eigrp authentication key chain.

sarahr202
Level 5

Hi everybody.

Please consider the following example:

R1-------------------------R2

R1:

key 1 lee1

key 2 lee2

My book says when R1 receives an EIGRP packet, it will try the lowest valid key first to authenticate the packet.

I put this claim to the test as follows:

R1--------------------------R2

R1

key chain lee

key 1 lee1

key 2 lee2

R2:

key chain lee

key 2 lee2.

R2 sends a hello packet to R1 using key 2.

Based on the book, R1 should use key 1 (lee1) to authenticate the EIGRP packet received from R2, and as a result authentication should fail.

But I noticed that the key to be used by the receiving router is determined by the key id field in the received EIGRP packet. In my example, R2 sends a hello to R1 using key 2. R1 receives the hello and sees key id 2. R1 then knows which key it should use to authenticate the hello packet, rather than the lowest valid key as the book erroneously claims.

2nd observation:

R1 just receives the hello packet. This hello packet has key id 2. R1 authenticates the hello packet using key 2 successfully. Now R1 has to send a hello to R2. R1 uses the lowest valid key, which in our case is key 1, even though R1 knows that R2 is using key 2. When R2 receives this hello packet, it rejects the packet because it does not have key 1 to authenticate the packet.

Is my observation correct?

Thanks and have a great weekend.

Accepted Solutions

Raju Sekharan
Cisco Employee

Hi

Both your observations are correct.

1. When you receive an EIGRP packet with key id 2, the receiving router will try to authenticate using the same key id 2.

2. The lowest valid key id is sent when the local router originates EIGRP hello packets. Considering the received hello packet's key id is not the right step, because you can have multiple neighbors on that local router using the same key chain and each of them can send you hellos with different key ids.

Thanks

Raju

The lowest valid key id is sent when the local router originates EIGRP hello packets. Considering the received hello packet's key id is not the right step, because you can have multiple neighbors on that local router using the same key chain and each of them can send you hellos with different key ids.

Yes, if the receiving router has the valid key as specified by the key id, the receiving router can authenticate the EIGRP packet.

It also means we can have two different keys on two routers for sending and receiving EIGRP packets.

For example, R1 can send EIGRP packets with its lowest valid key 2; as long as the receiving router has the valid key as specified by the key id, which in our example is key 2, receiving router R2 can authenticate the EIGRP messages.

Similarly, R2 can send the packet with its lowest valid key 3, and as long as R1 has the valid key as specified by the key id, which is key 3, R1 can authenticate the EIGRP packets.

Thanks Raju and have a great weekend.

Yes. That is right.

Wish you too a great weekend

Thanks

Raju
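
The two rules confirmed in this thread (originate with the lowest valid key id, authenticate with the key id carried in the packet) can be modelled to check a set of key chains for one-way authentication failures. This is an added example, not code from the thread or from Cisco; the `send`/`accept` flags are assumptions standing in for key validity, the HMAC-MD5 digest is a stand-in for the router's real digest, and the secrets `lee3` and the `SPLIT` chains are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Key:
    secret: str
    send: bool = True     # assumption: key is currently valid for sending
    accept: bool = True   # assumption: key is currently valid for accepting

def digest(secret, payload):
    # Stand-in keyed digest for this model only; not EIGRP's wire format.
    return hmac.new(secret.encode(), payload, hashlib.md5).digest()

def originate(chain, payload=b"hello"):
    """Sender rule from the thread: sign with the lowest valid key id."""
    valid = [kid for kid, key in chain.items() if key.send]
    if not valid:
        return None  # no key valid for sending, nothing can be signed
    kid = min(valid)
    return kid, payload, digest(chain[kid].secret, payload)

def authenticate(chain, packet):
    """Receiver rule from the thread: look up the key id carried in the packet."""
    if packet is None:
        return False
    kid, payload, mac = packet
    key = chain.get(kid)
    if key is None or not key.accept:
        return False  # receiver has no valid key with that id
    return hmac.compare_digest(mac, digest(key.secret, payload))

def audit(chains):
    """Map each (sender, receiver) pair to whether its hellos authenticate."""
    return {(s, r): authenticate(chains[r], originate(chains[s]))
            for s in chains for r in chains if s != r}

# Constructed chains: LAB mirrors the lab in the question, SPLIT the last exchange
# (R1 sends with key 2, R2 sends with key 3, each side holds the other's key).
LAB = {"R1": {1: Key("lee1"), 2: Key("lee2")}, "R2": {2: Key("lee2")}}
SPLIT = {"R1": {2: Key("lee2"), 3: Key("lee3")},
         "R2": {2: Key("lee2", send=False), 3: Key("lee3")}}

if __name__ == "__main__":
    for name, chains in (("LAB", LAB), ("SPLIT", SPLIT)):
        for (s, r), ok in audit(chains).items():
            print(f"{name}: {s} -> {r}: {'ok' if ok else 'REJECTED'}")
```

For `LAB` the audit reports R2 to R1 as authenticated and R1 to R2 as rejected, which is the one-way failure described in the second observation.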
