Solved: Keychain - OSPF

simoesmarco8626982 · ‎12-15-2021

Hi all,

hope to find everyone well

I was told that we could use keychains in OSPF where the routing protocol would automatically change the key from time to time and all the switches / routers (in my case 7 Catalyst Switches) would automatically update to that specific key. Like for example, I could have 10 keys and the protocol would change automatically from those 10 programmed keys.

Is this possible to do? Since I never did anything like this, is it possible for this to be explained please?

Thank you in advance

Georg Pauwen · ‎12-15-2021

Hello,

OSPFv2 cryptographic authentication lets you set different keys with the 'send lifetime' parameter, you could use e.g. an EEM script to change those keys automatically at certain intervals...is that what you are looking for ?

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/xe-3s/iro-xe-3s-book/iro-ospfv2-crypto-authen-xe.html

View solution in original post

Seb Rupik · ‎12-15-2021

Hi there,

Yes, it is possible to create a keychain with up to 255 keys allocated to it. Each key has a defined lifetime given as a start and end (or infinite) date. When a keys lifetime expires the key with the next valid and longest lifetime is selected. It is obviously imperative that all devices using a shared keychain for authentication are synchronised to the same NTP time source.

Key chain authentication is only supported for OSPFv2, IPSec is used for OSPFv3. Although I don't have an device to confirm, it looks like OSPFv2 support keychains was dropped in IOS-XE >= 17.x

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/xe-16-5/iro-xe-16-5-book/iro-ospfv2-crypto-authen-xe.html

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/xe-16-5/iro-xe-16-5-book/ip6-route-ospfv3-auth-ipsec.html

cheers,

Seb.

View solution in original post

paul driver · ‎12-16-2021

Hello
Just to add an example of ospf key chain authentication which can be added to any ospf routed interface or SVI..

The key will be sent in every ospf hello and obviously if a mismatch is seen the adjacency wont come up or if manually changed and mismatched will be torn down.

Below shows differing accept /send lifetimes which overlap so no loss of communication is incurred as keys are changing.

Example:

key chain stan
key 1
key-string 12345
accept-lifetime 00:00:00 JAN 1 2022 23:59:59 MAR 31 2022
send-lifetime 00:00:00 JAN 1 2022 23:59:59 FEB 28 2022
cryptographic-algorithm hmac-sha-512

key 2
key-string 23456
accept-lifetime 00:00:00 MAR 30 2022 23:59:59 MAY 29 2022
send-lifetime 00:00:00 FEB 28 2022 23:59:59 APRIL 30 2022
cryptographic-algorithm hmac-sha-512

key 3
key-string 34567
accept-lifetime 00:00:00 MAY 28 2022 23:59:59 AUG 31 2022
send-lifetime 00:00:00 APRIL 30 2022 23:59:59 JULY 30 2022
cryptographic-algorithm hmac-sha-512

key 4
key-string 78910
accept-lifetime 00:00:00 AUG 30 2022 23:59:59 OCT 31 2022
send-lifetime 00:00:00 JULY 30 2022 23:59:59 SEPT 31 2022
cryptographic-algorithm hmac-sha-512

key 5
key-string 11121
accept-lifetime 00:00:00 OCT 30 2022 23:59:59 DEC 31 2022
send-lifetime 00:00:00 SEPT 30 2022 23:59:59 NOV 31 2022
cryptographic-algorithm hmac-sha-512

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

Georg Pauwen · ‎12-15-2021

Hello,

OSPFv2 cryptographic authentication lets you set different keys with the 'send lifetime' parameter, you could use e.g. an EEM script to change those keys automatically at certain intervals...is that what you are looking for ?

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/xe-3s/iro-xe-3s-book/iro-ospfv2-crypto-authen-xe.html

Seb Rupik · ‎12-15-2021

Hi there,

Yes, it is possible to create a keychain with up to 255 keys allocated to it. Each key has a defined lifetime given as a start and end (or infinite) date. When a keys lifetime expires the key with the next valid and longest lifetime is selected. It is obviously imperative that all devices using a shared keychain for authentication are synchronised to the same NTP time source.

Key chain authentication is only supported for OSPFv2, IPSec is used for OSPFv3. Although I don't have an device to confirm, it looks like OSPFv2 support keychains was dropped in IOS-XE >= 17.x

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/xe-16-5/iro-xe-16-5-book/iro-ospfv2-crypto-authen-xe.html

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/xe-16-5/iro-xe-16-5-book/ip6-route-ospfv3-auth-ipsec.html

cheers,

Seb.

simoesmarco8626982 · ‎12-16-2021

Thank you very much for the replies!

I was seeing that we need to introduce the command on the interface, is it ok for this command to be introduced in the vlan instead of the physical interface?

Thank you

paul driver · ‎12-16-2021