Enabling RIP Authentication

Problem

You want to ensure that all RIP protocol traffic your router accepts comes from devices known to you so that only trusted routers participate in determining how traffic is routed through your network.

Solution

Configure MD5 authentication for RIP:

	aviva@RouterA> configure
	[edit protocols]
	aviva@RouterA# set rip authentication-type md5
	aviva@RouterA# set rip authentication-key 123456
	rip {
	authentication-type md5;
	authentication-key "1$9$CuWOtBIhSrc8XcS24JGiH"; ## SECRET-DATA
	group alpha-rip-group {
	neighbor fe-0/0/0.0;
	}
	}

 

Discussion

It is a good security measure to authenticate all RIP protocol exchanges to ensure that only trusted routers participate in your RIP network and in the exchange of traffic and protocol updates. RIP authentication was added to Version 2 of the protocol standard, so you cannot authenticate RIP Version 1 traffic.

This example shows how to configure RIP to use MD5 authentication. You do this with two statements, one to set the authentication type and another to set the key, or password, that is included in all transmitted RIP packets. MD5 creates an encoded checksum that is included in the transmitted RIP packets. The receiving router verifies this checksum before accepting the packet.

When you display the router's configuration after you have typed the password, the password is displayed in encrypted form. This ensures that someone casually glancing through the configuration does not see the actual password.

You can also configure a simple password for RIP authentication, which includes a plain-text password in the transmitted RIP packets. Plain-text passwords are easy to break by devices that sniff network traffic, so you should never use them when your goal is network security.

For authentication to work across your entire RIP network, you need to configure MD5 authentication and the same password on all your routers in the same way as we show in this recipe. Once you have the encrypted version of the password, you can use it in the authentication-key statement instead of the password itself. This is one way to minimize the number of people who see the actual password.

	aviva@RouterB#  
set rip authentication-key "$9$CuWOtBIhSrc8XcS24JGiH"



Router Configuration and File Management

Basic Router Security and Access Control

IPSec

SNMP

Logging

NTP

Router Interfaces

IP Routing

Routing Policy and Firewall Filters

RIP

IS-IS

OSPF

BGP

MPLS

VPNs

IP Multicast



JUNOS Cookbook
Junos Cookbook (Cookbooks (OReilly))
ISBN: 0596100140
EAN: 2147483647
Year: 2007
Pages: 290
Authors: Aviva Garrett

Similar book on Amazon

Flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net