4.1 RIP v2 Overview
4.1.7 Authentication
A security concern with any routing protocol is the possibility of a
router accepting invalid routing updates. The source of invalid
updates may be an attacker trying to maliciously disrupt the
internetwork. The attacker may be trying to capture packets by
tricking the router into sending them to the wrong destination. A more mundane source of
invalid updates may be a malfunctioning router. RIP v2 includes the
capability to authenticate the source of a routing update by including
a password.
Authentication is supported by modifying what would normally be the
first route entry of the RIP message, as shown in the figure.

Although RFC 1723 describes only simple password authentication, foresight is shown by including the Authentication Type field. Cisco IOS takes advantage of this feature and provides the option of using MD5 authentication instead of simple password authentication. Cisco uses the first and last route entry spaces for MD5 authentication purposes.

MD5 is a one-way message digest or secure hash function, produced by RSA Data Security, Incorporated. It is also referred to as a cryptographic checksum because it works in somewhat the same way as an arithmetic checksum. MD5 computes a 128-bit hash value from a plain text message of arbitrary length, such as a RIP v2 update, and a password. This fingerprint is transmitted along with the message. The receiver, knowing the same password, calculates its own hash value. If nothing in the message has changed, the receiver hash value should match the sender value transmitted with the message.
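The Python sketch below is an added example, not part of the original course page and not Cisco IOS code. It builds a RIP v2 update both ways described above (the password carried in the first route entry, and a keyed MD5 hash using the first and last entry spaces) and shows the receiver's check. The authentication type value 3, the key ID, length and sequence fields, and the sample routes and key are assumptions of this example.

```python
import hashlib, hmac, socket, struct

HEADER = struct.pack("!BBH", 2, 2, 0)   # command=response, version=2, zero
AUTH_AFI = 0xFFFF                       # address family marking an auth entry
SIMPLE, KEYED_MD5 = 2, 3                # 2 = simple password; 3 assumed for MD5

def route(prefix, mask, metric):
    """20-byte RIP v2 route entry (AFI=2, tag=0, next hop 0.0.0.0)."""
    return struct.pack("!HH4s4s4sI", 2, 0, socket.inet_aton(prefix),
                       socket.inet_aton(mask), bytes(4), metric)

def pad_key(key):
    """Passwords and keys occupy a fixed 16-byte field, zero padded."""
    return key.ljust(16, b"\0")[:16]

def build_simple(password, routes):
    """First entry carries the password itself, readable on the wire."""
    auth = struct.pack("!HH16s", AUTH_AFI, SIMPLE, pad_key(password))
    return HEADER + auth + b"".join(routes)

def build_md5(key, seq, routes):
    """First entry holds metadata; last entry holds MD5(message + key)."""
    body = b"".join(routes)
    length = len(HEADER) + 20 + len(body)        # bytes before the last entry
    first = struct.pack("!HHHBBI8x", AUTH_AFI, KEYED_MD5, length, 1, 16, seq)
    signed = HEADER + first + body + struct.pack("!HH", AUTH_AFI, 1)
    return signed + hashlib.md5(signed + pad_key(key)).digest()

def verify_md5(packet, key):
    """Receiver recomputes the hash with its own copy of the key."""
    signed, digest = packet[:-16], packet[-16:]
    expected = hashlib.md5(signed + pad_key(key)).digest()
    return hmac.compare_digest(digest, expected)

# Constructed sample data, not taken from any real network.
ROUTES = [route("10.1.0.0", "255.255.0.0", 1), route("10.2.0.0", "255.255.0.0", 2)]
KEY = b"s3cr3t-key"

def demo():
    simple = build_simple(KEY, ROUTES)
    md5pkt = build_md5(KEY, seq=1, routes=ROUTES)
    tampered = bytearray(md5pkt)
    tampered[4 + 20 + 19] ^= 0x0F                # change first route's metric
    return {"password_on_wire": KEY in simple,
            "key_on_wire": KEY in md5pkt,
            "valid": verify_md5(md5pkt, KEY),
            "tampered": verify_md5(bytes(tampered), KEY)}

if __name__ == "__main__":
    print(demo())
```

With simple password authentication the shared secret travels inside every update, whereas the MD5 variant sends only the hash, so a changed metric or a wrong key fails the receiver's comparison.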