Enabling RIP Authentication
Problem
You want to ensure that all RIP protocol traffic your router accepts comes from devices known to you so that only trusted routers participate in determining how traffic is routed through your network.
Solution
Configure MD5 authentication for RIP:
aviva@RouterA> configure
[edit protocols]
aviva@RouterA# set rip authentication-type md5
aviva@RouterA# set rip authentication-key 123456

rip {
    authentication-type md5;
    authentication-key "$9$CuWOtBIhSrc8XcS24JGiH"; ## SECRET-DATA
    group alpha-rip-group {
        neighbor fe-0/0/0.0;
    }
}
Discussion
It is a good security measure to authenticate all RIP protocol exchanges to ensure that only trusted routers participate in your RIP network and in the exchange of traffic and protocol updates. RIP authentication was added to Version 2 of the protocol standard, so you cannot authenticate RIP Version 1 traffic.
This example shows how to configure RIP to use MD5 authentication. You do this with two statements, one to set the authentication type and another to set the key, or password, that is included in all transmitted RIP packets. MD5 creates an encoded checksum that is included in the transmitted RIP packets. The receiving router verifies this checksum before accepting the packet.
When you display the router's configuration after you have typed the password, the password is displayed in encrypted form. This ensures that someone casually glancing through the configuration does not see the actual password.
You can also configure a simple password for RIP authentication, which includes a plain-text password in the transmitted RIP packets. Plain-text passwords are easy for devices that sniff network traffic to break, so you should never use them when your goal is network security.
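The following added example (not part of the original recipe, and not Junos code) models the checksum verification described above, using the keyed-MD5 packet layout from RFC 2082. The function names, sample route, key ID, and sequence numbers are constructed for illustration; the key 123456 is the one used in this recipe.

```python
import hashlib, hmac, socket, struct

KEY_LEN = 16  # keyed-MD5 key and digest are both 16 bytes (RFC 2082)

def _pad_key(key: bytes) -> bytes:
    return key[:KEY_LEN].ljust(KEY_LEN, b"\x00")

def build_response(routes, key: bytes, key_id: int, seq: int) -> bytes:
    """Sender side: RIPv2 response with an RFC 2082 keyed-MD5 trailer."""
    body = b"".join(
        struct.pack("!HH4s4s4sI", 2, 0, socket.inet_aton(net),
                    socket.inet_aton(mask), bytes(4), metric)
        for net, mask, metric in routes)
    pkt_len = 4 + 20 + len(body)           # header + auth entry + routes
    header = struct.pack("!BBH", 2, 2, 0)  # command=response, version=2
    auth = struct.pack("!HHHBBIII", 0xFFFF, 3, pkt_len, key_id, KEY_LEN,
                       seq, 0, 0)          # auth type 3 = keyed MD5
    signed = header + auth + body + struct.pack("!HH", 0xFFFF, 1)
    # The key is hashed together with the packet but never transmitted.
    return signed + hashlib.md5(signed + _pad_key(key)).digest()

def verify(packet: bytes, key: bytes, last_seq: int = -1) -> bool:
    """Receiver side: check structure, sequence number, then the digest."""
    if len(packet) < 4 + 20 + 4 + KEY_LEN or packet[1] != 2:
        return False                       # RIPv1 cannot be authenticated
    marker, auth_type, pkt_len, _key_id, dlen, seq = struct.unpack(
        "!HHHBBI", packet[4:16])
    if marker != 0xFFFF or auth_type != 3 or dlen != KEY_LEN:
        return False                       # type 2 is the plain-text password
    if len(packet) != pkt_len + 4 + KEY_LEN or seq < last_seq:
        return False                       # bad length, or sequence went backwards
    expected = hashlib.md5(packet[:pkt_len + 4] + _pad_key(key)).digest()
    return hmac.compare_digest(expected, packet[pkt_len + 4:])

if __name__ == "__main__":
    # Constructed sample: one route, key ID 1, sequence number 100.
    pkt = build_response([("10.0.1.0", "255.255.255.0", 1)], b"123456", 1, 100)
    forged = bytearray(pkt)
    forged[43] = 5                         # alter the advertised metric in transit
    print("same key:      ", verify(pkt, b"123456"))
    print("different key: ", verify(pkt, b"654321"))
    print("altered metric:", verify(bytes(forged), b"123456"))
    print("old sequence:  ", verify(pkt, b"123456", last_seq=101))
```
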
For authentication to work across your entire RIP network, you need to configure MD5 authentication and the same password on all your routers in the same way as we show in this recipe. Once you have the encrypted version of the password, you can use it in the authentication-key statement instead of the password itself. This is one way to minimize the number of people who see the actual password.
aviva@RouterB# set rip authentication-key "$9$CuWOtBIhSrc8XcS24JGiH"