THE SCHOOL OF CISCO NETWORKING (SCN): CISCO - BASIC RIPv2 MD5 (MESSAGE DIGEST - 5) AUTHENTICATION:
Yours sincerely – Premakumar Thevathasan.

CISCO - BASIC RIPv2 MD5 (MESSAGE DIGEST - 5) AUTHENTICATION:

INTRODUCTION :

The authentication process for RIPv2 announcements uses the first route entry in the RIP message to store authentication information. Because that first route entry is consumed, a maximum of 24 routes remain in an authenticated RIPv2 announcement.

RIP-2 provides for unauthenticated service (as in classical RIP) or password authentication. Both are vulnerable to passive attacks currently widespread in the Internet. Well-understood security issues exist in routing protocols, and the clear-text passwords currently specified for use with RIP-2 are no longer considered sufficient.

If authentication is disabled, then only simple misconfigurations are detected. Simple passwords transmitted in the clear will further protect against the honest neighbor, but are useless in the general case: by simply capturing information on the wire, straightforward even in a remote environment, a hostile process can learn the password and overcome the network.

RFC 2082, from which this introduction is taken, therefore proposes that RIP-2 use an authentication algorithm, as was originally proposed for SNMP version 2, augmented by a sequence number. Keyed MD5 is proposed as the standard authentication algorithm for RIP-2, but the mechanism is intended to be algorithm-independent.

RIP AUTHENTICATION :

RIPv2 supports the use of authentication mechanisms to verify the origin of incoming RIP announcements. Simple password authentication was defined in RFC 1723, but newer authentication mechanisms such as Message Digest 5 (MD5) are available.

NOTE: RIP version 1 does not support authentication. If you are sending and receiving RIP version 2 packets, you can enable RIP authentication on an interface.

The key chain determines the set of keys that can be used on the interface. If a key chain is not configured, no authentication is performed on that interface, not even the default authentication.

Therefore, you must also perform the tasks in the section "Manage Authentication Keys" in the "Configuring IP Routing Protocol-Independent Features" chapter.

Two modes of authentication are available on an interface for which RIP authentication is enabled:

  • Plain text authentication.

  • MD5 authentication.

The default authentication in every RIP version 2 packet is plain text authentication.

CONFIGURATION STEPS FOR RIP v2 :

1. Define a key chain with a name.

Note: The key chain determines the set of keys that can be used on the interface. If a key chain is not configured, no authentication is performed on that interface.

2. Define the key or keys on the key chain.

3. Specify the password or key-string to be used in the key.

This is the authentication string that must be sent and received in the packets using the routing protocol being authenticated. (In the example given below, the value of the string is 234.)

4. Enable authentication on an interface and specify the key chain to be used.

Since authentication is enabled on a per-interface basis, a router running RIPv2 can be configured for authentication on certain interfaces and can operate without any authentication on other interfaces.

5. Specify whether the interface will use plain text or MD5 authentication.

Once authentication is enabled in the previous step, RIPv2 defaults to plain text authentication, so this step is only required if you want MD5 authentication.

6. Configure key management (this step is optional).
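As an added example (not part of the original article), the following Python script audits a constructed IOS running-config against steps 1, 4 and 5 above: it flags interfaces that name a key chain which is never defined (IOS then performs no authentication at all on that interface) and interfaces left at the plain-text default. The sample config, interface names and chain names are constructed for illustration.

```python
import re
# Constructed running-config (no real device), modelled on this page's example: Serial0 is
# done right, Serial1 keeps the plain-text default, Serial2 names a chain never defined.
SAMPLE_CONFIG = """\
key chain kal
 key 1
  key-string 234
!
interface Serial0
 ip rip authentication key-chain kal
 ip rip authentication mode md5
!
interface Serial1
 ip rip authentication key-chain kal
!
interface Serial2
 ip rip authentication key-chain missing
 ip rip authentication mode md5
"""

def parse_key_chains(config: str) -> dict:
    """Map each 'key chain' name to the key-strings defined under it."""
    chains, current = {}, None
    for line in config.splitlines():
        m = re.match(r"key chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif line.startswith("interface "):
            current = None
        elif current and line.strip().startswith("key-string "):
            chains[current].append(line.split(None, 1)[1].strip())
    return chains

def audit_rip_auth(config: str) -> dict:
    """Return {interface: findings} for every interface that enables RIP authentication."""
    chains, findings, ifaces = parse_key_chains(config), {}, []
    for line in config.splitlines():
        if line.startswith("interface "):
            ifaces.append([line.split()[1], None, "text"])   # text is the IOS default mode
        elif ifaces and line.strip().startswith("ip rip authentication key-chain "):
            ifaces[-1][1] = line.split()[-1]
        elif ifaces and line.strip().startswith("ip rip authentication mode "):
            ifaces[-1][2] = line.split()[-1].lower()
    for name, chain, mode in ifaces:
        if chain is None:
            continue                                   # RIP authentication not enabled here
        issues = []
        if mode != "md5":
            issues.append("plain-text mode: the key-string travels in the clear")
        if chain not in chains:
            issues.append(f"key chain '{chain}' is not defined: no authentication is performed")
        findings[name] = issues
    return findings
```

Run it against a real configuration with `audit_rip_auth(open("running-config.txt").read())`; an interface with an empty findings list is correctly configured for MD5.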

CONFIGURATION EXAMPLE :

STEP 1:

ip rip authentication key-chain name-of-chain  -> Enable RIP authentication on the interface.

STEP 2:

ip rip authentication mode {text | md5}  -> Configure the interface to use MD5 digest authentication (or let it default to plain text authentication).

RIP AUTHENTICATION (interface commands) :

ip rip authentication mode md5
no ip rip authentication mode md5

Set the interface to RIPv2 MD5 authentication.

ip rip authentication mode text
no ip rip authentication mode text

Set the interface to RIPv2 simple password authentication.

ip rip authentication string STRING
no ip rip authentication string STRING

RIP version 2 has simple text authentication. This command sets the authentication string. The string must be shorter than 16 characters. (This string form is the Quagga/Zebra ripd syntax; Cisco IOS keeps the string in a key chain and uses only the key-chain form below.)

ip rip authentication key-chain KEY-CHAIN
no ip rip authentication key-chain KEY-CHAIN

Enable RIP authentication on the interface using the named key chain; the no form disables it.

DISABLE ROUTE SUMMARIZATION:

By default RIP version 2 supports automatic route summarization. The software summarizes subprefixes to the classful network boundary when crossing classful network boundaries.

If you have disconnected subnets, disable automatic route summarization to advertise the subnets. When route summarization is disabled, the software transmits subnet and host routing information across classful network boundaries. To disable automatic summarization, use the following router configuration command:

no auto-summary  -> Disable automatic summarization.

DISABLE THE VALIDATION OF SOURCE IP ADDRESSES :

By default, the software validates the source IP address of incoming RIP routing updates. If that source address is not valid, the software discards the routing update.

You might want to disable this feature if you have a router that is "off network" and you want to receive its updates. However, disabling this feature is not recommended under normal circumstances.

no validate-update-source  -> Disable the validation of the source IP address of incoming RIP routing updates.



    CONFIGURE:



CONFIGURING PLAIN TEXT AUTHENTICATION :

One of the two ways in which RIP updates can be authenticated is using plain text authentication. This can be configured as shown in the two router configurations below.

CLEAR TEXT - ON ROUTER 1 :

key chain kal
!--- Name a key chain. A key chain may contain more than one key for added security.
!--- It need not be identical on the remote router.
 key 1
 !--- This is the identification number of an authentication key on a key chain.
 !--- It need not be identical on the remote router.
  key-string 234
  !--- The actual password or key-string.
  !--- It needs to be identical to the key-string on the remote router.
!
interface Loopback0
 ip address 70.70.70.70 255.255.255.255
!
interface Serial0
 ip address 141.108.0.10 255.255.255.252
 ip rip authentication key-chain kal
 !--- Enables authentication on the interface and configures
 !--- the key chain that will be used.
!
router rip
 version 2
 network 141.108.0.0
 network 70.0.0.0

CLEAR TEXT - ON ROUTER 2 :

key chain kal
 key 1
  key-string 234
!
interface Loopback0
 ip address 80.80.80.1 255.255.255.0
!
interface Serial0
 ip address 141.108.0.9 255.255.255.252
 ip rip authentication key-chain kal
 clockrate 64000
!
router rip
 version 2
 network 141.108.0.0
 network 80.0.0.0

CONFIGURING MD5 AUTHENTICATION :

MD5 authentication is an optional authentication mode added by Cisco to the original RFC 1723-defined plain text authentication. The configuration is identical to that for plain text authentication, except for the use of the additional interface command ip rip authentication mode md5.

You must configure the router interfaces on both sides of the link for the MD5 authentication method, making sure the key number and key string match on both sides.

MD5 - ON ROUTER A :

key chain kal
!--- Need not be identical on the remote router.
 key 1
 !--- Needs to be identical on the remote router.
  key-string 234
  !--- Needs to be identical to the key-string on the remote router.
!
interface Loopback0
 ip address 70.70.70.70 255.255.255.255
!
interface Serial0
 ip address 141.108.0.10 255.255.255.252
 ip rip authentication mode md5
 !--- Specifies the type of authentication used
 !--- in RIPv2 packets.
 !--- Needs to be identical on the remote router.
 !--- To restore clear text authentication, use the no form of this command.
 ip rip authentication key-chain kal
!
router rip
 version 2
 network 141.108.0.0
 network 70.0.0.0

MD5 - ON ROUTER B :

key chain kal
 key 1
  key-string 234
!
interface Loopback0
 ip address 80.80.80.1 255.255.255.0
!
interface Serial0
 ip address 141.108.0.9 255.255.255.252
 ip rip authentication mode md5
 ip rip authentication key-chain kal
 clockrate 64000
!
router rip
 version 2
 network 141.108.0.0
 network 80.0.0.0

VERIFY:

VERIFYING PLAIN TEXT AUTHENTICATION :

This section provides information to confirm your configuration is working properly.

By configuring the routers as shown above, all routing update exchanges will be authenticated before being accepted. This can be verified by observing the output obtained from the debug ip rip and show ip route commands.

NOTE: Before issuing debug commands, refer to Important Information on Debug Commands.

RB#debug ip rip
RIP protocol debugging is on
*Mar 3 02:11:39.207: RIP: received packet with text authentication 234
*Mar 3 02:11:39.211: RIP: received v2 update from 141.108.0.10 on Serial0
*Mar 3 02:11:39.211: RIP: 70.0.0.0/8 via 0.0.0.0 in 1 hops

RB#show ip route
R    70.0.0.0/8 [120/1] via 141.108.0.10, 00:00:25, Serial0
     80.0.0.0/24 is subnetted, 1 subnets
C       80.80.80.0 is directly connected, Loopback0
     141.108.0.0/30 is subnetted, 1 subnets
C       141.108.0.8 is directly connected, Serial0

Using plain text authentication improves the network design by preventing the addition of routing updates originated by routers not meant to take part in the local routing exchange process. However, this type of authentication is not secure.

The password (234 in this example) is exchanged in plain text, as the debug output above shows. It can be captured easily and thus exploited. As mentioned before, MD5 authentication must be preferred over plain text authentication when security is an issue.

VERIFYING MD5 AUTHENTICATION :

By configuring the RA and RB routers as shown above, all routing update exchanges will be authenticated before being accepted. This can be verified by observing the output obtained from the debug ip rip and show ip route commands.

RB#debug ip rip
RIP protocol debugging is on
*Mar 3 20:48:37.046: RIP: received packet with MD5 authentication
*Mar 3 20:48:37.046: RIP: received v2 update from 141.108.0.10 on Serial0
*Mar 3 20:48:37.050:      70.0.0.0/8 via 0.0.0.0 in 1 hops

RB#show ip route
R    70.0.0.0/8 [120/1] via 141.108.0.10, 00:00:03, Serial0
     80.0.0.0/24 is subnetted, 1 subnets
C       80.80.80.0 is directly connected, Loopback0
     141.108.0.0/30 is subnetted, 1 subnets
C       141.108.0.8 is directly connected, Serial0

MD5 authentication uses the one-way MD5 hash algorithm (regarded as a strong hashing algorithm when this feature was designed; MD5 is no longer considered collision-resistant, but in this mode the key itself never appears on the wire). In this mode of authentication, the routing update does not carry the password. Instead, a 128-bit digest, generated by running the MD5 algorithm over the message together with the password, is sent along with the message for authentication. Thus it is recommended to use MD5 authentication over plain text authentication, since it is more secure.



RIP MD5 AUTHENTICATION EXAMPLE

The following set of commands enables plain-text RIP authentication:

Router1 ----------------- Router2

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#key chain Prem
Router1(config-keychain)#key 1
Router1(config-keychain-key)#key-string CCNP
Router1(config-keychain-key)#exit
Router1(config)#interface FastEthernet0/0.1
Router1(config-subif)#ip rip authentication key-chain Prem
Router1(config-subif)#ip rip authentication mode text
Router1(config-subif)#exit
Router1(config)#end
Router1#

For greater security, Cisco routers can also use MD5-based authentication:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#key chain Prem
Router1(config-keychain)#key 1
Router1(config-keychain-key)#key-string CCNP
Router1(config-keychain-key)#exit
Router1(config)#interface FastEthernet0/0.1
Router1(config-subif)#ip rip authentication key-chain Prem
Router1(config-subif)#ip rip authentication mode md5
Router1(config-subif)#end
Router1#

DISCUSSION:

RIP authentication is one of the protocol enhancements that appeared in version 2. It is not available for version 1.

The first configuration example in this recipe uses plain-text authentication. In general, we recommend using MD5 authentication because the plain-text version is far too easy to break.

If you want to set up authentication to ensure that you only receive updates from the appropriate devices, you should use the safer MD5 version. The only reason to consider the less secure plain-text version is if some of the RIP devices cannot support MD5.

Because the RFC for RIP version 2 only describes plain text authentication, some non-Cisco devices do not support MD5 authentication.

Both forms of RIP authentication help to ensure that only legitimate network equipment is allowed to take part in RIP updates.

This is particularly important if you have network segments that contain foreign devices that may corrupt the routing tables. This could happen because of malice, but it is also relatively easy for a misconfigured Unix workstation running the routed program to cause serious routing problems.

When you enable plain text authentication, the first route field in each update packet contains the authentication string instead of a route.

NOTE: This implies that each update packet can then hold a maximum of 24 route entries. Because the MD5 authentication scheme carries more information, it uses the first and last route fields in each update packet, which leaves a maximum of 23 route entries per update packet.
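The following Python block is an added example (not from the article, the Cisco Cookbook or Cisco) that builds and verifies a RIPv2 Response laid out the way RFC 2082 and the note above describe: the first entry is the keyed-MD5 authentication header, the trailer carries the 16-byte digest (which is why only 23 routes fit), and the digest is MD5 over the packet followed by the zero-padded key-string, so the key (234 here, as in the verify section) never appears on the wire. The strict sequence-number check is this example's own choice, and the key ID in the header is assumed to select the single local key.

```python
import hashlib
import hmac
import ipaddress
import struct

AFI_AUTH, AUTH_TYPE_MD5, TRAILER_TYPE, DIGEST_LEN, ENTRY_LEN = 0xFFFF, 3, 1, 16, 20
# A RIP datagram is at most 512 bytes: 4-byte header, 20-byte auth entry and a 20-byte
# digest trailer leave (512 - 4 - 20 - 20) // 20 = 23 route entries (24 for plain text).
MAX_MD5_ROUTES = (512 - 4 - ENTRY_LEN - (4 + DIGEST_LEN)) // ENTRY_LEN

def _padded_key(key: bytes) -> bytes:
    """The key-string (e.g. 234) is zero-padded to 16 bytes and only ever hashed, never sent."""
    if not 1 <= len(key) <= DIGEST_LEN:
        raise ValueError("RIP MD5 key must be 1-16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")

def build_md5_update(routes, key_id: int, key: bytes, seq: int) -> bytes:
    """RIP-2 Response carrying routes [(prefix, metric)] with RFC 2082 keyed-MD5 auth."""
    header = struct.pack("!BBH", 2, 2, 0)              # command=Response, version=2
    body = b"".join(
        struct.pack("!HH4s4s4sI", 2, 0,                # AFI=IP, route tag 0
                    ipaddress.IPv4Network(p).network_address.packed,
                    ipaddress.IPv4Network(p).netmask.packed,
                    b"\x00" * 4, metric) for p, metric in routes)   # next hop 0.0.0.0
    pkt_len = len(header) + ENTRY_LEN + len(body)      # length excluding the trailer
    auth = struct.pack("!HHHBBIII", AFI_AUTH, AUTH_TYPE_MD5, pkt_len,
                       key_id, DIGEST_LEN, seq, 0, 0)  # first "route" entry = auth header
    unsigned = header + auth + body + struct.pack("!HH", AFI_AUTH, TRAILER_TYPE)
    return unsigned + hashlib.md5(unsigned + _padded_key(key)).digest()

def verify_md5_update(packet: bytes, key: bytes, last_seq: int = -1) -> bool:
    """Recompute the digest with the local key; reject a wrong key, tampering or replay."""
    if len(packet) < 4 + ENTRY_LEN + 4 + DIGEST_LEN:
        return False
    afi, atype, pkt_len, _kid, dlen, seq, _, _ = struct.unpack("!HHHBBIII", packet[4:24])
    if (afi, atype, dlen) != (AFI_AUTH, AUTH_TYPE_MD5, DIGEST_LEN):
        return False
    if pkt_len + 4 + DIGEST_LEN != len(packet):
        return False
    expected = hashlib.md5(packet[:-DIGEST_LEN] + _padded_key(key)).digest()
    # Constant-time compare; the sequence number must advance to defeat replay.
    return hmac.compare_digest(packet[-DIGEST_LEN:], expected) and seq > last_seq

if __name__ == "__main__":
    pkt = build_md5_update([("70.0.0.0/8", 1)], key_id=1, key=b"234", seq=1)
    print(len(pkt), verify_md5_update(pkt, b"234"), verify_md5_update(pkt, b"235"))
```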

In the example, you can see that the key is applied to an interface. This allows you to specify a different key for each network segment. However, there is nothing to stop you from using the same key on more than one interface, or even a single key throughout the network.

The following debug traces were taken with authentication enabled. The first trace shows plain-text authentication, and includes the password:

Router1#debug ip rip
RIP protocol debugging is on
Aug 12 02:08:03.386: RIP: received packet with text authentication oreilly
Aug 12 02:08:03.390: RIP: received v2 update from 172.25.1.7 on FastEthernet0/0.1

CONCLUSION:

The goal of this article is to give an easy way to understand "CISCO - BASIC RIP AUTHENTICATION". Hope this article will help every beginner who is going to start Cisco lab practice without any doubts. Thank you and best of luck.

This article was written by: Premakumar Thevathasan. CCNA, CCNP, CCIP, MCSE, MCSA, MCSA - MSG, CIW Security Analyst, CompTIA Certified A+.

DISCLAIMER:

This document carries no explicit or implied warranty, nor is there any guarantee that the information contained in this document is accurate. Every effort has been made to make all articles as complete and as accurate as possible.

It is offered in the hope of helping others, but you use it at your own risk. The author will not be liable for any special, incidental, consequential or indirect damages due to loss of data or any other reason that occur as a result of using this document. No warranty or fitness is implied. The information provided is on an "as is" basis. All use is completely at your own risk.




