Figure 7.7. The RIPv2 authentication information, when configured, is carried in the first route entry space.

Figure 7.7 packet diagram (fields in order): Command | Version | Unused (set to all zeros); 0xFFFF | Authentication Type; Password (Bytes 0-3); Password (Bytes 4-7); Password (Bytes 8-11); Password (Bytes 12-15); then the regular route entries, each consisting of Address Family Identifier | Route Tag; IP Address; Subnet Mask; Next Hop; Metric. Multiple route entries, up to a maximum of 24.

NOTE

Simple password authentication for RIPv2 is in plain text.

Figure 7.8 shows an analyzer capture of a RIPv2 message with authentication. The figure also shows a difficulty with the default RIP authentication: The password is transmitted in plain text. Anyone who can capture a packet containing a RIPv2 update message can read the authentication password.

Figure 7.8. When simple password authentication is used, the password is carried in plain text and can be read by anyone who can "sniff" the packet carrying the update.

NOTE

The Cisco IOS supports MD5 authentication for RIPv2.

Although RFC 1723 describes only simple password authentication, it shows foresight by including the Authentication Type field. Cisco IOS takes advantage of this field and provides the option of using MD5 authentication instead of simple password authentication.[8] Cisco uses the first and last route entry spaces for MD5 authentication purposes.

[8] MD5 is described in RFC 1321. A good discussion of MD5 can also be found in the following book: Charlie Kaufman, Radia Perlman, and Mike Speciner. Network Security: Private Communication in a Public World. Prentice Hall, 1995, pp. 120-122.

MD5 is a one-way message digest, or secure hash function, produced by RSA Data Security, Inc. It is also occasionally referred to as a cryptographic checksum because it works in somewhat the same way as an arithmetic checksum. MD5 computes a 128-bit hash value from a plain-text message of arbitrary length (a RIPv2 update, for instance) and a password. This "fingerprint" is transmitted along with the message. The receiver, knowing the same password, calculates its own hash value. If nothing in the message has changed, the receiver's hash value matches the sender's value transmitted with the message.

Figure 7.9 shows an update from the same router of Figure 7.8, but with MD5 authentication. The authentication type is three, and no password can be seen. Notice that Cisco is using both the first and the last route entry space for authentication information. Because this usage is not part of the open RIPv2 standard, the analyzer indicates "Authentication out of Place."

Figure 7.9. This update was originated from the same router as the update in Figure 7.8, but MD5 authentication is being used.
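To make the contrast between Figures 7.8 and 7.9 concrete, the following added example (not code from the book or from Cisco) builds the RIPv2 message layout of Figure 7.7 with both authentication types, shows what a passive capture reveals in each case, and checks a keyed-MD5 digest the way the text describes. The digest layout is a simplified illustration of "hash over message plus password" and is not the exact RFC 2082 or Cisco trailer format; the route, secret and metric change are constructed sample data.

```python
import hashlib
import struct
from ipaddress import IPv4Address

# Field values from the RIPv2 message format described in the text.
HEADER = struct.pack("!BBH", 2, 2, 0)   # Command (2 = response), Version 2, Unused
AUTH_AFI = 0xFFFF   # an entry whose AFI is 0xFFFF carries authentication, not a route
AUTH_SIMPLE = 2     # simple (plain-text) password
AUTH_MD5 = 3        # type value the analyzer showed for Cisco's MD5 variant

def route_entry(prefix, mask, next_hop, metric, tag=0):
    """Normal 20-byte route entry: AFI 2 (IP), Route Tag, IP, Mask, Next Hop, Metric."""
    return struct.pack("!HH4s4s4sI", 2, tag, IPv4Address(prefix).packed,
                       IPv4Address(mask).packed, IPv4Address(next_hop).packed, metric)

def auth_entry(auth_type, data16):   # authentication slot: 0xFFFF, type, 16 data bytes
    return struct.pack("!HH16s", AUTH_AFI, auth_type, data16)

def build_simple(routes, password):   # the password itself occupies the first entry
    return HEADER + auth_entry(AUTH_SIMPLE, password.ljust(16, b"\0")) + b"".join(routes)

def build_md5(routes, password):
    """Keyed digest, simplified: MD5 over header, first auth slot and routes with the
    password appended; the digest rides in a trailing 0xFFFF entry (illustrative only)."""
    body = HEADER + auth_entry(AUTH_MD5, bytes(16)) + b"".join(routes)
    return body + auth_entry(AUTH_MD5, hashlib.md5(body + password).digest())

def inspect(packet):
    """Sniffer's view: the auth type and, for simple auth, the password itself."""
    afi, auth_type, data = struct.unpack("!HH16s", packet[4:24])
    if afi != AUTH_AFI:
        return "none", None
    return ("simple", data.rstrip(b"\0").decode()) if auth_type == AUTH_SIMPLE else ("md5", None)

def verify_md5(packet, password):
    """Receiver side: recompute the digest over everything before the trailer."""
    afi, auth_type, sent = struct.unpack("!HH16s", packet[-20:])
    return (afi, auth_type) == (AUTH_AFI, AUTH_MD5) and \
        hashlib.md5(packet[:-20] + password).digest() == sent

# Constructed sample (not from any real capture): one route and a shared secret.
SAMPLE_ROUTES = [route_entry("10.1.0.0", "255.255.0.0", "0.0.0.0", 1)]
SECRET = b"rip-secret"

def demo():
    simple, keyed = build_simple(SAMPLE_ROUTES, SECRET), build_md5(SAMPLE_ROUTES, SECRET)
    tampered = keyed[:-24] + struct.pack("!I", 16) + keyed[-20:]  # metric altered in transit
    return inspect(simple), inspect(keyed), verify_md5(keyed, SECRET), verify_md5(tampered, SECRET)
```

With simple authentication the capture yields the password directly; with the keyed digest only a hash is visible, and any change to the update (here the metric) makes the receiver's recomputed digest disagree with the transmitted one.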