Securing the routing information prevents an attacker from introducing false routing information into the network, which could be used as part of a Denial of Service (DoS) or Man-in-the-Middle (MiTM) attack. This can be mitigated in part by using password authentication with routing protocols between routers. Cisco routers/switches support plaintext, MD5 and SHA authentication with the RIP, EIGRP, OSPF and BGP routing protocols.
Plaintext authentication is used when devices are unable to support MD5 or SHA for authentication, which is unlikely on modern hardware. Using plaintext passwords makes the routers vulnerable if the packets are captured, because the password can be read directly from them. MD5 (message digest) authentication provides higher security than plaintext authentication: with MD5 hashing added to the authentication process, routing updates no longer contain cleartext passwords, and the entire contents of the routing update are more resistant to tampering. However, MD5 authentication is still susceptible to brute-force and dictionary attacks if weak passwords are chosen. SHA authentication is more secure than MD5 (and plaintext) authentication.
MD5 and SHA use a hash value computed from the contents of the packet (EIGRP, OSPF and RIP) and the defined password. The hash is sent with the packet, along with a key ID and sequence number. If the receiver has the same password, the hash values should match. The key ID allows the routers to reference multiple passwords, which makes migrating to or rotating passwords easier. Passwords must be the same between neighbours, but do not have to be the same throughout the OSPF area.
This post covers configuring RIP, OSPF, EIGRP and BGP authentication on Cisco IOS-XE routers/switches.
OSPF
Cisco IOS-XE routers support both plaintext and cryptographic authentication using MD5 or SHA.
Plaintext Authentication
Plaintext authentication can be enabled per interface or globally in the OSPF process.
On one router the OSPF authentication key is configured on the interface and OSPF authentication is enabled globally within the OSPF process.
interface GigabitEthernet0/0
 ip address 192.168.251.2 255.255.255.252
 ip ospf authentication-key Cisco1234
 ip ospf network point-to-point
 ip ospf 1 area 0
!
router ospf 1
 area 0 authentication
On the other router the OSPF key and OSPF authentication are explicitly enabled on the interface.
interface GigabitEthernet0/1
 ip address 192.168.251.1 255.255.255.252
 ip ospf authentication
 ip ospf authentication-key Cisco1234
 ip ospf network point-to-point
 ip ospf 1 area 0
MD5 Cryptographic Authentication
MD5 authentication can be configured in two ways, and the example below demonstrates both. Either method can be used on either router; they interoperate, and the only setting that must match is the password. In the first method, message-digest authentication and the message-digest key are explicitly configured under the interface, as in the example below.
interface GigabitEthernet0/0
 ip address 192.168.251.2 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 Cisco1234
 ip ospf network point-to-point
 ip ospf 1 area 0
Instead of enabling MD5 authentication under the interface using ip ospf authentication message-digest, you can also enable message-digest authentication under the area.
router ospf 1
 area 0 authentication message-digest
The second method uses a key chain, configured globally, which defines the lifetime, key-string and cryptographic algorithm. Authentication is then enabled under the interface by referencing the MD5 key chain.
key chain OSPF-MD5
 key 1
  key-string Cisco1234
  send-lifetime 00:00:00 Jan 1 2023 infinite
  cryptographic-algorithm md5
!
interface GigabitEthernet0/1
 ip address 192.168.251.1 255.255.255.252
 ip ospf authentication key-chain OSPF-MD5
 ip ospf network point-to-point
 ip ospf 1 area 0
To confirm the OSPF authentication configuration, run the command show ip ospf interface <ifname>. The output differs depending on how MD5 authentication was configured. The output below is from the router configured with message-digest under the interface.
The output below is from the router configured with a key-chain, and confirms cryptographic authentication is enabled and the key chain in use (OSPF-MD5).
SHA Cryptographic Authentication
SHA cryptographic authentication uses a key chain enabled on the OSPF interface. The key chain contains a list of keys, each with a key string (password), a lifetime and the required cryptographic algorithm: SHA1, SHA256, SHA384 or SHA512.
The key chain is configured globally, defining the lifetime, key-string and algorithm.
key chain OSPF
 key 1
  key-string Cisco1234
  send-lifetime 00:00:00 Jan 1 2023 infinite
  cryptographic-algorithm hmac-sha-256
Cryptographic authentication is enabled under the interface, referencing the configured key chain.
interface GigabitEthernet0/0
 ip address 192.168.251.2 255.255.255.252
 ip ospf authentication key-chain OSPF
 ip ospf network point-to-point
 ip ospf 1 area 0
To confirm the OSPF authentication configuration, run the command show ip ospf interface <ifname>. The output below confirms cryptographic authentication is enabled and shows the key chain in use.
EIGRP
EIGRP supports MD5 or SHA-256 authentication; plaintext authentication is not supported.
MD5 Cryptographic Authentication
MD5 authentication can be enabled in traditional EIGRP mode (under the interface and in EIGRP configuration mode) or in EIGRP named mode.
Traditional Mode
A key chain is defined, specifying the key-string (password), lifetime and cryptographic algorithm (MD5).
key chain EIGRP-MD5
 key 1
  key-string Cisco1234
  send-lifetime 00:00:00 Jan 1 2023 infinite
  cryptographic-algorithm md5
EIGRP traditional mode AS configuration:
router eigrp 1
 network 192.168.251.0
MD5 authentication is enabled under the interface and the key chain is referenced.
interface GigabitEthernet0/1
 ip address 192.168.251.1 255.255.255.252
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 EIGRP-MD5
end
Named Mode
In named mode the same key chain can be used as in EIGRP traditional mode.
key chain EIGRP-MD5
 key 1
  key-string Cisco1234
  send-lifetime 00:00:00 Jan 1 2023 infinite
  cryptographic-algorithm md5
In named mode, MD5 authentication is enabled and the key chain referenced under the af-interface for the specific interface.
router eigrp EIGRP
 !
 address-family ipv4 unicast autonomous-system 1
  !
  af-interface GigabitEthernet0/0
   authentication mode md5
   authentication key-chain EIGRP-MD5
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 192.168.251.0
 exit-address-family
SHA Cryptographic Authentication
With EIGRP a key chain is only required for MD5 authentication; SHA authentication is configured under the af-interface with the command authentication mode hmac-sha-256 <Password>.
router eigrp EIGRP
 !
 address-family ipv4 unicast autonomous-system 1
  !
  af-interface GigabitEthernet0/0
   authentication mode hmac-sha-256 Cisco1234
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 192.168.251.0
 exit-address-family
Verification
To verify EIGRP authentication, run the command debug eigrp packet. The outputs below confirm that MD5 and SHA-256 authentication respectively are in use.
R9#debug eigrp packet
*Dec 2 15:04:44.816: EIGRP: Sending HELLO on NV0 - paklen 20
*Dec 2 15:04:44.817:   AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Dec 2 15:04:44.989: EIGRP: received packet with MD5 authentication, key id = 1
*Dec 2 15:04:44.990: EIGRP: Received HELLO on Gi0/0 - paklen 60 nbr 192.168.251.1
R9#debug eigrp packets
EIGRP Packet debugging is on
*Dec 3 14:44:33.793: EIGRP: Sending HELLO on Gi0/0 - paklen 76
*Dec 3 14:44:33.794:   AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Dec 3 14:44:34.140: EIGRP: Sending HELLO on NV0 - paklen 20
*Dec 3 14:44:34.140:   AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Dec 3 14:44:34.898: EIGRP: received packet with HMAC-SHA-256 authentication
BGP
MD5 authentication is configured between BGP peers using the command neighbor <peer ip address> password <Password>; SHA is not supported.
router bgp 65000
 bgp log-neighbor-changes
 neighbor 192.168.250.2 remote-as 65001
 neighbor 192.168.250.2 password Cisco1234
With external BGP peering to an ISP the device is exposed to attacks from the internet. An attacker could send a large number of TCP SYN packets to a BGP router to overwhelm the BGP process and CPU. To protect BGP from CPU exhaustion attacks you can use the TTL Security feature, which limits the number of hops a BGP packet may have travelled (packets whose IP TTL shows they came from further away are dropped), using the command neighbor <peer address> ttl-security hops <maximum hop count>.
router bgp 65001
 neighbor 192.168.250.1 remote-as 65000
 neighbor 192.168.250.1 password Cisco1234
 neighbor 192.168.250.1 ttl-security hops 2
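As an added example (not from the post and not a Cisco tool), the Python audit below reads an IOS-XE running-config excerpt and flags OSPF interfaces that end up with plaintext or no authentication, taking the area-level setting under router ospf into account as the OSPF section above describes, plus BGP neighbours that lack a password or ttl-security. The config is constructed for the example and the parser assumes the single-space IOS indentation shown in the configs above.

```python
import re
# Constructed IOS-XE running-config excerpt (illustrative, not from the post or a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip ospf authentication key-chain OSPF
 ip ospf 1 area 0
interface GigabitEthernet0/1
 ip ospf authentication-key Cisco1234
 ip ospf 1 area 1
router ospf 1
 area 1 authentication
router bgp 65001
 neighbor 192.168.250.1 remote-as 65000
 neighbor 192.168.250.1 password Cisco1234
 neighbor 10.0.0.9 remote-as 65010
"""

def blocks(config):  # -> [(header, [sub-commands])], one entry per top-level IOS block
    out = []
    for line in config.splitlines():
        if line.startswith(" "):
            out[-1][1].append(line.strip())
        elif line.strip() != "!":
            out.append((line.strip(), []))
    return out

def ospf_level(body, area_auth):  # -> key-chain | md5 | plaintext | none | not-ospf
    for cmd in body:
        t = cmd.split()
        if t[:3] == ["ip", "ospf", "authentication"]:  # 'authentication-key' alone sets no mode
            mode = t[3] if len(t) > 3 else ""
            return {"key-chain": "key-chain", "message-digest": "md5"}.get(mode, "plaintext")
    m = next(filter(None, (re.match(r"ip ospf (\S+) area (\S+)", c) for c in body)), None)
    return area_auth.get((m.group(1), m.group(2)), "none") if m else "not-ospf"  # inherit area setting

def audit(config):  # -> [(object, finding)] for weak or missing routing-protocol authentication
    cfg = blocks(config)
    area_auth = {(h.split()[2], m.group(1)): "md5" if m.group(2) else "plaintext"
                 for h, body in cfg if h.startswith("router ospf ")
                 for m in filter(None, (re.match(r"area (\S+) authentication(?: (message-digest))?$", b) for b in body))}
    findings = []
    for h, body in cfg:
        if h.startswith("interface ") and (lvl := ospf_level(body, area_auth)) in ("none", "plaintext"):
            findings.append((h.split()[1], f"ospf authentication: {lvl}"))
        elif h.startswith("router bgp "):
            peers = sorted({b.split()[1] for b in body if b.startswith("neighbor ")})
            findings += [(p, f"bgp neighbor without {opt}") for p in peers for opt in ("password", "ttl-security")
                         if not any(b.startswith(f"neighbor {p} {opt}") for b in body)]
    return findings
```

Gi0/0 passes because its key chain carries the algorithm; Gi0/1 only has an authentication-key and its area is enabled for plaintext, so it is flagged.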
RIP
RIP supports plaintext and MD5 authentication and is configured in the same way as traditional-mode EIGRP: a key chain is defined and authentication is enabled under the interface.
key chain RIP-MD5
 key 1
  key-string Cisco1234
  send-lifetime 00:00:00 Jan 1 2023 infinite
  cryptographic-algorithm md5
!
interface GigabitEthernet0/1
 ip address 192.168.251.1 255.255.255.252
 ip rip authentication mode md5
 ip rip authentication key-chain RIP-MD5
!
router rip
 version 2
 network 192.168.251.0
 neighbor 192.168.251.1
 no auto-summary
If the MD5 authentication key-string is incorrect or not configured, the debug output (from the command debug ip rip) will reveal the problem.
*Dec 3 16:12:53.611: RIP: received packet with MD5 authentication
*Dec 3 16:12:53.611: RIP: ignored v2 packet from 192.168.251.2 (invalid authentication)
If MD5 authentication is working, the logs will confirm that updates are received.
*Dec 3 16:16:40.010: RIP: received packet with MD5 authentication
*Dec 3 16:16:40.010: RIP: received v2 update from 192.168.251.2 on GigabitEthernet0/1
*Dec 3 16:16:40.011:      10.10.0.0/24 via 0.0.0.0 in 1 hops
*Dec 3 16:16:40.012:      10.10.1.0/24 via 0.0.0.0 in 1 hops
*Dec 3 16:16:40.012:      10.10.2.0/24 via 0.0.0.0 in 1 hops
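As an added example (not part of the post), the Python snippet below turns the EIGRP and RIP debug lines shown in the verification sections into a detection summary: it tallies which algorithm each protocol is actually authenticating with and alerts on any source whose packets are repeatedly rejected with "invalid authentication", which is what a key mismatch after a rotation, or packets from an unexpected sender, looks like. The debug lines are constructed in the formats shown above; the "ignored" message is only known from the RIP output, so only that form is matched.

```python
import re
from collections import Counter

# Constructed lines in the format of the 'debug eigrp packets' and 'debug ip rip' output above (not a real capture).
SAMPLE_DEBUG = """\
*Dec 3 14:44:34.898: EIGRP: received packet with HMAC-SHA-256 authentication
*Dec 2 15:04:44.989: EIGRP: received packet with MD5 authentication, key id = 1
*Dec 3 16:12:53.611: RIP: received packet with MD5 authentication
*Dec 3 16:12:53.611: RIP: ignored v2 packet from 192.168.251.2 (invalid authentication)
*Dec 3 16:12:55.612: RIP: ignored v2 packet from 192.168.251.2 (invalid authentication)
*Dec 3 16:13:01.004: RIP: ignored v2 packet from 192.168.251.9 (invalid authentication)
*Dec 3 16:16:40.010: RIP: received v2 update from 192.168.251.2 on GigabitEthernet0/1
"""

# Message formats as they appear in the debug output; the 'ignored ... (invalid authentication)' form is RIP's.
AUTH_OK = re.compile(r": (EIGRP|RIP): received packet with (\S+) authentication")
AUTH_BAD = re.compile(r": RIP: ignored v\d packet from (\S+) \(invalid authentication\)")

def summarise(debug_output, threshold=2):
    """Tally authenticated packets per (protocol, algorithm) and flag sources rejected
    at least `threshold` times; also list protocols still relying on MD5."""
    ok, rejected = Counter(), Counter()
    for line in debug_output.splitlines():
        if m := AUTH_OK.search(line):
            ok[(m.group(1), m.group(2).upper())] += 1
        elif m := AUTH_BAD.search(line):
            rejected[m.group(1)] += 1
    alerts = [f"{src}: {n} packets rejected with invalid authentication"
              for src, n in rejected.items() if n >= threshold]
    return {"authenticated": dict(ok), "rejected": dict(rejected), "alerts": alerts,
            "md5_in_use": sorted({proto for proto, alg in ok if alg == "MD5"})}
```

For RIP, MD5 is the strongest option available, so an "md5_in_use" entry for RIP is expected; for EIGRP it points at a neighbour that could move to hmac-sha-256.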