We all know that authentication should be configured between peers when running a routing protocol. Better still, instead of a single static key, a key chain should be used so that keys can be rotated automatically: with a bit of automation you keep adding new keys to the chain and removing old ones, and the cycle never ends. But what happens if you set up the key chain and then don’t keep adding new keys? What happens when the last key in use expires? Let’s find out…
OSPFv2
!
hostname R1
!
int gi0/0
ip address 169.254.0.1 255.255.255.252
ip ospf authentication key-chain FOO
!
router ospf 1
network 169.254.0.0 0.0.0.3 area 0
!
key chain FOO
key 1
key-string 0 FOOBAR
accept-lifetime 19:30:00 Jan 23 2022 20:00:00 Jan 23 2022
send-lifetime 19:30:00 Jan 23 2022 20:00:00 Jan 23 2022
cryptographic-algorithm hmac-sha-512
!
!
hostname R2
!
int gi0/0
ip address 169.254.0.2 255.255.255.252
ip ospf authentication key-chain FOO
!
router ospf 1
network 169.254.0.0 0.0.0.3 area 0
!
key chain FOO
key 1
key-string 0 FOOBAR
accept-lifetime 19:30:00 Jan 23 2022 20:00:00 Jan 23 2022
send-lifetime 19:30:00 Jan 23 2022 20:00:00 Jan 23 2022
cryptographic-algorithm hmac-sha-512
!
From both routers we can see that cryptographic authentication has been enabled and that it is using key 1 from our key chain ‘FOO’:
R1#show ip ospf interface gi0/0
GigabitEthernet0/0 is up, line protocol is up
  Internet Address 169.254.0.1/30, Area 0, Attached via Network Statement
  Process ID 1, Router ID 169.254.0.1, Network Type BROADCAST, Cost: 1
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           1         no          no            Base
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 169.254.0.2, Interface address 169.254.0.2
  Backup Designated router (ID) 169.254.0.1, Interface address 169.254.0.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:00
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 1/1/1, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 2 msec, maximum is 2 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 169.254.0.2  (Designated Router)
  Suppress hello for 0 neighbor(s)
  Cryptographic authentication enabled
    Sending SA: Key 1, Algorithm HMAC-SHA-512 - key chain FOO
R1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
169.254.0.2       1   FULL/DR         00:00:33    169.254.0.2     GigabitEthernet0/0
R2#sh ip ospf interface gi0/0
GigabitEthernet0/0 is up, line protocol is up
  Internet Address 169.254.0.2/30, Area 0, Attached via Network Statement
  Process ID 1, Router ID 169.254.0.2, Network Type BROADCAST, Cost: 1
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           1         no          no            Base
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 169.254.0.2, Interface address 169.254.0.2
  Backup Designated router (ID) 169.254.0.1, Interface address 169.254.0.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:09
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 1/1/1, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 2
  Last flood scan time is 0 msec, maximum is 2 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 169.254.0.1  (Backup Designated Router)
  Suppress hello for 0 neighbor(s)
  Cryptographic authentication enabled
    Sending SA: Key 1, Algorithm HMAC-SHA-512 - key chain FOO
R2#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
169.254.0.1       1   FULL/BDR        00:00:36    169.254.0.1     GigabitEthernet0/0
When the key’s lifetime ends at 20:00:00 both routers log the expiry, but the adjacency stays up and packets continue to be sent and accepted using key 1:
*Jan 23 20:00:00.001: %OSPF-5-LASTKEYEXP: The last key has expired for interface GigabitEthernet0/0, packets sent using last valid key.
*Jan 23 20:00:00.338: %OSPF-5-EXPIREDKEY: Packet received on interface GigabitEthernet0/0 with expired Key ID 1.
This behaviour is specified in the original OSPFv2 RFC, RFC 2328, Appendix D.3:
In the event that the last key associated with an interface expires, it is unacceptable to revert to an unauthenticated condition, and not advisable to disrupt routing. Therefore, the router should send a “last authentication key expiration” notification to the network manager and treat the key as having an infinite lifetime until the lifetime is extended, the key is deleted by network management, or a new key is configured.
https://datatracker.ietf.org/doc/html/rfc2328#appendix-D.3
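Because the fallback differs per protocol, the useful check is the one that runs before any of it happens: does the chain still have a valid key, and when does the last one run out? The following is an added example, not code from the original post, which parses the IOS-style ‘key chain’ syntax used in the configs above and reports that. The FOO chain in the sample input is the one from this post; the BAR chain, with a second key whose lifetime overlaps the first and never expires, is constructed for the example. It assumes the absolute ‘HH:MM:SS Mon D YYYY’ time form shown in this post (plus ‘infinite’ and ‘duration SECS’); the day-month ordering and ‘local’ keyword IOS also accepts are not handled.

```python
"""Pre-flight check for IOS-style key chains (added example, not from the post)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Absolute-time form used in this post: "HH:MM:SS Mon D YYYY"
_ABS = r"\d{1,2}:\d{2}:\d{2} [A-Za-z]{3} \d{1,2} \d{4}"
_LIFETIME = re.compile(
    r"^(accept|send)-lifetime (" + _ABS + r") (?:(" + _ABS + r")|infinite|duration (\d+))$"
)


def parse_ios_time(text: str) -> datetime:
    """'19:30:00 Jan 23 2022' -> naive datetime (IOS prints router-local time)."""
    return datetime.strptime(text, "%H:%M:%S %b %d %Y")


@dataclass
class Key:
    key_id: int
    key_string: str = ""
    algorithm: str = ""
    # (start, end) windows; end=None means 'infinite'. A key with no lifetime
    # configured at all is always valid, which is the IOS default.
    accept: tuple[Optional[datetime], Optional[datetime]] = (None, None)
    send: tuple[Optional[datetime], Optional[datetime]] = (None, None)

    def valid(self, when: datetime, which: str = "send") -> bool:
        start, end = getattr(self, which)
        return (start is None or start <= when) and (end is None or when < end)


def parse_key_chains(config: str) -> dict[str, list[Key]]:
    """Collect `key chain` blocks from a config; other config lines are ignored."""
    chains: dict[str, list[Key]] = {}
    keys: list[Key] = []
    key: Optional[Key] = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"^key chain (\S+)$", line):
            keys, key = chains.setdefault(m.group(1), []), None
        elif m := re.match(r"^key (\d+)$", line):
            key = Key(int(m.group(1)))
            keys.append(key)
        elif key is None:
            continue  # interface/router config, not inside a key block
        elif m := re.match(r"^key-string (?:\d )?(\S+)$", line):
            key.key_string = m.group(1)  # optional leading digit is the encryption type
        elif m := re.match(r"^cryptographic-algorithm (\S+)$", line):
            key.algorithm = m.group(1)
        elif m := _LIFETIME.match(line):
            kind, start_s, end_s, secs = m.groups()
            start = parse_ios_time(start_s)
            end = parse_ios_time(end_s) if end_s else (start + timedelta(seconds=int(secs)) if secs else None)
            setattr(key, kind, (start, end))
    return chains


def send_coverage_end(keys: list[Key]) -> Optional[datetime]:
    """Instant after which no key can be used to send; None if some key never expires."""
    ends = []
    for k in keys:
        if k.send[1] is None:
            return None
        ends.append(k.send[1])
    return max(ends) if ends else None


def send_gaps(keys: list[Key]) -> list[tuple[datetime, datetime]]:
    """Intervals (after the first key starts) during which no key is valid for sending."""
    if any(k.send == (None, None) for k in keys):
        return []
    gaps, covered_until = [], None
    for start, end in sorted((k.send for k in keys), key=lambda w: w[0]):
        if covered_until is not None and start > covered_until:
            gaps.append((covered_until, start))
        if end is None:
            break  # an 'infinite' key covers everything from here on
        covered_until = end if covered_until is None else max(covered_until, end)
    return gaps


def report(config: str, now: datetime) -> dict[str, str]:
    """One status line per chain, the check a rotation job should make before it exits."""
    out = {}
    for name, keys in parse_key_chains(config).items():
        active = [k.key_id for k in keys if k.valid(now)]
        end = send_coverage_end(keys)
        if end is None:
            out[name] = f"send keys {active}; chain never runs out of keys"
        elif now >= end:
            out[name] = f"NO valid send key since {end:%Y-%m-%d %H:%M:%S}; protocol fallback behaviour in effect"
        else:
            out[name] = f"send keys {active}; last key expires {end:%Y-%m-%d %H:%M:%S} (in {end - now}); gaps: {send_gaps(keys)}"
    return out


# Constructed sample: FOO is the single-key chain from this post, BAR is made up for the example.
SAMPLE_CONFIG = """\
key chain FOO
 key 1
  key-string 0 FOOBAR
  accept-lifetime 19:30:00 Jan 23 2022 20:00:00 Jan 23 2022
  send-lifetime 19:30:00 Jan 23 2022 20:00:00 Jan 23 2022
  cryptographic-algorithm hmac-sha-512
!
key chain BAR
 key 1
  key-string 0 FIRST
  accept-lifetime 19:30:00 Jan 23 2022 20:05:00 Jan 23 2022
  send-lifetime 19:30:00 Jan 23 2022 20:00:00 Jan 23 2022
 key 2
  key-string 0 SECOND
  accept-lifetime 19:55:00 Jan 23 2022 infinite
  send-lifetime 19:55:00 Jan 23 2022 infinite
"""

if __name__ == "__main__":
    for when in ("19:45:00 Jan 23 2022", "20:00:01 Jan 23 2022"):
        for chain, status in report(SAMPLE_CONFIG, parse_ios_time(when)).items():
            print(f"{when} {chain}: {status}")
```

Run against the FOO chain at 20:00:01 it reports that there has been no valid send key since 20:00:00, which is exactly the instant the %OSPF-5-LASTKEYEXP message above was logged. Note that BAR’s accept window for key 1 outlives its send window by five minutes: that slack is what keeps peers whose clocks are slightly off from rejecting each other during the changeover.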
OSPFv3
Let’s take a look at the behaviour of OSPFv3 using an IPv4 address family.
!
hostname R1
!
ipv6 unicast-routing
!
interface GigabitEthernet0/0
ip address 169.254.0.1 255.255.255.252
ipv6 enable
ospfv3 1 authentication key-chain FOO
ospfv3 1 ipv4 area 0
!
key chain FOO
key 0
key-string FOOBAR
accept-lifetime 23:00:00 Jan 22 2022 23:32:00 Jan 22 2022
send-lifetime 23:00:00 Jan 22 2022 23:32:00 Jan 22 2022
cryptographic-algorithm hmac-sha-512
!
Once the last key expires, R1 logs the expiry, immediately starts failing to authenticate its own outbound packets, and about 40 seconds later (one dead interval) the adjacency drops:
*Jan 23 21:00:00.001: %OSPFv3-5-LASTKEYEXP: The last key has expired in key-chain FOO.
*Jan 23 21:00:00.849: %OSPFv3-5-INVALIDSADATA: Key chain FOO, key 0. Data not valid to authenticate tx packet on GigabitEthernet0/0
*Jan 23 21:00:38.744: %OSPFv3-5-ADJCHG: Process 1, IPv4, Nbr 169.254.0.2 on GigabitEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
If we take a look at a packet capture we can see that the periodic OSPF Hello packets stop being sent. This is because once the OSPFv3 process no longer has a valid key it stops transmitting packets altogether rather than sending them unauthenticated; the neighbour’s dead timer then expires and the adjacency is torn down.

After a bit of digging, this stricter behaviour turns out to be mandated by RFC 7166 (the OSPFv3 authentication trailer), Section 3:
In the event that the last key associated with an interface expires, the network operator SHOULD be notified, and the OSPFv3 packet MUST NOT be transmitted unauthenticated.
https://datatracker.ietf.org/doc/html/rfc7166#section-3
EIGRP
!
hostname R1
!
interface GigabitEthernet0/0
ip address 169.254.0.1 255.255.255.252
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 FOO
!
router eigrp 1
network 169.254.0.0 0.0.0.3
!
R1#sh ip eigrp interfaces detail gigabitEthernet 0/0
EIGRP-IPv4 Interfaces for AS(1)
                              Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface              Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Gi0/0                    1        0/0         0/0          6       0/0           50           0
  Hello-interval is 5, Hold-time is 15
  Split-horizon is enabled
  Next xmit serial <none>
  Packetized sent/expedited: 2/0
  Hello's sent/expedited: 121/3
  Un/reliable mcasts: 0/2  Un/reliable ucasts: 3/3
  Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 0
  Retransmissions sent: 1  Out-of-sequence rcvd: 0
  Topology-ids on interface - 0
  Authentication mode is md5,  key-chain is "FOO"
  Topologies advertised on this interface:  base
  Topologies not advertised on this interface:
R1#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   169.254.0.2             Gi0/0                    10 00:02:22    6   100  0  4
Once the key lifetime expires the EIGRP adjacency is lost almost immediately, reason ‘Auth failure’:
*Jan 23 21:15:03.637: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 169.254.0.2 (GigabitEthernet0/0) is down: Auth failure
We can run a debug on R1 to see what is happening:
*Jan 23 21:15:03.635: EIGRP: Gi0/0: ignored packet from 169.254.0.2, opcode = 5 (missing authentication)
*Jan 23 21:15:03.635: EIGRP: Dropping peer, invalid authentication
*Jan 23 21:15:03.635: EIGRP: Sending HELLO on Gi0/0 - paklen 20
*Jan 23 21:15:03.635:   AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Jan 23 21:15:03.637: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 169.254.0.2 (GigabitEthernet0/0) is down: Auth failure
*Jan 23 21:15:03.637: EIGRP: Lost Peer: Total 1 (1/0/0/0/0)
*Jan 23 21:15:08.192: EIGRP: Gi0/0: ignored packet from 169.254.0.2, opcode = 5 (missing authentication)
We can see that R2 is still sending HELLO packets to R1, but they arrive ‘missing authentication’. Once its key becomes invalid EIGRP stops using it, and with no keys left in the chain it simply sends its packets unauthenticated. R1 is configured to accept only authenticated packets, so it drops R2’s HELLOs and the adjacency is lost. The same sequence of events happens in the other direction, from R1 to R2.


Conclusion
In the event of a key chain having no valid keys remaining:
- OSPFv2 – Keeps transmitting and receiving packets using the expired key. The adjacency stays up, but the key is never retired and the only signal is the %OSPF-5-LASTKEYEXP syslog message.
- OSPFv3 – Stops transmitting and receiving packets once the key expires. Adjacencies are lost.
- EIGRP – Stops using the expired key and sends its packets unauthenticated while still expecting to receive authenticated packets. Adjacencies are lost.
Whichever protocol you run, the remedy is the same: never let the chain run dry. Give the last key an ‘infinite’ lifetime or overlap each key’s lifetime with the next one, and alert on the LASTKEYEXP messages so an expiry is noticed before it matters.
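All of the messages above are logged at severity 5 (notification), whether the router quietly carried on with an expired key or dropped its neighbour, so a log pipeline that keys on severity alone will miss them. The following is an added example, not code from the original post, that classifies the exact lines quoted in this post by what they mean for the adjacency using the three behaviours summarised above. The sample log is constructed from those lines plus one unrelated message; the classifier assumes the IOS timestamp format shown here, and it counts an OSPFv3 ADJCHG as key-related only if an OSPFv3 key-expiry message was already seen in the same batch.

```python
"""Triage IOS syslog for exhausted key chains (added example, not from the post)."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# "*Jan 23 20:00:00.001: %OSPF-5-LASTKEYEXP: message..." (assumed format, as shown in this post)
_SYSLOG = re.compile(
    r"^\*?(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?): "
    r"%(?P<fac>[A-Za-z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<msg>.*)$"
)
_IFACE = re.compile(r"(?:Gigabit|Fast|TenGigabit)?Ethernet\d[\d/.]*|Serial\d[\d/.:]*|Tunnel\d+|Vlan\d+")
ADJ_LOST = "adjacency lost after key exhaustion"

# (facility, mnemonic) -> (protocol, impact, reason), per the behaviour observed above.
RULES = {
    ("OSPF", "LASTKEYEXP"): ("OSPFv2", "degraded", "last key expired; still sending with it (RFC 2328 D.3)"),
    ("OSPF", "EXPIREDKEY"): ("OSPFv2", "degraded", "accepting packets authenticated with an expired key"),
    ("OSPFv3", "LASTKEYEXP"): ("OSPFv3", "outage", "last key expired; OSPFv3 stops transmitting (RFC 7166 s.3)"),
    ("OSPFv3", "INVALIDSADATA"): ("OSPFv3", "outage", "no valid SA; packet not transmitted"),
}
_RANK = {"none": 0, "degraded": 1, "outage": 2}


@dataclass
class Finding:
    ts: str
    protocol: str
    interface: str
    impact: str  # "degraded": adjacency up but on an expired key; "outage": adjacency lost
    reason: str


def classify(line: str) -> Optional[Finding]:
    """Map one syslog line to a Finding, or None if it is not key-chain related."""
    m = _SYSLOG.match(line.strip())
    if not m:
        return None
    fac, mnem, msg = m["fac"], m["mnem"], m["msg"]
    im = _IFACE.search(msg)
    iface = im.group(0) if im else ""
    if (fac, mnem) in RULES:
        proto, impact, reason = RULES[(fac, mnem)]
    elif fac == "DUAL" and mnem == "NBRCHANGE" and "Auth failure" in msg:
        proto, impact, reason = "EIGRP", "outage", "neighbour dropped: peer out of keys and sending unauthenticated"
    elif fac == "OSPFv3" and mnem == "ADJCHG" and "to DOWN" in msg:
        proto, impact, reason = "OSPFv3", "outage", ADJ_LOST
    else:
        return None
    return Finding(m["ts"], proto, iface, impact, reason)


def triage(lines: Iterable[str]) -> list[Finding]:
    """Classify a batch, keeping OSPFv3 adjacency drops only once a key expiry has been seen."""
    findings, ospfv3_exhausted = [], False
    for line in lines:
        f = classify(line)
        if f is None:
            continue
        if f.reason == ADJ_LOST:
            if not ospfv3_exhausted:
                continue  # an ordinary flap, not evidence of key exhaustion
        elif f.protocol == "OSPFv3":
            ospfv3_exhausted = True
        findings.append(f)
    return findings


def worst(findings: Iterable[Finding]) -> str:
    """Overall impact of a batch: "none", "degraded" or "outage"."""
    return max((f.impact for f in findings), key=_RANK.__getitem__, default="none")


# Constructed sample: the log lines quoted in this post plus one unrelated message.
SAMPLE_LOG = [
    "*Jan 23 20:00:00.001: %OSPF-5-LASTKEYEXP: The last key has expired for interface GigabitEthernet0/0, packets sent using last valid key.",
    "*Jan 23 20:00:00.338: %OSPF-5-EXPIREDKEY: Packet received on interface GigabitEthernet0/0 with expired Key ID 1.",
    "*Jan 23 21:00:00.001: %OSPFv3-5-LASTKEYEXP: The last key has expired in key-chain FOO.",
    "*Jan 23 21:00:00.849: %OSPFv3-5-INVALIDSADATA: Key chain FOO, key 0. Data not valid to authenticate tx packet on GigabitEthernet0/0",
    "*Jan 23 21:00:38.744: %OSPFv3-5-ADJCHG: Process 1, IPv4, Nbr 169.254.0.2 on GigabitEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired",
    "*Jan 23 21:15:03.637: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 169.254.0.2 (GigabitEthernet0/0) is down: Auth failure",
    "*Jan 23 21:16:00.000: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.ts} {f.protocol:6} {f.interface or '-':18} {f.impact:8} {f.reason}")
    print("overall:", worst(found))
```

The point of the ‘degraded’ class is the OSPFv2 case: nothing breaks, so nobody looks, and the expired key stays in use until somebody notices the single notification-level message.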