Authentication Methods

  • How does plain text authentication work in the case of routing updates?
    • Routing updates carry a key and a key number. (If a routing protocol does not support multiple keys, the key number = 0.)
    • The other router receives the key and compares it with its own.
    • If the keys and key numbers match, it accepts the update.
  • Which routing protocols support plain text authentication?
    • RIPv2, OSPFv2, IS-IS
  • How does hashing authentication work in the case of routing updates?
    • A hashing algorithm is run on a routing update using the configured key. The result is added to the end of the routing update.
    • The neighbor runs the hashing algorithm on the received update and its local key, which results in a hash digest.
    • If the created hash digest matches the received hash digest, the router accepts the update.
  • What is a key chain? What are its advantages?
    • It is a collection of keys, each identified by an associated key ID.
    • Each key can be configured to be used in a specified time window = time-based key chain.
  • How do you configure time-based key chain?
    • key chain R1KEYCHAIN
        key 1
           ! password of key 1
           key-string Cisco
           accept-lifetime 01:00:00 April 1 2014 01:00:00 May 2 2014
           send-lifetime 01:00:00 April 1 2014 01:00:00 May 2 2014
        key 2
           key-string Juniper
           accept-lifetime 01:00:00 April 1 2014 infinite
           send-lifetime 01:00:00 April 1 2014 infinite
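
The hash check and the time-based key chain described above can be modelled together. The Python sketch below is an added example, not part of the original notes and not Cisco's implementation; the packet layout (update, 1-byte key ID, 16-byte MD5 digest), the single lifetime per key, and the lowest-numbered-key send rule are assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import datetime

INFINITE = datetime.max

# Constructed key chain modelled on R1KEYCHAIN: key_id -> (key-string, start, end).
# One lifetime per key stands in for both accept-lifetime and send-lifetime (assumption).
KEYCHAIN = {
    1: (b"Cisco", datetime(2014, 4, 1, 1), datetime(2014, 5, 2, 1)),
    2: (b"Juniper", datetime(2014, 4, 1, 1), INFINITE),
}

def active_keys(chain, now):
    """Return the key IDs whose lifetime covers `now`, lowest ID first."""
    return sorted(k for k, (_, start, end) in chain.items() if start <= now < end)

def digest(update, key):
    # Simplified model: MD5 over update + key. Real protocols define their own layout.
    return hashlib.md5(update + key).digest()

def send(chain, update, now):
    """Hash with the lowest-numbered active key; append key ID and digest."""
    ids = active_keys(chain, now)
    if not ids:
        raise ValueError("no key is valid for sending at this time")
    kid = ids[0]
    return update + bytes([kid]) + digest(update, chain[kid][0])

def receive(chain, packet, now):
    """Return the update if the digest verifies with an acceptable key, else None."""
    if len(packet) < 17:
        return None  # too short to hold a key ID and a digest
    update, kid, received = packet[:-17], packet[-17], packet[-16:]
    if kid not in active_keys(chain, now):
        return None  # unknown key ID, or key outside its lifetime
    expected = digest(update, chain[kid][0])
    # Constant-time comparison avoids leaking how many digest bytes matched.
    return update if hmac.compare_digest(expected, received) else None
```

A packet hashed with key 1 in April is rejected in June because key 1 has expired by then, which is why lifetimes on both routers need to overlap during a key rollover.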

EIGRP Authentication

  • What packets are authenticated when EIGRP authentication is active?
    • All EIGRP messages.
    • The routers use the same preshared key (PSK) and generate an MD5 digest for each EIGRP message based on the PSK.
  • What kind of security does EIGRP authentication give?
    • It helps to prevent DoS attacks.
    • Other devices (not neighbors) can still read the EIGRP messages.
    • However, they cannot form a neighborship.
  • How do you configure EIGRP for IPv4 authentication? 
    • key chain R1KEYS
        key 1
           key-string DRIZZT
        key 2
           key-string GERALT
      !
      interface Fa0/0
        ip authentication mode eigrp 1 md5
        ip authentication key-chain eigrp 1 R1KEYS
    • ip authentication mode eigrp ASN md5
      ip authentication key-chain eigrp ASN  name-of-keychain
    • Note: In this example key 2 will never be used. If key 1 does not match, key 2 is not checked. Multiple keys are useful if you configure lifetimes too.
  • How do you configure EIGRP for IPv6 authentication?

    • key chain R1KEYS
        key 1
           key-string DRIZZT
      !
      interface Fa0/0
        ipv6 eigrp 1
        ipv6 authentication mode eigrp 1 md5
        ipv6 authentication key-chain eigrp 1 R1KEYS
    • ipv6 authentication mode eigrp ASN md5
      ipv6 authentication key-chain eigrp ASN  name-of-keychain 
  • How do you configure named EIGRP authentication? 
    • key chain R1KEYS
        key 1
           key-string DRIZZT
      !
      router eigrp EIGRP-DEMO
      !
        address-family ipv4 unicast autonomous-system 2
        !
        af-interface Fa0/0
          authentication mode md5
          authentication key-chain R1KEYS
        exit-af-interface
        !
        network 0.0.0.0
      exit-address-family

OSPF Authentication

  • What packets are authenticated when OSPF authentication is active?
    • As in the case of EIGRP, all OSPF messages are checked.
  • What types of authentication exist in OSPF?
    • Type 0 = no authentication
    • Type 1 = plain text authentication (OSPFv3 does not support it)
    • Type 2 = Hashing authentication
  • Where and how can you configure plain text authentication?
    • You can configure it either on an interface or for an OSPF area.
    • !R1
      interface Fa0/0
        ip address 10.0.0.1 255.255.255.0
        ip ospf authentication-key KEYLIME
      !
      router ospf 1
        ! enables authentication on an area
        area 0 authentication
      
      !R2
      interface Fa0/0
        ip address 10.0.0.2 255.255.255.0
        ! enable authentication on an individual interface
        ip ospf authentication
        ip ospf authentication-key KEYLIME
      
      
  • What is the difference between plain text and MD5 authentication in OSPF?
    • The MD5 hash is calculated using the key-string (up to 16 characters) and the key ID.
    • You can have a separate key for each interface.
  • How do you configure MD5 authentication?
    • !R1
      interface Fa0/0
        ip address 10.0.0.1 255.255.255.0
        ip ospf message-digest-key 1 md5 KEYLIME
      !
      router ospf 1
        ! enable MD5 auth for all of area 0
        area 0 authentication message-digest
        network 0.0.0.0 255.255.255.255 area 0
      
      !R2
      interface Fa0/0
        ip address 10.0.0.2 255.255.255.0
        ! enable MD5 auth for the interface
        ip ospf authentication message-digest
        ip ospf message-digest-key 1 md5 KEYLIME
      !
      router ospf 1
        network 0.0.0.0 255.255.255.255 area 0
  • How do you verify which type of authentication is used on the interface?
    • show ip ospf interface interface-id
  • How does OSPFv3 authentication work?
    • OSPFv3 uses IPsec for authentication, and Encapsulating Security Payload (ESP) for authentication and encryption:
      ipv6 ospf authentication = only authentication
      ipv6 ospf encryption = authentication and encryption using ESP
  • How do you configure OSPFv3 authentication?
    • !R1
      interface Fa0/0
        ipv6 address 2002::1/64
        ipv6 ospf 2 area 0
      !
      ipv6 router ospf 2
        router-id 1.1.1.1
        area 0 authentication ipsec spi 256 sha1 0123456789012345678901234567890123456789
      
      
      !R2
      interface Fa0/0
        ipv6 address 2002::2/64
        ipv6 ospf authentication ipsec spi 256 sha1 0123456789012345678901234567890123456789
        ipv6 ospf 2 area 0
      !
      ipv6 router ospf 2
        router-id 2.2.2.2
    • As in the previous configurations, OSPFv3 security can be configured under the interface or under the router ospf section.
      area area-number authentication ipsec spi security-policy-index md5/sha1  0/7 key-string 

      ipv6 ospf authentication ipsec spi security-policy-index md5/sha1  0/7 key-string

  • How can you verify OSPFv3 authentication?
    • show crypto ipsec sa interface interface-id

BGP Authentication

  • What is the difference between IGP and BGP security?
    • BGP neighbors are specified explicitly, so there is a smaller chance for threats. The existing TCP session can still get hijacked.
  • What type of security does BGP use?
    • There is no plain text or SHA authentication, only MD5!
  • How do you configure IPv4 BGP authentication?
    • neighbor neighbor-IP password key-string 
  • How do you configure IPv6 BGP authentication?
    • neighbor neighbor-IPv6 password key-string