MD5 Authentication with Multiple Keys
This example illustrates MD5 authentication of the RIP routing information exchange using multiple keys. Routers R1 and R2 are running RIP and exchanging routing updates. To configure authentication on R1, define a key chain, add keys to the key chain, and define the authentication string (password) for each key. Then set the time period during which each key is valid to receive or send by specifying its accept lifetime and send lifetime. After defining the key strings, specify on the interface the key chain (set of keys) to use for authentication and the authentication mode. Configure R2 and R3 with the same key IDs and key strings as R1 for the time during which updates are to be exchanged.
In MD5 authentication, both the key ID and the key string must match. R1 accepts on that interface only packets whose key ID and key string match a key in the specified key chain whose accept lifetime is current. In the following example, R2 has the same key ID and key string as R1. For additional security, the accept lifetimes and send lifetimes are configured so that every fifth day the key ID and key string change. To maintain continuity, the accept lifetimes should be configured to overlap; the send lifetimes should not overlap.
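The rollover rule above (both key ID and key string must match, accept lifetimes overlap, send lifetimes do not) as an added Python model of the key chain SUN from this page; it is not the router's code, and the half-open lifetime windows and the lint function check_chain are assumptions made here for illustration:

```python
from dataclasses import dataclass
from datetime import datetime


def ts(s: str) -> datetime:
    """Parse the lifetime format used on the page, e.g. '12:00:00 Mar 2 2003'."""
    return datetime.strptime(s, "%H:%M:%S %b %d %Y")


@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: str
    accept: tuple  # (start, end) of accept-lifetime
    send: tuple    # (start, end) of send-lifetime


def in_window(window, now):
    # Assumption: half-open windows, so a key whose lifetime ends at 12:00 is not used at 12:00.
    start, end = window
    return start <= now < end


# Key chain SUN, transcribed from the page into Python data
SUN = [
    Key(1, "ABC", (ts("12:00:00 Mar 2 2003"), ts("14:00:00 Mar 7 2003")),
        (ts("12:00:00 Mar 2 2003"), ts("12:00:00 Mar 7 2003"))),
    Key(2, "Earth", (ts("12:00:00 Mar 7 2003"), ts("14:00:00 Mar 12 2003")),
        (ts("12:00:00 Mar 7 2003"), ts("12:00:00 Mar 12 2003"))),
]


def send_key(chain, now):
    """Key that signs outgoing updates at 'now' (None if no send-lifetime is active)."""
    return next((k for k in chain if in_window(k.send, now)), None)


def accepts(chain, now, key_id, key_string):
    """A received update is accepted only if BOTH key ID and key string match a key
    whose accept-lifetime contains 'now'."""
    return any(k.key_id == key_id and k.key_string == key_string
               and in_window(k.accept, now) for k in chain)


def check_chain(chain):
    """Lint the rollover: send-lifetimes must not overlap, accept-lifetimes must."""
    problems = []
    for prev, nxt in zip(chain, chain[1:]):
        if nxt.send[0] < prev.send[1]:
            problems.append(f"send-lifetimes of keys {prev.key_id} and {nxt.key_id} overlap")
        if nxt.accept[0] > prev.accept[1]:
            problems.append(f"gap between accept-lifetimes of keys {prev.key_id} and {nxt.key_id}")
    return problems
```

At 13:00 on March 7 the router already sends with key 2 (Earth) but still accepts key 1 (ABC) from a peer whose clock or rollover lags, which is the continuity the overlapping accept lifetimes buy.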
Topology
Figure 2-7: MD5 Multiple-key Topology
R1
| Command | Description |
|---|---|
| #configure terminal | Enter configure mode. |
| (config)#router rip | Define a RIP routing process, and enter Router mode. |
| (config-router)#network 10.10.10.0/24 | Associate network 10.10.10.0/24 with the RIP process. |
| (config-router)#redistribute connected | Enable redistributing from connected routes. |
| (config-router)#exit | Exit router mode. |
| (config)#commit | Commit the candidate configuration to the running configuration. |
| (config)#key chain SUN | Enter Keychain management mode to add keys to the key chain SUN. |
| (config-keychain)#key 1 | Add authentication key ID (1) to the key chain SUN. |
| (config-keychain-key)#key-string ABC | Specify a password (ABC) to use with the specified key. |
| (config-keychain-key)#accept-lifetime 12:00:00 Mar 2 2003 14:00:00 Mar 7 2003 | Specify the time period during which the authentication key can be received. In this case, key string ABC can be received from noon of March 2 to 2 pm March 7, 2003. |
| (config-keychain-key)#send-lifetime 12:00:00 Mar 2 2003 12:00:00 Mar 7 2003 | Specify the time period during which the authentication key can be sent. In this case, key string ABC can be sent from noon of March 2 to noon of March 7, 2003. |
| (config-keychain-key)#exit | Exit Keychain-Key mode, and return to Keychain mode. |
| (config-keychain)#commit | Commit the candidate configuration to the running configuration. |
| (config-keychain)#key 2 | Add another authentication key (2) to the key chain SUN. |
| (config-keychain-key)#key-string Earth | Specify a password (Earth) to use with the specified key. |
| (config-keychain-key)#accept-lifetime 12:00:00 Mar 7 2003 14:00:00 Mar 12 2003 | Specify the time period during which authentication key string Earth can be received. In this case, key string Earth can be received from noon of March 7 to 2 pm March 12, 2003. |
| (config-keychain-key)#send-lifetime 12:00:00 Mar 7 2003 12:00:00 Mar 12 2003 | Specify the time period during which the authentication key can be sent. In this case, key string Earth can be sent from noon of March 7 to noon of March 12, 2003. |
| (config-keychain-key)#commit | Commit the candidate configuration to the running configuration. |
| (config-keychain-key)#end | Enter Privileged Exec mode. |
| #configure terminal | Enter configure mode. |
| (config)#interface eth1 | Specify interface eth1 as the interface you want to configure. |
| (config-if)#ip rip authentication key chain SUN | Enable RIPv2 authentication on the eth1 interface, and specify the key chain SUN to use for authentication. |
| (config-if)#ip rip authentication mode md5 | Specify MD5 as the authentication mode to use for RIP packets. |
| (config-if)#exit | Exit interface mode. |
| (config)#commit | Commit the candidate configuration to the running configuration. |
R2
| Command | Description |
|---|---|
| #configure terminal | Enter configure mode. |
| (config)#router rip | Define a RIP routing process, and enter Router mode. |
| (config-router)#network 10.10.10.0/24 | Associate network 10.10.10.0/24 with the RIP process. |
| (config-router)#redistribute connected | Enable redistributing from connected routes. |
| (config-router)#exit | Exit router mode. |
| (config)#commit | Commit the candidate configuration to the running configuration. |
| (config)#key chain MOON | Enter Keychain management mode to add keys to the key chain MOON. |
| (config-keychain)#key 1 | Add authentication key ID (1) to the key chain MOON. |
| (config-keychain-key)#key-string ABC | Specify a password (ABC) to use with the specified key. |
| (config-keychain-key)#accept-lifetime 12:00:00 Mar 2 2003 14:00:00 Mar 7 2003 | Specify the time period during which the authentication key can be received. In this case, key string ABC can be received from noon of March 2 to 2 pm March 7, 2003. |
| (config-keychain-key)#send-lifetime 12:00:00 Mar 2 2003 12:00:00 Mar 7 2003 | Specify the time period during which the authentication key can be sent. In this case, key string ABC can be sent from noon of March 2 to noon of March 7, 2003. |
| (config-keychain-key)#exit | Exit Keychain-Key mode, and return to Keychain mode. |
| (config-keychain)#commit | Commit the candidate configuration to the running configuration. |
| (config-keychain)#key 2 | Add another authentication key (2) to the key chain MOON. |
| (config-keychain-key)#key-string Earth | Specify a password (Earth) to use with the specified key. |
| (config-keychain-key)#accept-lifetime 12:00:00 Mar 7 2003 14:00:00 Mar 12 2003 | Specify the time period during which the authentication key can be received. In this case, key string Earth can be received from noon of March 7 to 2 pm March 12, 2003. |
| (config-keychain-key)#send-lifetime 12:00:00 Mar 7 2003 12:00:00 Mar 12 2003 | Specify the time period during which the authentication key can be sent. In this case, key string Earth can be sent from noon of March 7 to noon of March 12, 2003. |
| (config-keychain-key)#commit | Commit the candidate configuration to the running configuration. |
| (config-keychain-key)#end | Enter Privileged Exec mode. |
| #configure terminal | Enter configure mode. |
| (config)#interface eth2 | Specify interface eth2 as the interface you want to configure. |
| (config-if)#ip rip authentication key chain MOON | Enable RIPv2 authentication on the eth2 interface, and specify the key chain MOON to use for authentication. |
| (config-if)#ip rip authentication mode md5 | Specify MD5 as the authentication mode to use for RIP packets. |
| (config-if)#exit | Exit interface mode. |
| (config)#commit | Commit the candidate configuration to the running configuration. |
Validation
Verify the configuration on each router with show running-config, show ip rip, show ip protocol rip, and show ip rip interface. The key strings appear encrypted in the running configuration, and R2's show ip rip output should list the route to R1's loopback (192.168.0.1/32) learned from 10.10.10.10, which confirms that authenticated updates are being exchanged.
R1
#sh running-config
!
no service password-encryption
!
hostname rtr1
!
logging monitor 7
!
ip vrf management
!
key chain SUN
key 1
key-string 0x5c5b790e25d29287
accept-lifetime 12:00:00 Mar 02 2003 14:00:00 Mar 07 2003
send-lifetime 12:00:00 Mar 02 2003 12:00:00 Mar 07 2003
key 2
key-string 0x51b2c401dd313187
accept-lifetime 12:00:00 Mar 07 2003 14:00:00 Mar 12 2003
send-lifetime 12:00:00 Mar 07 2003 12:00:00 Mar 12 2003
!
ip domain-lookup
spanning-tree mode provider-rstp
feature telnet
feature ssh
no feature tacacs+
snmp-server view all .1 included
ntp enable
sFlow disable
software-watchdog keep-alive-time 30
!
ip pim register-rp-reachability
!
interface lo
mtu 65536
ip address 127.0.0.1/8
ip address 192.168.0.1/32 secondary
ipv6 address ::1/128
!
interface eth0
ip address 10.12.4.92/24
!
interface eth1
ip address 10.10.10.10/24
ip rip authentication mode md5
ip rip authentication key-chain chain SUN
!
interface eth2
!
router rip
network 10.10.10.0/24
redistribute connected
!
line con 0
login
line vty 0 39
login
!
end
#show ip rip
Codes: R - RIP, Rc - RIP connected, Rs - RIP static, K - Kernel,
C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP,
X - Default
Network Next Hop Metric From If Time
Rc 10.10.10.0/24 1 eth1
C 10.12.4.0/24 1 eth0
C 192.168.0.1/32 1 lo
#show ip protocol rip
RIP Database for VRF (default)
Routing Protocol is "rip"
Sending updates every 30 seconds with +/-50%, next due in 19 seconds
Timeout after 180 seconds, garbage collect after 120 seconds
Outgoing update filter list for all interface is not set
Incoming update filter list for all interface is not set
Default redistribution metric is 1
Redistributing: connected
Default version control: send version 2, receive version 2
Interface Send Recv Key-chain
eth1 2 2 chain SUN
Routing for Networks:
10.10.10.0/24
Routing Information Sources:
Gateway Distance Last Update Bad Packets Bad Routes
Number of routes (including connected): 3
Distance: (default is 120)
#show ip rip interface
svlan0.1 is down, line protocol is down
RIP is not enabled on this interface
eth2 is down, line protocol is down
RIP is not enabled on this interface
eth1 is up, line protocol is up
Routing Protocol: RIP
Receive RIP packets
Send RIP packets
Passive interface: Disabled
Split horizon: Enabled with Poisoned Reversed
IP interface address:
10.10.10.10/24
eth0 is up, line protocol is up
RIP is not enabled on this interface
lo is up, line protocol is up
RIP is not enabled on this interface
R2
#sh running-config
!
no service password-encryption
!
logging monitor 7
!
ip vrf management
!
key chain MOON
key 1
key-string 0x5c5b790e25d29287
accept-lifetime 12:00:00 Mar 02 2003 14:00:00 Mar 07 2003
send-lifetime 12:00:00 Mar 02 2003 12:00:00 Mar 07 2003
key 2
key-string 0x51b2c401dd313187
accept-lifetime 12:00:00 Mar 07 2003 14:00:00 Mar 12 2003
send-lifetime 12:00:00 Mar 07 2003 12:00:00 Mar 12 2003
!
ip domain-lookup
spanning-tree mode provider-rstp
feature telnet
feature ssh
no feature tacacs+
snmp-server view all .1 included
ntp enable
sFlow disable
software-watchdog keep-alive-time 30
!
ip pim register-rp-reachability
!
interface lo
mtu 65536
ip address 127.0.0.1/8
ip address 192.168.0.2/32 secondary
ipv6 address ::1/128
!
interface eth0
ip address 10.12.4.108/24
!
interface eth1
!
interface eth2
ip address 10.10.10.50/24
ip rip authentication mode md5
ip rip authentication key-chain chain MOON
!
router rip
network 10.10.10.0/24
redistribute connected
!
line con 0
login
line vty 0 39
login
!
end
#show ip rip
Codes: R - RIP, Rc - RIP connected, Rs - RIP static, K - Kernel,
C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP,
X - Default
Network Next Hop Metric From If Time
Rc 10.10.10.0/24 1 eth2
C 10.12.4.0/24 1 eth0
R 192.168.0.1/32 10.10.10.10 16 10.10.10.10 eth2 01:29
C 192.168.0.2/32 1 lo
#show ip protocol rip
RIP Database for VRF (default)
Routing Protocol is "rip"
Sending updates every 30 seconds with +/-50%, next due in 9 seconds
Timeout after 180 seconds, garbage collect after 120 seconds
Outgoing update filter list for all interface is not set
Incoming update filter list for all interface is not set
Default redistribution metric is 1
Redistributing: connected
Default version control: send version 2, receive version 2
Interface Send Recv Key-chain
eth2 2 2 chain MOON
Routing for Networks:
10.10.10.0/24
Routing Information Sources:
Gateway Distance Last Update Bad Packets Bad Routes
Number of routes (including connected): 4
Distance: (default is 120)
#show ip rip interface
svlan0.1 is down, line protocol is down
RIP is not enabled on this interface
eth2 is up, line protocol is up
Routing Protocol: RIP
Receive RIP packets
Send RIP packets
Passive interface: Disabled
Split horizon: Enabled with Poisoned Reversed
IP interface address:
10.10.10.50/24
eth1 is down, line protocol is down
RIP is not enabled on this interface
eth0 is up, line protocol is up
RIP is not enabled on this interface
lo is up, line protocol is up
RIP is not enabled on this interface