EIGRP Authentication

dredlord

I am reading the ROUTE FLG. There is a example for MD5 Authentication with regards to EIGRP routing. I am a bit confused with the example which is as follows.

key 1
key-string firstkey
accept-lifetime 04:00:00 Jan 1 2009 infinite
send-lifetime 04:00:00 Jan 1 2009 infinite
key 2
key-string secondkey
accept-lifetime 04:00:00 Jan 25 2009 infinite
send-lifetime 04:00:00 Jan 25 2009 infinite

Since key 1 is configured to be accepted from the start time onwards even when Key 2 is used to send packets, wouldn't this be a security issue should someone acquire the Key and Key ID, and since no effective end time has been set for sending of Key 1 wouldn't that defeat the purpose of multiple keys in the key chain?

Eildor

dredlord wrote: »

I am reading the ROUTE FLG. There is a example for MD5 Authentication with regards to EIGRP routing. I am a bit confused with the example which is as follows.

key 1
key-string firstkey
accept-lifetime 04:00:00 Jan 1 2009 infinite
send-lifetime 04:00:00 Jan 1 2009 infinite
key 2
key-string secondkey
accept-lifetime 04:00:00 Jan 25 2009 infinite
send-lifetime 04:00:00 Jan 25 2009 infinite

Since key 1 is configured to be accepted from the start time onwards even when Key 2 is used to send packets, wouldn't this be a security issue should someone acquire the Key and Key ID, and since no effective end time has been set for sending of Key 1 wouldn't that defeat the purpose of multiple keys in the key chain?

I'm not a CCNP, so unless someone else verifies what I've said and says it's ok don't listen to me!

My understanding is that the lowest valid key is used, which in this case is key 1. In order for key 2 to be used for authentication key 1 must be removed, this is because key 1 will never be invalid as its send/receive is set to infinite.