RIP version 1 does not support authentication. RIP version 2 supports plain text and MD5 authentication. The difference between the two is that in plain text mode the key string is sent unencrypted, so it can be seen by anyone who can see or sniff the packet. So MD5 authentication is more secure. There is no point in not using MD5.
We will first configure MD5 authentication and then see how changing just one word in the MD5 configuration gives plain-text authentication.
MD5 Authentication:
Step 1 : Configure key chain
R1(config)#key chain sandesh ### 'sandesh' is the name of the key chain, which enables authentication for routing protocols.
R1(config-keychain)#key 1 ### Identifies an authentication key on a key chain.
R1(config-keychain-key)#key-string passpass ### Specifies the authentication key string for a key; in this case the key-string is 'passpass'.
Step 2: Configure interface
R1(config)#int fa0/0
R1(config-if)#ip rip authentication mode md5
R1(config-if)#ip rip authentication key-chain sandesh
Repeat the same configuration on the other router, on the directly connected interface. That's all you need to do for MD5 authentication.
Plain Text Authentication
To configure plain text authentication, just change the configuration of the directly connected interfaces. Step 1 is the same for both.
Step 2: Configure interface
R1(config)#int fa0/0
R1(config-if)#ip rip authentication mode text
R1(config-if)#ip rip authentication key-chain sandesh
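What the one-word change means on the wire, as an added Python example (not part of the original post): it builds a constructed RIPv2 update in each mode, following the RFC 2453 simple-password and RFC 2082 keyed-MD5 layouts, and reports what each exposes. The route entry, sequence number, auth-data-length value and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

AUTH_AFI = 0xFFFF          # address-family value that marks an authentication entry
SIMPLE, KEYED_MD5 = 2, 3   # authentication types from RFC 2453 and RFC 2082
HEADER = bytes([2, 2, 0, 0])                      # command=response, version=2
ROUTE = struct.pack("!HH4s4s4sI", 2, 0, bytes([10, 1, 1, 0]),
                    bytes([255, 255, 255, 0]), bytes(4), 1)   # constructed route entry


def build_text(key: bytes) -> bytes:
    """Constructed sample: update carrying simple (plain text) authentication."""
    return HEADER + struct.pack("!HH16s", AUTH_AFI, SIMPLE, key) + ROUTE


def build_md5(key: bytes, key_id: int = 1, seq: int = 1) -> bytes:
    """Constructed sample: update carrying keyed-MD5 authentication."""
    body_len = len(HEADER) + 20 + len(ROUTE)
    auth = struct.pack("!HHHBBI8x", AUTH_AFI, KEYED_MD5, body_len, key_id, 20, seq)
    signed = HEADER + auth + ROUTE + struct.pack("!HH", AUTH_AFI, 1)
    return signed + hashlib.md5(signed + key.ljust(16, b"\0")).digest()


def inspect_rip_auth(pkt: bytes, key: bytes = b"") -> dict:
    """Report which authentication a RIP UDP payload carries and what it exposes."""
    if len(pkt) < 24 or pkt[1] != 2:
        return {"mode": "none"}
    afi, auth_type = struct.unpack_from("!HH", pkt, 4)
    if afi != AUTH_AFI:
        return {"mode": "none"}
    if auth_type == SIMPLE:
        # The 16-byte field is the key string itself, null padded.
        exposed = pkt[8:24].rstrip(b"\0").decode("ascii", "replace")
        return {"mode": "text", "key_on_wire": exposed}
    if auth_type == KEYED_MD5:
        pkt_len, key_id, _, seq = struct.unpack_from("!HBBI", pkt, 8)
        signed, digest = pkt[:pkt_len + 4], pkt[pkt_len + 4:pkt_len + 20]
        expected = hashlib.md5(signed + key.ljust(16, b"\0")).digest()
        return {"mode": "md5", "key_id": key_id, "sequence": seq,
                "key_on_wire": None, "digest_ok": hmac.compare_digest(digest, expected)}
    return {"mode": "unknown"}


if __name__ == "__main__":
    print(inspect_rip_auth(build_text(b"passpass")))
    print(inspect_rip_auth(build_md5(b"passpass"), key=b"passpass"))
```

Run over captured RIP payloads, the same function shows which neighbours are still sending updates in text mode.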
To check the key chain on a Cisco router, use the following command:
R1#show key chain
Key-chain sandesh:
key 1 -- text "passpass"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
In the above output we can see that key 1 has two properties, accept lifetime and send lifetime.
These properties define the validity of key 1. Here they mean that key 1 is always valid.
Cisco routers provide the flexibility to configure multiple keys valid for different periods of time. This adds to the security of the RIP updates.
Changing Validity of key in RIP
To change the validity of keys in RIP, we need to specify the start time of key validity and the end time or duration.
R2(config)#key chain sandesh
R2(config-keychain)#key 1
R2(config-keychain-key)#send-lifetime hh:mm:ss <1-31> MONTH <1993-2035> hh:mm:ss <1-31> MONTH <1993-2035> ### start time and end time
Instead of an end time, we can specify the duration in seconds as well.
R2(config)#key chain sandesh
R2(config-keychain)#key 1
R2(config-keychain-key)#send-lifetime hh:mm:ss <1-31> MONTH <1993-2035> duration <1-2147483646>
The other option is infinite, which means that the key is valid for as long as the key is there.
R2(config)#key chain sandesh
R2(config-keychain)#key 1
R2(config-keychain-key)#send-lifetime hh:mm:ss <1-31> MONTH <1993-2035> infinite
With this flexibility provided by Cisco routers, we can have multiple keys for a pair of directly connected interfaces, each valid for a different period of time.
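When several keys each cover a different period, the schedule should leave no window in which no key is valid for sending. The following added Python example (not from the original post) parses the three send-lifetime forms shown above and lists any such windows; the key chain text, its dates and the function names are constructed for the illustration.

```python
import re
from datetime import datetime, timedelta

FMT = "%H:%M:%S %d %b %Y"                       # hh:mm:ss <1-31> MONTH <1993-2035>
STAMP = r"(\d\d:\d\d:\d\d \d{1,2} [A-Za-z]{3} \d{4})"
LIFETIME = re.compile(rf"send-lifetime {STAMP} (?:{STAMP}|duration (\d+)|infinite)")

# Constructed key chain; key-strings are left out because only lifetimes matter here.
SAMPLE = """
key chain sandesh
 key 1
  send-lifetime 00:00:00 1 Jan 2024 00:00:00 1 Apr 2024
 key 2
  send-lifetime 00:00:00 2 Apr 2024 duration 7776000
 key 3
  send-lifetime 00:00:00 1 Jul 2024 infinite
"""


def send_windows(config: str) -> dict:
    """Map key number -> (start, end) of its send-lifetime; infinite ends at datetime.max."""
    windows, key_id = {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"key (\d+)", line):
            key_id = int(m.group(1))
        elif (m := LIFETIME.fullmatch(line)) and key_id is not None:
            start = datetime.strptime(m.group(1), FMT)
            if m.group(2):                       # explicit end time
                end = datetime.strptime(m.group(2), FMT)
            elif m.group(3):                     # duration in seconds
                end = start + timedelta(seconds=int(m.group(3)))
            else:                                # infinite
                end = datetime.max
            windows[key_id] = (start, end)
    return windows


def coverage_gaps(windows: dict) -> list:
    """Return (gap_start, gap_end) periods in which no key is valid for sending."""
    gaps, covered_until = [], None
    for start, end in sorted(windows.values()):
        if covered_until is not None and start > covered_until:
            gaps.append((covered_until, start))
        covered_until = end if covered_until is None else max(covered_until, end)
    return gaps


if __name__ == "__main__":
    for gap in coverage_gaps(send_windows(SAMPLE)):
        print("no valid send key between", *gap)
```

In the constructed sample, key 1 expires a day before key 2 starts, so the check reports that one-day window.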