What are the benefits of using EIGRP authentication?

EIGRP is one of the routing protocols that can be configured to reject routing updates from sources it does not trust. If you run EIGRP without authentication, anyone with a host on the same segment as one of your EIGRP-enabled interfaces can bring up a neighbor adjacency with your router and feed it routes.

That is something we would rather avoid.

Enabling neighbor router authentication stops your router from accepting forged route updates. EIGRP authentication (also known as neighbor router authentication or route authentication) allows only routers that hold the configured key to participate in routing.

What is router authentication, and how does it work?

Neighbor router authentication can be set up so that routers can only participate in routing if they know the shared key.

Routing protocol packets are not authenticated by default. Once neighbor router authentication is enabled, the router verifies the source of each routing update packet it receives. This is done with an authentication key (sometimes called a password) that is configured on both the sending and the receiving router; the key itself is never exchanged over the network.

There are two forms of authentication used by the router:

  • Simple password authentication (also known as plain text authentication) is supported by Intermediate System to Intermediate System (IS-IS), Open Shortest Path First (OSPF), and Routing Information Protocol Version 2 (RIPv2). 
  • MD5 authentication is supported by OSPF, RIPv2, BGP, and EIGRP.

The difference between the two methods is what travels on the wire: MD5 authentication sends a message digest rather than the authenticating key itself.

The key is used to compute the digest but is never transmitted, so it cannot be read off the wire. Only the key ID is sent, so that the receiver knows which key to use to check the digest. With simple password authentication, the key itself is sent in the clear.

It's worth mentioning here that simple password authentication is not recommended as part of your security strategy. 

Anyone with a packet sniffer on the link can read the password directly from the packets. Simple password authentication is mostly useful for preventing accidental changes to the routing topology, such as a misconfigured router joining the wrong routing domain. MD5 authentication, on the other hand, is the security best practice of the two.

The keys used in neighbor authentication, like any other key, password, or secret, must be carefully guarded. 

The security benefit of this feature depends entirely on keeping every authenticating key private. Remember that key-strings appear in the running configuration in plain text unless service password-encryption is enabled, and even then the type 7 encoding is trivially reversible, so configuration backups must be protected as secrets. Also, don't overlook the risk of exposing keys when you manage routers over unencrypted Simple Network Management Protocol (SNMP): a configuration read or written via SNMPv1 or SNMPv2c travels in clear text.

With simple password authentication, a password (key) is configured on a router, and each participating neighbor router must be configured with the same key.

MD5 is a form of cryptographic authentication. Each router is configured with a key (password) and a key ID. The router runs the MD5 algorithm over the routing protocol packet, the key, and the key ID to produce a message digest (a hash), and attaches that digest to the packet. 

Unlike simple authentication, the key itself is never sent over the wire; only the digest is. Anyone listening on the link sees the digest and the key ID, but cannot recover the key from them, and cannot produce a valid digest for a forged packet without the key.


MD5 Authentication in EIGRP

EIGRP packets are not authenticated by default. In classic (autonomous-system) mode, EIGRP can be configured to use MD5 authentication.

When a router is configured with EIGRP authentication, it verifies the source of each routing update packet it receives. The MD5 digest carried in each EIGRP packet lets the router reject forged or unauthorized routing messages from sources that do not hold the key.

For EIGRP MD5 authentication, both the sending and receiving routers must be configured with an authenticating key and a key ID. Each key has its own key ID, which is stored locally. The combination of the key ID and the interface the message arrives on uniquely identifies the authentication algorithm and MD5 key in use.

EIGRP manages keys with key chains. Each key in a key chain can be given a time interval during which it is active (its lifetime). During a key's lifetime, routing update packets are sent using that key.

Only one authentication digest is sent per packet, regardless of how many keys are currently valid: the software examines the key IDs from lowest to highest and uses the first one that is valid.

A point to remember about EIGRP keys

When configuring EIGRP authentication you specify the key ID (number), the key (password), and optionally the key's lifetime. The first key (by key ID) that is valid (by lifetime) is the one used.

A key cannot be used outside its lifetime. For that reason, key lifetimes within a key chain should overlap, so that there is never a period in which no key is active. If no key is valid for some period, neighbor authentication cannot take place, the adjacency drops, and routing updates fail. 

To rotate through keys in step with the other participating routers, the router must know the correct time. Synchronize all routers with NTP so that they switch to the same key at the same moment.
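As an added example (this is not the configuration from the GNS3 lab later on this page), the following Cisco IOS key chain applies the overlap rule just described. Key 1 is retired at the end of January 2025 and key 2 takes over; the accept windows overlap the send windows by an hour on each side, so a neighbor whose clock is a few minutes off still authenticates during the changeover, while the lowest-valid-key-ID rule means key 1 is sent right up to its send-lifetime end. The key chain name, key strings, dates, and NTP server address are assumptions for the example; the command syntax is standard IOS.

```cisco
! Lifetimes only mean something if the clock is right: sync every router to NTP.
! 192.0.2.10 is an assumed NTP server. Setting the timezone explicitly makes the
! lifetimes below read the same on every router in the domain.
clock timezone UTC 0
ntp server 192.0.2.10

key chain EIGRP-ROTATE
 key 1
  key-string OldKey-2024-Xq7
  ! Stop sending key 1 at midnight on Feb 1, but keep accepting it for one more
  ! hour so a neighbor whose clock runs slow is not cut off.
  accept-lifetime 00:00:00 Jan 1 2025 01:00:00 Feb 1 2025
  send-lifetime   00:00:00 Jan 1 2025 00:00:00 Feb 1 2025
 key 2
  key-string NewKey-2025-Rk2
  ! Start accepting key 2 one hour early so a neighbor whose clock runs fast
  ! is not cut off either; start sending it exactly when key 1 stops.
  accept-lifetime 23:00:00 Jan 31 2025 infinite
  send-lifetime   00:00:00 Feb 1 2025 infinite

! Attach the rotating key chain to the EIGRP-enabled interface (classic mode, AS 10).
interface FastEthernet0/1
 ip authentication mode eigrp 10 md5
 ip authentication key-chain eigrp 10 EIGRP-ROTATE
```

After the changeover, show key chain marks which accept and send lifetimes are [valid now], show ntp status confirms the clock is synchronized, and show ip eigrp neighbors confirms the adjacency survived the rotation. The same key chain, with identical key IDs and key strings, must be configured on the neighbor.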

What are the benefits of EIGRP authentication at the interface level?

Fast convergence, incremental updates, and support for multiple network layer protocols are all advantages of EIGRP. To keep malicious or incorrect routing information out of a router's routing table, classic-mode EIGRP supports only Message Digest 5 (MD5) authentication; EIGRP named mode (IOS 15.x and IOS-XE) additionally supports HMAC-SHA-256, which should be preferred where both neighbors support it.

It's critical to keep in mind that this is only an authentication scheme. The routers do not encrypt routing update packets as they travel over the network; they only authenticate them with a keyed digest. Anyone on the segment can still read the topology information the updates carry. 

What authentication stops is anyone who does not hold the key from injecting routes into your network, whether by mistake or on purpose. This is especially useful where you do not control every device that can reach the routing segment.
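The "MD5 only" statement holds for classic mode. As an added example (not part of this page's lab), here is the equivalent of the lab's interface configuration in EIGRP named mode, which is where HMAC-SHA-256 becomes available. The process name CORE and the password are assumptions; the address-family, af-interface and authentication commands are standard IOS 15.x / IOS-XE named-mode syntax.

```cisco
! EIGRP named mode: authentication is configured per interface under
! af-interface instead of with "ip authentication ..." on the interface.
router eigrp CORE
 address-family ipv4 unicast autonomous-system 10
  network 10.1.1.0 0.0.0.255
  af-interface FastEthernet0/1
   ! Strongest option named mode offers: keyed SHA-256, single password,
   ! no key chain. Both neighbors must use the same mode and password.
   authentication mode hmac-sha-256 Str0ngSharedSecret-ChangeMe
   ! Alternative if you need key-chain lifetimes for rotation; this uses the
   ! same key-chain model as classic mode and is mutually exclusive with the
   ! hmac-sha-256 line above:
   !   authentication mode md5
   !   authentication key-chain EIGRPKEY
  exit-af-interface
 exit-address-family
```

As in classic mode, show ip eigrp interfaces detail reports the authentication mode in effect on each interface, and a neighbor running a different mode or password simply never forms an adjacency.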

EIGRP Authentication Configuration

I used the GNS3 tool to demonstrate EIGRP authentication, to prevent false or malicious updates from unauthorized neighbors. 


Configuration Commands:

R2(config)#interface f0/1
R2(config-if)#ip address 10.1.1.1 255.255.255.0
R2(config-if)#no shut
R2(config-if)#exit

R3(config)#interface f0/1
R3(config-if)#ip address 10.1.1.2 255.255.255.0
R3(config-if)#no shut
R3(config-if)#exit


Forming the neighborship (both routers must use the same autonomous system number, here 10):

R2(config)#router eigrp 10
R2(config-router)#network 10.1.1.0 0.0.0.255
R2(config-router)#exit

R3(config)#router eigrp 10
R3(config-router)#network 10.1.1.0 0.0.0.255
R3(config-router)#exit


Apply authentication on both neighbors, starting with R2. The key ID (1) and the key-string must be identical on both sides. CISCO is a lab-only key-string; use a long random string in production:

R2(config)#key chain EIGRPKEY
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string CISCO
R2(config-keychain-key)#exit
R2(config-keychain)#exit
R2(config)#interface f0/1
R2(config-if)#ip authentication mode eigrp 10 md5
R2(config-if)#ip authentication key-chain eigrp 10 EIGRPKEY

Verification of key-chain settings on R2:

R2#show key chain
Key-chain EIGRPKEY:
    key 1 -- text "CISCO"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]

Verification of EIGRP authentication on R2:

R2#show ip eigrp interfaces detail
IP-EIGRP interfaces for process 10
                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Fa0/1              1        0/0        70       0/1          304           0
  Hello interval is 5 sec
  Next xmit serial <none>
  Un/reliable mcasts: 0/2  Un/reliable ucasts: 6/6
  Mcast exceptions: 2  CR packets: 2  ACKs suppressed: 0
  Retransmissions sent: 0  Out-of-sequence rcvd: 0
  Authentication mode is md5,  key-chain is "EIGRPKEY"
  Use multicast

Before authentication on R3: at this point R2 is authenticating its packets but R3 is not, so debug eigrp packets on R3 reports R2's hellos (opcode 5 is the EIGRP Hello) as ignored, and the adjacency drops until R3 is configured to match:

EIGRP: FastEthernet0/1: ignored packet from 10.1.1.1, opcode = 5 (authentication off or key-chain missing)

Now apply the same key chain and interface commands on R3:

R3(config)#key chain EIGRPKEY
R3(config-keychain)#key 1
R3(config-keychain-key)#key-string CISCO
R3(config-keychain-key)#exit
R3(config-keychain)#exit
R3(config)#interface f0/1
R3(config-if)#ip authentication mode eigrp 10 md5
R3(config-if)#ip authentication key-chain eigrp 10 EIGRPKEY

After authentication is configured on both routers, the adjacency comes back up.

Verification of key-chain settings on R3:

R3#show key chain
Key-chain EIGRPKEY:
    key 1 -- text "CISCO"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]


Verification of EIGRP Authentication

R3#show ip eigrp interfaces detail 
IP-EIGRP interfaces for process 10
                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Fa0/1              1        0/0        72       0/1          288           0
  Hello interval is 5 sec
  Next xmit serial <none>
  Un/reliable mcasts: 0/3  Un/reliable ucasts: 2/13
  Mcast exceptions: 3  CR packets: 3  ACKs suppressed: 0
  Retransmissions sent: 6  Out-of-sequence rcvd: 0
  Authentication mode is md5,  key-chain is "EIGRPKEY"
  Use multicast

FAQs: EIGRP Authentication

Q: How do I check the EIGRP configuration?

Ans: Use show ip eigrp neighbors to confirm that the adjacency with each neighbor is up, and show ip route eigrp to list only the routes learned through EIGRP (the D entries in the routing table). show ip route displays the entire IP routing table, EIGRP routes included. To confirm the authentication mode and key chain applied to an interface, use show ip eigrp interfaces detail, as shown above.

Q: What exactly is the EIGRP router ID?

Ans: Each EIGRP router has a 32-bit router ID (RID) that is written like an IP address. Unless you set it explicitly with the eigrp router-id command, EIGRP uses the highest IP address on any active loopback interface as the router ID. If no loopback interface is available, the highest IP address on any active interface is used.

Q: What exactly are hello packets in EIGRP?

Ans: Hello packets are exchanged between EIGRP neighbors for neighbor discovery and recovery. When two routers send and receive each other's hellos, and their autonomous system number, K values, and authentication settings match, EIGRP establishes a neighbor relationship between them.

Conclusion

EIGRP authentication prevents an attacker from establishing an EIGRP neighbor relationship with your router and injecting incorrect routing information. To protect routing updates, EIGRP authenticates them with a shared key. The key ID and key-string must be configured identically on both routers. 

When you set up neighbor authentication on a router, it verifies the source of every routing update packet it receives. For EIGRP MD5 authentication, both the sending and receiving routers must be configured with an authenticating key and a key ID. The key is sometimes referred to as a password.
