Key Rotation and Keychains: Enhancing OSPF Authentication

Welcome to another lesson in the Practical OSPF series. In this lesson, we will explore the concepts of key rotation and keychains in OSPF authentication.


Understanding Key Rotation

In our previous lessons, we covered clear-text password authentication and MD5 hash-based authentication for OSPF. Both share a limitation: with a single key configured on an interface, changing that key means the two routers disagree about the key until both have been updated, and if that disagreement lasts longer than the dead interval the adjacency drops. Key rotation solves this problem.

Key rotation lets us change the keys on two routers with an active neighbor adjacency without disrupting the adjacency. By configuring several keys with different key IDs on one interface, the router accepts packets authenticated with any of the configured keys and, while more than one key is configured, sends a copy of each packet authenticated with each key (Cisco IOS calls this a rollover). Once the neighbor is verified to be using the newer key, the old key can be safely removed from both routers.

Let's take a closer look at how key rotation is implemented on Cisco IOS. Hash-based authentication is enabled on the interface with ip ospf authentication message-digest (or per area with area authentication message-digest), and each key is configured with:

ip ospf message-digest-key key-id md5 key

MD5 is the only algorithm this command supports; HMAC-SHA requires the keychain construct described next. The rollover itself is a three-step procedure. First, add the new key with a new key ID on both routers, leaving the old key in place; the key ID must match on both ends. Second, check show ip ospf interface on both routers: IOS reports the youngest key ID and, while a rollover is in progress, which neighbors are still using the old key. Third, once the rollover is reported complete on both sides, remove the old key with no ip ospf message-digest-key old-key-id on both routers.

Exploring Keychains and HMAC-SHA

OSPF's message-digest authentication (RFC 2328) is a keyed MD5 digest, and MD5's weaknesses were formally documented in RFC 6151 in 2011. The published collision attacks do not directly break keyed authentication, but MD5 is no longer acceptable for new deployments, and RFC 5709 added HMAC-SHA authentication for OSPFv2. Using HMAC-SHA keys on IOS requires a different configuration construct, the keychain.


Keychains are a way to configure multiple authentication keys independently of any one interface; the same keychain can be referenced from several interfaces, and each key within it carries a key ID, a cryptographic algorithm, a key string and, optionally, lifetimes. This gives more flexibility and stronger algorithms than a single interface key.

To configure a keychain on IOS, use the following commands (one key block per key ID):

key chain keychain-name
 key key-id
  key-string key-string
  cryptographic-algorithm algorithm

The key-string is the authentication secret, and cryptographic-algorithm selects the hash: md5, hmac-sha-1, hmac-sha-256, hmac-sha-384 or hmac-sha-512. The keychain is then attached to an interface with ip ospf authentication key-chain keychain-name. Both neighbors must use the same key ID, algorithm and key string for a given key; the key ID travels in clear in the OSPF header, so it identifies the key but is not itself a secret.

Key Rotation Using Keychains

Key rotation can also be implemented with keychains, in this case using time-based key lifetimes. Each key in the keychain carries a send lifetime and an accept lifetime, both evaluated against the router's local clock, so synchronized time (NTP) on every router is a prerequisite.

The send lifetime determines when the router authenticates its outgoing packets with a key, while the accept lifetime determines when it accepts incoming packets authenticated with that key. The send lifetimes of consecutive keys should meet with neither gap nor overlap, and each accept lifetime should begin before and end after the corresponding send lifetime, so that a neighbor whose clock runs slightly ahead or behind is still accepted around the switchover. With that arrangement the rotation completes without disturbing the adjacency.

To demonstrate date-based key rotation, let’s consider an example. We configure a keychain called “rotation_demo” with four keys, each corresponding to a quarter of the year. Each key has a specific send and accept lifetime.
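The quarterly "rotation_demo" keychain above, worked through as an added example that is not the lesson's own configuration: a Python script that builds four keys whose send lifetimes partition a year, checks the plan for the two failure modes described above (a send window not covered by its accept window once clock skew is allowed for, and consecutive send windows that leave a gap or overlap), and renders the result in Cisco IOS key chain syntax. The IOS command forms (key chain, cryptographic-algorithm hmac-sha-256, send-lifetime and accept-lifetime with hh:mm:ss month day year timestamps) are assumed from the lesson's description, and the key strings are constructed placeholders.

```python
"""Plan, validate and render a date-based OSPF keychain rotation.

Added example, not the lesson's own configuration. Rendered command syntax
assumes Cisco IOS 'key chain' commands; key strings are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class KeyPlan:
    """One key in a keychain with its send and accept windows."""
    key_id: int
    key_string: str
    algorithm: str          # e.g. "hmac-sha-256"
    send_start: datetime
    send_end: datetime
    accept_start: datetime
    accept_end: datetime


def quarterly_plan(year, key_strings, algorithm="hmac-sha-256", overlap_hours=1):
    """Four keys whose send windows partition `year` by quarter.

    Each accept window is widened by `overlap_hours` on both sides so a
    neighbor whose clock is slightly off is still accepted at the switchover.
    """
    if len(key_strings) != 4:
        raise ValueError("need exactly four key strings, one per quarter")
    overlap = timedelta(hours=overlap_hours)
    bounds = [datetime(year, m, 1) for m in (1, 4, 7, 10)]
    bounds.append(datetime(year + 1, 1, 1))
    return [
        KeyPlan(i, secret, algorithm,
                bounds[i - 1], bounds[i],
                bounds[i - 1] - overlap, bounds[i] + overlap)
        for i, secret in enumerate(key_strings, start=1)
    ]


def validate_plan(keys, clock_skew_minutes=5):
    """Return a list of problems; an empty list means the rotation is safe.

    Assumes the same keychain is installed on both neighbors and checks that:
      * every send window lies inside its accept window with `clock_skew_minutes`
        of margin on both ends, so a slightly fast or slow neighbor is accepted;
      * consecutive send windows meet with no gap (a gap leaves nothing to send)
        and no overlap (which key is sent then becomes implementation-dependent).
    """
    skew = timedelta(minutes=clock_skew_minutes)
    problems = []
    for k in keys:
        if k.accept_start > k.send_start - skew:
            problems.append(f"key {k.key_id}: accept-lifetime must start at least "
                            f"{skew} before its send-lifetime ({k.send_start})")
        if k.accept_end < k.send_end + skew:
            problems.append(f"key {k.key_id}: accept-lifetime must end at least "
                            f"{skew} after its send-lifetime ({k.send_end})")
    ordered = sorted(keys, key=lambda k: k.send_start)
    for prev, nxt in zip(ordered, ordered[1:]):
        if nxt.send_start > prev.send_end:
            problems.append(f"gap: no key to send between {prev.send_end} "
                            f"and {nxt.send_start}")
        elif nxt.send_start < prev.send_end:
            problems.append(f"keys {prev.key_id} and {nxt.key_id}: "
                            f"send-lifetimes overlap")
    return problems


def _ios_time(dt):
    """IOS lifetime timestamp: hh:mm:ss month day year, e.g. 00:00:00 Jan 1 2024."""
    return f"{dt:%H:%M:%S} {dt:%b} {dt.day} {dt.year}"


def render_ios_keychain(name, keys):
    """Render the plan as an IOS key chain block (command syntax assumed)."""
    lines = [f"key chain {name}"]
    for k in keys:
        lines += [
            f" key {k.key_id}",
            f"  key-string {k.key_string}",
            f"  cryptographic-algorithm {k.algorithm}",
            f"  send-lifetime {_ios_time(k.send_start)} {_ios_time(k.send_end)}",
            f"  accept-lifetime {_ios_time(k.accept_start)} {_ios_time(k.accept_end)}",
        ]
    return "\n".join(lines)


# Constructed placeholder secrets; generate real ones with secrets.token_urlsafe(24).
DEMO_SECRETS = ["q1-placeholder", "q2-placeholder", "q3-placeholder", "q4-placeholder"]

if __name__ == "__main__":
    plan = quarterly_plan(2024, DEMO_SECRETS)
    print(render_ios_keychain("rotation_demo", plan))
    print("problems:", validate_plan(plan) or "none")
    # The same plan with no accept-window margin is flagged on every key.
    print("problems without overlap:",
          validate_plan(quarterly_plan(2024, DEMO_SECRETS, overlap_hours=0)))
```

Running the script prints the four-key chain and an empty problem list; dropping the overlap, or removing one quarter's key, produces the corresponding complaints. Note what the validator does not cover: the plan ends with key 4, so before its send-lifetime expires a further key must be added, or the last key given an infinite lifetime, otherwise both routers run out of keys to send and the adjacency drops.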

Date-based rotation requires planning and synchronized clocks, so in practice many operators keep a keychain with a single key (or a single MD5 key) and change it on both routers at the same time, either by pasting the new key onto both routers together or by using automation to push the change within a maintenance window. The catch is that the change must complete on both sides within the dead interval (40 seconds by default on broadcast and point-to-point networks), because until both routers hold the new key each one discards the other's hellos; the multi-key rollover described earlier avoids that race entirely.

Conclusion

In this lesson, we explored key rotation and keychains in OSPF authentication. Key rotation allows for secure key changes on active neighbor adjacencies, while keychains provide a more flexible and secure way to configure multiple authentication keys. By using HMAC-SHA keys and date-based key rotation, the security and efficiency of OSPF authentication can be enhanced.

