Is Time Synchronization Required for MD5 EIGRP Auth other than for Key Lifetimes?

James Hand
Level 1

Some documents (e.g. "EIGRP Message Authentication configuration Example", http://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/82110-eigrp-authentication.html) seem to indicate time synchronization is generally needed for EIGRP MD5 Authentication to work.

Other documents (e.g. the "Configuring EIGRP" chapter from the document "IP Routing EIGRP Configuration Guide Cisco IOS Release 12.2SY" http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/12-2sy/eigrp-12-2sy-book/ire-cfg-eigrp.html) seem to indicate that it's needed primarily to manage key lifetimes.

Note that at least some releases on ASAs don't support key chains or key lifetimes.  If that's the environment you're in, do you need time synchronization for EIGRP adjacencies to work?  Or to turn it around a little bit, to pose it as a technical detail question, rather than a larger design question, what would the impact be on MD5-authenticated EIGRP adjacencies if NTP time synchronization were to fail on one or both routers, assuming the use of infinite key lifetimes and/or devices that did not use key chains?

Wireshark traces don't show any evidence of timestamps being sent in MD5-authenticated EIGRP packets.  And in GNS3 simulations, MD5-authenticated adjacencies appear to come up and stay up even when the time on the peers has been set to be years apart.

Many thanks.


9 Replies

Hello,

Time synchronization is not needed if just one MD5 key is used. If you use a keychain for MD5 authentication, you need to activate NTP for time synchronization. The reason is, routers must use the same key within the keychain for authentication at a specific time.

https://books.google.com/books?id=f5KssgEfd1IC&pg=PA146&lpg=PA146&dq=eigrp+time+synchronization&source=bl&ots=8NlVdLDKaz&sig=HQMYefXyWj7hNde0uF944ltghNo&hl=en&sa=X&ved=0CDkQ6AEwBGoVChMIt7XN_8aHyQIVAkwmCh2pigqN#v=onepage&q=eigrp%20time%20synchronization&f=false

Hope it helps,

Masoud

Many thanks for your help, Masoud.

Peter Paluch
Cisco Employee

James,

To add to Masoud's very good answer, it is indeed true that for common protocols such as EIGRP, the MD5 serves only to verify the integrity and authenticity of the message but it is not related to the sender's or receiver's local time. The particular time value is not fed into the MD5 computation.

The time comes into play if the particular key (even a single one) is configured in the key chain with accept-lifetime or send-lifetime commands that limit its usable duration for either purpose. Even then, however, the time is only used to determine whether the key is usable at all, but once it is deemed usable, the time is again irrelevant.

Best regards,
Peter

Thanks Peter for your point.

If accept-lifetime or send-lifetime are not configured, how does a router determine which key in the keychain must be used? Is it not based on the time? One router may use a key and the other router may use another key in the chain, causing failure in authentication. Is it not true?

Thanks

Hi Masoud,

Specifically for EIGRP, these rules apply:

  • For signing outgoing EIGRP packets, select the key with the lowest key number whose send-lifetime is still valid. Having no send-lifetime configured is equivalent to having a key whose send-lifetime is always valid. As a result, if no key in a key-chain has its send-lifetime configured, simply the key with the lowest number will be used to sign an outbound EIGRP packet. The particular key number that was used to sign this particular packet will be inserted into the packet. If there is no valid key for sending in the key chain, the packet will not be digitally signed.
  • For verifying incoming EIGRP packets, look up the key with the key number that was indicated in the received packet in the key chain. If no key with such number exists, or if that key's accept-lifetime has expired, the authentication fails automatically. Otherwise, the MD5 checksum is calculated based on the received packet contents and the key and is compared with the MD5 checksum received in the packet. If they match, the authentication succeeds, otherwise it fails.

Feel welcome to ask further!

Best regards,
Peter
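The two rules in Peter's answer above, together with Masoud's earlier point that a single key without lifetimes needs no clock agreement, can be modelled in a few lines. The following is an added example, not Cisco code and not the EIGRP wire format: the key chain, the lowest-valid-key-number selection for sending, the key-ID lookup plus accept-lifetime check for receiving, and the clock-skew scenarios are constructed here. The digest construction (HMAC-MD5 over the packet bytes) is an assumed stand-in, since the thread itself notes the draft does not spell out what the real keyed-MD5 hash covers.

```python
"""Toy model of EIGRP key-chain selection (constructed example, not Cisco code).

Rule 1 (sending): pick the lowest-numbered key whose send-lifetime is valid now;
                  a key with no send-lifetime is always valid; no valid key -> unsigned.
Rule 2 (receiving): look up the key number carried in the packet; unknown key or
                    expired accept-lifetime -> fail; otherwise recompute and compare.
The hash itself is HMAC-MD5 here purely as a stand-in for the real keyed MD5.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Lifetime = Optional[Tuple[int, int]]  # (start, end) in epoch seconds; None = always valid


@dataclass
class Key:
    number: int
    secret: bytes
    send_lifetime: Lifetime = None
    accept_lifetime: Lifetime = None

    def can_send(self, now: int) -> bool:
        return self.send_lifetime is None or self.send_lifetime[0] <= now <= self.send_lifetime[1]

    def can_accept(self, now: int) -> bool:
        return self.accept_lifetime is None or self.accept_lifetime[0] <= now <= self.accept_lifetime[1]


class KeyChain:
    def __init__(self, keys: List[Key]) -> None:
        self.keys: Dict[int, Key] = {k.number: k for k in keys}

    def select_send_key(self, now: int) -> Optional[Key]:
        # Lowest key number wins among keys whose send-lifetime is valid right now.
        for key in sorted(self.keys.values(), key=lambda k: k.number):
            if key.can_send(now):
                return key
        return None


def digest(key: Key, payload: bytes) -> bytes:
    # Stand-in for the keyed-MD5 computation; note that no timestamp is an input.
    return hmac.new(key.secret, payload, hashlib.md5).digest()


def sign_packet(chain: KeyChain, payload: bytes, now: int) -> Optional[dict]:
    key = chain.select_send_key(now)
    if key is None:
        return None  # no usable key: the packet goes out without authentication data
    return {"key_id": key.number, "payload": payload, "digest": digest(key, payload)}


def verify_packet(chain: KeyChain, packet: dict, now: int) -> bool:
    key = chain.keys.get(packet["key_id"])
    if key is None or not key.can_accept(now):
        return False  # unknown key number or expired accept-lifetime: automatic failure
    return hmac.compare_digest(digest(key, packet["payload"]), packet["digest"])


TEN_YEARS = 10 * 365 * 86400


def demo() -> Dict[str, object]:
    """Run the clock-skew scenarios discussed in the thread and return the outcomes."""
    # Scenario A: no lifetimes anywhere. Peer clocks differ by ten years.
    chain_a = KeyChain([Key(2, b"key-two"), Key(1, b"key-one")])
    pkt_a = sign_packet(chain_a, b"EIGRP HELLO (constructed)", now=0)
    # Scenario B: key 1 limited to [100, 200]; receiver clock outside that window.
    chain_b = KeyChain([Key(1, b"key-one", send_lifetime=(100, 200), accept_lifetime=(100, 200))])
    pkt_b = sign_packet(chain_b, b"EIGRP HELLO (constructed)", now=150)
    return {
        "a_key_used": pkt_a["key_id"],                                  # lowest number: 1
        "a_verifies_with_skew": verify_packet(chain_a, pkt_a, now=TEN_YEARS),  # True
        "b_verifies_in_window": verify_packet(chain_b, pkt_b, now=150),        # True
        "b_verifies_out_of_window": verify_packet(chain_b, pkt_b, now=300),    # False
        "b_unsigned_before_window": sign_packet(chain_b, b"x", now=50) is None,  # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Scenario A is the case James observed in GNS3: with no lifetimes configured, the receiver's clock can be years off and the digest still verifies, because time never enters the computation. Scenario B is the case where NTP matters: the same key is still correct, but the receiver's view of the accept-lifetime decides whether it is even consulted.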

Thanks for your complete answer.

Masoud

Thanks all.

FWIW, I took a look at the EIGRP Internet Draft to see if I could find something definitive there.  The Authentication TLV and MD5 (as well as SHA-2) authentication are described, but the description appears to be incorrect.  It doesn't mention the Key ID, nor does it describe what data the MD5 hash is calculated over.

James,

The EIGRP draft is currently incomplete on the topic of authentication - it basically does not tell at all how the authentication is being done step-by-step. The next draft revision will include the details about authentication as well.

Best regards,
Peter
