Expired authentication keys

We all know that authentication should be implemented between peers when using a routing protocol. Better still, instead of using a single static key, a key chain should be used so that keys can be rotated automatically, and via automation you can keep removing and adding keys to the chain to keep the endless cycle going. You may wonder what happens if you set up the key chain but don’t keep adding new keys? What happens when the last key in use expires? Let’s find out…

OSPFv2

!
hostname R1
!
int gi0/0
 ip address 169.254.0.1 255.255.255.252
 ip ospf authentication key-chain FOO
!
router ospf 1
 network 169.254.0.0 0.0.0.3 area 0
!
key chain FOO
 key 1
  key-string 0 FOOBAR
  accept-lifetime 19:30:00 Jan 23 2022 20:00:00 Jan 23 2022
  send-lifetime 19:30:00 Jan 23 2022 20:00:00 Jan 23 2022
  cryptographic-algorithm hmac-sha-512
!
!
hostname R2
!
int gi0/0
 ip address 169.254.0.2 255.255.255.252
 ip ospf authentication key-chain FOO
!
router ospf 1
 network 169.254.0.0 0.0.0.3 area 0
!
key chain FOO
 key 1
  key-string 0 FOOBAR
  accept-lifetime 19:30:00 Jan 23 2022 20:00:00 Jan 23 2022
  send-lifetime 19:30:00 Jan 23 2022 20:00:00 Jan 23 2022
  cryptographic-algorithm hmac-sha-512
!

From both routers we can see that cryptographic authentication has been enabled and that it is using key 1 from our key chain ‘FOO’:

R1#show ip ospf interface gi0/0
GigabitEthernet0/0 is up, line protocol is up 
  Internet Address 169.254.0.1/30, Area 0, Attached via Network Statement
  Process ID 1, Router ID 169.254.0.1, Network Type BROADCAST, Cost: 1
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           1         no          no            Base
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 169.254.0.2, Interface address 169.254.0.2
  Backup Designated router (ID) 169.254.0.1, Interface address 169.254.0.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:00
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 1/1/1, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 2 msec, maximum is 2 msec
  Neighbor Count is 1, Adjacent neighbor count is 1 
    Adjacent with neighbor 169.254.0.2  (Designated Router)
  Suppress hello for 0 neighbor(s)
  Cryptographic authentication enabled
    Sending SA: Key 1, Algorithm HMAC-SHA-512 - key chain FOO
R1#sh ip ospf neighbor 

Neighbor ID     Pri   State           Dead Time   Address         Interface
169.254.0.2       1   FULL/DR         00:00:33    169.254.0.2     GigabitEthernet0/0
R2#sh ip ospf interface gi0/0
GigabitEthernet0/0 is up, line protocol is up 
  Internet Address 169.254.0.2/30, Area 0, Attached via Network Statement
  Process ID 1, Router ID 169.254.0.2, Network Type BROADCAST, Cost: 1
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           1         no          no            Base
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 169.254.0.2, Interface address 169.254.0.2
  Backup Designated router (ID) 169.254.0.1, Interface address 169.254.0.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:09
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 1/1/1, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 2
  Last flood scan time is 0 msec, maximum is 2 msec
  Neighbor Count is 1, Adjacent neighbor count is 1 
    Adjacent with neighbor 169.254.0.1  (Backup Designated Router)
  Suppress hello for 0 neighbor(s)
  Cryptographic authentication enabled
    Sending SA: Key 1, Algorithm HMAC-SHA-512 - key chain FOO
R2#sh ip ospf neighbor       

Neighbor ID     Pri   State           Dead Time   Address         Interface
169.254.0.1       1   FULL/BDR        00:00:36    169.254.0.1     GigabitEthernet0/0
*Jan 23 20:00:00.001: %OSPF-5-LASTKEYEXP: The last key has expired for interface GigabitEthernet0/0, packets sent using last valid key.
*Jan 23 20:00:00.338: %OSPF-5-EXPIREDKEY: Packet received on interface GigabitEthernet0/0 with expired Key ID 1.

This behaviour is part of the original OSPF RFC 2328, specifically Appendix D.3:

In the event that the last key associated with an interface expires, it is unacceptable to revert to an unauthenticated condition, and not advisable to disrupt routing. Therefore, the router should send a “last authentication key expiration” notification to the network manager and treat the key as having an infinite lifetime until the lifetime is extended, the key is deleted by network management, or a new key is configured.

https://datatracker.ietf.org/doc/html/rfc2328#appendix-D.3

OSPFv3

Let’s take a look at the behaviour of OSPFv3 using an IPv4 address family.

!
hostname R1
!
ipv6 unicast-routing
!
interface GigabitEthernet0/0
 ip address 169.254.0.1 255.255.255.252
 ipv6 enable
 ospfv3 1 authentication key-chain FOO
 ospfv3 1 ipv4 area 0
!
key chain FOO
 key 0
  key-string FOOBAR
  accept-lifetime 23:00:00 Jan 22 2022 23:32:00 Jan 22 2022
  send-lifetime 23:00:00 Jan 22 2022 23:32:00 Jan 22 2022
  cryptographic-algorithm hmac-sha-512
!
*Jan 23 21:00:00.001: %OSPFv3-5-LASTKEYEXP: The last key has expired in key-chain FOO.
*Jan 23 21:00:00.849: %OSPFv3-5-INVALIDSADATA: Key chain FOO, key 0. Data not valid to authenticate tx packet on GigabitEthernet0/0
*Jan 23 21:00:38.744: %OSPFv3-5-ADJCHG: Process 1, IPv4, Nbr 169.254.0.2 on GigabitEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired

If we take a look at a packet capture we can see that the periodic OSPF Hello packets stop being sent. This is because, once the OSPFv3 process no longer has a valid key to use, it stops transmitting the packets altogether.

After a bit of digging, this changed behaviour turns out to be mandated by RFC 7166, Section 3:

In the event that the last key associated with an interface expires, the network operator SHOULD be notified, and the OSPFv3 packet MUST NOT be transmitted unauthenticated.

https://datatracker.ietf.org/doc/html/rfc7166#section-3

EIGRP

!
hostname R1
!
interface GigabitEthernet0/0
 ip address 169.254.0.1 255.255.255.252
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 FOO
!
router eigrp 1
 network 169.254.0.0 0.0.0.3
!
R1#sh ip eigrp interfaces detail gigabitEthernet 0/0
EIGRP-IPv4 Interfaces for AS(1)
                              Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface              Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Gi0/0                    1        0/0       0/0           6       0/0           50           0
  Hello-interval is 5, Hold-time is 15
  Split-horizon is enabled
  Next xmit serial <none>
  Packetized sent/expedited: 2/0
  Hello's sent/expedited: 121/3
  Un/reliable mcasts: 0/2  Un/reliable ucasts: 3/3
  Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 0
  Retransmissions sent: 1  Out-of-sequence rcvd: 0
  Topology-ids on interface - 0 
  Authentication mode is md5,  key-chain is "FOO"
  Topologies advertised on this interface:  base
  Topologies not advertised on this interface:
R1#sh ip eigrp neighbors 
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   169.254.0.2             Gi0/0                    10 00:02:22    6   100  0  4

Once the key lifetime expires the EIGRP adjacency is rapidly lost, reason ‘Auth failure’:

*Jan 23 21:15:03.637: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 169.254.0.2 (GigabitEthernet0/0) is down: Auth failure

We can run a debug on R1 to see what is happening:

*Jan 23 21:15:03.635: EIGRP: Gi0/0: ignored packet from 169.254.0.2, opcode = 5 (missing authentication)
*Jan 23 21:15:03.635: EIGRP: Dropping peer, invalid authentication
*Jan 23 21:15:03.635: EIGRP: Sending HELLO on Gi0/0 - paklen 20
*Jan 23 21:15:03.635:   AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Jan 23 21:15:03.637: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 169.254.0.2 (GigabitEthernet0/0) is down: Auth failure
*Jan 23 21:15:03.637: EIGRP: Lost Peer: Total 1 (1/0/0/0/0)
*Jan 23 21:15:08.192: EIGRP: Gi0/0: ignored packet from 169.254.0.2, opcode = 5 (missing authentication)

We can see that R2 is sending HELLO packets to R1, but they are ‘missing authentication’. This is because, once the key becomes invalid, EIGRP stops using it for authentication and, with no keys left to use, sends its EIGRP packets without authentication. As R1 is configured to accept only authenticated packets, it drops those from R2 and the adjacency is lost. The same sequence of events occurs in the other direction, from R1 to R2.

Whilst the key chain is valid, the EIGRP packets contain the MD5 authentication.
Once the key chain becomes invalid, the EIGRP process begins sending unauthenticated packets.

Conclusion

In the event of a key chain having no valid keys remaining:

  • OSPFv2 – Will keep transmitting and receiving packets using the expired key.
  • OSPFv3 – Will stop transmitting and receiving packets using the expired key. Adjacencies will be lost.
  • EIGRP – Will stop using the expired key and send packets unauthenticated whilst still expecting to receive authenticated packets. Adjacencies will be lost.
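As an added operational check (not part of the original post), the script below parses IOS key chains in the same format as the configs above and reports whether a chain currently has a valid send key and whether its last key is about to expire with nothing configured after it. The sample config and chain BAR are constructed for the example; the IOS `duration` lifetime form is not handled.

```python
import re
from datetime import datetime, timedelta
# Constructed sample (not from the post): FOO is the post's single short-lived key; BAR adds
# a follow-on key that never expires. Key-strings and algorithms are omitted for brevity.
SAMPLE_CONFIG = """\
key chain FOO
 key 1
  accept-lifetime 19:30:00 Jan 23 2022 20:00:00 Jan 23 2022
  send-lifetime 19:30:00 Jan 23 2022 20:00:00 Jan 23 2022
key chain BAR
 key 1
  send-lifetime 19:30:00 Jan 23 2022 20:00:00 Jan 23 2022
 key 2
  send-lifetime 19:55:00 Jan 23 2022 infinite
"""
DT = r"\d\d:\d\d:\d\d [A-Za-z]{3} \d{1,2} \d{4}"  # IOS hh:mm:ss Mon dd yyyy
LIFETIME_RE = re.compile(rf"^\s*(accept|send)-lifetime ({DT}) (infinite|{DT})\s*$")

def ts(text):
    return datetime.strptime(text, "%H:%M:%S %b %d %Y")

def parse_key_chains(config):
    """Return {chain: {key_id: {'send': (start, end), 'accept': (start, end)}}}; 'infinite' -> datetime.max."""
    chains, keys, key = {}, None, None
    for line in config.splitlines():
        if m := re.match(r"^key chain (\S+)", line):
            keys, key = chains.setdefault(m.group(1), {}), None
        elif (m := re.match(r"^\s+key (\d+)\s*$", line)) and keys is not None:
            key = keys.setdefault(int(m.group(1)), {})
        elif (m := LIFETIME_RE.match(line)) and key is not None:  # 'duration' form not handled
            end = datetime.max if m.group(3) == "infinite" else ts(m.group(3))
            key[m.group(1)] = (ts(m.group(2)), end)
    return chains

def valid_send_keys(keys, at):
    """Key IDs usable for sending at `at`; IOS treats a key with no send-lifetime as always valid."""
    return sorted(k for k, lt in keys.items()
                  if "send" not in lt or lt["send"][0] <= at < lt["send"][1])

def last_send_expiry(keys):
    """Instant after which nothing in the chain can be sent with, or None if a key never expires."""
    latest = max(lt["send"][1] if "send" in lt else datetime.max for lt in keys.values())
    return None if latest == datetime.max else latest

def chain_status(keys, now, warn=timedelta(days=7)):
    """'no_valid_key' is the state the post reproduces; 'expiring' = last key ends within `warn`."""
    if not valid_send_keys(keys, now):
        return "no_valid_key"
    expiry = last_send_expiry(keys)
    return "expiring" if expiry is not None and expiry - now <= warn else "ok"
```

Run `chain_status(keys, datetime.now())` over each chain pulled from a running config to catch the OSPFv3 and EIGRP adjacency loss, and the OSPFv2 indefinite reuse of an expired key, before they happen.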
