RIP security

Like in other dynamic systems, the advantage of dynamic routing is that the routes are learnt automatically by routers, so the configuration tasks are limited for the network administrator, but the counterpart is that there are risks. Security problems could lead to a DoS. For instance a hacked router could announce falsified routing data that could be automatically propagated in the whole network. As RIP is an IGP, i.e. an internal protocol, other security measures could prevent this risk. However, to limit these security problems, security features have been implemented.

In this context, the advantage of RIP v2 compared to RIP v1 is that the former allows to authenticate routing information when they are transmitted between routers. Only authenticated data are allowed to be used by routers.

RIP authentication

RIP security is based on authentication with a shared secret that can be transmitted to a broadcast area. RIP v2 supports the two authentication methods: plain-text authentication and MD5 authentication. The authentication is interface specific (scope). It means that different authentications can be defined according to the RIP interfaces. For both authentication methods (plain text or MD5), an interface specific shared secret has to be defined. The authentication keys are shared and must be the same between neighbors.

Note

This feature is supported in RIP v2 only. Plain text authentication is the default setting in every RIP v2 packet. Encrypted authentication is based on the MD5 algorithm. In this mode of authentication, the routing update carries a 128-bit message that includes the password encrypted by the MD5 algorithm. The transmitted routing information remains in clear text.

Except to limit error configurations consequences where a clear text password may be enough, MD5 authentication is obviously advised for security reasons.

Filtering RIP routes

Filtering is a complementary feature used to provide a better security to RIP protocol. The concept is based on a list that contains the addresses and or prefixes allowed to be advertised or learnt amongst routing information.

  1. Specify the access-list:

routing
  ipv4-access-list INTERNAL permit 192.168.0.0/16
  ipv4-access-list INTERNAL deny 192.168.0.0/16
..
  1. Configure the distribute-list for each interface:

vrf main
  routing rip
    distribute-list eth0_0 out access-list INTERNAL
    distribute-list eth2_0 out access-list INTERNAL