Routing Information Protocol
Besides static routes, the PIX firewall also supports Routing Information Protocol
(RIP) versions 1 and 2. This protocol is the simplest dynamic routing protocol
and is defined in RFCs 1058, 1388, and 2082. Roughly speaking, a router
broadcasts (or, in version 2, may multicast) its entire routing table to its
neighbors, and they update their tables.
Each PIX interface can be configured either to advertise (broadcast) itself as a
default route for the network or to passively listen for routing updates from other
routers on the LAN. The simple syntax of the RIP configuration command is as
follows:
rip if_name default | passive [version {1 | 2}]
The default and passive keywords determine the mode in which RIP runs on the interface
if_name. The default parameter specifies that a default route should be advertised,
and passive means listen for updates from other routers. The version parameter
specifies the version of RIP to use on the interface. If a version is not specified,
version 1 is assumed. The main differences between RIPv1 and RIPv2 are that
RIPv2 can use multicast to the address 224.0.0.9 instead of broadcasts and that it
can use authentication. RIPv1 uses broadcasts only and does not authenticate
updates. RIPv2 is also a classless routing protocol, which means that it can
exchange routing information for networks such as 172.16.1.0/24, whereas RIP
v1 uses only class A, B, and C networks, for example the Class B network
171.16.0.0/16. Generally, it is better to use RIPv2 if there is no need to interact
with older RIPv1 devices.
NOTE
Before PIX version 5.3, the PIX firewall was capable of using only broadcasts
for RIPv2. Versions 5.3 and later use multicast to the address
224.0.0.9. By default, when you use RIPv2 on the PIX, it sends updates
to 224.0.0.9. If passive mode is configured with RIPv2, the PIX accepts
multicast updates with the address 224.0.0.9, and this multicast
address is registered on the corresponding interface. Only Intel 10/100
and Gigabit interfaces support multicasting. When RIP configuration
commands are removed from the configuration, this multicast address is
unregistered from the interface.
If you have a router that talks multicast RIPv2 to an older PIX (before
version 5.3), the PIX will not accept any updates. It is possible to switch
the router into unicast mode using the neighbor command
in its RIP configuration section. The PIX is capable of accepting unicast
updates in any version that supports RIP.
www.syngress.com
Advanced PIX Configurations • Chapter 4 201
Here is an example of RIP v1 configuration:
PIX1(config)# show rip
rip outside passive
no rip outside default
rip inside passive
no rip inside default
PIX1(config)# rip inside default
PIX1(config)# show rip
rip outside passive
no rip outside default
rip inside passive
rip inside default
The first show rip command displays the default state of the configuration: all
interfaces listen passively. Then the inside interface is configured to advertise itself
as a default route. Note that passive listening mode was not turned off by this
command; you would need to disable it separately with no rip inside passive if you
wanted to turn it off.
RIP v2 also supports two types of authentication: cleartext passwords and
MD5 hashes. This feature of RIPv2 adds one more field to the transmitted
routing update, an authentication field. It can contain either a cleartext
password (not recommended) or a keyed MD5 hash of the whole message. Keyed
means that there is a key that is used to compute a hash value of the message.
PIX configuration is very simple in both cases: an additional parameter needs to be
added to the basic configuration command:
rip if_name default | passive [version {1 | 2} [authentication {text | md5} key key_id]]
For example, the following command uses a cleartext password of mysecretkey
while broadcasting the default route on the inside interface:
rip inside default version 2 authentication text mysecretkey 1
The following command listens only to the messages with a correct MD5 hash
keyed by the key anothersecretkey:
rip outside passive version 2 authentication md5 anothersecretkey 2
The key_id parameter (the number at the end of the line) is a key identification
value and must be the same on all routers with which the PIX communicates.
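The following is an added example in Python (mine, not the book's or Cisco's code) of the keyed-MD5 authentication entry defined in RFC 2082 that is described above: the sender digests the whole message plus the zero-padded key, and a receiver drops any update whose key_id it does not hold or whose digest does not verify, which is why the key_id must match on every router. The function names, the single sample route and the sequence number are constructed; the key string and key_id 2 are taken from the page.

```python
import hashlib
import hmac
import struct

AFI_AUTH = 0xFFFF       # address family value that marks an authentication entry
AUTH_KEYED_MD5 = 3      # RFC 2082 "keyed message digest" authentication type
TRAILER_TYPE = 1        # marks the trailer that carries the 16-byte digest

# Constructed sample data; the key string and key_id 2 match the page's example.
ROUTES = [("172.16.1.0", "255.255.255.0", 1)]
KEY, KEY_ID = b"anothersecretkey", 2

def _pad_key(key):
    # RFC 2082: the key is appended to the digested data, zero-padded to 16 bytes
    return key[:16].ljust(16, b"\x00")

def _ip(dotted):
    return bytes(int(o) for o in dotted.split("."))

def build_md5_response(routes, key, key_id, seq):
    """RIPv2 Response: header, auth entry, route entries, trailer, keyed digest."""
    header = struct.pack("!BBH", 2, 2, 0)                    # Response, version 2
    rtes = b"".join(struct.pack("!HH4s4s4sI", 2, 0, _ip(n), _ip(m), b"\0" * 4, met)
                    for n, m, met in routes)
    pkt_len = len(header) + 20 + len(rtes)                   # everything before trailer
    auth = struct.pack("!HHHBBIII", AFI_AUTH, AUTH_KEYED_MD5, pkt_len,
                       key_id, 16, seq, 0, 0)
    body = header + auth + rtes + struct.pack("!HH", AFI_AUTH, TRAILER_TYPE)
    return body + hashlib.md5(body + _pad_key(key)).digest()

def verify_md5_response(pkt, keys):
    """Receiver side: accept only a digest made with a key_id we hold."""
    if len(pkt) < 44 or pkt[1] != 2:                         # too short / not RIPv2
        return False
    afi, atype, pkt_len, key_id, alen = struct.unpack("!HHHBB", pkt[4:12])
    if (afi, atype, alen) != (AFI_AUTH, AUTH_KEYED_MD5, 16):
        return False
    if pkt_len + 20 != len(pkt) or key_id not in keys:       # unknown key_id: drop
        return False
    if pkt[pkt_len:pkt_len + 4] != struct.pack("!HH", AFI_AUTH, TRAILER_TYPE):
        return False
    expected = hashlib.md5(pkt[:pkt_len + 4] + _pad_key(keys[key_id])).digest()
    return hmac.compare_digest(expected, pkt[pkt_len + 4:])  # constant-time compare
```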
RIP authentication on routers is more complicated. You need to set up a key
chain with some keys (these keys are numbered, and their numbers are exactly the key_id you
need to provide when configuring the PIX) and turn authentication on. A sample
partial router configuration corresponding to our case of MD5 authentication is:
interface ethernet 0
ip rip authentication key-chain mykeys
ip rip authentication mode md5
!
router rip
network 172.16.0.0
version 2
!
key chain mykeys
key 2
key-string anothersecretkey
NOTE
The PIX firewall is able to support one and only one key ID per interface.
Keys have finite lifetimes, and it is recommended that you change
them every two weeks or so. Note also that if you use Telnet to configure
these keys, they might be exposed.
The clear rip configuration mode command removes all RIP configuration
statements from the PIX firewall.