Table of Contents
Advertisement
Authentication Methods
There are mainly two authentication methods:
Simple Password: In this method, an authentication key of up to 8 characters is included
in the packet. If this does not match what is expected, the packet is discarded. This
method provides little security, as it is possible to learn the authentication key by
watching the protocol packets.
MD5: This method uses the MD5 algorithm to create a crypto-checksum of the protocol
packet and an authentication key of up to 16 characters. The transmitted packet does not
contain the authentication key itself; instead, it contains a crypto-checksum, called the
digest. The receiving router performs a calculation using the correct authentication key
and discard the packet if the digest does not match. In addition, a sequence number is
maintained to prevent the replay of older packets. This method provides a much stronger
assurance that routing data originated from a router with a valid authentication key.
Many protocols allow the specification of two authentication keys per interface. Packets
are always sent using the primary keys, but received packets are checked with both the
primary and secondary keys before being discarded.
Authentication Keys and Key Management
An authentication key permits the generation and verification of the authentication field
in protocol packets. In many situations, the same primary and secondary keys are used on
several interfaces of a router. To make key management easier, the concept of a key-chain
was introduced. Each key-chain has an identifier and can contain up to two keys. One key
is the primary key and other is the secondary key. Outgoing packets use the primary
authentication key, but incoming packets may match either the primary or secondary
authentication key. In Configure mode, instead of specifying the key for each interface
(which can be up to 16 characters long), you can specify a key-chain identifier.
The IA supports MD5 specification of OSPF RFC 2178 which uses the MD5 algorithm and
an authentication key of up to 16 characters. Thus there are now three authentication
schemes available per interface: none, simple and RFC 2178 OSPF MD5 authentication. It
is possible to configure different authentication schemes on different interfaces.
RFC 2178 allows multiple MD5 keys per interface. Each key has two times associated with
the key:
•
A time period that the key will be generated
•
A time period that the key will be accepted
The IA only allows one MD5 key per interface. Also, there are no options provided to
specify the time period during which the key would be generated and accepted; the
specified MD5 key is always generated and accepted. Both these limitations would be
removed in a future release.
Internet Appliance User Reference Manual
Chapter 9: Routing Policy Configuration Guide
141
Advertisement
Table of Contents
