Enabling RIP Authentication
Problem
You want to authenticate your RIP traffic to ensure that unauthorized equipment cannot affect how traffic is routed through your network.
Solution
The following set of commands enables plain-text RIP authentication:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#key chain ORA
Router1(config-keychain)#key 1
Router1(config-keychain-key)#key-string oreilly
Router1(config-keychain-key)#exit
Router1(config)#interface FastEthernet0/0.1
Router1(config-subif)#ip rip authentication key-chain ORA
Router1(config-subif)#ip rip authentication mode text
Router1(config-subif)#exit
Router1(config)#end
Router1#
For greater security, Cisco routers can also use MD5-based authentication:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#key chain ORA
Router1(config-keychain)#key 1
Router1(config-keychain-key)#key-string oreilly
Router1(config-keychain-key)#exit
Router1(config)#interface FastEthernet0/0.1
Router1(config-subif)#ip rip authentication key-chain ORA
Router1(config-subif)#ip rip authentication mode md5
Router1(config-subif)#end
Router1#
Discussion
RIP authentication is one of the protocol enhancements that appeared in Version 2. It is not available for Version 1.
The first configuration example in this recipe uses plain-text authentication. In general, we recommend using the MD5 authentication because the plain-text version is far too easy to break. If you want to set up authentication to ensure that you only receive updates from the appropriate devices, you should use the safer MD5 version. The only reason to consider the less secure plain-text version is if some of the RIP devices cannot support MD5. Because the RFC for RIP Version 2 only describes plain text authentication, some non-Cisco devices do not support MD5 authentication.
Both forms of RIP authentication help to ensure that only legitimate network equipment is allowed to take part in RIP updates. This is particularly important if you have network segments that contain foreign devices that may corrupt the routing tables. This could happen because of malice, but it's also relatively easy for a misconfigured Unix workstation running the routed program to cause serious routing problems.
When you enable plain text authentication, the first route field in each update packet contains the authentication string instead of a route. Note that this implies that each update packet can then hold a maximum of 24 route entries. Because the MD5 authentication scheme carries more information, it uses the first and last route fields in each update packet. So this leaves a maximum of 23 route entries per update packet.
In the example, you can see that the key is applied to an interface. This allows you to specify a different key for each network segment. However, there is nothing to stop you from using the same key on more than one interface, or even a single key throughout the network.
The following debug traces were taken with authentication enabled. The first trace shows plain-text authentication, and includes the password:
Router1#debug ip rip
RIP protocol debugging is on
Aug 12 02:08:03.386: RIP: received packet with text authentication oreilly
Aug 12 02:08:03.390: RIP: received v2 update from 172.25.1.7 on FastEthernet0/0.1
The second trace shows an update containing MD5 authentication. Note that in this case, the router is not able to decode the authentication string. Instead, it compares the encrypted password string with the encrypted version of its own password to see if they match. There are no known methods to uniquely invert MD5 encryption:
Router3#debug ip rip
RIP protocol debugging is on
Aug 11 22:14:50 EDT: RIP: received packet with MD5 authentication
Aug 11 22:14:50 EDT: RIP: received v2 update from 172.25.1.5 on Ethernet0
The show ip protocols command includes information about the authentication key chains:
Router3#show ip protocols
Routing Protocol is "rip"
Sending updates every 30 seconds, next due in 16 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Outgoing update filter list for all interfaces is
Incoming update filter list for all interfaces is
Redistributing: rip
Default version control: send version 2, receive version 2
Interface Send Recv Key-chain
Ethernet0 2 2 ORA
Routing for Networks:
172.25.0.0
Routing Information Sources:
Gateway Distance Last Update
172.25.1.5 120 00:00:01
Distance: (default is 120)
Router3#
If the router receives a RIP update that has an incorrect key, or no key at all, it will discard the packet, as shown in the following debug trace:
Router3#debug ip rip
RIP protocol debugging is on
Aug 11 22:17:07 EDT: RIP: ignored v2 packet from 172.25.1.5 (invalid authentication)
We will discuss key management schemes, such as setting key lifetimes and using multiple keys when we look at EIGRP authentication. The key management systems are identical on both cases.