management applications on Cisco IOS XR software often use authentication to enhance security while
communicating with peers.
The Cisco IOS XR software system security component implements various system security features,
including keychain management. Refer to these documents for detailed information on keychain management
concepts, configuration tasks, examples, and the commands used to configure keychain management.
Tip
• Implementing Keychain Management module in Cisco ASR 9000 Series Aggregation Services Router System Security Configuration Guide
• Keychain Management Commands module in Cisco ASR 9000 Series Aggregation Services Router System Security Command Reference
The keychain by itself has no effect; it must be used by an application that needs to authenticate its
communication with peers by using the keys. The keychain provides a secure mechanism to handle the keys
and to roll them over based on their lifetimes. The Cisco IOS XR keychain infrastructure takes care of the
hitless rollover of the secret keys in the keychain.
Note
After a keychain has been configured in the IOS XR keychain database and applied to a particular RIP interface,
it is used to authenticate all incoming and outgoing RIP traffic on that interface. Unless an authentication
keychain is configured on a RIP interface (in the default VRF or a non-default VRF), all RIP traffic on that
interface is assumed to be authentic, and no authentication mechanism is applied to in-bound or out-bound
RIP traffic to secure it.
RIP employs two modes of authentication: keyed message digest mode and clear text mode. Use the
authentication keychain keychain-name mode {md5 | text} command to configure authentication using the
keychain mechanism.
If a keychain has been configured on a RIP interface but that keychain is not actually configured in the
keychain database, or is not configured with an MD5 cryptographic algorithm, all incoming RIP packets on
the interface are dropped. Outgoing packets are sent without any authentication data.
In-bound RIP Traffic on an Interface
These are the verification criteria for all in-bound RIP packets on a RIP interface when the interface is
configured with a keychain.
If...                                              Then...
The keychain configured on the RIP interface       The packet is dropped. A RIP component-level debug
does not exist in the keychain database.           message is logged with the specific details of the
                                                   authentication failure.
The keychain is not configured with an MD5         The packet is dropped. A RIP component-level debug
cryptographic algorithm.                           message is logged with the specific details of the
                                                   authentication failure.
The Address Family Identifier of the first (and    The packet is dropped. A RIP component-level debug
only the first) entry in the message is not        message is logged with the specific details of the
0xFFFF, so authentication is not in use.           authentication failure.
Cisco ASR 9000 Series Aggregation Services Router Routing Configuration Guide, Release 5.1.x
448 OL-30423-03
Implementing RIP
Authentication Using Keychain in RIP