In this article I will configure, debug and show the process of RIPv2 authentication.
Authentication methods
- Plain text
- MD5
Note 1: When using plain text authentication mode, make sure that the following parameters match on neighboring routers for successful authentication.
- Key-string
- Authentication mode
Note 2: When using MD5 authentication mode, make sure that the following parameters match on neighboring routers for successful authentication.
- Key-string.
- Key number.
  - The key number is inserted into a RIP packet to indicate which key should be used for verification.
- Authentication mode.
  - MD5 or Plain Text
Used commands
key chain RIP
 key 1
  key-string password
ip rip authentication mode md5
ip rip authentication key-chain RIP
Simulated topology example
In this example I will use the following topology, emulated inside GNS3/Dynagen. The routers will have only a basic configuration (IP addresses, names, RIP routing).
|---FA0/0-(192.168.1.0/24)---|Left|---fa1/0---(1.0.0.0/24)---sfa0/0---|Right|---Fa1/0-(2.0.0.0/8)---|
GNS3 config
autostart = True
[qemu localhost]
    workingdir = C:\Program Files\GNS3\labs\secure-lab_working
    udp = 20000
[localhost:7200]
    workingdir = C:\Program Files\GNS3\labs\secure-lab_working
    udp = 10000
    [[2621XM]]
        chassis = 2621XM
        image = C:\Program Files\Dynamips\images\c2600-adventerprisek9-mz.124-17.image
        ram = 128
        ghostios = True
        sparsemem = True
        idlepc = 0x80248674
    [[2691]]
        image = C:\Program Files\Dynamips\images\c2691-i-mz.123-22.image
        idlepc = 0x60559bc8
        ghostios = True
        sparsemem = True
    [[ROUTER R1]]
        model = 2691
        console = 2007
        f0/1 = R7 f0/0
        slot1 = NM-1FE-TX
        x = -107.0
        y = -38.0
    [[ROUTER R2]]
        model = 2621XM
        console = 2008
        f0/0 = R6 f0/1
        x = 43.0
        y = -106.0
[GNS3-DATA]
    configs = secure-lab_configs
    workdir = secure-lab_working
Basic configuration
Configuration of the IP addressing and RIPv2 routing; everything works.
Router Left
interface FastEthernet0/0
 ip address 192.168.1.222 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 1.0.0.1 255.255.255.0
 speed auto
 half-duplex
!
router rip
 version 2
 network 1.0.0.0
 network 192.168.1.0
!
Router Right
interface FastEthernet0/0
 ip address 1.0.0.2 255.255.255.0
 speed auto
 half-duplex
!
interface FastEthernet0/1
 ip address 2.0.0.1 255.0.0.0
 duplex auto
 speed auto
 no keepalive
!
router rip
 version 2
 network 1.0.0.0
 network 2.0.0.0
!
Routing table check
On the Left router
Left#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/24 is subnetted, 1 subnets
C       1.0.0.0 is directly connected, FastEthernet0/1
R    2.0.0.0/8 [120/1] via 1.0.0.2, 00:00:00, FastEthernet0/1
C    192.168.1.0/24 is directly connected, FastEthernet0/0
Left#
On the Right router
Right#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/24 is subnetted, 1 subnets
C       1.0.0.0 is directly connected, FastEthernet0/0
C    2.0.0.0/8 is directly connected, FastEthernet0/1
R    192.168.1.0/24 [120/1] via 1.0.0.1, 00:00:02, FastEthernet0/0
An extended ping works fine
Left#ping
Protocol [ip]:
Target IP address: 2.0.0.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.1.222
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.222
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/48/112 ms
Left#
Configuring RIPv2 authentication – MD5
First, I will configure a key chain on router Right:
Right(config)#key chain rip
Right(config-keychain)#key 1
Right(config-keychain-key)#key-string password
Right(config-keychain-key)#^Z
and then I will configure authentication on the FastEthernet fa 0/0 interface:
Right(config-if)#int fa 0/0
Right(config-if)#ip rip authentication mode md5
Right(config-if)#ip rip authentication key-chain rip
Right(config-if)#
If I do not configure RIP authentication on router Left, the updates are not authenticated, the RIP-learned routes are flushed, and the routing tables on both routers contain only directly connected networks.
Left#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/24 is subnetted, 1 subnets
C       1.0.0.0 is directly connected, FastEthernet0/1
C    192.168.1.0/24 is directly connected, FastEthernet0/0
Left#
Right#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/24 is subnetted, 1 subnets
C       1.0.0.0 is directly connected, FastEthernet0/0
C    2.0.0.0/8 is directly connected, FastEthernet0/1
A capture will show the following update packets. The Right router sends updates with the authentication fields filled in:
and the Left router sends plain RIPv2 updates without any authentication information:
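What such captures contain can be reproduced offline. The Python sketch below is an added example, not part of the original article: it assumes the RFC 2082 keyed-MD5 packet layout, builds constructed packets that mirror the lab (the sequence number 7 and all helper names are made up for illustration), and classifies each one as unauthenticated, plain text or MD5, reading the key number from the packet and checking the digest against the key-string.

```python
import hashlib
import hmac
import struct

AUTH_AFI = 0xFFFF   # address family value that marks an authentication entry
KEY = b"password"   # key-string from the article's key chain

def route(ip, mask, metric):
    """One 20-byte RIPv2 route entry (AFI 2 = IP, no route tag or next hop)."""
    return struct.pack("!HH4s4s4sI", 2, 0, bytes(ip), bytes(mask), bytes(4), metric)

def build_md5_update(body, key, key_id, seq):
    """Constructed sample: RIPv2 response carrying RFC 2082 keyed-MD5 fields."""
    length = 4 + 20 + len(body)   # header + auth entry + routes = trailer offset
    auth = struct.pack("!HHHBBI8x", AUTH_AFI, 3, length, key_id, 16, seq)
    signed = struct.pack("!BBH", 2, 2, 0) + auth + body + struct.pack("!HH", AUTH_AFI, 1)
    return signed + hashlib.md5(signed + key.ljust(16, b"\0")).digest()

def classify(packet, key=KEY):
    """Report what a captured RIPv2 packet shows about its authentication."""
    if len(packet) < 24 or packet[1] != 2:
        return {"auth": "not-ripv2"}
    afi, auth_type = struct.unpack_from("!HH", packet, 4)
    if afi != AUTH_AFI:
        return {"auth": "none"}   # first entry is already a route
    if auth_type == 2:            # plain text: the key-string is readable on the wire
        text = packet[8:24].rstrip(b"\0").decode("ascii", "replace")
        return {"auth": "plain", "key_string": text}
    if auth_type != 3:
        return {"auth": "unknown"}
    length, key_id, _, seq = struct.unpack_from("!HBBI", packet, 8)
    signed, digest = packet[:length + 4], packet[length + 4:length + 20]
    expected = hashlib.md5(signed + key.ljust(16, b"\0")).digest()
    valid = len(digest) == 16 and hmac.compare_digest(digest, expected)
    return {"auth": "md5", "key_id": key_id, "seq": seq, "valid": valid}

HEADER = struct.pack("!BBH", 2, 2, 0)   # command 2 (response), version 2
# Constructed samples mirroring the lab: Right advertises 2.0.0.0/8, Left 192.168.1.0/24.
SAMPLE_MD5 = build_md5_update(route((2, 0, 0, 0), (255, 0, 0, 0), 1), KEY, 1, 7)
SAMPLE_PLAIN = (HEADER + struct.pack("!HH16s", AUTH_AFI, 2, KEY)
                + route((2, 0, 0, 0), (255, 0, 0, 0), 1))
SAMPLE_NONE = HEADER + route((192, 168, 1, 0), (255, 255, 255, 0), 1)

if __name__ == "__main__":
    for name, pkt in [("Right, md5", SAMPLE_MD5), ("Right, plain", SAMPLE_PLAIN),
                      ("Left, no auth", SAMPLE_NONE)]:
        print(name, classify(pkt))
```

Changing any byte of the routes, or checking with a different key-string, makes valid come back False; in plain text mode the key-string itself is readable in the capture.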
When I configure the Left router to use authentication too:
Left#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Left(config)#key chain rip
Left(config-keychain)#key 1
Left(config-keychain-key)#key-string password
Left(config-keychain-key)#exit
Left(config-keychain)#exit
Left(config)#int fa 0/1
Left(config-if)#ip rip authentication mode md5
Left(config-if)#ip rip authentication key-chain rip
Left(config-if)#
updates work again, as show ip route shows:
Left#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/24 is subnetted, 1 subnets
C       1.0.0.0 is directly connected, FastEthernet0/1
R    2.0.0.0/8 [120/1] via 1.0.0.2, 00:00:26, FastEthernet0/1
C    192.168.1.0/24 is directly connected, FastEthernet0/0
Right#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/24 is subnetted, 1 subnets
C       1.0.0.0 is directly connected, FastEthernet0/0
C    2.0.0.0/8 is directly connected, FastEthernet0/1
R    192.168.1.0/24 [120/1] via 1.0.0.1, 00:00:26, FastEthernet0/0
Right#