RIP Authentication
Written by jlgaddis on July 4, 2009 – 1:42 am
I found this post saved and realized that it had never been uploaded to the site, so here you go.

Two routers, R1 and R2, directly connected via their serial 0/0 interfaces. We want to authenticate the routing updates sent and received by these two routers. Note that we have to use RIP version 2 (RIPv2), since RIP version 1 does not support authentication.
For RIP authentication, we have two options: plain text or MD5. I would recommend never using plain-text anything, but we’ll configure both for the sake of completeness. Let’s get started:
Let’s configure a loopback interface on each router and then get our serial connection up and running:
R1# configure terminal
R1(config)# interface loopback 0
R1(config-if)# ip address 1.1.1.1 255.255.255.255
R1(config-if)# interface serial 0/0
R1(config-if)# ip address 172.16.12.1 255.255.255.252
R1(config-if)# no shutdown
R1(config-if)# end

R2# configure terminal
R2(config)# interface loopback 0
R2(config-if)# ip address 2.2.2.2 255.255.255.255
R2(config-if)# interface serial 0/0
R2(config-if)# ip address 172.16.12.2 255.255.255.252
R2(config-if)# no shutdown
R2(config-if)# end
Verify connectivity:
R1# ping 172.16.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/25/64 ms
R1#
Configure RIPv2
It’s back to basics time. Before we jump right into authentication, let’s get just basic RIP working and exchanging updates first:
R1# configure terminal
R1(config)# router rip
R1(config-router)# no auto-summary
R1(config-router)# version 2
R1(config-router)# network 1.0.0.0
R1(config-router)# network 172.16.0.0
R1(config-router)# end

R2# configure terminal
R2(config)# router rip
R2(config-router)# no auto-summary
R2(config-router)# version 2
R2(config-router)# network 2.0.0.0
R2(config-router)# network 172.16.0.0
R2(config-router)# end
Verify RIP
Verify that the routers are exchanging routes via RIP:
R1# sh ip route rip
     2.0.0.0/32 is subnetted, 1 subnets
R       2.2.2.2 [120/1] via 172.16.12.2, 00:00:02, Serial0/0

R2# sh ip route rip
     1.0.0.0/32 is subnetted, 1 subnets
R       1.1.1.1 [120/1] via 172.16.12.1, 00:00:11, Serial0/0
Excellent! Let’s create our key chain, key, and key string that we’ll use for authentication:
Configure authentication parameters
R1# configure terminal
R1(config)# key chain RIP
R1(config-keychain)# key 1
R1(config-keychain-key)# key-string RGjtl5ANYa
R1(config-keychain-key)# end

R2# configure terminal
R2(config)# key chain RIP
R2(config-keychain)# key 1
R2(config-keychain-key)# key-string RGjtl5ANYa
R2(config-keychain-key)# end
A couple of quick notes:
- The key chain name, “RIP”, is user-defined and can be whatever you want it to be. It does not need to be the same on both routers.
- The identifier number of the authentication key, “key 1”, does not need to be identical UNLESS you are using MD5 authentication.
- The key string, “key-string RGjtl5ANYa”, is the actual password. It does, of course, need to match on both sides.
The only things left to do are to enable authentication on the serial 0/0 interfaces and to specify the authentication method we’re going to use. Plain-text authentication is the default, so the mode command can be left out.
Configure plain-text authentication
R1# configure terminal
R1(config)# interface serial 0/0
R1(config-if)# ip rip authentication key-chain RIP
R1(config-if)# end

R2# configure terminal
R2(config)# interface serial 0/0
R2(config-if)# ip rip authentication key-chain RIP
R2(config-if)# end
Verify plain-text authentication
We can verify that authentication is enabled by using “debug ip rip”, as shown here:
R1# debug ip rip
RIP protocol debugging is on
R1#
*Mar 1 01:36:50.743: RIP: sending v2 update to 224.0.0.9 via Serial0/0 (172.16.12.1)
*Mar 1 01:36:50.747: RIP: build update entries
*Mar 1 01:36:50.747: 1.1.1.1/32 via 0.0.0.0, metric 1, tag 0
R1#
*Mar 1 01:37:02.695: RIP: received packet with text authentication RGjtl5ANYa
*Mar 1 01:37:02.695: RIP: received v2 update from 172.16.12.2 on Serial0/0
*Mar 1 01:37:02.695: 2.2.2.2/32 via 0.0.0.0 in 1 hops
R1#
*Mar 1 01:37:05.111: RIP: sending v2 update to 224.0.0.9 via Loopback0 (1.1.1.1)
*Mar 1 01:37:05.111: RIP: build update entries
*Mar 1 01:37:05.111: 2.2.2.2/32 via 0.0.0.0, metric 2, tag 0
*Mar 1 01:37:05.111: 172.16.12.0/30 via 0.0.0.0, metric 1, tag 0
*Mar 1 01:37:05.111: RIP: ignored v2 packet from 1.1.1.1 (sourced from one of our addresses)
R1# undebug all
Note that our password (key string) is plainly visible in the received RIP updates. Not only is it visible to us; it would also be visible to any eavesdropper on the network. Plain-text authentication really gets us nothing. A much better choice is MD5 authentication.
Configure and verify MD5 authentication
With everything else in place, MD5 authentication is just one command away. In interface configuration mode, we specify the type of authentication being used with the “ip rip authentication mode …” command. It defaults to plain-text, which is why we did not need to specify it above.
Let’s set the authentication mode to MD5 on R1, then we’ll start a debug on R2 before setting MD5 authentication there as well:
R1# configure terminal
R1(config)# interface serial 0/0
R1(config-if)# ip rip authentication mode md5
R1(config-if)# end

R2# debug ip rip
RIP protocol debugging is on
R2#
*Mar 1 01:50:29.963: RIP: ignored v2 packet from 172.16.12.1 (invalid authentication)
R2# configure terminal
R2(config)# interface serial 0/0
R2(config-if)# ip rip authentication mode md5
R2(config-if)# end
R2#
*Mar 1 01:50:56.823: RIP: received packet with MD5 authentication
*Mar 1 01:50:56.827: RIP: received v2 update from 172.16.12.1 on Serial0/0
*Mar 1 01:50:56.831: 1.1.1.1/32 via 0.0.0.0 in 1 hops
R2# undebug all
In the “debug ip rip” on R2, we see that we have ignored a packet due to “invalid authentication”. This is because MD5 authentication had already been enabled on R1, but not on R2. R1 was sending MD5 authenticated updates but R2 was still configured to use plain-text authentication so it discarded the update. Once we configured MD5 authentication on R2 as well, we see that we received an update “with MD5 authentication”. Note that the authentication key is NOT visible, as opposed to when we used plain-text authentication.
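To show why the key string shows up in one debug and not the other, here is an added Python model of the two RIPv2 authentication entries (not code from the original post or from any router): the RFC 2453 simple-password entry and the RFC 2082 keyed-MD5 entry plus trailer. The key string and “key 1” are the ones configured in the lab above; the route and sequence number are constructed sample values.

```python
import hashlib
import hmac
import struct

# Key string and key id are the ones configured in the lab above; the packet
# builder and checker are an illustration, not router code.
KEY = b"RGjtl5ANYa"
KEY_CHAIN = {1: KEY}          # models "key chain RIP" holding "key 1"

def ip(addr):
    return bytes(int(o) for o in addr.split("."))

def route_entry(prefix, mask, metric, afi=2, tag=0, next_hop="0.0.0.0"):
    # One 20-byte RIPv2 route entry
    return struct.pack("!HH4s4s4sI", afi, tag, ip(prefix), ip(mask), ip(next_hop), metric)

def plaintext_packet(routes, key):
    # RFC 2453 simple password: AFI 0xFFFF, auth type 2, 16-byte zero-padded password.
    # The password travels as-is, which is what "debug ip rip" printed above.
    auth = struct.pack("!HH16s", 0xFFFF, 2, key.ljust(16, b"\0"))
    return struct.pack("!BBH", 2, 2, 0) + auth + b"".join(routes)

def md5_digest(body, key):
    # RFC 2082 keyed MD5 (not HMAC): hash the packet up to the trailer marker,
    # followed by the zero-padded 16-byte key sitting where the digest will go.
    return hashlib.md5(body + key.ljust(16, b"\0")).digest()

def md5_packet(routes, key, key_id=1, seq=0):
    body_len = 4 + 20 + 20 * len(routes)       # header + auth entry + routes
    auth = struct.pack("!HHHBBI8s", 0xFFFF, 3, body_len, key_id, 16, seq, b"\0" * 8)
    body = struct.pack("!BBH", 2, 2, 0) + auth + b"".join(routes)
    body += struct.pack("!HH", 0xFFFF, 1)      # authentication trailer marker
    return body + md5_digest(body, key)        # only the digest is sent, never the key

def verify_md5(packet, key_chain):
    # Receiver side: the key id carried in the packet selects the local key (hence
    # key ids must match for MD5), then the digest is recomputed and compared.
    # A mismatch is what R2 logged as "invalid authentication".
    if packet[4:8] != b"\xff\xff\x00\x03":
        return False
    key = key_chain.get(packet[10])
    if key is None:
        return False
    body, digest = packet[:-16], packet[-16:]
    return hmac.compare_digest(md5_digest(body, key), digest)

ROUTE = route_entry("1.1.1.1", "255.255.255.255", 1)
PLAIN = plaintext_packet([ROUTE], KEY)
MD5 = md5_packet([ROUTE], KEY, key_id=1, seq=7)
```

Searching the two packets for the key bytes reproduces the difference seen in the debugs: the plain-text packet carries it verbatim, the MD5 packet carries only a digest that a receiver with the wrong key or wrong key id cannot match.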
RIP authentication is extremely easy to configure and there is no good reason not to use MD5 authentication, as is (hopefully) clearly visible from the exercises above.
May all your updates be secure!
Tags: ccna, cisco, labs, networking
July 4th, 2009 at 10:41 am
Great site and of course I enjoyed the tutorial. Question I have for you, what program do you use for your topology diagrams?
Thanks.
P.S. If you use Visio tell me how you make your routers that color…
July 6th, 2009 at 10:58 pm
I do, indeed, use Visio for the diagrams. I’m using the stencils downloaded from Cisco’s web site.