Wednesday, December 14, 2011

RIP AUTHENTICATION MD5 AND TEXT LAB

Ok so I am now looking at RIP authentication. RIP supports both clear text and MD5
authentication; in MD5 mode an MD5 hash computed with the password is sent instead of
the password itself. This only validates that the update is coming from the correct
neighbor. It does not encrypt the payload: the routing updates are still visible to
packet sniffers, so this is not an encryption technology, only authentication of the
neighbor by the shared password.

MD5 digest works by creating a 16-byte hash of the routing message combined with a secret key. The 16-byte value is, therefore, message-specific, and modification of the message by an attacker invalidates the 16-byte digest appended to the message. Without the secret key, which is never sent over the wire by the routing protocol, the attacker is unable to reconstruct a valid message. It is worth noting that the MD5 option provides authentication and packet integrity, not confidentiality.
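To make the integrity-but-no-confidentiality point concrete, here is an added Python example (my own code, not from the original post or from any router vendor). It models the RFC 2082 keyed-MD5 trailer scheme: MD5 runs over the packet with the zero-padded 16-byte key standing in the digest slot, and the result replaces the key on the wire. The sample packet is constructed from the lab (key id 1, key-string cisco, route 1.1.1.1/32). Vendor implementations differ in small details such as the Auth Data Length value, so the bytes are illustrative, not a wire-exact copy of any router's output.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Added example, not code from the original post. It models the RFC 2082 keyed-MD5
# trailer for RIPv2: MD5 runs over the packet with the zero-padded 16-byte key
# standing in the digest slot, and the result replaces the key on the wire.
# Vendor implementations differ in small details (e.g. the Auth Data Length
# value), so this illustrates the mechanism rather than any router's exact bytes.

RIP_RESPONSE = 2
RIP_V2 = 2
AFI_AUTH = 0xFFFF           # address family 0xFFFF marks an authentication entry
AUTH_TYPE_MD5 = 0x0003      # keyed-MD5 authentication header entry
AUTH_TYPE_TRAILER = 0x0001  # trailer carrying the 16-byte digest
KEY_LEN = 16
HDR_LEN, AUTH_LEN, RTE_LEN, TRAILER_HDR_LEN = 4, 20, 20, 4
TRAILER_HDR = struct.pack("!HH", AFI_AUTH, AUTH_TYPE_TRAILER)


def _pad_key(key: bytes) -> bytes:
    if len(key) > KEY_LEN:
        raise ValueError("RFC 2082 keys are at most 16 bytes")
    return key.ljust(KEY_LEN, b"\x00")


def build_rte(prefix: str, mask: str, metric: int, tag: int = 0) -> bytes:
    """One 20-byte RIPv2 route entry (AFI 2 = IP, next hop 0.0.0.0 = the sender)."""
    return struct.pack("!HH4s4s4sI", 2, tag, IPv4Address(prefix).packed,
                       IPv4Address(mask).packed, IPv4Address("0.0.0.0").packed, metric)


def build_md5_packet(rtes: list, key_id: int, key: bytes, seq: int) -> bytes:
    """Sender side: header, MD5 auth entry, routes, then the digest trailer."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    pkt_len = HDR_LEN + AUTH_LEN + RTE_LEN * len(rtes)  # everything before the trailer
    auth_entry = struct.pack("!HHHBBIQ", AFI_AUTH, AUTH_TYPE_MD5, pkt_len,
                             key_id, KEY_LEN, seq, 0)
    body = header + auth_entry + b"".join(rtes)
    # The digest covers the routes, key ID and sequence number, so an altered or
    # replayed update fails the check; the key itself never leaves the router.
    digest = hashlib.md5(body + TRAILER_HDR + _pad_key(key)).digest()
    return body + TRAILER_HDR + digest


def verify_md5_packet(packet: bytes, keychain: dict) -> tuple:
    """Receiver side. keychain maps key ID -> secret, like a key chain with several keys."""
    if len(packet) < HDR_LEN + AUTH_LEN + TRAILER_HDR_LEN + KEY_LEN:
        return False, "too short"
    afi, atype, pkt_len, key_id, _alen, _seq, _rsv = struct.unpack(
        "!HHHBBIQ", packet[HDR_LEN:HDR_LEN + AUTH_LEN])
    if afi != AFI_AUTH or atype != AUTH_TYPE_MD5:
        return False, "no MD5 authentication entry"
    if pkt_len + TRAILER_HDR_LEN + KEY_LEN != len(packet):
        return False, "length mismatch"
    if key_id not in keychain:
        return False, "unknown key id"  # the key number has to match on both sides
    body = packet[:pkt_len]
    trailer_hdr = packet[pkt_len:pkt_len + TRAILER_HDR_LEN]
    received = packet[pkt_len + TRAILER_HDR_LEN:]
    if trailer_hdr != TRAILER_HDR:
        return False, "bad trailer"
    expected = hashlib.md5(body + trailer_hdr + _pad_key(keychain[key_id])).digest()
    if not hmac.compare_digest(expected, received):
        return False, "invalid authentication"
    return True, "ok"


def parse_routes(packet: bytes) -> list:
    """Read the route entries with no key at all: authentication adds no confidentiality."""
    pkt_len = struct.unpack("!H", packet[8:10])[0]
    routes = []
    for off in range(HDR_LEN + AUTH_LEN, pkt_len, RTE_LEN):
        _afi, _tag, prefix, mask, _nh, metric = struct.unpack(
            "!HH4s4s4sI", packet[off:off + RTE_LEN])
        routes.append((str(IPv4Address(prefix)), str(IPv4Address(mask)), metric))
    return routes


def demo() -> dict:
    """Constructed scenario from the lab: key chain RIP, key 1, key-string cisco."""
    key = b"cisco"
    pkt = build_md5_packet([build_rte("1.1.1.1", "255.255.255.255", 1)], key_id=1, key=key, seq=42)
    metric_off = HDR_LEN + AUTH_LEN + 16  # metric is the last 4 bytes of the first RTE
    tampered = pkt[:metric_off] + struct.pack("!I", 16) + pkt[metric_off + 4:]
    return {
        "good": verify_md5_packet(pkt, {1: key})[1],
        "tampered": verify_md5_packet(tampered, {1: key})[1],
        "wrong_key": verify_md5_packet(pkt, {1: b"cisc0"})[1],
        "wrong_key_id": verify_md5_packet(pkt, {2: key})[1],  # receiver only knows key 2
        "readable_without_key": parse_routes(pkt),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The receiver rejects a modified metric, a wrong key-string, and a key id it does not have in its chain, which is the "key number MUST match" behaviour the post describes for MD5; `parse_routes` reads the advertised prefix without knowing any key, which is the "payload is still visible" part.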

Below is an MD5-encapsulated RIP v2 packet (packet capture image).

Configuration wise

It uses the key chain approach:

define a key chain
  key chain "name" in global config
define a key number
  key "num" under key chain config
  for md5 the key number MUST match on both neighbors, as it is used in calculating the hash; technically with clear text it does not have to
define a password
  key-string "password" under key id config
  WHITE SPACES COUNT AS CHARACTERS
once this is all configured you go to the rip interface
  int fa0/1
  ip rip authentication mode (md5/text)
  ip rip authentication key-chain "name"

So for the lab
----------------
sw2 will just be layer 2 (no ip routing enabled); sw1, r2 and sw4 will connect to
sw2 in vlan 100 so they are all on the same segment. We will firstly run plain text, then
look at md5.



Ok I have configured them all running rip in vlan 100 10.229.254.0/24, created loopbacks on each router/switch and advertised them in rip:
sw1 10.229.254.1, advertising 1.1.1.1
sw4 10.229.254.2, advertising 4.4.4.4
r4 10.229.254.3, advertising 5.5.5.5

we will start on r4

r4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/32 is subnetted, 1 subnets
R       1.1.1.1 [120/1] via 10.229.254.1, 00:00:10, FastEthernet0/0
     4.0.0.0/32 is subnetted, 1 subnets
R       4.4.4.4 [120/1] via 10.229.254.2, 00:00:02, FastEthernet0/0
     5.0.0.0/32 is subnetted, 1 subnets
C       5.5.5.5 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.229.254.0 is directly connected, FastEthernet0/0
r4#

so it is receiving all the expected loopbacks, the 1 and 4 networks

ok now I will configure authentication. Firstly define a key chain named RIP with key id 1 and key string (password) cisco

r4#sh run  | begin key
key chain RIP
 key 1
  key-string cisco
!

now applying to the interface and setting mode to text

r4(config)#int fa0/0
r4(config-if)#ip rip authentication mode text
r4(config-if)#ip rip authentication key-chain RIP
r4(config-if)#

ok after a clear ip route * I am not receiving any of the rip updates, as there is an authentication mismatch: the r4 rip interface is configured for authentication but none of the others are

r4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     5.0.0.0/32 is subnetted, 1 subnets
C       5.5.5.5 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.229.254.0 is directly connected, FastEthernet0/0

I am ignoring packets from .2 and .1 because of invalid authentication

r4#debug ip rip
RIP protocol debugging is on
r4#
*Dec 14 20:25:19.203: RIP: sending v2 update to 224.0.0.9 via Loopback0 (5.5.5.5)
*Dec 14 20:25:19.203: RIP: build update entries
*Dec 14 20:25:19.203:   10.229.254.0/24 via 0.0.0.0, metric 1, tag 0
*Dec 14 20:25:19.203: RIP: ignored v2 packet from 5.5.5.5 (sourced from one of our addresses)
*Dec 14 20:25:24.835: RIP: ignored v2 packet from 10.229.254.1 (invalid authentication)
*Dec 14 20:25:30.779: RIP: ignored v2 packet from 10.229.254.1 (invalid authentication)
*Dec 14 20:25:33.215: RIP: ignored v2 packet from 10.229.254.2 (invalid authentication)
*Dec 14 20:25:34.351: RIP: ignored v2 packet from 10.229.254.2 (invalid authentication)u all
All possible debugging has been turned off
r4#
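The debug output above is also what you would watch for in production, where a burst of "invalid authentication" lines means either a key-chain/mode mismatch on a known neighbor (as in this lab) or an unexpected device speaking RIP on the segment. The following is an added Python example (my own code, not from the post) that parses such lines and separates the two cases; the sample lines are copied from the debug output in the lab, the neighbor list and threshold are assumptions.

```python
import re
from collections import Counter

# Added example, not from the original post. The sample lines are copied from the
# "debug ip rip" output shown in the lab; in production the same lines would arrive
# via syslog. The "sourced from one of our addresses" line is kept on purpose:
# not every ignored packet is an authentication problem.
SAMPLE_DEBUG = """\
*Dec 14 20:25:19.203: RIP: ignored v2 packet from 5.5.5.5 (sourced from one of our addresses)
*Dec 14 20:25:24.835: RIP: ignored v2 packet from 10.229.254.1 (invalid authentication)
*Dec 14 20:25:30.779: RIP: ignored v2 packet from 10.229.254.1 (invalid authentication)
*Dec 14 20:25:33.215: RIP: ignored v2 packet from 10.229.254.2 (invalid authentication)
*Dec 14 20:25:34.351: RIP: ignored v2 packet from 10.229.254.2 (invalid authentication)
"""

IGNORED_RE = re.compile(
    r"RIP: ignored v(?P<ver>\d) packet from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) \((?P<reason>[^)]+)\)"
)


def parse_ignored(text: str) -> list:
    """Return (source, reason) for every 'RIP: ignored ... packet' line."""
    return [(m.group("src"), m.group("reason")) for m in IGNORED_RE.finditer(text)]


def auth_failures_by_source(text: str) -> Counter:
    """Count only the authentication rejections, per sending address."""
    return Counter(src for src, reason in parse_ignored(text)
                   if reason == "invalid authentication")


def classify_sources(text: str, expected_neighbors: set, threshold: int = 2) -> dict:
    """Sources with at least `threshold` rejections (threshold is an assumed value).
    A known neighbor points at a key-chain, key id or mode mismatch (the lab case);
    an address not in the neighbor list should be investigated rather than fixed
    by loosening the key chain."""
    verdicts = {}
    for src, count in auth_failures_by_source(text).items():
        if count < threshold:
            continue
        if src in expected_neighbors:
            verdicts[src] = "known neighbor: check key chain, key id and authentication mode"
        else:
            verdicts[src] = "unexpected source: investigate before accepting"
    return verdicts


if __name__ == "__main__":
    # Assumed neighbor list for the lab segment: sw1 and sw4.
    print(classify_sources(SAMPLE_DEBUG, {"10.229.254.1", "10.229.254.2"}))
```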

I am going to change the authentication to md5 and configure it on all routers now

so on switch 1
switch1(config)#key chain RIP
switch1(config-keychain)# key 1
switch1(config-keychain-key)#  key-string cisco
switch1(config-keychain-key)#exit
switch1(config-keychain)#exit
switch1(config)#int po2
switch1(config-if)#ip rip authen mode md5
switch1(config-if)#ip rip authen key-chain RIP
switch1(config-if)#
if I do a clear ip route * and sh ip route I should now be rejecting the sw4 4.4.4.4 network but receiving the r4 5.5.5.5 network

switch1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     5.0.0.0/32 is subnetted, 1 subnets
R       5.5.5.5 [120/1] via 10.229.254.3, 00:00:11, Port-channel2
     10.0.0.0/24 is subnetted, 1 subnets
C       10.229.254.0 is directly connected, Port-channel2
switch1#
which I am. I will now configure the same on sw4
switch4(config)#key chain RIP
switch4(config-keychain)# key 1
switch4(config-keychain-key)#  key-string cisco
switch4(config-keychain-key)#exit
switch4(config-keychain)#exit
switch4(config)#int po9
switch4(config-if)#ip rip authent mode md5
switch4(config-if)#ip rip authent key-chain RIP
switch4(config-if)#exit
switch4(config)#exit

I should now have a full routing table on sw4 with the loopbacks of sw1 and r4,
which I do
switch4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/32 is subnetted, 1 subnets
R       1.1.1.1 [120/1] via 10.229.254.1, 00:00:02, Port-channel9
     4.0.0.0/32 is subnetted, 1 subnets
C       4.4.4.4 is directly connected, Loopback0
     5.0.0.0/32 is subnetted, 1 subnets
R       5.5.5.5 [120/1] via 10.229.254.3, 00:00:17, Port-channel9
     10.0.0.0/24 is subnetted, 1 subnets
C       10.229.254.0 is directly connected, Port-channel9
switch4#
