Monday, November 24, 2014

Authentication in RIP v2

RIP version 1 does not support authentication. RIP version 2 supports plain text and MD5 authentication. The difference between the two is that with plain text authentication the key string is sent unencrypted, so it can be seen by anyone who can see or sniff the packet. MD5 authentication is therefore more secure. There is no point in not using MD5.

We will first configure MD5 authentication and then see how changing just one word in that configuration turns it into plain text authentication.

MD5 Authentication:

Step 1 : Configure key chain

R1(config)#key chain sandesh   ### 'sandesh' is the name of the key chain, which enables authentication for routing protocols.
R1(config-keychain)#key 1   ### Identifies an authentication key on the key chain.
R1(config-keychain-key)#key-string passpass   ### Specifies the authentication key string for the key; in this case the key-string is 'passpass'.

Step 2: Configure interface

R1(config)#int fa0/0
R1(config-if)#ip rip authentication mode md5
R1(config-if)#ip rip authentication key-chain sandesh

Repeat the same configuration on the other router, on its directly connected interface. That's all you need to do for MD5 authentication.

Plain Text Authentication

To configure plain text authentication, just change the configuration of the directly connected interfaces. Step 1 is the same for both modes.

Step 2: Configure interface

R1(config)#int fa0/0
R1(config-if)#ip rip authentication mode text
R1(config-if)#ip rip authentication key-chain sandesh
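
What the one-word difference between md5 and text means on the wire, as an added Python example (not from the original post and not Cisco's code): it builds a RIPv2 response with the RFC 2453 simple-password entry and with the RFC 2082 keyed-MD5 trailer, then checks whether the key string appears in the packet bytes. The sample route, key ID 1 and sequence number 1 are constructed values.

```python
import hashlib
import hmac
import socket
import struct

AUTH_AFI = 0xFFFF  # address-family value that marks an authentication entry


def route_entry(prefix, mask, metric):
    """One 20-byte RIPv2 route entry (AFI 2 = IP, no route tag, no next hop)."""
    return struct.pack("!HH4s4s4sI", 2, 0, socket.inet_aton(prefix),
                       socket.inet_aton(mask), socket.inet_aton("0.0.0.0"), metric)


def build_plaintext(key, routes):
    """RFC 2453 simple password: the key itself travels in the first entry."""
    header = struct.pack("!BBH", 2, 2, 0)               # response, version 2
    auth = struct.pack("!HH16s", AUTH_AFI, 2, key)      # type 2 = password
    return header + auth + routes


def build_md5(key, key_id, seq, routes):
    """RFC 2082 keyed MD5: only a digest of (packet + key) travels."""
    header = struct.pack("!BBH", 2, 2, 0)
    pkt_len = 4 + 20 + len(routes)                      # offset of the trailer
    auth = struct.pack("!HHHBBIII", AUTH_AFI, 3, pkt_len, key_id, 16, seq, 0, 0)
    body = header + auth + routes + struct.pack("!HH", AUTH_AFI, 1)
    digest = hashlib.md5(body + key.ljust(16, b"\0")).digest()
    return body + digest


def verify_md5(packet, key):
    """Recompute the digest as the receiving router would and compare."""
    body, received = packet[:-16], packet[-16:]
    expected = hashlib.md5(body + key.ljust(16, b"\0")).digest()
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    key = b"passpass"                                     # key-string from the post
    routes = route_entry("10.1.1.0", "255.255.255.0", 1)  # constructed sample route
    clear = build_plaintext(key, routes)
    signed = build_md5(key, key_id=1, seq=1, routes=routes)
    print("key visible in text-mode packet:", key in clear)
    print("key visible in md5-mode packet: ", key in signed)
    print("digest verifies with right key: ", verify_md5(signed, key))
    print("digest verifies with wrong key: ", verify_md5(signed, b"wrongkey"))
```
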

To check the key chain on a Cisco router, use the following command:

R1#show key chain
Key-chain sandesh:
    key 1 -- text "passpass"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]

In the above output we can see that key 1 has two properties, accept lifetime and send lifetime.
These properties define the validity of key 1. Here they show that key 1 is always valid.

Cisco routers provide the flexibility to configure multiple keys valid for different periods of time. This adds to the security of the RIP updates.

Changing Validity of key in RIP

To change the validity of keys in RIP, we need to specify the start time of key validity and the end time or duration.

R2(config)#key chain sandesh
R2(config-keychain)#key 1
R2(config-keychain-key)#send-lifetime hh:mm:ss <1-31> MONTH <1993-2035> hh:mm:ss <1-31> MONTH <1993-2035>   ### start time and end time

Instead of an end time, we can specify the duration in seconds as well:

R2(config)#key chain sandesh
R2(config-keychain)#key 1
R2(config-keychain-key)#send-lifetime hh:mm:ss <1-31> MONTH <1993-2035> duration <1-2147483646>

The other option is infinite, which means that the key is valid as long as the key is there.

R2(config)#key chain sandesh
R2(config-keychain)#key 1
R2(config-keychain-key)#send-lifetime hh:mm:ss <1-31> MONTH <1993-2035> infinite

With this flexibility provided by Cisco routers, we can have multiple keys for a pair of directly connected interfaces, each valid for a different period of time.
