Routing Protocol Authentication

One of the ways that routers update their routing tables is from route updates they receive from other routers via routing protocols. Routing protocols are vulnerable to spoofing of route updates. A mechanism for receiving reliable routing information from a trusted source router should be put in place to avoid accepting bad updates from "rogue" or misconfigured routers. It is quite possible for a rogue router to feed bad routes to your router, which could cause the failure of your network. One way to combat this problem is to use authentication and encryption for the communication between routers that share routing updates.

When authentication is configured, neighbor authentication occurs whenever routing updates are exchanged between neighbor routers. This authentication ensures that a routing protocol receives reliable routing information from a trusted source.

The authentication process works by requiring a unique key to first verify the source (neighbor router) before a routing update is accepted by a routing protocol. This way "rogue" routers will not be able to participate in the route update process. The process of authentication occurs as follows (in summary):

1. A router sends a routing update with a key to the neighbor router.

2. The receiving (neighbor) router compares the received key against the key stored in its own memory.

3. If the two keys match, the receiving router accepts the routing update packet. If the two keys do not match, the routing update packet is rejected.

MD5 authentication works much like plain-text authentication, except that the key is never sent over the wire. Instead, the router uses the MD5 algorithm to produce a "message digest" of the key (also called a hash). The message digest is then sent rather than the key itself. This ensures that nobody can eavesdrop on the line and learn keys during transmission. Routing protocols such as Open Shortest Path First (OSPF), Routing Information Protocol (RIP) version 2, Interior Gateway Routing Protocol (IGRP), and Border Gateway Protocol (BGP) use it.
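The three-step exchange above and the plain-text versus MD5 contrast, as an added illustration that is not part of the original text: the receiver recomputes a keyed MD5 digest over the update with its own stored key and accepts only on a match, so a rogue router with the wrong key, or an update altered in transit, is rejected. The message format, key values and function names are constructed assumptions, not a real protocol encoding.

```python
import hashlib
import hmac

# Constructed demo key: what the receiving neighbor router keeps in memory.
SHARED_KEY = b"constructed-demo-key"

# Constructed route update as the sender would advertise it (assumed format).
UPDATE = b"10.0.0.0,255.255.255.0,metric=2"


def accept_plaintext(received_key: bytes, stored_key: bytes) -> bool:
    """Plain-text authentication: the key itself travels with the update."""
    return hmac.compare_digest(received_key, stored_key)


def keyed_md5(update: bytes, key: bytes) -> bytes:
    """MD5 over the update with the secret key appended; the key never leaves the router."""
    return hashlib.md5(update + key).digest()


def send_update(update: bytes, key: bytes) -> tuple[bytes, bytes]:
    """Step 1 (sender): transmit the update plus its digest, not the key."""
    return update, keyed_md5(update, key)


def accept_update(update: bytes, received_digest: bytes, stored_key: bytes) -> bool:
    """Steps 2-3 (receiver): recompute with the locally stored key and compare.
    compare_digest keeps the comparison constant-time."""
    return hmac.compare_digest(keyed_md5(update, stored_key), received_digest)


def demo() -> dict:
    results = {}
    # Trusted neighbor: same key on both sides, so the update is accepted.
    msg, digest = send_update(UPDATE, SHARED_KEY)
    results["trusted"] = accept_update(msg, digest, SHARED_KEY)
    # Rogue router: different key, digest mismatch, update rejected.
    msg, digest = send_update(UPDATE, b"wrong-key")
    results["rogue_key"] = accept_update(msg, digest, SHARED_KEY)
    # Update altered in transit: digest no longer covers the contents, rejected.
    msg, digest = send_update(UPDATE, SHARED_KEY)
    altered = msg.replace(b"metric=2", b"metric=1")
    results["tampered"] = accept_update(altered, digest, SHARED_KEY)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Real keyed-MD5 implementations (RFC 2082 for RIPv2, OSPF cryptographic authentication) also carry a key ID and a sequence number so that a captured, validly signed update cannot simply be replayed later.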
