
EIGRP Authentication with SHA-2 256 (Named Mode)

Authentication in EIGRP (Enhanced Interior Gateway Routing Protocol) protects the routing domain from forged or tampered routing packets, and is a critical aspect of network security. It is worth stressing up front that authentication verifies who sent a packet and that the packet was not altered in transit; it does not encrypt anything. This page covers the specific details of SHA-2 256 (HMAC-SHA-256) authentication in EIGRP 'Named Mode'.

Authentication and Encryption Clarification:

  • Authentication ensures that a router only forms an adjacency with, and only accepts routing information from, a peer that proves possession of the shared key; a packet whose digest does not verify is dropped. It does not encrypt the data being transmitted: anyone capturing traffic on the segment can still read the Hello, Update and Query contents. Authentication and encryption are distinct properties, and EIGRP provides only the former.

EIGRP 'Named Mode' Authentication:

  • SHA-2 256 authentication (HMAC-SHA-256) is described in RFC 7868 (Sections 6.7.2 and 7) and is supported only in EIGRP 'Named Mode'. 'Classic Mode' supports MD5 only, so a router that needs SHA-256 authentication has to be migrated to named-mode configuration first. HMAC-SHA-256 is the more robust of the two and should be preferred wherever both ends support it.

  • To facilitate authentication and key management, EIGRP in 'Named Mode' uses key chains, which allow keys to be rotated without dropping adjacencies. The key chain name is local to each router and does not need to match between neighbors, but the key number (the key ID, which is carried in the packet) and the key string must match on both ends. Only one key is used to send at any given time. Trailing white space in a key-string value is a common cause of authentication failures: the string is taken literally, so "cisco123 " and "cisco123" are different keys, and the difference is invisible in the running configuration.

SHA-2 Authentication Type:

  • Every authenticated EIGRP packet carries an Authentication TLV. Inside it, the authentication-type field identifies the algorithm: 0x0002 is MD5 and 0x0003 is SHA-2 256. This field is distinct from the TLV type field that identifies the Authentication TLV itself (0x0002 in RFC 7868), so do not confuse the two when reading a packet capture.

  • If the HMAC-SHA-256 digest recomputed by the receiver does not match the digest in the packet, the packet is dropped. This applies to every authenticated packet type, not only Hellos, but the visible symptom is that Hellos are silently discarded: the neighbor adjacency never forms, or an existing one is torn down when the hold timer expires after the keys stop matching.

Authentication Rules:

  • When sending, the router uses the lowest-numbered key whose send-lifetime is currently valid to compute the digest, and places that key number in the Authentication TLV alongside the digest. Adding a new key with a higher number therefore changes nothing on the wire until the old key's send-lifetime ends.

  • When receiving, the digest is checked against the currently valid keys, i.e. those whose accept-lifetime includes the current time. For a smooth rotation, give the new key an accept-lifetime that starts before its send-lifetime on every router, and keep clocks synchronized (NTP) so a key does not expire on one side while the other is still sending with it.
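
The two rules above, together with the key-chain points from the 'Named Mode' section (key chain names are local, key number and key string must match, trailing white space breaks the match), modeled in Python as an added example. This is not IOS code and not from the original notes: it assumes, for illustration only, that the digest is an HMAC-SHA-256 keyed by the key string alone over a small header plus the packet bytes. The real IOS key derivation and TLV layout are not given on this page. The packet bytes, timestamps and chain names (HELLO, T, R1CHAIN/R2CHAIN/R3CHAIN) are constructed.

```python
"""Model of the EIGRP named-mode key-chain rules (added example, not IOS code).

Assumption: the digest is HMAC-SHA-256, keyed by the key string alone, over
auth-type | auth-len | key-id | packet bytes. Real IOS may key or lay out the
Authentication TLV differently; only the key-selection rules are modeled.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

AUTH_TYPE_SHA256 = 0x0003   # authentication-type field value for SHA-2 256
DIGEST_LEN = 32             # SHA-256 digest length in bytes
Window = Optional[Tuple[int, int]]   # (start, end) epoch seconds; None = always


def _in_window(window: Window, now: int) -> bool:
    return window is None or window[0] <= now < window[1]


@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: str           # used literally: trailing spaces are part of the key
    send_lifetime: Window = None
    accept_lifetime: Window = None


class KeyChain:
    def __init__(self, name: str, keys):
        self.name = name      # local to this router; it need not match the peer's
        self.keys = {k.key_id: k for k in keys}

    def send_key(self, now: int) -> Key:
        """Send rule: the lowest-numbered key with a valid send-lifetime."""
        valid = [k for k in self.keys.values() if _in_window(k.send_lifetime, now)]
        if not valid:
            raise LookupError("no key with a valid send-lifetime")
        return min(valid, key=lambda k: k.key_id)

    def accept_keys(self, now: int):
        """Receive rule: only keys with a valid accept-lifetime are candidates."""
        return [k for k in self.keys.values() if _in_window(k.accept_lifetime, now)]


def _header(key_id: int) -> bytes:
    return struct.pack("!HHI", AUTH_TYPE_SHA256, DIGEST_LEN, key_id)


def _digest(key: Key, payload: bytes) -> bytes:
    return hmac.new(key.key_string.encode(), _header(key.key_id) + payload,
                    hashlib.sha256).digest()


def sign(chain: KeyChain, payload: bytes, now: int) -> bytes:
    """Authenticate an outgoing packet: header | digest | payload."""
    key = chain.send_key(now)
    return _header(key.key_id) + _digest(key, payload) + payload


def verify(chain: KeyChain, packet: bytes, now: int) -> bool:
    """True if the packet authenticates; False is what makes IOS drop it."""
    if len(packet) < 8 + DIGEST_LEN:
        return False
    auth_type, auth_len, key_id = struct.unpack("!HHI", packet[:8])
    if auth_type != AUTH_TYPE_SHA256 or auth_len != DIGEST_LEN:
        return False
    received, payload = packet[8:8 + DIGEST_LEN], packet[8 + DIGEST_LEN:]
    # The key number in the packet must exist here and be accept-valid now.
    for key in chain.accept_keys(now):
        if key.key_id == key_id:
            return hmac.compare_digest(_digest(key, payload), received)
    return False


HELLO = b"\x02\x05" + b"\x00" * 18   # constructed stand-in for an EIGRP Hello
T = 1_700_000_000                     # constructed "now" (epoch seconds)


def demo() -> dict:
    """Rotation from key 1 to key 2, the trailing-space trap, and tampering."""
    def rotating():   # key 1 stops being sent at T+60 but is accepted until T+600
        return [Key(1, "cisco123", (T - 3600, T + 60), (T - 3600, T + 600)),
                Key(2, "cisco456")]                    # no lifetimes: always valid
    r1 = KeyChain("R1CHAIN", rotating())
    r2 = KeyChain("R2CHAIN", rotating())               # different name, same keys
    r3 = KeyChain("R3CHAIN", [Key(1, "cisco123 "), Key(2, "cisco456")])
    out = {}
    pkt = sign(r1, HELLO, T)
    out["send_key_now"] = r1.send_key(T).key_id        # lowest valid key: 1
    out["peer_ok"] = verify(r2, pkt, T)
    out["trailing_space"] = verify(r3, pkt, T)         # key-string mismatch
    later = T + 120                                    # key 1 send-lifetime over
    pkt2 = sign(r1, HELLO, later)
    out["send_key_later"] = r1.send_key(later).key_id  # rolled to key 2
    out["peer_ok_after_rotation"] = verify(r2, pkt2, later)
    tampered = pkt2[:-1] + bytes([pkt2[-1] ^ 0x01])    # flip a payload bit
    out["tampered"] = verify(r2, tampered, later)
    return out
```

demo() returns send_key_now=1, peer_ok=True, trailing_space=False, send_key_later=2, peer_ok_after_rotation=True and tampered=False. The R3 case is the one to remember from the field: a key string that differs only by a trailing space fails exactly like a wrong key, and nothing in the configuration output makes the difference visible.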

Configuration:

To configure EIGRP authentication and key management with SHA-2 256 in 'Named Mode', the following steps are typically followed:

  1. Create a key chain in global configuration using the command key chain [name].
  2. Define a key within the key chain using the command key [#]; this number is the key ID carried in the packets and must match the neighbor's.
  3. Specify the key string using the command key-string [string] (no trailing white space).
  4. Optionally, set key lifetime parameters using send-lifetime and accept-lifetime.
  5. Apply authentication under the address family, in af-interface [interface] (or af-interface default) within router eigrp [name] / address-family ipv4 unicast autonomous-system [AS]. In named mode this is not done under the physical interface. There are two options:

    • Without a key chain: authentication mode hmac-sha-256 [pre-shared-key/password]. The password is configured directly and must be identical on both neighbors; there is no key ID or lifetime, so rotating it means changing both sides at the same time and accepting a brief adjacency loss.

    • With a key chain: authentication key-chain [key chain name] together with authentication mode hmac-sha-256 [pre-shared-key/password]. The password argument is required by the command syntax; with a key chain attached, the key chain's key IDs, key strings and lifetimes govern what is sent and accepted, which is what makes hitless rotation possible.
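
A complete named-mode configuration following the five steps above, added here as an example rather than taken from the original notes. The key chain name, process name, AS number, interface, network, NTP server, dates and key strings (EIGRP-KEYS, CCNP, 100, GigabitEthernet0/0, 10.0.0.0/24, 10.0.0.254, cisco123/cisco456) are assumptions. The second key shows a staggered rotation: on each router the accept-lifetime of the new key opens an hour before its send-lifetime, and the old key is still accepted for an hour after it stops being sent, so a modest clock difference between the two routers does not drop the adjacency.

```cisco
! Step 1-4: key chain with two keys. Key 1 is in use now; key 2 takes over
! on 1 Jul 2024. Accept windows overlap the send windows by one hour on
! each side of the cutover. Enter key strings with no trailing spaces.
key chain EIGRP-KEYS
 key 1
  key-string cisco123
  accept-lifetime 00:00:00 Jan 1 2024 01:00:00 Jul 1 2024
  send-lifetime 00:00:00 Jan 1 2024 00:00:00 Jul 1 2024
 key 2
  key-string cisco456
  accept-lifetime 23:00:00 Jun 30 2024 infinite
  send-lifetime 00:00:00 Jul 1 2024 infinite
!
! Step 5: named-mode EIGRP. Authentication is applied per af-interface
! inside the address family, not under interface GigabitEthernet0/0.
router eigrp CCNP
 address-family ipv4 unicast autonomous-system 100
  af-interface GigabitEthernet0/0
   authentication mode hmac-sha-256 cisco123
   authentication key-chain EIGRP-KEYS
  exit-af-interface
  network 10.0.0.0 0.0.0.255
 exit-address-family
!
! Lifetimes are only meaningful if both routers agree on the time.
ntp server 10.0.0.254
```

The same key chain and af-interface block go on the neighbor; only the key chain name may differ there. Once key 1's accept-lifetime has passed on both routers it can be removed from the chain.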

Verification:

To verify and monitor EIGRP authentication and key management with SHA-2 256, consider using the following commands:

  • show ip eigrp neighbors [detail]: Lists the neighbors that have formed an adjacency. A neighbor that disappears, or never appears, after authentication is enabled is the usual first sign of a key mismatch; authentication failures do not show up as a neighbor in a special state, the neighbor simply is not listed.

  • show ip eigrp interfaces [detail]: The detail form shows, per interface, the authentication mode in use and the key chain attached, which is the quickest way to confirm that the af-interface configuration landed on the intended interface.

  • show key chain: Displays each key chain with its keys, key strings and lifetimes, and marks which keys are currently valid for sending and accepting, so a lifetime that has already expired or not yet started is visible here before the adjacency drops.

  • debug eigrp packets [terse] [detail]: Shows individual EIGRP packets as they are sent and received, including received packets that fail authentication. On a router carrying production traffic, prefer the terse form and keep the debug window short, as packet debugging is expensive.

In conclusion, HMAC-SHA-256 authentication in EIGRP 'Named Mode' is the stronger option and the only SHA-2 option; it guarantees the origin and integrity of EIGRP packets but not their confidentiality. Getting it right comes down to the key chain: matching key numbers and key strings on both ends, overlapping send and accept lifetimes with synchronized clocks, and no stray white space in the key string.