Neighbor Router Authentication: Overview and Guidelines
You can prevent your router from accepting fraudulent route updates by configuring neighbor router authentication.
This chapter describes neighbor router authentication as part of a total security plan. It describes what neighbor router authentication is, how it works, and why you should use it to increase your overall network security.
This chapter refers to neighbor router authentication as neighbor authentication. Neighbor router authentication is also sometimes called route authentication.
About Neighbor Authentication
Benefits of Neighbor Authentication
When configured, neighbor authentication occurs whenever neighbor routers exchange routing updates. This authentication ensures that a router receives reliable routing information from a trusted source.
Without neighbor authentication, unauthorized or deliberately malicious routing updates could compromise the security of your network traffic. A security compromise could occur if an unfriendly party diverts or analyzes that traffic. For example, an unauthorized router could send a fictitious routing update to convince your router to send traffic to an incorrect destination. The unfriendly party could analyze the diverted traffic to learn confidential information about your organization or merely use it to disrupt your organization's ability to communicate effectively using the network.
Neighbor authentication prevents your router from accepting any such fraudulent routing updates: an update that does not carry a valid authenticator is discarded rather than installed in the routing table.
Protocols That Use Neighbor Authentication
You can configure neighbor authentication for the following routing protocols:
•Border Gateway Protocol (BGP)
•Director Response Protocol (DRP) Server Agent
•Intermediate System-to-Intermediate System (IS-IS)
•IP Enhanced Interior Gateway Routing Protocol (EIGRP)
•Open Shortest Path First (OSPF)
•Routing Information Protocol (RIP) version 2
When to Configure Neighbor Authentication
You should configure any router for neighbor authentication that
•Uses any of the routing protocols previously mentioned.
•Might conceivably receive a false route update.
•Might compromise the network if it were to receive a false route update.
•Has a neighbor that is already configured for neighbor authentication.
How Neighbor Authentication Works
When you configure a router for neighbor authentication, it authenticates the source of each routing update packet that it receives. The sending router and the receiving router accomplish this by using a shared authenticating key (sometimes called a password) that is configured on both routers; the routing protocol itself never negotiates or distributes the key.
There are two types of neighbor authentication: plain text and Message Digest Algorithm Version 5 (MD5). Both types work the same way, except that MD5 sends a message digest instead of the authenticating key itself. MD5 creates the digest from the key together with the contents of the routing update, so the key is not sent and cannot be read in transit, and any change to the update after it was sent causes the digest check to fail. Plain text authentication sends the authenticating key itself over the wire, where anyone who can capture the packet can read and reuse it. Neither type encrypts the routing information: both authenticate its origin and integrity only.
Note You should not use plain text authentication as part of your security strategy. Use it only to guard against accidental changes to the routing infrastructure, such as an unintended router being connected to a segment. For security, use MD5 authentication instead.
Caution As with all keys, passwords, and other security secrets, you must closely guard authenticating keys used in neighbor authentication. This is because the security benefits of this feature rely on the confidentiality of authenticating keys. Also, when performing router management tasks via Simple Network Management Protocol (SNMP), do not ignore the risk associated with sending keys using non-encrypted SNMP.
Plain Text Authentication
Each participating neighbor router must share an authenticating key. You specify this key at each router during configuration. You can specify multiple keys with some protocols (if so, you must identify each by a key number).
In general, when a router sends a routing update, the following authentication sequence occurs:
Step 1 A router sends a routing update with a key and the corresponding key number to the neighbor router. In protocols that can have only one key, the key number is always zero.
Step 2 The receiving (neighbor) router checks the received key against the same key stored in its own memory.
Step 3 If the two keys match, the receiving router accepts the routing update packet. If the two keys do not match, it rejects the routing update packet.
These protocols use plain text authentication:
•DRP Server Agent
•RIP version 2
MD5 Authentication
MD5 authentication works much like plain text authentication, except that MD5 never sends the key over the wire. Instead, the router uses the MD5 algorithm to produce a message digest (also called a hash) of the routing update combined with the key. The router sends the message digest instead of the key itself, so an eavesdropper on the line cannot learn the key from the packet. The receiving router recomputes the digest with its own copy of the key and accepts the update only if the two digests match. Because a captured digest can still be used to test candidate keys offline, choose long, random key strings rather than dictionary words.
These protocols use MD5 authentication:
•RIP version 2
•IP Enhanced IGRP
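The following Cisco IOS configuration is an added example, not part of the original document, showing the weak setting beside the corrected one: the same key chain applied to an interface first in plain text mode and then in MD5 mode for RIP version 2, with the equivalent MD5 setting for IP Enhanced IGRP. Router interfaces, addresses, the EIGRP autonomous system number and the key string are assumptions.

```cisco
! Added example; not from the original document. Interfaces, addresses,
! autonomous system 100 and the key-string are assumptions.
!
! Shared secret. Both neighbors must carry the identical key-string.
key chain NEIGHBOR-KEYS
 key 1
  key-string Kq9Rt4Wz7Lm2Xc8V
!
! Weak setting: plain text mode places the key-string itself in every
! update. This is also what you get if no mode is configured at all.
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip rip authentication mode text
 ip rip authentication key-chain NEIGHBOR-KEYS
!
! Corrected setting: MD5 mode sends a digest of the update and the key;
! the key-string never appears on the wire.
interface GigabitEthernet0/0
 ip rip authentication mode md5
 ip rip authentication key-chain NEIGHBOR-KEYS
!
! The same pattern for IP Enhanced IGRP, which takes the autonomous
! system number on both commands.
interface GigabitEthernet0/1
 ip address 10.1.2.1 255.255.255.0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 NEIGHBOR-KEYS
!
router rip
 version 2
 network 10.0.0.0
!
router eigrp 100
 network 10.0.0.0
```

Both neighbors on a segment must use the same mode and the same key-string; a mismatch shows up as a missing EIGRP adjacency in show ip eigrp neighbors or as RIP routes that never appear. Note that the key-string is stored in the running configuration in clear text unless service password-encryption is enabled, and even then only in the reversible type 7 format, so treat configuration backups with the same care as the keys themselves.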
Key Management (Key Chains)
You can configure key chains for these IP routing protocols:
•RIP version 2
•IP Enhanced IGRP
•DRP Server Agent
These routing protocols offer the additional function of managing keys by using key chains. When you configure a key chain, you specify a series of keys, each with a lifetime, and the Cisco IOS software rotates through the keys as their lifetimes begin and end. Rotation limits how long any one key is in use, which reduces the damage if a key is compromised.
Each key definition within the key chain must specify a time interval for which that key is activated (its lifetime). Then, during a key's lifetime, routing update packets are sent with this activated key.
Keys cannot be used during time periods for which they are not activated. Therefore, you should ensure that for a given key chain, key activation times overlap to avoid any period of time during which no key is activated. If a time period occurs during which no key is activated, neighbor authentication cannot occur, and therefore routing updates will fail. In Cisco IOS each key has a separate send lifetime and accept lifetime; the overlap belongs in the accept lifetimes, so that a neighbor whose clock differs slightly from yours is still accepted around the changeover.
You can specify multiple key chains.
Note that the router needs to know the time to be able to rotate through keys in synchronization with the other participating routers (so that all routers use the same key at the same moment). Refer to the Network Time Protocol (NTP) and calendar commands in the "Performing Basic System Management" chapter of the Cisco IOS Network Management Configuration Guide for information about configuring time at your router.
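The following Cisco IOS configuration is an added example, not part of the original document, of a key chain with two keys whose lifetimes overlap so that there is no gap during the changeover, applied to a RIP version 2 interface in MD5 mode and backed by NTP so that both neighbors rotate at the same moment. The key chain name, key strings, dates, interface and NTP server address are assumptions.

```cisco
! Added example; not from the original document. Names, dates, key-strings,
! the interface and the NTP server address are assumptions.
!
! Clock source first: lifetimes are compared against the router clock, so
! every router sharing the key chain must agree on the time.
clock timezone UTC 0
ntp server 10.0.0.10
!
key chain NEIGHBOR-KEYS
 ! Key 1 is current. It is sent until the end of June and still accepted
 ! for an hour past that, so a peer whose clock runs slightly behind is
 ! not rejected at the changeover.
 key 1
  key-string Kq9Rt4Wz7Lm2Xc8V
  accept-lifetime 00:00:00 Jan 1 2024 01:00:00 Jul 1 2024
  send-lifetime 00:00:00 Jan 1 2024 00:00:00 Jul 1 2024
 ! Key 2 takes over on 1 July. It is accepted from an hour before it is
 ! first sent, so a peer whose clock runs slightly ahead is not rejected.
 key 2
  key-string Pn3Hd6Yb1Sk5Gf0J
  accept-lifetime 23:00:00 Jun 30 2024 infinite
  send-lifetime 00:00:00 Jul 1 2024 infinite
!
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain NEIGHBOR-KEYS
!
router rip
 version 2
 network 10.0.0.0
```

The send lifetimes abut so that only one key is ever used for sending, while the accept lifetimes overlap by two hours around the changeover. Verify the schedule with show key chain, which lists each key with its lifetimes and marks which are currently valid, and confirm with show ntp status that the clock is synchronized before the first changeover. Because key 2 is configured with an infinite lifetime, add key 3 with its own dates well before you intend to retire key 2; otherwise the chain stops rotating.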
Finding Neighbor Authentication Configuration Information
To find complete configuration information for neighbor authentication, refer to the appropriate section and chapter listed in Table 1.
To find complete configuration information for key chains, refer to the "Managing Authentication Keys" section in the "Configuring IP Routing Protocol-Independent Features" chapter of the Cisco IOS IP Routing: Protocol-Independent Configuration Guide.
© 2007-2009 Cisco Systems, Inc. All rights reserved.