EIGRP Authentication Essentials
Authentication in EIGRP (Enhanced Interior Gateway Routing Protocol) is a crucial aspect of network security. It's important to understand that while authentication ensures the authenticity of EIGRP routers, it does not provide encryption of the transmitted data. Let's delve into the details:
Authentication vs. Encryption:
- Authentication verifies the identity of routers in the EIGRP network: it ensures that routers are who they claim to be. It does not encrypt the data being transmitted; it only validates the source of the data.
- To achieve authentication in EIGRP, a pre-shared key is used to generate an MD5 digest (hash value) over each packet. This hash value is then used by the receiving router to verify the authenticity of EIGRP packets.
EIGRP 'Classic Mode' Authentication:
- In EIGRP 'Classic Mode,' which is discussed in RFC 7868, Sections 6.7.2 and 7.0, only MD5 authentication is supported. Classic Mode does not support newer hash algorithms such as SHA-2.
- Key chains are used in EIGRP to facilitate key rotation and management. The key chain name does not need to match between routers, but the key number and key string must match. Only one key number is used at any given time.
- Make sure there are no trailing white spaces in the key-string value, as this can affect authentication.
MD5 Authentication Type:
- MD5 authentication is identified in EIGRP by the TLV Authentication Type value 0x02. This value should not be confused with the TLV Type value of the Authentication TLV itself, which is 0x0002.
- If the MD5 digest computed by the receiver does not match the received hash, the EIGRP Hello packets are dropped, indicating a potential authentication problem.
Authentication Rules:
- When sending authenticated packets, the key with the lowest key number among all your keys is the one used to generate the hash, and its key number is sent along with the packet.
- When receiving authenticated packets, the MD5 digest is checked against all currently valid keys to confirm the authenticity of the received packet.
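As an added illustration (not part of the original page and not vendor code), the following Python models the sender and receiver rules above together with key-chain lifetimes: the sender signs with the lowest-numbered key whose send-lifetime is current, and the receiver accepts a packet if any key with a current accept-lifetime reproduces the digest. The digest construction, the lifetime values, the key strings and the Hello bytes are simplified assumptions for the demonstration, not the on-wire layout from RFC 7868; the trailing-space chain shows why that caveat matters.

```python
import hashlib
import hmac
from dataclasses import dataclass

AUTH_TYPE_MD5 = 0x02  # EIGRP TLV Authentication Type value for MD5 (from the page)
FOREVER = 2**31       # stands in for an IOS "infinite" lifetime (assumption)

@dataclass
class Key:
    number: int
    key_string: str
    send_lifetime: tuple = (0, FOREVER)    # (start, end) in epoch seconds, inclusive
    accept_lifetime: tuple = (0, FOREVER)

    def valid(self, window, now):
        return window[0] <= now <= window[1]

def md5_digest(packet: bytes, key_string: str) -> bytes:
    # Illustrative only: MD5 over the packet bytes followed by the pre-shared key.
    # The real layout hashed by EIGRP is defined in RFC 7868 section 6.7.2.
    return hashlib.md5(packet + key_string.encode()).digest()

def sign(packet: bytes, chain: list, now: int):
    """Sender rule: use the lowest key number among keys whose send-lifetime is current."""
    usable = [k for k in chain if k.valid(k.send_lifetime, now)]
    if not usable:
        raise ValueError("no key currently valid for sending")
    key = min(usable, key=lambda k: k.number)
    return (AUTH_TYPE_MD5, key.number, md5_digest(packet, key.key_string))

def verify(packet: bytes, auth_tlv: tuple, chain: list, now: int) -> bool:
    """Receiver rule: accept if any key with a current accept-lifetime reproduces the digest."""
    auth_type, _key_number, received = auth_tlv
    if auth_type != AUTH_TYPE_MD5:
        return False
    return any(hmac.compare_digest(md5_digest(packet, k.key_string), received)
               for k in chain if k.valid(k.accept_lifetime, now))

# Constructed sample data: a placeholder Hello payload and two routers' key chains.
HELLO = b"\x02\x05" + b"\x00" * 18   # not a real EIGRP packet, just bytes to hash
R1_CHAIN = [Key(1, "Keyone", send_lifetime=(0, 2000)),     # stops being sent at t=2000
            Key(2, "Keytwo", send_lifetime=(1500, FOREVER))]
R2_CHAIN = [Key(1, "Keyone"), Key(2, "Keytwo")]            # both still accepted
R2_BAD = [Key(1, "Keyone "), Key(2, "Keytwo")]             # trailing space in key 1

if __name__ == "__main__":
    tlv = sign(HELLO, R1_CHAIN, now=1800)
    print("send key", tlv[1], "accepted:", verify(HELLO, tlv, R2_CHAIN, 1800))  # key 1, True
    print("trailing space accepted:", verify(HELLO, tlv, R2_BAD, 1800))         # False
    tlv = sign(HELLO, R1_CHAIN, now=2500)
    print("send key", tlv[1], "accepted:", verify(HELLO, tlv, R2_CHAIN, 2500))  # key 2, True
```

During the overlap window both routers accept either key, which is what lets a rotation proceed without dropping adjacencies.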
Configuration:
To configure EIGRP authentication and key management, the following steps are typically followed:
- Create a key chain using the command:
    key chain [name]
- Define a key within the key chain using the command:
    key [#]
- Specify the key string using the command:
    key-string [string]
- Optionally, set key lifetime parameters using:
    send-lifetime
    accept-lifetime
- Under the interface configuration, enable EIGRP MD5 authentication and apply the key chain using the commands:
    ip authentication mode eigrp [as#] md5
    ip authentication key-chain eigrp [as#] [key-chain-name]
Verification:
To verify and monitor EIGRP authentication and key management, the following commands can be used:
- show ip eigrp neighbor [detail]: Displays detailed information about EIGRP neighbors, including their authentication status.
- show key chain: Displays the configured key chains and their associated key details.
- debug eigrp packets [terse] [detail]: Enables close monitoring of EIGRP packets, including authentication-related details, for diagnostic purposes.
In conclusion, EIGRP authentication is an essential aspect of securing EIGRP networks. Understanding key chains, key numbers, and key strings is crucial for proper configuration. MD5 authentication ensures the authenticity of transmitted EIGRP packets, and vigilance is required to maintain secure communication between routers.