Bronze

life time of key in authentication

Hi everybody,

Let's say we are running EIGRP on a group of routers. We are using MD5 authentication.

I configured the following on all EIGRP-running routers:

key chain zee
key 1
key-string sarah
accept-lifetime 08:00:00 jan 11 2008 08:00:00 jan 11 2009
send-lifetime 08:00:00 jan 11 2008 08:00:00 jan 11 2009

After one year, when the key lifetime has expired, what will happen?

thanks

8 REPLIES

Re: life time of key in authentication

Sarah,

I would think, although haven't tried it, it wouldn't use that password any longer and your neighbor relationships would be torn down.

You should be able to test this by changing your times around to be only 5 minutes and see if that's the case.

HTH,

John

Cisco Employee

Re: life time of key in authentication

Hello,

After the lifetime of the key expires, that key becomes essentially unusable for authentication. EIGRP will thus have no usable key for authentication. As a result, the EIGRP packets will be sent unauthenticated. Neighboring routers that are configured for authentication will not accept unauthenticated packets. The end result will be that the EIGRP adjacencies will be dropped and no routing information will be exchanged.

I have tested this on a two router topology. This is the debug output of one of the routers:

*Mar 1 00:18:22.475: EIGRP: interface Serial1/0, No live authentication keys

*Mar 1 00:18:22.479: EIGRP: Sending HELLO on Serial1/0

*Mar 1 00:18:22.479: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0

*Mar 1 00:18:23.491: EIGRP: Serial1/0: ignored packet from 10.0.0.2, opcode = 5 (missing authentication)

*Mar 1 00:18:27.131: EIGRP: interface Serial1/0, No live authentication keys

*Mar 1 00:18:27.135: EIGRP: Sending HELLO on Serial1/0

*Mar 1 00:18:27.135: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0

*Mar 1 00:18:28.215: EIGRP: Serial1/0: ignored packet from 10.0.0.2, opcode = 5 (missing authentication)

Notice how the router complains about no usable keys when sending the Hello packet, and about the missing authentication when processing a received Hello packet.

Best regards,

Peter

Bronze

Re: life time of key in authentication

Hi Peter.

How about the following scenario:

R1----R2

R1

key chain zee
key 1
key-string zee
send-lifetime 08:00:00 aug 18 2009 08:05:00 aug 18 2009

R2

key chain zee
key 1
key-string zee
accept-lifetime 08:00:00 aug 18 2009 08:05:00 aug 18 2009

=================================

Now both routers are configured for MD5 authentication.

Here is my understanding based on your reply:

1) After five minutes, R1 sends a hello with missing authentication, as key 1 has expired.

2) R2 ignores it.

3) R2 sends a hello without any authentication.

4) R1 receives the hello and processes it.

The end result is that the hello from R1 to R2 is ignored by R2, but not vice versa.

Is my understanding correct?

Thanks a lot.

Cisco Employee

Re: life time of key in authentication

Hello,

You're almost correct. This is the sequence of steps as I see it:

1) After 5 minutes, R1 will start sending unauthenticated hello packets because the key 1 has expired

2) R2 ignores the packets because they are unauthenticated

3) R2 sends hello packets which are authenticated by the key 1 (on R2, the key has not expired for the send operation)

4) R1 accepts hello packets because they are authenticated properly (on R1, the key has not expired for receive operation)

As a result, R2 will not see R1 in its neighbor table. R1 will see R2 in its neighbor table, but because any Update packets sent to R2 will be dropped by R2, R1 will not receive any acknowledgement and will ultimately tear down the adjacency. This process will repeat itself forever, and on R1 the adjacency with R2 will come up, then go down with the "retry limit exceeded" error, and come back up.

Best regards,

Peter

Bronze

Re: life time of key in authentication

Hi Peter.

Thanks a lot for answering my weird question.

R1 is only configured to send ospf packets with MD5 authentication. It is not configured to authenticate received packets, because of the command:

R1

key chain zee
key 1
key-string zee
send-lifetime 08:00:00 aug 18 2009 08:05:00 aug 18 2009

(there is no accept-lifetime command, so R1 is not authenticating any received ospf packets)

Similarly, R2 is not configured to send ospf packets with MD5 authentication, as it is configured with:

R2

key chain zee
key 1
key-string zee
accept-lifetime 08:00:00 aug 18 2009 08:05:00 aug 18 2009

(here the send-lifetime command is not configured)

So R2 is sending packets without any MD5 authentication.

If my above understanding is correct,

then R2's ospf packets to R1 should be accepted, but not vice versa. Why? When R1 receives an ospf packet from R2, R1 will not check for MD5 authentication, as it is not configured; besides, R2's ospf packets are sent without any MD5 authentication.

Is my understanding correct?

thanks

Bronze

Re: life time of key in authentication

Please disregard my last post.

I think I understand what Peter is trying to say.

As there is no time configured for R1 to authenticate received ospf packets, that means key 1 lasts forever, as there is no lifetime specified to authenticate received packets. Similarly, R1 is not configured for any lifetime for R1's ospf sending packets. So R1 sends ospf packets with MD5 authentication, R2 receives the ospf packets and authenticates them. The end result is that there is only one-way communication (only ospf packets) from R2 to R1, but not vice versa.

Thanks

Cisco Employee

Re: life time of key in authentication

Hello,

I think you meant to say EIGRP instead of OSPF, right?

You got it now. As soon as the authentication for EIGRP is activated on an interface, the router does the following:

1.) When sending EIGRP packets, it tries to find a key to authenticate the packet being sent out. If there is no valid key available, the packet will be sent out unauthenticated.

2.) When receiving EIGRP packets, it first drops all packets that are not authenticated at all. The remaining packets, which have the authentication field present, are tested against the valid key to see whether the authentication succeeds. If yes, these packets are processed; otherwise, they are dropped.

If a key chain does not contain any time limitation for sending or accepting a key, respectively, then that function of the key is not time limited. You have correctly pointed out that on R1, the key is always valid for testing received packets while on R2, the key is always valid for signing packets being sent out.

The situation may appear as there is a one-way communication between the routers. In reality, however, there is no workable communication between the two. Because of the key validity mismatch between the two routers, the EIGRP adjacency will not be stable (any Update packet sent from R1 to R2 will be dropped by R2 and remain unacknowledged, upon which the R1 will cancel the adjacency with R2).

Best regards,

Peter
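The send/accept rules Peter describes above, and the two configurations from earlier in the thread (the one-year key in the original question and the R1/R2 send-only/accept-only pair), can be worked through in a small model. The block below is an added example, not code from the thread or from Cisco; it assumes that the lowest-numbered key with a live send-lifetime signs outgoing packets, that a receiver looks the key up by the key-id carried in the packet, that an unconfigured lifetime is unbounded, and it stands in a plain MD5 over key-string plus payload for the real EIGRP digest layout. The third scenario goes beyond the thread: it adds a second key with an accept window that overlaps the cut-over, which is how a one-year key is rotated without losing the adjacency.

```python
"""Model of Cisco IOS key-chain send/accept lifetimes for EIGRP MD5 authentication.

Added example (not from the thread, not Cisco code). Assumptions, labelled here:
  * lowest-numbered key with a live send-lifetime signs outgoing packets;
  * the receiver looks the key up by the key-id carried in the packet's auth field;
  * a lifetime that is not configured is unbounded;
  * MD5 over key-string + payload stands in for the real EIGRP digest construction.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Key:
    key_id: int
    key_string: bytes
    accept_start: datetime = datetime.min   # no accept-lifetime configured: always accepted
    accept_end: datetime = datetime.max
    send_start: datetime = datetime.min     # no send-lifetime configured: always sendable
    send_end: datetime = datetime.max

    def accept_live(self, now: datetime) -> bool:
        return self.accept_start <= now < self.accept_end

    def send_live(self, now: datetime) -> bool:
        return self.send_start <= now < self.send_end


class KeyChain:
    def __init__(self, name: str, keys):
        self.name = name
        self.keys = sorted(keys, key=lambda k: k.key_id)

    def send_key(self, now: datetime) -> Optional[Key]:
        """Lowest-numbered key with a live send-lifetime, or None ('No live authentication keys')."""
        return next((k for k in self.keys if k.send_live(now)), None)

    def accept_key(self, key_id: int, now: datetime) -> Optional[Key]:
        return next((k for k in self.keys if k.key_id == key_id and k.accept_live(now)), None)


def digest(key_string: bytes, payload: bytes) -> bytes:
    # Stand-in for the keyed MD5 used by EIGRP; the exact field layout is not modelled.
    return hashlib.md5(key_string + payload).digest()


def build_hello(chain: KeyChain, now: datetime, payload: bytes = b"HELLO") -> dict:
    k = chain.send_key(now)
    if k is None:                     # no live key: the packet goes out unauthenticated
        return {"payload": payload, "auth": None}
    return {"payload": payload, "auth": (k.key_id, digest(k.key_string, payload))}


def receive(chain: KeyChain, pkt: dict, now: datetime) -> str:
    if pkt["auth"] is None:
        return "ignored (missing authentication)"
    key_id, mac = pkt["auth"]
    k = chain.accept_key(key_id, now)
    if k is None:
        return "ignored (no live key for key-id %d)" % key_id
    if not hmac.compare_digest(mac, digest(k.key_string, pkt["payload"])):
        return "ignored (bad authentication)"
    return "accepted"


def exchange(r1: KeyChain, r2: KeyChain, now1: datetime, now2: Optional[datetime] = None):
    """Return (what R2 does with R1's hello, what R1 does with R2's hello); now2 lets the clocks differ."""
    now2 = now2 or now1
    return receive(r2, build_hello(r1, now1), now2), receive(r1, build_hello(r2, now2), now1)


def thread_scenarios() -> dict:
    T = datetime
    out = {}
    # 1) The original question: one key, identical one-year lifetimes on both routers.
    def zee():
        return KeyChain("zee", [Key(1, b"sarah", T(2008, 1, 11, 8), T(2009, 1, 11, 8),
                                    T(2008, 1, 11, 8), T(2009, 1, 11, 8))])
    out["before_expiry"] = exchange(zee(), zee(), T(2008, 7, 1, 8))
    out["after_expiry"] = exchange(zee(), zee(), T(2009, 2, 1, 8))
    # 2) The asymmetric case: R1 has only a send-lifetime, R2 only an accept-lifetime.
    r1 = KeyChain("zee", [Key(1, b"zee", send_start=T(2009, 8, 18, 8), send_end=T(2009, 8, 18, 8, 5))])
    r2 = KeyChain("zee", [Key(1, b"zee", accept_start=T(2009, 8, 18, 8), accept_end=T(2009, 8, 18, 8, 5))])
    out["asymmetric_after_5min"] = exchange(r1, r2, T(2009, 8, 18, 8, 6))
    # 3) Rotation done safely: key 2's accept window opens before key 1 stops being sent, and key 1
    #    stays acceptable after the cut-over, so a neighbour whose clock lags by a minute still agrees.
    def rollover():
        return KeyChain("zee", [
            Key(1, b"sarah", T(2008, 1, 11, 8), T(2009, 1, 11, 9), T(2008, 1, 11, 8), T(2009, 1, 11, 8)),
            Key(2, b"sarah-2009", T(2009, 1, 11, 7), T(2010, 1, 11, 9), T(2009, 1, 11, 8), T(2010, 1, 11, 8)),
        ])
    out["rollover_skewed_clocks"] = exchange(rollover(), rollover(),
                                             T(2009, 1, 11, 8, 0, 30), T(2009, 1, 11, 7, 59, 30))
    return out


if __name__ == "__main__":
    for name, result in thread_scenarios().items():
        print(f"{name}: R2<-R1 {result[0]!r}, R1<-R2 {result[1]!r}")
```

The asymmetric scenario reproduces the one-way picture from the thread: R2 drops R1's unauthenticated hellos while R1 keeps accepting R2's signed ones. The rollover scenario is the practical takeaway for the original question: give the replacement key an accept-lifetime that starts before, and ends after, the send cut-over, so that neither key expiry nor modest clock skew between neighbours leaves a router with "No live authentication keys".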

Bronze

Re: life time of key in authentication

Thanks a lot, Peter. Yes indeed, I meant EIGRP, not OSPF.
