keychain vs key string?

Adam Tyler

Hello ITPro.. Wondering if someone can explain to me the difference between a keychain vs a key-string in the Cisco world? I am a bit confused. I am working with the NX OS platform and it looks like you have quite a few options for authenticating OSPF or HSRP for example...

Here are some OSPF options for authentication from the CLI:

WILNXLAB-02(config-if)# ip ospf ?
  authentication       Authentication on the interface
  authentication-key   Configure the authentication key for the interface
  message-digest-key   Message digest authentication password (key)

WILNXLAB-02(config-if)# ip ospf authentication?
  authentication      Authentication on the interface
  authentication-key  Configure the authentication key for the interface

WILNXLAB-02(config-if)# ip ospf authentication-key ?
  0     Specifies an UNENCRYPTED authentication key will follow
  3     Specifies an 3DES ENCRYPTED authentication key will follow
  7     Specifies a Cisco type 7  ENCRYPTED authentication key will follow
  LINE  The UNENCRYPTED (cleartext) authentication key

WILNXLAB-02(config-if)# ip ospf message-digest-key ?
  <0-255>  Key ID

For HSRP you have a bunch of options too:

WILNXLAB-02(config-if-hsrp)# ?
  authentication  Authentication
 
WILNXLAB-02(config-if-hsrp)# authentication ?
  WORD  Plain text authentication string (Max Size 8)
  md5   Use MD5 authentication
  text  Plain text authentication

WILNXLAB-02(config-if-hsrp)# authentication md5 ?
  key-chain   Set key chain
  key-string  Set key string

WILNXLAB-02(config-if-hsrp)# authentication md5 key-chain
  WORD  Name of key-chain (Max Size 250)

What is all of this? What is the difference between a keychain and a key-string? If I specify a message-digest-key "1" for an interface to negotiate OSPF, should I not use "1" again? Is there a show that deep dives into this I can watch?

Regards,
Adam Tyler

Ronnie Wong

@Adam-Tyler said in keychain vs key string?:

What is all of this? What is the difference between a keychain and a key-string? If I specify a message-digest-key "1" for an interface to negotiate OSPF, should I not use "1" again? Is there a show that deep dives into this I can watch?

I believe we go over this in the CCNA show (maybe), CCNA Security show and CCNP ROUTE...

But here's a summary
Think of the key-chain as being the container or "set" of keys.
Think of the key-string as the individual "key" can can be used.

Routing authentication relies on a key on keychain to function. Before authentication can be used, a keychain with one one key (minimally) must be created. It's a hierarchy, that allows the association of multiple key-strings to a single key-chain. You set a time send and receive time for each key-string. This is useful if the connection is over a public network so that security keys are changed on a regular basis. Though you can set a single key, this is only good in a testing environment, in a production environment you want the keys to change. This has to be manually done if you only setup one key.

Setting up multiple keys allows routers to to use a single key for a period of time. Then the routers use two keys for a limited period of overlapping time, then use the next key only in key-chain for a period of time, while the first key expired.

e.g.
create what needs to be used for authentication. I created a key-chain and 2 key-

R1#configure terminal
R1(config)#key chain MYCHAIN
R1(config-keychain)#key 1
R1(config-keychain-key)#?
Key-chain key configuration commands:
  accept-lifetime          Set accept lifetime of key
  cryptographic-algorithm  Set cryptographic authentication algorithm
  default                  Set a command to its defaults
  exit                     Exit from key-chain key configuration mode
  key-string               Set key string
  no                       Negate a command or set its defaults
  send-lifetime            Set send lifetime of key
R1(config-keychain-key)#key-string securetraffic1
R1(config-keychain-key)#accept-lifetime 00:00:00 1 April 2019 00:00:00 15 May 2019
R1(config-keychain-key)#send-lifetime 00:00:00 1 April 2019 00:00:00 15 May 2019
R1(config-keychain)#key 2
R1(config-keychain-key)#key-string securetraffic2
R1(config-keychain-key)#accept-lifetime 00:00:00 1 May 2019 00:00:00 15 June 2019
R1(config-keychain-key)#send-lifetime 00:00:00 1 May 2019 00:00:00 15 June 2019
R1#

Apply the Key-Chain to interface to use for authentication

R1#configure terminal
R1(config)#interface g0/0
R1(config-subif)#ip authentication mode eigrp 10 md5
R1(config-subif)#ip authentication key-chain eigrp 10 MYCHAIN
R1(config-subif)#end
R1#

This allows for both keys to be used, the time-limits set on each key-string will tell the router when to use them.

