EIGRP Authentication

EIGRP supports authentication of messages between EIGRP neighbours, but it is important to recognise that this only proves who sent a packet; the routing information itself is not encrypted and travels in clear text.

There are two ways to authenticate EIGRP messages: MD5 and, more recently, HMAC-SHA-256 (only available in named mode, as of IOS 15.1(2)S and 15.2(1)T).

HMAC-SHA-256 authentication can be configured directly on the interface; however, in this mode it is not possible to set the time and duration for which the password is valid.

router eigrp ccie
 !
 address-family ipv4 unicast autonomous-system 100
  !
  af-interface FastEthernet0/0
   authentication mode hmac-sha-256 7 14888D94
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 0.0.0.0
 exit-address-family

Alternatively, key chains can be used to configure authentication. In the example below a key chain has been defined with the password ccie-password and configured, using the send-lifetime command, to send this password for one hour starting at 22:00 on October 6th 2018. Similarly the password is configured, using the accept-lifetime command, to be accepted only during this same time frame.

key chain eigrp
 key 1
  key-string ccie-password
  accept-lifetime 22:00:00 Oct 6 2018 23:00:00 Oct 6 2018
  send-lifetime 22:00:00 Oct 6 2018 23:00:00 Oct 6 2018

The key chain can be applied to EIGRP in both named mode and classic mode. In named mode only, the key chain can be applied to all interfaces at once by configuring the af-interface default subcommand, or alternatively to specific interfaces as shown below:

Named mode:

router eigrp ccie
 !
 address-family ipv4 unicast autonomous-system 100
  !
  af-interface FastEthernet0/0
   authentication mode md5
   authentication key-chain eigrp
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 0.0.0.0
 exit-address-family

Classic mode:

router eigrp 100
 network 0.0.0.0

interface FastEthernet0/0
 ip address 1.2.1.1 255.255.255.248
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 eigrp
 duplex auto
 speed auto

Seamless Password Rollover

If multiple keys are defined in the key chain, EIGRP will sign outgoing packets with the lowest key ID that has a valid send-lifetime. Received packets are checked with the key whose ID matches the key ID carried in the packet, provided that key's accept-lifetime is still valid. Changing to a different key without impacting the neighbour adjacency can be achieved as follows:

  1. On both neighbours add a key with a higher ID. This will not impact the existing key, which will continue to be used because it still has the lowest ID.
  2. Reconfigure the old key with a send-lifetime in the past. This will force the router to sign with the new key, while the old key (whose accept-lifetime is unchanged) is still accepted from a neighbour that has not yet switched.
  3. Remove the old key.
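The rollover above, and the send-lifetime/accept-lifetime behaviour of the key chain described earlier, can be modelled in a few lines. The following Python is an added illustration, not code from the post or from Cisco IOS: it keeps a key chain per router, applies the lowest-valid-key-ID sending rule and the accept-lifetime check, and tags a constructed hello payload with an HMAC so that a "neighbour" can verify it. The payload, the use of HMAC-SHA-256 over the whole payload and the way the tag is carried are assumptions for the model; EIGRP's real packet layout is not reproduced here.

```python
"""Model of EIGRP-style key-chain rollover (added example, not IOS code)."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Key:
    key_id: int
    key_string: bytes
    # None means "infinite", the default when no lifetime is configured
    send_start: Optional[datetime] = None
    send_end: Optional[datetime] = None
    accept_start: Optional[datetime] = None
    accept_end: Optional[datetime] = None

    @staticmethod
    def _within(start: Optional[datetime], end: Optional[datetime], now: datetime) -> bool:
        return (start is None or start <= now) and (end is None or now < end)

    def can_send(self, now: datetime) -> bool:
        return self._within(self.send_start, self.send_end, now)

    def can_accept(self, now: datetime) -> bool:
        return self._within(self.accept_start, self.accept_end, now)


class KeyChain:
    def __init__(self) -> None:
        self.keys: Dict[int, Key] = {}

    def add(self, key: Key) -> None:
        self.keys[key.key_id] = key

    def remove(self, key_id: int) -> None:
        self.keys.pop(key_id, None)

    def send_key(self, now: datetime) -> Optional[Key]:
        # Rule from the post: sign with the lowest key ID whose send-lifetime is valid.
        for key_id in sorted(self.keys):
            if self.keys[key_id].can_send(now):
                return self.keys[key_id]
        return None

    def accept_key(self, key_id: int, now: datetime) -> Optional[Key]:
        # A received packet is checked with the key it names, if that key is still accepted.
        key = self.keys.get(key_id)
        return key if key is not None and key.can_accept(now) else None


def sign(chain: KeyChain, payload: bytes, now: datetime) -> Tuple[int, bytes]:
    key = chain.send_key(now)
    if key is None:
        raise RuntimeError("no key with a valid send-lifetime")
    return key.key_id, hmac.new(key.key_string, payload, hashlib.sha256).digest()


def verify(chain: KeyChain, key_id: int, payload: bytes, tag: bytes, now: datetime) -> bool:
    key = chain.accept_key(key_id, now)
    if key is None:
        return False
    expected = hmac.new(key.key_string, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def rollover_demo() -> List[int]:
    """Replay the three rollover steps; return the key ID R1 used at each exchange."""
    hello = b"EIGRP HELLO (constructed payload, not the real packet format)"
    r1, r2 = KeyChain(), KeyChain()
    for chain in (r1, r2):
        chain.add(Key(1, b"password1"))
    used: List[int] = []

    def exchange(now: datetime) -> None:
        key_id, tag = sign(r1, hello, now)
        if not verify(r2, key_id, hello, tag, now):
            raise RuntimeError("neighbour rejected the packet: adjacency would drop")
        used.append(key_id)

    t0 = datetime(2018, 10, 6, 23, 23, 40)
    exchange(t0)                                     # only key 1 exists
    for chain in (r1, r2):                           # step 1: add key 2 on both routers
        chain.add(Key(2, b"password2"))
    exchange(t0 + timedelta(minutes=1))              # key 1 still has the lowest ID
    past = datetime(2000, 1, 1, 0, 0, 1)             # step 2: send-lifetime in the past
    for chain in (r1, r2):
        chain.keys[1].send_start = past
        chain.keys[1].send_end = past + timedelta(seconds=10)
    exchange(t0 + timedelta(minutes=5))              # key 2 is now used
    for chain in (r1, r2):                           # step 3: remove the old key
        chain.remove(1)
    exchange(t0 + timedelta(minutes=6))
    return used


if __name__ == "__main__":
    print(rollover_demo())
```

Note that every lifetime comparison is against the router's own clock: the two neighbours only agree on which key is valid if their clocks agree, so lifetime-based key chains are normally paired with NTP.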

In the example below two routers are configured back to back.

EIGRP Key Chains

Both routers have the following key chain configured:

key chain eigrp
 key 1
  key-string password1
 key 2
  key-string password2

Debugging is switched on, and the authentication key ID can be seen to be 1:

R1#debug eigrp packets terse
(UPDATE, REQUEST, QUERY, REPLY, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
EIGRP Packet debugging is on
R1#
*Oct 6 23:23:40.539: EIGRP: received packet with MD5 authentication, key id = 1
R1#
*Oct 6 23:23:44.999: EIGRP: received packet with MD5 authentication, key id = 1
R1#
*Oct 6 23:23:49.267: EIGRP: received packet with MD5 authentication, key id = 1
R1#
*Oct 6 23:23:53.735: EIGRP: received packet with MD5 authentication, key id = 1

The send-lifetime of key 1 is now set to the past on both routers. In the example below the send-lifetime starts at 00:00:01 on the 1st of January 2000 and lasts 10 seconds:

key chain eigrp
 key 1
  key-string password1
  send-lifetime 00:00:01 Jan 1 2000 duration 10
 key 2
  key-string password2

As can be seen below, the authentication seamlessly moves to key 2. After this transition is complete the old key can be deleted.

R1#
*Oct 6 23:28:58.067: EIGRP: received packet with MD5 authentication, key id = 1
R1#
*Oct 6 23:29:02.971: EIGRP: received packet with MD5 authentication, key id = 2
R1#
*Oct 6 23:29:07.451: EIGRP: received packet with MD5 authentication, key id = 2
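The debug output above is also what an operator would watch to confirm a rollover, or to spot a neighbour still signing with a retired key. The following Python is an added example, not part of the post: it parses the debug lines shown on this page (the non-matching "R1#" prompt lines are skipped), reports each change of received key ID, and lists packets signed with a key ID outside an allowed set. The hash name is captured generically because only the MD5 form of the message appears on the page.

```python
"""Parse 'debug eigrp packets' authentication lines (added example)."""
import re
from typing import Iterable, List, Set, Tuple

# Matches lines such as:
# *Oct 6 23:23:40.539: EIGRP: received packet with MD5 authentication, key id = 1
AUTH_LINE = re.compile(
    r"^\*(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"EIGRP: received packet with (?P<mode>\S+) authentication, key id = (?P<kid>\d+)$"
)


def parse_auth_events(lines: Iterable[str]) -> List[Tuple[str, str, int]]:
    """Return (timestamp, hash mode, key id) for every matching debug line."""
    events = []
    for line in lines:
        m = AUTH_LINE.match(line.strip())
        if m:
            events.append((m.group("ts"), m.group("mode"), int(m.group("kid"))))
    return events


def key_id_transitions(lines: Iterable[str]) -> List[Tuple[str, int, int]]:
    """(timestamp, previous key id, new key id) each time the received key ID changes."""
    transitions, previous = [], None
    for ts, _mode, kid in parse_auth_events(lines):
        if previous is not None and kid != previous:
            transitions.append((ts, previous, kid))
        previous = kid
    return transitions


def packets_outside(lines: Iterable[str], allowed: Set[int]) -> List[Tuple[str, int]]:
    """Packets signed with a key ID that is not in the allowed set (e.g. a retired key)."""
    return [(ts, kid) for ts, _mode, kid in parse_auth_events(lines) if kid not in allowed]


# The debug output from this page, including the prompt lines the parser must ignore.
SAMPLE_DEBUG = """R1#
*Oct 6 23:23:40.539: EIGRP: received packet with MD5 authentication, key id = 1
R1#
*Oct 6 23:23:44.999: EIGRP: received packet with MD5 authentication, key id = 1
R1#
*Oct 6 23:23:49.267: EIGRP: received packet with MD5 authentication, key id = 1
R1#
*Oct 6 23:23:53.735: EIGRP: received packet with MD5 authentication, key id = 1
R1#
*Oct 6 23:28:58.067: EIGRP: received packet with MD5 authentication, key id = 1
R1#
*Oct 6 23:29:02.971: EIGRP: received packet with MD5 authentication, key id = 2
R1#
*Oct 6 23:29:07.451: EIGRP: received packet with MD5 authentication, key id = 2
""".splitlines()


if __name__ == "__main__":
    for ts, old, new in key_id_transitions(SAMPLE_DEBUG):
        print(f"{ts}: key id changed from {old} to {new}")
    for ts, kid in packets_outside(SAMPLE_DEBUG, {2}):
        print(f"{ts}: packet still signed with key id {kid}")
```

Once key 1 has been removed, running packets_outside with the allowed set {2} over live debug output shows any neighbour that has not completed the rollover.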

References:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/15-s/ire-15-s-book/ire-rte-auth.html


Author: Simon Chamberlain

An experienced Network Professional writing yet another blog
