirect traffic to create routing loops, monitor the traffic on an insecure line and discard the traffic to false redirection.

We can protect routing information on the network to authenticate routing protocol packets using the Message Digest 5 (MD5) algorithm. The router enabled with MD5 authentication compare signatures that should all be the same which confirm the realistic source. The components of the MD 5 authentication are:

  • Encryption algorithm
  • Secret Key used in the encryption algorithm.
  • Contents of the packet itself

In the MD 5 authentication, the source of the routing information builds a signature using the key including routing data. The signature including data is then sent as inputs to the encryption algorithm of destination router as routing updates. The receiving router then repeats the process using the same key and the same routing data it has received. If the received signature to the receiver is the same as the signatures of the receiver, the received update is authenticated and considered trustworthy. Routing protocols such as RIPv2, EIGRP, OSPF, IS-IS, and BGP all support a variety of forms of MD5 authentication.

Configuring EIGRP with MD5 Authentication

Routers configured with EIGRP message authentication only accept routing messages from other routers that know the same pre-shared key. If authentication is not configured on the router an unauthorized individual can introduce an additional router with different or inconsistent route information on the network. The routing tables on the valid routers can become damaged and a DoS attack may result. MD 5 authentication prevents someone from deliberately, or unintentionally, adding another router to the network and causing a problem. The configuration of EIGRP message authentication has two steps

  • Creation of a keychain and key
  • Configuration of EIGRP authentication to use that keychain and key.

Create a Keychain and Key

Before routing, authentication can be enabled, create a keychain and at least with one key.  To create a key chain use the following commands in global configuration mode.

Router(config)# key chain <name-of-chain>

The key ID is the number to identify key within a keychain. The range of key IDs is from 0 to 2,147,483,647. It is suggested that the key number be the same on all routers in the configuration.

Router(config-keychain)# key <key-id>

Specify the key string for the key which is similar to a password. The string must be same for the routers exchanging authentication keys.

Router(config-keychain-key )# key-string <key-string-text>

Configure EIGRP Authentication Using Keychain and Key

Configure EIGRP with a previously defined key to perform message authentication. In the interface configuration mode configure EIGRP message authentication with MD 5 hashtag, which indicates that the MD5 hash is to be used for authentication. Also, specify the keychain that should be used for authentication. The name-of-chain specifies the keychain that was created in Step 1.

Router(config-if)# ip authentication mode eigrp as-number md5

Router(config-if)# ip authentication key-chain eigrp as-number name-of-chain

All keys are configured with his key ID, which is stored locally. The group of the key ID and the interface connected with the message uniquely identifies the authentication algorithm and MD5 authentication key in use. The keychain including the routing update is processed using the MD5 algorithm to produce a unique signature.

Example of EIGRP Authentication

All EIGRP-enabled interfaces must be configured to support authentication Figure 1 illustrates the MD-5 authentication configuration. The topology is previously configured with EIGRP and the network is fully converged. When we apply the command “ ip authentication mode eigrp 100 md5”. The DUAL displayed a message that the neighbor adjacency has changed to down, because of authentication mode change, the message is also displayed on R2.

Routing Protocol Authentication - MD5 3

Figure 2 shows the configuration for router R2 using the KEY_EIGRO keychain and the cisco_cisco key string. After R2 is configured, the other routers receive authenticated routing updates. The DUAL message is again displayed on both routers that the adjacencies are again changed state to up because now both side is configured with the same authentication keys and key chain.

Routing Protocol Authentication - MD5 4

Configuring EIGRP for IPv6 Authentication

We can configure and authenticate the EIGRP for IPv6 using the same commands. The only difference is the interface configuration mode commands use “ipv6” as an alternative of “ip”. The command syntax is following.

Router(config-if)# ipv6 authentication mode eigrp <as-number> md5

Router(config-if)# ipv6 authentication key-chain eigrp <as-number> <name-of-chain>

Verify Authentication

When EIGRP message authentication is configured on one router, any adjacent neighbors that have not yet been configured for authentication change the adjacencies to down. In the above example when R1 is configured for MD5 on serial 0/0/0, but at the time R2 was not configured at that time, the following message appeared on R1 and also on R2:

%DUAL-5-NBRCHANGE: IP-EIGRP(0)100: Neighbor is down: authentication mode changed

When the adjacent router serial 0/0/0 interface is configured, the adjacency is re-established and the following message is displayed on both R1 and R2:

%DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor is up new adjacency

If authentication is not configured on both side the adjacencies are not formed. It is important that same authentication must be configured on both sides. We can verify the authentication configuration using a “show ip eigrp neighbors” command on each router to verify the neighbor adjacencies. We can also verify the EIGRP for IPv6, using the “show ipv6 eigrp neighborscommand.