EIGRP Authentication
I am reading the ROUTE FLG. There is an example for MD5 Authentication with regards to EIGRP routing. I am a bit confused with the example, which is as follows.
key 1
key-string firstkey
accept-lifetime 04:00:00 Jan 1 2009 infinite
send-lifetime 04:00:00 Jan 1 2009 infinite
key 2
key-string secondkey
accept-lifetime 04:00:00 Jan 25 2009 infinite
send-lifetime 04:00:00 Jan 25 2009 infinite
Since key 1 is configured to be accepted from the start time onwards even when key 2 is used to send packets, wouldn't this be a security issue should someone acquire the key and key ID? And since no effective end time has been set for sending of key 1, wouldn't that defeat the purpose of multiple keys in the key chain?
Comments
Eildor
Quoting the original post:
I am reading the ROUTE FLG. There is an example for MD5 Authentication with regards to EIGRP routing. I am a bit confused with the example, which is as follows.
key 1
key-string firstkey
accept-lifetime 04:00:00 Jan 1 2009 infinite
send-lifetime 04:00:00 Jan 1 2009 infinite
key 2
key-string secondkey
accept-lifetime 04:00:00 Jan 25 2009 infinite
send-lifetime 04:00:00 Jan 25 2009 infinite
Since key 1 is configured to be accepted from the start time onwards even when key 2 is used to send packets, wouldn't this be a security issue should someone acquire the key and key ID? And since no effective end time has been set for sending of key 1, wouldn't that defeat the purpose of multiple keys in the key chain?
(end of quote)
I'm not a CCNP, so unless someone else verifies what I've said and says it's ok, don't listen to me!
My understanding is that the lowest valid key is used, which in this case is key 1. In order for key 2 to be used for authentication, key 1 must be removed; this is because key 1 will never be invalid, as its send/receive is set to infinite.
bermovick
That's really a bad example, just because it doesn't really show how multiple keys interact. In this example key 2 is completely useless, as EIGRP will only send the first valid key (key 1).
Latest Completed: CISSP
Current goal: Dunno
Netwurk
Here's part of my key config from my 2691 router:
accept-lifetime 18:00:00 Oct 1 2011 20:00:00 Jan 1 2012
send-lifetime 18:00:00 Oct 1 2011 20:00:00 Jan 1 2012
It's the last key in my chain, so I need to make some new ones as obviously it is expired. Cool that you posted this thread to remind me.
Anyhow, the example from the FLG shows you a quick way to make 2 keys. I'm sure if you read on you'll learn how to modify your config to make it useful.
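To make the key-selection rule the replies describe concrete, here is an added Python model (not from the thread, the FLG, or Cisco IOS) that compares the FLG chain with a chain whose key 1 actually stops being sent; the "lowest valid key ID is sent" rule and the one-day accept overlap in the second chain are assumptions, not quoted IOS behaviour.

```python
from datetime import datetime
INFINITE = datetime.max  # stand-in for the IOS keyword "infinite"

def ios_time(text):
    """Parse a timestamp written the way IOS lifetimes are, e.g. '04:00:00 Jan 25 2009'."""
    return datetime.strptime(text, "%H:%M:%S %b %d %Y")

def lifetime(start, end="infinite"):
    """accept-/send-lifetime START END, where END may be the keyword 'infinite'."""
    return (ios_time(start), INFINITE if end == "infinite" else ios_time(end))

class Key:
    """One 'key N' entry: key-string plus (start, end) accept and send windows."""
    def __init__(self, key_id, key_string, accept, send):
        self.key_id, self.key_string, self.accept, self.send = key_id, key_string, accept, send

    def in_window(self, window, now):
        return window[0] <= now <= window[1]

def send_key(chain, now):
    """Sender side, as the replies describe it (an assumed model of IOS, not its code):
    the lowest-numbered key with a valid send-lifetime is the one sent; None if none."""
    valid = [k for k in chain if k.in_window(k.send, now)]
    return min(valid, key=lambda k: k.key_id).key_id if valid else None

def accepted(chain, now, key_id, key_string):
    """Receiver side: the packet's key ID must exist in the chain, be inside its
    accept-lifetime, and carry the matching key-string."""
    return any(k.key_id == key_id and k.key_string == key_string
               and k.in_window(k.accept, now) for k in chain)

# The chain from the FLG example quoted in the thread: every lifetime is open-ended.
FLG_CHAIN = [
    Key(1, "firstkey",  lifetime("04:00:00 Jan 1 2009"),  lifetime("04:00:00 Jan 1 2009")),
    Key(2, "secondkey", lifetime("04:00:00 Jan 25 2009"), lifetime("04:00:00 Jan 25 2009")),
]

# Constructed rollover chain: key 1 stops being sent once key 2 starts, and the
# accept windows overlap by a day so neighbours with skewed clocks keep peering.
ROLLOVER_CHAIN = [
    Key(1, "firstkey",  lifetime("04:00:00 Jan 1 2009", "04:00:00 Jan 26 2009"),
                        lifetime("04:00:00 Jan 1 2009", "04:00:00 Jan 25 2009")),
    Key(2, "secondkey", lifetime("04:00:00 Jan 24 2009"), lifetime("04:00:00 Jan 25 2009")),
]
if __name__ == "__main__":
    for when in ("12:00:00 Jan 10 2009", "12:00:00 Jan 25 2009", "12:00:00 Feb 1 2009"):
        now = ios_time(when)
        print(when, "FLG sends key", send_key(FLG_CHAIN, now), "| rollover chain sends key",
              send_key(ROLLOVER_CHAIN, now), "| old firstkey still accepted there:",
              accepted(ROLLOVER_CHAIN, now, 1, "firstkey"))
```

With the FLG chain the sender never moves off key 1, and a captured firstkey is accepted forever; with bounded lifetimes the sender rolls to key 2 on Jan 25 and firstkey stops being accepted a day later.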
dredlord
Thanks for the feedback. Yes, it does explain further; I was just baffled that such an example was in the book.