You do the same thing for R2 and the interface that connects to R1. If these do not match key-strings, it will not work.

Adam Tyler

Thank you Ronnie, I am actually going through CCNP route now. I have about a year before my CCNA cert expires. I don't recall seeing this information in the CCNA course, but it has been a while for me. I had a couple of follow up questions regarding the info you provided.

You mention that a key-string should not be used in production. Is the key-chain feature specific to the Cisco platform? I am trying to deploy OSPF in our environment with SonicWALL firewalls using tunnel interfaces (VPN). They don't offer much in the way of authentication for OSPF.. Take a look at their options..

I am able to get OSPF going with "Message Digest", but the command on the Cisco side I am using on the interface is "ip ospf message-digest-key 1 md5 0 MYKEYSTRINGHERE". This is not recommended? Even though the traffic is technically still traversing an encrypted tunnel?

Is all of this logic around key-string and key-chain the same for HSRP authentication or do the rules change?
So, in a key-chain, the string is processed again within the timeframe you specify to produce a unique authentication string which rotates. Assuming you used the same rotation time and original key-string, each side should get the same result. That sounds all well and good to me, am I on the right track? If so, what is the significance of setting a year in your rotation time-frame? Wouldn't you want the key to rotate indefinitely? What happens if the year you use is in the past? Or does the firewall automatically update it as the string is processed?
In my question 1 above I give an example of a key-string I used to get OSPF authentication working between a Cisco device and a SonicWALL. Can you tell me what the significance of the "1" is in the Cisco command? For example, if I were to run a similar command to get OSPF going on a different interface would it be okay to still use "1", or is that globally applicable beyond the interface somehow? For example, would I need to use "2" if I wanted to use a different key-string on a different interface?

"ip ospf message-digest-key 1 md5 0 MYKEYSTRINGHERE"

Ronnie Wong

@Adam-Tyler said in keychain vs key string?:

You mention that a key-string should not be used in production. Is the key-chain feature specific to the Cisco platform?

I'm not sure if the concept is only specific to Cisco or not. I can only tell you that cisco requires a key-string to be attached to the a key-chain. I'm no so familiar with the sonic firewall.

I am able to get OSPF going with "Message Digest", but the command on the Cisco side I am using on the interface is "ip ospf message-digest-key 1 md5 0 MYKEYSTRINGHERE". This is not recommended? Even though the traffic is technically still traversing an encrypted tunnel?

The use of single key that is unchanging is not recommended in production, even when you're using a VPN tunnel.

Is all of this logic around key-string and key-chain the same for HSRP authentication or do the rules change?

As far as I know, it shouldn't change

So, in a key-chain, the string is processed again within the timeframe you specify to produce a unique authentication string which rotates. Assuming you used the same rotation time and original key-string, each side should get the same result. That sounds all well and good to me, am I on the right track?

Yes

If so, what is the significance of setting a year in your rotation time-frame?
You're just trying to set a temporary key that can only be used for that time period. If you set multiple keys within the key-chain without time, they are all active all the time. I'm not sure how you would make them rotate without the time

Wouldn't you want the key to rotate indefinitely? What happens if the year you use is in the past? Or does the firewall automatically update it as the string is processed?

Yes and no. You do want it to change regularly. No, not indefinitely. You could have a router that loses connection or dies. What happens if the key has changed on one side while the router is down, you're not sure what key it's using at the current time.
Setting a time in the past doesn't affect it, it just goes active from that past date until you set an end date. I'm not sure about what the sonic firewall would do.

In my question 1 above I give an example of a key-string I used to get OSPF authentication working between a Cisco device and a SonicWALL. Can you tell me what the significance of the "1" is in the Cisco command?

It is the key number on the key-chain to be used. So a 1 is the first key on the key-chain.

For example, if I were to run a similar command to get OSPF going on a different interface would it be okay to still use "1", or is that globally applicable beyond the interface somehow? For example, would I need to use "2" if I wanted to use a different key-string on a different interface?

So these authentication commands are on a per interface basis, so a 1 on different interfaces is not necessarily the same as a 1 on another interface.