
key chain, order of keys,

sarahr202
Level 5

Hi everybody.

Let's say I configured a key chain as follows:

key chain zee
 key 5
  key-string zee5
 key 4
  key-string zee4
 key 3
  key-string zee3
 key 2
  key-string zee2
 key 1
  key-string zee1

1) Will the keys be used in the order they were configured, or will they be used in ascending order, i.e. keys 1, 2, 3, 4 and 5?

=====================================

Let's say we have two routers which are connected by s0 as shown below:

R1 s0 ------------------ s0 R2

Both routers are using EIGRP and MD5 authentication.

R1:

key chain zee
 key 1
  key-string cisco1

R2:

key chain ruby
 key 2
  key-string cisco1

2) Can both routers successfully use MD5, considering R1 is using key 1 and R2 is using key 2, though both have the same string?

===================================

Let's say we have a key chain as shown below:

key chain zee
 key 1
  key-string zee1
  accept-lifetime 08:15:00 aug 27 2009
  send-lifetime 08:16:00 aug 27 2009
 key 2
  key-string zee2
  accept-lifetime 08:17:00 aug 27 2009
  send-lifetime 08:18:00 aug 27 2009

3) My question is: when will the router start using key 2? Will the router start using key 2 when both lifetimes for key 1, i.e. the send lifetime and the accept lifetime, have expired?

4) Is it possible that the router can start using key 2 even if only one of the lifetimes of key 1, say the send lifetime, has expired but the accept lifetime has not?

Thanks and have a good weekend.

Accepted Solution

Peter Paluch
Cisco Employee

Hello Sarah,

1.) The keys will be searched in the ascending order, i.e. from 1 to 5. The first valid key will be used for transmission. For receiving, the key number that was used by the sender of the received packet will be included in the packet, therefore, when an authenticated packet is received, the key number inside that packet will indicate which key should be used to verify the authentication.

Quoting from the EIGRP Configuration Guide:

You can configure multiple keys with lifetimes. Only one authentication packet is sent, regardless of how many valid keys exist. The software examines the key numbers in order from lowest to highest, and uses the first valid key it encounters.

2.) No. Both the key numbers and the key strings must match.

3.) Following from the quotation above, the router will start using the key 2 for transmitting packets only when the key 1 becomes invalid for transmitting. There is no confusion about identifying the correct key to use when receiving packets because a received packet contains the key number to use when verifying its authentication.

4.) Yes, it is - the accept-lifetime of the key 1 can be infinite. However, when its send-lifetime expires, the router will no longer consider that key usable for authenticating transmitted packets and will search in ascending order for a new usable key.

Best regards,

Peter

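A small model of the selection rules Peter describes, as an added example that is not part of this thread: the sender walks key numbers in ascending order and takes the first one whose send-lifetime is currently valid, while the receiver uses the key number carried in the packet and checks that key's accept-lifetime. The keyed-MD5 construction and the packet payload are simplified assumptions, not the real EIGRP authentication TLV format, and the lifetime end times are constructed because the question gives only start times.

```python
import hashlib, hmac
from collections import namedtuple
from datetime import datetime

INFINITE = datetime.max
# One "key N" entry of an IOS key chain with its send- and accept-lifetimes.
Key = namedtuple("Key", "key_id key_string send_start send_end accept_start accept_end")

def send_key(chain, now):
    """Sender side: lowest key number whose send-lifetime covers `now`."""
    for k in sorted(chain, key=lambda k: k.key_id):
        if k.send_start <= now <= k.send_end:
            return k
    return None

def digest(payload, key_string):
    # Simplified keyed-MD5 model; the real EIGRP authentication TLV layout is not reproduced.
    return hashlib.md5(payload + key_string).digest()

def sign(chain, payload, now):
    """What the sender puts in the packet: (key number, digest), or None if no key is sendable."""
    k = send_key(chain, now)
    return None if k is None else (k.key_id, digest(payload, k.key_string))

def verify(chain, payload, auth, now):
    """Receiver side: use the key number carried in the packet, then check its accept-lifetime."""
    key_id, mac = auth
    k = next((k for k in chain if k.key_id == key_id), None)
    if k is None or not (k.accept_start <= now <= k.accept_end):
        return False
    return hmac.compare_digest(mac, digest(payload, k.key_string))

def demo():
    t = lambda h, m: datetime(2009, 8, 27, h, m)
    # Constructed end times; the question gives only the start times.
    zee = [Key(1, b"zee1", t(8, 16), t(8, 30), t(8, 15), INFINITE),
           Key(2, b"zee2", t(8, 18), INFINITE, t(8, 17), INFINITE)]
    r1 = [Key(1, b"cisco1", t(0, 0), INFINITE, t(0, 0), INFINITE)]
    r2 = [Key(2, b"cisco1", t(0, 0), INFINITE, t(0, 0), INFINITE)]
    pkt = b"EIGRP-HELLO"  # constructed payload
    return {
        "q1_send_key_0820": send_key(zee, t(8, 20)).key_id,  # both valid, lowest wins
        "q2_key_numbers_differ": verify(r2, pkt, sign(r1, pkt, t(9, 0)), t(9, 0)),
        "q4_send_key_0831": send_key(zee, t(8, 31)).key_id,  # key 1 send-lifetime over
        "q4_key1_still_accepted": verify(zee, pkt, sign(zee, pkt, t(8, 20)), t(8, 31)),
    }
```

The `q2` entry shows why R1 (key 1) and R2 (key 2) fail even with identical strings, and the two `q4` entries show the rollover window where key 1 is no longer sent but is still accepted.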