RIP Authentication

Understanding RIP Authentication

RIPv2 provides authentication support so that RIP links can require authentication keys (passwords) before they become active. Authentication provides an additional layer of security on the network beyond the other security features. By default, this authentication is disabled.

Authentication keys can be specified in either plain-text or MD5 form. Authentication requires all routers within the RIP network or subnetwork to have the same authentication type and key (password) configured.

This type of authentication is not supported on RIPv1 networks.

MD5 authentication uses an encoded MD5 checksum that is included in the transmitted packet. For MD5 authentication to work, both the receiving and transmitting routing devices must have the same MD5 key. You define an MD5 key for each interface. If MD5 is enabled on an interface, that interface accepts routing updates only if MD5 authentication succeeds. Otherwise, updates are rejected. The routing device only accepts RIPv2 packets sent using the same key identifier (ID) that is defined for that interface.

Starting in Junos OS Release 20.3R1, we support multiple MD5 authentication keys for RIPv2 for increased security. You can add MD5 keys, each with its own start-time. RIPv2 packets are transmitted with MD5 authentication using the first configured key. RIPv2 authentication switches to the next key based on its configured key start-time. This provides automatic key switching, without the user intervention that is needed to change the MD5 key when only one MD5 key is configured.
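The sketch below shows how the checksum in the packet ties an update to the shared key and key ID. It is an added example, not Juniper code, and it assumes the keyed-MD5 packet layout of RFC 2082; the function names, the route entry, and the key values are constructed for illustration.

```python
import hashlib
import hmac
import struct

AUTH_MD5 = 3       # RFC 2082 authentication type: keyed message digest
DIGEST_LEN = 16    # MD5 digest size; keys are zero-padded to the same length
TRAILER = struct.pack("!HH", 0xFFFF, 0x0001)   # marks the start of the digest

def pad_key(secret: bytes) -> bytes:
    if not 1 <= len(secret) <= DIGEST_LEN:
        raise ValueError("key must be 1 through 16 characters long")
    return secret.ljust(DIGEST_LEN, b"\x00")

def sign(routes: bytes, key_id: int, secret: bytes, seq: int) -> bytes:
    """Build a RIPv2 response whose trailer carries the keyed-MD5 digest."""
    header = struct.pack("!BBH", 2, 2, 0)          # command=response, version=2
    length = len(header) + 20 + len(routes)        # offset at which the trailer starts
    auth = struct.pack("!HHHBBI8x", 0xFFFF, AUTH_MD5, length,
                       key_id, DIGEST_LEN, seq)
    body = header + auth + routes + TRAILER
    # Hash the packet with the shared key appended; only the digest is sent.
    return body + hashlib.md5(body + pad_key(secret)).digest()

def verify(packet: bytes, keyring: dict) -> bool:
    """Accept only a packet whose key ID is configured and whose digest matches."""
    if len(packet) < 4 + 20 + len(TRAILER) + DIGEST_LEN:
        return False
    marker, auth_type, length, key_id, dlen, _seq = struct.unpack(
        "!HHHBBI", packet[4:16])
    if (marker, auth_type, dlen) != (0xFFFF, AUTH_MD5, DIGEST_LEN):
        return False                               # not an MD5-authenticated packet
    body, digest = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
    if key_id not in keyring or len(body) != length + 4 or body[-4:] != TRAILER:
        return False                               # unknown key ID or bad framing
    expected = hashlib.md5(body + pad_key(keyring[key_id])).digest()
    return hmac.compare_digest(digest, expected)

# Constructed sample: one route entry (AFI 2, 10.0.0.0/24, metric 1).
ROUTE = struct.pack("!HH4s4s4sI", 2, 0, bytes([10, 0, 0, 0]),
                    bytes([255, 255, 255, 0]), bytes(4), 1)
PACKET = sign(ROUTE, key_id=2, secret=b"constructed-key", seq=1)

if __name__ == "__main__":
    print(verify(PACKET, {2: b"constructed-key"}))   # same key ID and key
    print(verify(PACKET, {2: b"different-key"}))     # key mismatch
    print(verify(PACKET, {3: b"constructed-key"}))   # key ID not configured
```

Because the digest covers the route entries as well as the key, an update altered in transit fails verification in the same way as one signed with the wrong key.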

Note that the RIPv2 authentication described in this topic is not supported in Junos OS Releases 15.1X49, 15.1X49-D30, or 15.1X49-D40.

Enabling Authentication with Plain-Text Passwords

To configure authentication that requires a plain-text password to be included in the transmitted packet, enable simple authentication by performing these steps on all RIP devices in the network:

  1. Navigate to the top of the configuration hierarchy.
  2. Perform the configuration tasks described in Table 1.
  3. If you are finished configuring the router, commit the configuration.

Table 1: Configuring Simple RIP Authentication

| Task | CLI Configuration Editor |
| --- | --- |
| Navigate to the RIP level in the configuration hierarchy. | From the [edit] hierarchy level, enter edit protocols rip |
| Set the authentication type to simple. | Set the authentication type to simple: set authentication-type simple |
| Set the authentication key to a simple-text password. The password can be from 1 through 16 contiguous characters long and can include any ASCII strings. | Set the authentication key to a simple-text password: set authentication-key password |

Example: Configuring Route Authentication for RIP using single MD5 key

This example shows how to configure authentication for a RIP network.

Requirements

No special configuration beyond device initialization is required before configuring this example.

Overview

You can configure the router to authenticate RIP route queries. By default, authentication is disabled. You can use one of the following authentication methods:

  • Simple authentication—Uses a text password that is included in the transmitted packet. The receiving router uses an authentication key (password) to verify the packet.

  • MD5 authentication—Creates an encoded checksum that is included in the transmitted packet. The receiving router uses an authentication key (password) to verify the packet’s MD5 checksum.

This example shows MD5 authentication.

Figure 1 shows the topology used in this example.

Figure 1: RIP Authentication Network Topology

CLI Quick Configuration shows the configuration for all of the devices in Figure 1. The section Step-by-Step Procedure describes the steps on Device R1.

Topology

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Device R1

Device R2

Device R3

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure RIP authentication:

  1. Configure the network interfaces.

    This example shows multiple loopback interface addresses to simulate attached networks.

  2. Create the RIP group and add the interface.

    To configure RIP in Junos OS, you must configure a group that contains the interfaces on which RIP is enabled. You do not need to enable RIP on the loopback interface.

  3. Create the routing policy to advertise both direct and RIP-learned routes.

  4. Apply the routing policy.

    In Junos OS, you can only apply RIP export policies at the group level.

  5. Require MD5 authentication for RIP route queries received on an interface.

    The passwords must match on neighboring RIP routers. If the password does not match, the packet is rejected. The password can be from 1 through 16 contiguous characters long and can include any ASCII strings.

    Do not enter the password as shown here. The password shown here is the encrypted password that is displayed in the configuration after the actual password is already configured.

  6. Configure tracing operations to track authentication.

Results

From configuration mode, confirm your configuration by entering the show interfaces, show protocols, and show policy-options commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Checking for Authentication Failures

Purpose

Verify that there are no authentication failures.

Action

From operational mode, enter the show rip statistics command.

Meaning

The output shows that there are no authentication failures.

Verifying That MD5 Authentication Is Enabled in RIP Update Packets

Purpose

Use tracing operations to verify that MD5 authentication is enabled in RIP updates.

Action

From operational mode, enter the show log command.

Meaning

The (needs MD5) output shows that all route updates require MD5 authentication.

Example: Configuring Route Authentication for RIP using multiple MD5 keys

This example shows how to configure authentication for a RIP network using multiple MD5 keys and how to configure a transition of MD5 keys on a RIP interface.

Requirements

This example uses the following hardware and software components:

  • Three ACX Series routers

  • Junos OS Release 20.3 or later

Overview

MD5 authentication uses an encoded MD5 checksum that is included in the transmitted packet. For MD5 authentication to work, both the receiving and transmitting routing devices must have the same MD5 key.

You define an MD5 key for each interface. If MD5 is enabled on an interface, that interface accepts routing updates only if MD5 authentication succeeds. Otherwise, updates are rejected. The routing device only accepts RIPv2 packets sent using the same key identifier (ID) that is defined for that interface.

For increased security, you can configure multiple MD5 keys, each with a unique key ID, and set the date and time to switch to a new key. The receiver of the RIPv2 packet uses the ID to determine which key to use for authentication. The RIPv2 multiple MD5 key feature supports adding MD5 keys, each with its own start-time. RIPv2 packets are transmitted with MD5 authentication using the first configured key. RIPv2 authentication switches to the next key based on that key's configured start-time. This provides automatic key switching, without the user intervention that is needed to change the MD5 key when only one MD5 key is configured.

This example shows RIPv2 authentication with multiple MD5 keys.

Figure 2 shows the topology used in this example.

Figure 2: Network Topology for RIP Authentication using multiple MD5 keys

CLI Quick Configuration shows the configuration for all of the devices in Figure 2. The section CLI Quick Configuration describes the steps on Device R1.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Device R1

Device R2

Device R3

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure RIP authentication:

  1. Configure the network interfaces.

    This example shows multiple loopback interface addresses to simulate attached networks.

  2. Create the RIP group and add the interface.

    To configure RIP in Junos OS, you must configure a group that contains the interfaces on which RIP is enabled. You do not need to enable RIP on the loopback interface.

  3. Create the routing policy to advertise both direct and RIP-learned routes.

  4. Apply the routing policy.

    In Junos OS, you can only apply RIP export policies at the group level.

  5. Configure multiple MD5 keys by using different key IDs. The key IDs must match the key IDs of the neighboring RIP routers. If a router receives a packet with a key ID that is not within its configured set of keys, the packet is rejected and is considered an authentication failure.

    The key ID can be a number from 0 to 255 that uniquely identifies an MD5 key, and the key value can be an ASCII string up to 16 characters long.

    Do not enter the password as shown here. The password shown here is the encrypted password that is displayed in the configuration after the actual password is already configured.

    The authentication-selective-md5 statement can be repeated to configure multiple keys.

  6. If you want to migrate from an existing MD5 authentication key, you can configure another key with a start-time in the future, with enough leeway to allow configuring all the routers on the link. The transition to the new key is based on its start-time and happens as soon as the clock reaches the start-time. You can delete keys that are no longer valid by entering the following command:

    Note:

    The start time is relevant for transmission only and not for receiving RIPv2 packets. Acceptance of received packets is based on the keys configured.

    For example, if the time now is February 1, 2020, 1:00 AM and the following key is configured:

    If you want to transition from this key to another key on March 2, at 2:00 AM, and you are able to configure all the routers on the link with the new key at the same time, then you may configure the following key:

    At 2:00 AM, once all the routers switch to the new key, you can safely delete the key with ID 2 by entering the following command.

  7. Deletion of the active key: If you delete the latest active key, the system checks the current configuration and uses the key with the latest key ID within the existing configuration for RIPv2 packet transmission.

    For example, if you have configured the following keys with the key IDs:

    The active key in this configuration is the key with key ID 4, which is used for sending RIPv2 packets. If you delete the active key ID 4, the system checks the current configuration, looks for the key with the latest start-time, that is, the key with ID 3, and uses it for packet transmission.

  8. Configure tracing operations to track authentication.
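The key transition in steps 5 through 7 can be modelled as follows. This is an added example, not Junos code or configuration: the KeyChain class, the key values, and the start-times other than March 2, 2:00 AM are constructed, the year 2020 is carried over from the February 1, 2020 example, and the transmit key is assumed to be the configured key with the latest start-time that has already been reached.

```python
from datetime import datetime

class KeyChain:
    """Per-interface set of MD5 keys: key_id -> (secret, start_time)."""

    def __init__(self):
        self.keys = {}

    def add(self, key_id: int, secret: str, start: datetime) -> None:
        if not 0 <= key_id <= 255:
            raise ValueError("key ID must be from 0 to 255")
        if not 1 <= len(secret) <= 16:
            raise ValueError("key must be 1 through 16 characters long")
        self.keys[key_id] = (secret, start)

    def delete(self, key_id: int) -> None:
        self.keys.pop(key_id, None)

    def transmit_key(self, now: datetime):
        """Key ID used for sending: the latest start-time already reached."""
        started = [(start, kid) for kid, (_, start) in self.keys.items()
                   if start <= now]
        return max(started)[1] if started else None

    def accepts(self, key_id: int) -> bool:
        """Receiving ignores start-time: any configured key ID is acceptable."""
        return key_id in self.keys

def migration_walkthrough():
    """Replay the key transition and the active-key deletion; values are constructed."""
    chain, seen = KeyChain(), []
    chain.add(2, "old-constructed", datetime(2020, 2, 1, 0, 0))
    chain.add(3, "new-constructed", datetime(2020, 3, 2, 2, 0))
    before, switch = datetime(2020, 3, 2, 1, 59), datetime(2020, 3, 2, 2, 0)
    # Before the start-time: still sending with key 2, already accepting key 3.
    seen.append((chain.transmit_key(before), chain.accepts(3)))
    # At the start-time: sending with key 3, still accepting key 2 from peers.
    seen.append((chain.transmit_key(switch), chain.accepts(2)))
    chain.delete(2)                  # safe once every router on the link has switched
    seen.append((chain.transmit_key(switch), chain.accepts(2)))
    # Deleting the active key falls back to the remaining key that started last.
    chain.add(4, "next-constructed", datetime(2020, 4, 1, 0, 0))
    later = datetime(2020, 4, 2, 0, 0)
    active = chain.transmit_key(later)
    chain.delete(4)
    seen.append((active, chain.transmit_key(later)))
    return seen

if __name__ == "__main__":
    print(migration_walkthrough())
```

The third result is the reason for the leeway in step 6: once key 2 is deleted, any neighbor that is still sending with it is rejected and counted as an authentication failure.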

Results

From configuration mode, confirm your configuration by entering the show interfaces, show protocols, and show policy-options commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Checking for Authentication Failures

Purpose

Check the authentication failure counters.

Action

From operational mode, enter the show rip statistics command.

Meaning

The Authentication Failures counter displays the authentication failures count. This output shows that the authentication failure count is 23853.

Checking for the Current Active MD5 Key

Purpose

Check which MD5 key is currently in use.

Action

From operational mode, enter the show rip neighbor fe-1/2/0 command.

Verifying That MD5 Authentication Is Enabled in RIP Update Packets

Purpose

Use tracing operations to verify that MD5 authentication is enabled in RIP updates.

Action

From operational mode, enter the show log command.

Meaning

The (needs MD5) output shows that all route updates require MD5 authentication.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

| Release | Description |
| --- | --- |
| 20.3R1 | Starting in Junos OS Release 20.3R1, we support multiple MD5 authentication keys for RIPv2 for increased security |
| 15.1X49 | Note that the RIPv2 authentication described in this topic is not supported in Junos OS Releases 15.1X49, 15.1X49-D30, or 15.1X49-D40. |