So it's been awhile since my last post, and while I could just blame work, really I hit a bit of a dry spell. Then I saw a topic show up on CLN that sparked my imagination. The topic was simple enough, which authentication method is better (specifically for EIGRP) MD5 or SHA? Now I can feel your twitchy fingers from here. You want to comment in all caps, bold letters "SHA IS BETTER!!!!" Calm down. Deep breathes. I felt the exact same way, until I read the question a little more thoroughly. Well, while the short answer is yes 'SHA is better than MD5', however you can't use rotating keys (yet) with SHA. Yeah, SHA1 is 160-bit hash vs. MD5's 128-bit (EIGRP named mode actually supports sha256). And let's not forget, even with just SHA1, there's no example of a successful collision attack that I'm aware of.
So, definitely SHA is better right? If you want to use rotating keys with a keyring, as of this post you still need to use MD5. Bummer. This got me thinking though, why can't we do better than sha256. In a non-realistic, totally lab only scenario, how could we make EIGRP traffic basically bulletproof?
Don't read beyond this line, test your creative problem solving skills. If required by a task (real world or lab), how would you improve EIGRP security beyond sha256?
Before I go into how I tackled this hypothetical task, let me first say... there are a few different ways you could interpret that objective, and even more ways you could attempt to solve it. Seeing as I wrote the task, the way I interpret it is 'We need better encryption, and a higher degree of data integrity than what sha256 alone can provide.' Which is totally insane, I mean... protecting EIGRP traffic is important, but c'mon. Even still, this is what I came up with. IKEv2/IPsec to secure only EIGRP traffic. Think about the options you have here. Not only do we have the option of a secure hash with up to sha512, but we also can leverage PFS AND encrypt eigrp datagrams. Let's take a look at some config:
All Routers
crypto ikev2 proposal 100
encryption aes-cbc-256
integrity sha512
group 21
crypto ikev2 policy policy100
match fvrf any
proposal 100
crypto ikev2 keyring EIGRP_RING
peer EIGRP_PEERS
address 10.0.123.0 255.255.255.0
pre-shared-key cisco123
!
crypto ikev2 profile profile100
match fvrf any
match identity remote address 10.0.123.0 255.255.255.0
authentication local pre-share
authentication remote pre-share
keyring local EIGRP_RING
crypto ipsec transform-set ESP-AES256 esp-aes 256 esp-sha512-hmac
mode transport
R1
ip access-list extended EIGRP_R2
permit eigrp host 10.0.123.1 host 10.0.123.2
ip access-list extended EIGRP_R3
permit eigrp host 10.0.123.1 host 10.0.123.3
!
crypto map EIGRP 1 ipsec-isakmp
set peer 10.0.123.2
set transform-set ESP-AES256
set pfs group21
set ikev2-profile profile100
match address EIGRP_R2
!
crypto map EIGRP 2 ipsec-isakmp
set peer 10.0.123.3
set transform-set ESP-AES256
set pfs group21
set ikev2-profile profile100
match address EIGRP_R3
!
interface GigabitEthernet2
ip address 10.0.123.1 255.255.255.0
negotiation auto
crypto map EIGRP
R2
ip access-list extended EIGRP_R1
permit eigrp host 10.0.123.2 host 10.0.123.1
ip access-list extended EIGRP_R3
permit eigrp host 10.0.123.2 host 10.0.123.3
!
crypto map EIGRP 1 ipsec-isakmp
set peer 10.0.123.1
set transform-set ESP-AES256
set pfs group21
set ikev2-profile profile100
match address EIGRP_R1
crypto map EIGRP 2 ipsec-isakmp
set peer 10.0.123.3
set transform-set ESP-AES256
set pfs group21
set ikev2-profile profile100
match address EIGRP_R3
!
interface GigabitEthernet2
ip address 10.0.123.2 255.255.255.0
negotiation auto
crypto map EIGRP
R3
ip access-list extended EIGRP_R1
permit eigrp host 10.0.123.3 host 10.0.123.1
ip access-list extended EIGRP_R2
permit eigrp host 10.0.123.3 host 10.0.123.2
!
crypto map EIGRP 1 ipsec-isakmp
set peer 10.0.123.1
set transform-set ESP-AES256
set pfs group21
set ikev2-profile profile100
match address EIGRP_R1
crypto map EIGRP 2 ipsec-isakmp
set peer 10.0.123.2
set transform-set ESP-AES256
set pfs group21
set ikev2-profile profile100
match address EIGRP_R2
!
interface GigabitEthernet2
ip address 10.0.123.3 255.255.255.0
negotiation auto
crypto map EIGRP
So that's your basic IKEv2 IPsec configuration, using EIGRP as the only interesting traffic. The next thing we're going to need to make this happen is static EIGRP neighbors. I'm still tinkering around, trying to figure out how to make this a little more graceful (GETVPN would at least help with the crypto maps). For now, let's just add the following:
router eigrp IPSEC
!
address-family ipv4 unicast autonomous-system 47884
!
topology base
exit-af-topology
neighbor 10.0.123.1 GigabitEthernet2
neighbor 10.0.123.2 GigabitEthernet2
neighbor 10.0.123.3 GigabitEthernet2
network 10.0.0.0
exit-address-family
Now finally, some verification. I should note, loopback interfaces are 10.x.x.x where 'x' is the router number.
R1#show ip eigrp neighbors
EIGRP-IPv4 VR(IPSEC) Address-Family Neighbors for AS(47884)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 10.0.123.2 Gi2 14 07:57:58 5 100 0 14
1 10.0.123.3 Gi2 10 21:16:19 5 100 0 11
R1#show ip route eigrp | b ^Gateway
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
D 10.2.2.2/32 [90/10880] via 10.0.123.2, 07:58:37, GigabitEthernet2
D 10.3.3.3/32 [90/10880] via 10.0.123.3, 21:16:59, GigabitEthernet2
R1#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
3 10.0.123.1/500 10.0.123.3/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:21, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/76592 sec
Tunnel-id Local Remote fvrf/ivrf Status
2 10.0.123.1/500 10.0.123.2/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:21, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/76641 sec
R1#show crypto ipsec sa | i remote|encap
remote ident (addr/mask/prot/port): (10.0.123.3/255.255.255.255/88/0)
#pkts encaps: 16566, #pkts encrypt: 16566, #pkts digest: 16566
local crypto endpt.: 10.0.123.1, remote crypto endpt.: 10.0.123.3
remote ident (addr/mask/prot/port): (10.0.123.2/255.255.255.255/88/0)
#pkts encaps: 16579, #pkts encrypt: 16579, #pkts digest: 16579
local crypto endpt.: 10.0.123.1, remote crypto endpt.: 10.0.123.2
So that's it gang! A different, albeit impractical, approach to securing your routing process. I'll probably do a short video on this configuration (if for no other reason than to demo a quick IKEv2 configuration). I'll update this post with that video when I do.
