12-15-2021 10:33 AM
Hi all,
hope to find everyone well
I was told that we could use keychains in OSPF where the routing protocol would automatically change the key from time to time and all the switches / routers (in my case 7 Catalyst Switches) would automatically update to that specific key. Like for example, I could have 10 keys and the protocol would change automatically from those 10 programmed keys.
Is this possible to do? Since I never did anything like this, is it possible for this to be explained please?
Thank you in advance
12-15-2021 12:54 PM
Hello,
OSPFv2 cryptographic authentication lets you set different keys with the 'send-lifetime' parameter; you could use e.g. an EEM script to change those keys automatically at certain intervals... Is that what you are looking for?
12-15-2021 12:54 PM
Hi there,
Yes, it is possible to create a keychain with up to 255 keys allocated to it. Each key has a defined lifetime given as a start and end (or infinite) date. When a key's lifetime expires, the key with the next valid and longest lifetime is selected. It is obviously imperative that all devices using a shared keychain for authentication are synchronised to the same NTP time source.
Key chain authentication is only supported for OSPFv2; IPsec is used for OSPFv3. Although I don't have a device to confirm, it looks like OSPFv2 support for keychains was dropped in IOS-XE >= 17.x
cheers,
Seb.
12-16-2021 06:24 AM
Hello
Just to add an example of OSPF key chain authentication, which can be added to any OSPF routed interface or SVI.
The key will be sent in every OSPF hello, and obviously if a mismatch is seen the adjacency won't come up, or if manually changed and mismatched it will be torn down.
Below shows differing accept/send lifetimes which overlap, so no loss of communication is incurred as keys are changing.
Example:
key chain stan
 key 1
  key-string 12345
  accept-lifetime 00:00:00 Jan 1 2022 23:59:59 Mar 31 2022
  send-lifetime 00:00:00 Jan 1 2022 23:59:59 Feb 28 2022
  cryptographic-algorithm hmac-sha-512
 key 2
  key-string 23456
  accept-lifetime 00:00:00 Mar 30 2022 23:59:59 May 29 2022
  send-lifetime 00:00:00 Feb 28 2022 23:59:59 Apr 30 2022
  cryptographic-algorithm hmac-sha-512
 key 3
  key-string 34567
  accept-lifetime 00:00:00 May 28 2022 23:59:59 Aug 31 2022
  send-lifetime 00:00:00 Apr 30 2022 23:59:59 Jul 30 2022
  cryptographic-algorithm hmac-sha-512
 key 4
  key-string 78910
  accept-lifetime 00:00:00 Aug 30 2022 23:59:59 Oct 31 2022
  send-lifetime 00:00:00 Jul 30 2022 23:59:59 Sep 30 2022
  cryptographic-algorithm hmac-sha-512
 key 5
  key-string 11121
  accept-lifetime 00:00:00 Oct 30 2022 23:59:59 Dec 31 2022
  send-lifetime 00:00:00 Sep 30 2022 23:59:59 Nov 30 2022
  cryptographic-algorithm hmac-sha-512
12-16-2021 02:14 AM
Thank you very much for the replies!
I was seeing that we need to introduce the command on the interface; is it OK for this command to be introduced on the VLAN instead of the physical interface?
Thank you
12-16-2021 07:09 AM
Thank you very much Paul, and thank you for the examples.
I was just trying this, the issue is, that I'm applying this in a production environment, and I hope everything will go smoothly...
Thank you all for all the help
12-16-2021 07:14 AM
Hello
Be aware that when you apply this on the interface, the OSPF adjacency will drop until it's applied on both sides.
12-16-2021 07:19 AM
Applied the chain a few moments ago, but gave the key a validity starting 30 minutes in the future, and I'm waiting now for the key to start being valid...
Was expecting that while the key was not valid OSPF would continue to run, but this doesn't happen: authentication is automatically activated with Key 0 and authentication unknown, and the link went off... Now I'm waiting for the configured time to arrive for the key to become valid and to see everything start working once again... Newbie mistake
Thank you for the help Paul
03-17-2022 09:45 AM
Hi Paul,
I was just looking at this subject again and was doing some tests instead of using a lifetime key.
I followed the example, but just to confirm, is this correct? Will the system always be available when the keys change? Just wanted to have confirmation please
key chain Test
 key 1
  key-string asdasda
  accept-lifetime local 15:30:00 Dec 16 2021 10:00:00 Jun 13 2022
  send-lifetime local 15:30:00 Dec 16 2021 10:00:00 May 13 2022
  cryptographic-algorithm hmac-sha-256
 key 2
  key-string asdads
  accept-lifetime local 10:00:00 Jun 12 2022 10:00:00 Dec 12 2022
  send-lifetime local 09:59:59 May 13 2022 10:00:00 Nov 12 2022
  cryptographic-algorithm hmac-sha-256
 key 3
  key-string asdasd
  accept-lifetime local 10:00:00 Dec 11 2022 10:00:00 Jun 13 2023
  send-lifetime local 09:59:59 Nov 12 2022 10:00:00 May 13 2023
  cryptographic-algorithm hmac-sha-256
 key 4
  key-string fasfaas
  accept-lifetime local 10:00:00 Jun 12 2023 10:00:00 Dec 12 2023
  send-lifetime local 09:59:59 May 13 2023 10:00:00 Nov 12 2023
  cryptographic-algorithm hmac-sha-256
 key 5
  key-string asdas
  accept-lifetime local 10:00:00 Dec 11 2023 10:00:00 Jun 13 2024
  send-lifetime local 09:59:59 Nov 12 2023 10:00:00 May 13 2024
  cryptographic-algorithm hmac-sha-256
 key 6
  key-string sadas
  accept-lifetime local 10:00:00 Jun 12 2024 10:00:00 Dec 12 2024
  send-lifetime local 09:59:59 May 13 2024 10:00:00 Nov 12 2024
  cryptographic-algorithm hmac-sha-256
Thank you
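A way to check a rollover plan like Paul's example or the chain in the post above before applying it, written here as an added example (not from the thread, and not Cisco code): it parses an IOS-style key chain and flags any key that is sent while peers with the same chain would not yet (or no longer) accept it, plus any instant with no valid send key at all. The SAMPLE chain is constructed; its key 2 starts sending a month before its accept-lifetime begins, the same pattern as keys 2 to 6 in the chain above, so the check flags it.

```python
# Added example: validate send/accept lifetimes of an IOS-style key chain.
import re
from datetime import datetime

# Constructed chain in the thread's format. Key 2 is sent from May 13 but only
# accepted from Jun 12, so a same-chain peer rejects it for a month.
SAMPLE = """
 key 1
  accept-lifetime local 15:30:00 Dec 16 2021 10:00:00 Jun 13 2022
  send-lifetime local 15:30:00 Dec 16 2021 10:00:00 May 13 2022
 Key 2
  accept-lifetime local 10:00:00 Jun 12 2022 infinite
  send-lifetime local 09:59:59 May 13 2022 10:00:00 Nov 12 2022
"""
TIME = r"\d\d:\d\d:\d\d [A-Za-z]+ \d\d? \d{4}"
LIFETIME = re.compile(rf"^(accept|send)-lifetime(?: local)? ({TIME}) (infinite|{TIME})$")

def parse_time(text):
    if text == "infinite":
        return datetime.max
    for fmt in ("%H:%M:%S %b %d %Y", "%H:%M:%S %B %d %Y"):  # Jan or January
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    raise ValueError(f"invalid lifetime date: {text!r}")  # e.g. 'Nov 31 2022'

def parse_chain(config):
    # Returns {key_id: {"accept": (start, end), "send": (start, end)}}
    keys, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"^key (\d+)$", line, re.I):
            current = int(m.group(1))
            keys[current] = {}
        elif m := LIFETIME.match(line):
            keys[current][m.group(1)] = (parse_time(m.group(2)), parse_time(m.group(3)))
    return keys

def check_chain(keys):
    # Returns a list of problems; an empty list means no rollover gap.
    problems = []
    for kid, life in sorted(keys.items()):
        (ss, se), (as_, ae) = life["send"], life["accept"]
        if ss < as_ or se > ae:  # peers would reject this key while we send it
            problems.append(f"key {kid}: sent outside its accept-lifetime")
    sends = sorted(v["send"] for v in keys.values())
    for (_, prev_end), (start, _) in zip(sends, sends[1:]):
        if start > prev_end:  # no valid send key at all: the adjacency drops
            problems.append(f"no send key between {prev_end} and {start}")
    return problems
```

Moving key 2's accept-lifetime start back to the moment key 1 stops being sent (as Paul's example does, with accept windows wider than send windows) clears the finding.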