This article continues the IOS XR series with one of the most useful things you can do on the platform: securing neighbor relationships, so that your XR routers form adjacencies only with peers that can authenticate themselves. We will walk through how authenticated neighbor relationships are established for EIGRP, OSPF, and BGP using the keyed-hash authentication these protocols offer (MD5, and on key chains also SHA/HMAC-SHA based algorithms), so that you can approach routing authentication on IOS XR with a straightforward, repeatable method. The article assumes basic familiarity with the Cisco IOS XR CLI (if you need it, see my previous IOS XR posts).


We have already covered how neighbor relationships are built for the various routing protocols on the IOS XR platform, so this time we will secure those neighbor relationships on the topology shown in Fig. 1:

Note: The following configuration is already in place on both routers:

Router xr1:

Sat Apr 11 08:21:24.212 UTC
Building configuration...
!! IOS XR Configuration 5.1.1
!! Last configuration change at Wed Apr 08 16:21:44 2015 by nitin
!
hostname xr1
cdp
!
interface MgmtEth0/0/CPU0/0
 cdp
 ipv4 address 12.1.1.1 255.255.255.252
!
end

Router xr2:

Sat Apr 11 08:42:11.022 UTC
Building configuration...
!! IOS XR Configuration 5.1.1
!! Last configuration change at Wed Apr 08 17:12:32 2015 by nitin
!
hostname xr2
cdp
!
interface MgmtEth0/0/CPU0/0
 cdp
 ipv4 address 12.1.1.2 255.255.255.252
!
end

Let's begin with EIGRP neighbor authentication on the Cisco IOS XR platform.

EIGRP neighbor authentication follows the same approach as on classic IOS: first build a key chain, then apply it to the interfaces that face the neighbors. EIGRP authentication has been supported on IOS XR since release 3.8.0; engineers who report that "EIGRP authentication is not supported on IOS XR" have usually hit an incomplete configuration. For the adjacency to authenticate, the key chain must carry a cryptographic-algorithm and an accept-lifetime/send-lifetime that covers the current time, together with a valid key-string and key-id; a key chain missing any of these will not authenticate the adjacency.

Step 1: Create the key chain (do not forget the cryptographic-algorithm and the accept-/send-lifetime).

(config)# key chain <name>
(config-keychain)# key <key-id>
(config-keychain-key-id)# key-string <string>
(config-keychain-key-id)# cryptographic-algorithm <algorithm>   /* refer to Fig. 2 below for the supported algorithms
(config-keychain-key-id)# accept-lifetime <hh:mm:ss> <day> <month> <year> {infinite | <hh:mm:ss> <day> <month> <year>}
(config-keychain-key-id)# send-lifetime <hh:mm:ss> <day> <month> <year> {infinite | <hh:mm:ss> <day> <month> <year>}
(config-keychain-key-id)# exit

Fig. 2 displays all supported cryptographic algorithms for EIGRP Authentication.

Step 2: Apply the key chain to the EIGRP routing process.

(config)# router eigrp <as-number>
(config-eigrp)# address-family <ipv4 | ipv6>   /* enable the IPv4 or IPv6 address family
(config-eigrp-af)# interface <interface>   /* enable the interface under EIGRP
(config-eigrp-af-if)# authentication keychain <name>   /* enable authentication on this interface
(config-eigrp-af-if)# exit

Objective: Establish an authenticated EIGRP neighbor relationship (refer to Fig. 1). EIGRP process 10 runs between routers xr1 and xr2. Router xr1 must form an MD5-authenticated adjacency with router xr2 using the following parameters:

  • key chain name: “infosec”
  • key-id: 1
  • key-string: “intenseschool”
  • cryptographic-algorithm: MD5

Before adding authentication, the base EIGRP configuration that brings up the adjacency between xr1 and xr2 must already be in place. For that, refer to my previously published article “Routing Fundamentals with IOS XR”.

The following commands configure EIGRP neighbor authentication on both routers xr1 and xr2 to meet the objective. The lifetimes below use the lab routers' clock (UTC, as shown in the running-config timestamps); substitute your own time when you reproduce this, and keep both routers' clocks synchronized (NTP), because each router evaluates accept-lifetime and send-lifetime against its own clock, and a key that is not yet valid on one side will not authenticate.

Router xr1 and xr2:

(config)# key chain infosec
(config-infosec)# key 1
(config-infosec-1)# key-string intenseschool
(config-infosec-1)# cryptographic-algorithm md5
(config-infosec-1)# accept-lifetime 10:16:00 12 April 2015 infinite
(config-infosec-1)# send-lifetime 10:16:00 12 April 2015 infinite
(config-infosec-1)# exit

(config)# router eigrp 10
(config-eigrp)# address-family ipv4
(config-eigrp-af)# interface MgmtEth0/0/CPU0/0
(config-eigrp-af-if)# authentication keychain infosec
(config-eigrp-af-if)# root   /* back to config mode
(config)# commit   /* do not forget to commit; nothing takes effect until you do

After the commit, show eigrp neighbors on either router should list the other router as a neighbor, exactly as in Fig. 3 below:
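The accept-lifetime/send-lifetime rule above is where most "authentication is not supported" tickets come from, so here is a small model of how a key chain is evaluated. This is an added example written for this article, not IOS XR code or output; the dates after 12 April 2015 (the rollover date ROLL, the second key string) are constructed, and the tie-break "lowest key-id among the valid send keys" is an assumption about the platform, not something the article states. It shows two things the configuration above does not: why a key whose lifetime has not opened yet signs nothing, and why a key rollover needs overlapping accept windows when the two routers' clocks disagree.

```python
"""Model of a Cisco-style key chain with accept-/send-lifetimes, showing why
the lifetimes must be valid and why rollover needs overlapping windows."""
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

INFINITE = datetime.max               # stands in for the "infinite" keyword


@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: bytes
    accept_start: datetime            # accept-lifetime <start> ...
    accept_end: datetime              # ... <end> | infinite
    send_start: datetime              # send-lifetime <start> ...
    send_end: datetime                # ... <end> | infinite


@dataclass(frozen=True)
class KeyChain:
    name: str
    keys: List[Key]

    def send_key(self, now: datetime) -> Optional[Key]:
        """Key used to sign outgoing packets: the lowest key-id whose send
        lifetime covers 'now' (assumed tie-break, see the lead-in)."""
        valid = [k for k in sorted(self.keys, key=lambda k: k.key_id)
                 if k.send_start <= now < k.send_end]
        return valid[0] if valid else None

    def accept_key(self, key_id: int, now: datetime) -> Optional[Key]:
        """Key used to check a packet that advertises 'key_id', provided that
        key's accept lifetime covers the receiver's own 'now'."""
        for k in self.keys:
            if k.key_id == key_id and k.accept_start <= now < k.accept_end:
                return k
        return None


def authenticates(sender: KeyChain, sender_clock: datetime,
                  receiver: KeyChain, receiver_clock: datetime) -> bool:
    """Would a packet signed by 'sender' pass 'receiver'?  Each side evaluates
    lifetimes against its OWN clock, which is why clock skew breaks things."""
    k = sender.send_key(sender_clock)
    if k is None:                     # no valid send key: nothing gets signed
        return False
    r = receiver.accept_key(k.key_id, receiver_clock)
    return r is not None and hmac.compare_digest(r.key_string, k.key_string)


# Constructed dates: the page's start time plus an assumed rollover date.
START = datetime(2015, 4, 12, 10, 16)        # "10:16:00 12 April 2015"
ROLL = datetime(2015, 6, 1, 0, 0)            # assumed cut-over to key 2
H = timedelta(hours=1)
AHEAD = ROLL + timedelta(minutes=5)          # a router whose clock is ahead
BEHIND = ROLL - timedelta(minutes=10)        # ... and one that is behind
EARLY = datetime(2015, 4, 12, 8, 21)         # before any lifetime has opened


def strict_chain() -> KeyChain:
    """Back-to-back lifetimes with no overlap: breaks under clock skew."""
    return KeyChain("infosec", [
        Key(1, b"intenseschool", START, ROLL, START, ROLL),
        Key(2, b"newsecret2015", ROLL, INFINITE, ROLL, INFINITE),
    ])


def rollover_chain() -> KeyChain:
    """Accept windows overlap the send cut-over by an hour on each side, so
    peers whose clocks disagree by less than that keep authenticating."""
    return KeyChain("infosec", [
        Key(1, b"intenseschool", START, ROLL + H, START, ROLL),
        Key(2, b"newsecret2015", ROLL - H, INFINITE, ROLL, INFINITE),
    ])


if __name__ == "__main__":
    for name, chain in (("strict", strict_chain()), ("rollover", rollover_chain())):
        print(f"{name:8s} xr1 ahead: {authenticates(chain, AHEAD, chain, BEHIND)}"
              f"  xr1 behind: {authenticates(chain, BEHIND, chain, AHEAD)}")
    print("send key before lifetime opens:", strict_chain().send_key(EARLY))
```

The practical rule this encodes: open the new key's accept-lifetime before its send-lifetime, and close the old key's accept-lifetime after its send-lifetime, by more than the worst clock skew you expect between the two routers.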

So, apart from the choice of cryptographic algorithm, applying EIGRP authentication on IOS XR is much the same as on IOS with slightly different syntax. Now let's look at OSPF authentication.

Securing OSPF adjacencies: OSPFv2 supports three authentication types for forming neighbor relationships:

  • null (no authentication, AuType 0)
  • plain text (simple password, AuType 1)
  • MD5 (cryptographic authentication, AuType 2)

You can refer to our previously published IOS-based articles for the finer technical points of the OSPF routing protocol. Let's examine all three OSPF authentication techniques on IOS XR.

Syntax to configure OSPF null authentication

(config)# router ospf <process-id>   /* the OSPF process id is locally significant
(config-ospf)# area <area-id>
(config-ospf-ar)# authentication null
(config-ospf-ar)# interface <interface>

Syntax to configure OSPF plain text authentication

(config)# router ospf <process-id>   /* the OSPF process id is locally significant
(config-ospf)# area <area-id>
(config-ospf-ar)# authentication   /* "authentication" on its own selects simple password authentication
(config-ospf-ar)# interface <interface>
(config-ospf-ar-if)# authentication-key <password>

Syntax to configure OSPF MD5 authentication

(config)# router ospf <process-id>   /* the OSPF process id is locally significant
(config-ospf)# area <area-id>
(config-ospf-ar)# authentication message-digest
(config-ospf-ar)# interface <interface>
(config-ospf-ar-if)# message-digest-key <key-id> md5 <key>

IOS XR OSPF also supports key-chain-based MD5 authentication, so the same key chain mechanism used for EIGRP, including key rollover through lifetimes, can protect OSPF. The command is shown here at process level; it can equally be applied under an area or an interface:

Syntax to configure OSPF MD5 key-chain-based authentication

(config)# router ospf <process-id>   /* the OSPF process id is locally significant
(config-ospf)# authentication message-digest keychain <name>

Objective: Establish an authenticated OSPF neighbor relationship between routers xr1 and xr2 (refer to Fig. 1). OSPF process 1 with area 0 is configured between xr1 and xr2. Router xr1 must form its OSPF adjacency with xr2 using MD5 authentication with the key-string “intenseschool”.

As discussed in previous articles, IOS XR does not use the traditional “network” command to form IGP adjacencies or advertise networks; instead you enable the required interfaces under the routing process as per the topology in Fig. 1. OSPF interfaces can only be enabled under an area, so you first define an area id under the routing process and then list the interfaces at the OSPF area prompt “(config-ospf-ar)#”.

The following commands fulfill the objective:

Router xr1 and xr2:

(config)# router ospf 1
(config-ospf)# area 0
(config-ospf-ar)# authentication message-digest
(config-ospf-ar)# interface MgmtEth0/0/CPU0/0
(config-ospf-ar-if)# message-digest-key 1 md5 intenseschool
(config-ospf-ar-if)# root   /* back to config mode
(config)# commit   /* apply the configuration to the running configuration

After the commit, show ospf neighbor should report the adjacency with xr2 in FULL state, as in Fig. 4 below:

OSPF also supports process-level authentication, with either plain text or MD5, which every area and interface under the process inherits unless configured otherwise; Fig. 5 shows the options available at the OSPF process prompt.
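To make clear what message-digest-key 1 md5 actually does on the wire (and what a receiving router checks), here is the OSPFv2 cryptographic authentication procedure from RFC 2328, Appendix D, applied to a Hello from xr1. This is an added example written for this article, not Cisco code; the Hello contents (router ID 12.1.1.1, area 0, the sequence number) are constructed to match the lab topology. Two details matter in practice: the MD5 key is exactly 16 bytes (shorter keys are zero-padded, longer ones truncated, so only the first 16 characters of a key are significant), and the cryptographic sequence number is what gives replay protection, which a plain text password never does.

```python
"""OSPFv2 cryptographic (MD5) authentication as specified in RFC 2328,
Appendix D: sign a Hello, then verify it the way a receiving router does."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address
from typing import Dict, Optional

AU_TYPE_CRYPTO = 2      # AuType value for cryptographic authentication
DIGEST_LEN = 16         # MD5 digest appended after the OSPF packet


def ospf_key(key_string: bytes) -> bytes:
    """The MD5 key is exactly 16 bytes: shorter strings are zero-padded and
    longer ones truncated, so only the first 16 characters of a key matter."""
    return key_string.ljust(DIGEST_LEN, b"\x00")[:DIGEST_LEN]


def hello_packet(router_id: str, area_id: str, key_id: int, seq: int,
                 netmask: str = "255.255.255.252",
                 hello: int = 10, dead: int = 40) -> bytes:
    """OSPF header + Hello body.  With AuType 2 the 8-byte Authentication field
    carries (0, key ID, auth data length, cryptographic sequence number) and
    the OSPF checksum is left at zero (it is not used with crypto auth)."""
    body = (IPv4Address(netmask).packed
            + struct.pack("!HBBI", hello, 0x02, 1, dead)   # options=E, priority 1
            + bytes(8))                                    # DR and BDR = 0.0.0.0
    length = 24 + len(body)                                # digest NOT counted
    header = struct.pack("!BBH4s4sHH", 2, 1, length,
                         IPv4Address(router_id).packed, IPv4Address(area_id).packed,
                         0, AU_TYPE_CRYPTO)
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    return header + auth + body


def sign(packet: bytes, key_string: bytes) -> bytes:
    """D.4.3: digest = MD5(packet || 16-byte key), appended after the packet."""
    return packet + hashlib.md5(packet + ospf_key(key_string)).digest()


def verify(frame: bytes, keys: Dict[int, bytes],
           last_seq: Optional[int] = None) -> bool:
    """D.4.4: look the advertised key ID up in the receiver's own key table,
    recompute the digest over the packet (not the trailer), compare in constant
    time, then enforce a non-decreasing sequence number against replay."""
    if len(frame) < 24 + DIGEST_LEN:
        return False
    length = struct.unpack("!H", frame[2:4])[0]
    checksum, au_type = struct.unpack("!HH", frame[12:16])
    _, key_id, auth_len, seq = struct.unpack("!HBBI", frame[16:24])
    if (au_type != AU_TYPE_CRYPTO or auth_len != DIGEST_LEN or checksum != 0
            or len(frame) != length + DIGEST_LEN or key_id not in keys):
        return False
    expected = hashlib.md5(frame[:length] + ospf_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, frame[length:]):
        return False
    return last_seq is None or seq >= last_seq


# Constructed sample: xr1's Hello in area 0, signed with the page's key.
KEY_ID, SEQ = 1, 1428833760
FRAME = sign(hello_packet("12.1.1.1", "0.0.0.0", KEY_ID, SEQ), b"intenseschool")
TAMPERED = FRAME[:4] + IPv4Address("12.1.1.3").packed + FRAME[8:]  # forged router ID

if __name__ == "__main__":
    print("good key :", verify(FRAME, {KEY_ID: b"intenseschool"}))
    print("wrong key:", verify(FRAME, {KEY_ID: b"intenceschool"}))
    print("tampered :", verify(TAMPERED, {KEY_ID: b"intenseschool"}))
    print("replayed :", verify(FRAME, {KEY_ID: b"intenseschool"}, last_seq=SEQ + 1))
```

Because the digest is plain MD5 over packet plus key rather than an HMAC, the key ID in the clear and the zero-padding behaviour are worth remembering when you audit captures: two routers configured with keys that agree in their first 16 characters will authenticate each other even though the configured strings differ.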

BGP neighbor authentication: Now let's see how to secure BGP neighbor relationships, which matters most where peers sit in other administrative domains. On IOS XR the key chain is used to sign the BGP TCP session with the TCP MD5 signature option (RFC 2385), so every segment of the session, not only the OPEN message, is authenticated. BGP neighbor authentication can be applied to both iBGP and eBGP peers, and the commands are the same for both neighbor types. As with EIGRP, first build a key chain, then apply it to the respective neighbor.

Syntax to configure BGP Neighbor Authentication:

Step 1: Create the key chain

(config)# key chain <name>
(config-keychain)# key <key-id>
(config-keychain-key-id)# key-string <string>
(config-keychain-key-id)# cryptographic-algorithm <algorithm>

Step 2: Apply the key chain to the neighbor

(config)# router bgp <as-number>
(config-bgp)# neighbor <ip-address>
(config-bgp-nbr)# remote-as <as-number>
(config-bgp-nbr)# keychain <name>

Objective: Establish BGP neighbor authentication (refer to Fig. 1). Routers xr1 and xr2 are iBGP peers. Router xr1 must establish an authenticated neighbor relationship with router xr2 using only the following parameters:

  • key chain name: “infosec”
  • key-id: 99
  • key-string: “intenseschool”
  • cryptographic-algorithm: MD5

Before applying neighbor authentication, the base BGP configuration that brings up the session between xr1 and xr2 must already be in place. For that, refer to my previously published article “Routing Fundamentals with IOS XR part II”.

The following commands are applied on routers xr1 and xr2 to achieve the objective (the neighbor address shown is for xr1; on xr2 the neighbor is 12.1.1.1):

Router xr1 and xr2:

(config)# key chain infosec
(config-infosec)# key 99
(config-infosec-99)# key-string intenseschool
(config-infosec-99)# cryptographic-algorithm md5
(config-infosec-99)# exit
(config)# router bgp 10
(config-bgp)# neighbor 12.1.1.2
(config-bgp-nbr)# remote-as 10
(config-bgp-nbr)# keychain infosec
(config-bgp-nbr)# root
(config)# commit

Fig. 6 shows the output of show bgp ipv4 unicast summary on router xr1, with BGP peer 12.1.1.2 in the Established state.
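Since the BGP key chain ends up as a TCP MD5 signature (RFC 2385), it is worth seeing what that signature covers. The following is an added example written for this article, not Cisco code: it builds the SYN that xr1 would send to xr2's port 179 carrying the MD5 option and then verifies it as the receiving TCP stack does. The source port, sequence number, and the layout of the option block are constructed; the IP/TCP checksums are not computed, which does not affect the result because the signature is defined over a zeroed checksum. The point the configuration alone does not show: the digest includes the IP pseudo-header, so a segment replayed or injected from a different source address fails even with the right key, and a segment with no signature at all is dropped on a keyed session.

```python
"""TCP MD5 signature option (RFC 2385): the mechanism a BGP key chain with
cryptographic-algorithm md5 drives.  Builds a signed SYN to port 179 and
verifies it the way the receiving TCP stack does."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

OPT_MD5, OPT_MD5_LEN = 19, 18      # option kind and length (kind+len+16 bytes)
BGP_PORT = 179
IPPROTO_TCP = 6


def md5_signature(src: str, dst: str, header: bytes, data: bytes, key: bytes) -> bytes:
    """RFC 2385 section 2: MD5 over (1) the pseudo-header, (2) the fixed TCP
    header with checksum zeroed and options excluded, (3) the data, (4) the key.
    Unlike OSPF, the key is used as-is, with no padding or truncation."""
    seg_len = (header[12] >> 4) * 4 + len(data)          # header+options+data
    pseudo = (IPv4Address(src).packed + IPv4Address(dst).packed
              + struct.pack("!BBH", 0, IPPROTO_TCP, seg_len))
    fixed = header[:16] + b"\x00\x00" + header[18:20]     # checksum := 0
    return hashlib.md5(pseudo + fixed + data + key).digest()


def build_syn(src: str, dst: str, sport: int, seq: int, key: bytes,
              data: bytes = b"") -> bytes:
    """A SYN towards BGP carrying the MD5 option plus two NOPs so the option
    block is a multiple of 4 bytes.  (Checksums are not computed here; the
    signature is defined over a zero checksum anyway.)"""
    options_len = OPT_MD5_LEN + 2
    data_offset = (20 + options_len) // 4                 # in 32-bit words
    header = struct.pack("!HHIIBBHHH", sport, BGP_PORT, seq, 0,
                         data_offset << 4, 0x02, 65535, 0, 0)   # flags: SYN
    digest = md5_signature(src, dst, header, data, key)
    options = bytes([OPT_MD5, OPT_MD5_LEN]) + digest + b"\x01\x01"
    return header + options + data


def verify_segment(src: str, dst: str, segment: bytes, key: bytes) -> bool:
    """Receiver: walk the option list, find kind 19, recompute and compare in
    constant time.  A segment with no signature on a keyed session is dropped."""
    if len(segment) < 20:
        return False
    data_offset = (segment[12] >> 4) * 4
    header, options, data = segment[:20], segment[20:data_offset], segment[data_offset:]
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                           # malformed option list
        length = options[i + 1]
        if kind == OPT_MD5 and length == OPT_MD5_LEN:
            expected = md5_signature(src, dst, header, data, key)
            return hmac.compare_digest(options[i + 2:i + length], expected)
        i += length
    return False


# Constructed sample: xr1 opening the BGP session to xr2 with the page's key.
KEY = b"intenseschool"
SYN = build_syn("12.1.1.1", "12.1.1.2", 49152, 1000, KEY)
UNSIGNED = SYN[:12] + bytes([5 << 4]) + SYN[13:20]        # same SYN, options stripped

if __name__ == "__main__":
    print("signed, right key :", verify_segment("12.1.1.1", "12.1.1.2", SYN, KEY))
    print("wrong key         :", verify_segment("12.1.1.1", "12.1.1.2", SYN, b"wrong"))
    print("spoofed source    :", verify_segment("12.1.1.3", "12.1.1.2", SYN, KEY))
    print("no signature      :", verify_segment("12.1.1.1", "12.1.1.2", UNSIGNED, KEY))
```

The algorithm is still plain MD5 over a secret suffix, which is why the key chain's cryptographic-algorithm md5 is the only choice that maps to RFC 2385; a key chain also lets you rotate that password with lifetimes instead of the fixed "password" neighbor option.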

I hope you are enjoying these IOS XR command references and becoming more comfortable with each article. I will continue the IOS XR journey with more technical topics, and I would like to read your feedback and your Intenseschool.com experience in the comments section.

