
RIP/RIPng

Overview

Network security is extremely important as network technologies continue to develop rapidly. It is especially important to protect routing protocol packets, as attackers may illegally obtain, change, or forge them and initiate packet attacks that may cause network interruptions.

  • From the perspective of protocol security mechanisms, RIP/RIPng provides the following security hardening policies at the protocol layer:

    • TTL/Hop limit mechanism: The scope of RIP/RIPng packet transmission is always one hop from the originator. RIP/RIPng sets the TTL/hop limit to 1 for the RIP/RIPng packets to be transmitted on broadcast or multicast networks.

    • Authentication: RIPv2 provides a packet authentication mechanism, which checks the authentication type and password in packets to protect devices against potential attacks.

    • Route limit: RIP/RIPng limits the maximum number of routes that can be added to the RIP/RIPng database to prevent the device from consuming excessive memory resources, which would otherwise cause the device to restart.

  • RIP/RIPng uses routing security policies to prevent attacks using a large number of error packets.

  • From the system perspective, the system supports CPCAR configuration on each interface. CPCAR defines the bandwidth used to receive packets from unidentified sources.

Common attack methods are as follows:

  • DoS attacks: Such attacks not only waste bandwidth and CPU resources, but also reduce system performance. They may result in packet loss and adversely affect network stability because valid packets cannot be processed in time. To prevent processing of packets from unknown sources, you can configure a whitelist for RIP/RIPng. RIP/RIPng then creates a whitelist label for each known interface so that these interfaces can exchange packets rapidly. If interfaces that send RIP/RIPng packets are not in the whitelist, these interfaces are allocated only limited default bandwidth. This is necessary to ensure quick convergence on the network.

  • Injection of a large amount of routing information: RIP/RIPng can run on various types of devices, and the number of RIP/RIPng routes that a device can process depends on its CPU and memory resources. If a device receives more routes than it supports, the device will operate abnormally due to excessively high CPU and memory usage. To prevent this problem, you can run the maximum-routes max-number command to change the maximum number of routes that RIP/RIPng accepts.

  • Injection of incorrect routing information: The routing information carried in attack packets may be invalid or incorrect. If RIP/RIPng uses such routing information, the database used for route calculation may be inaccurate, causing network failures. If authentication is configured on RIP interfaces at both ends of a link, RIP accepts only authenticated packets. This prevents a device from accepting routes from unauthenticated sources.

  • Replay attacks: In a replay attack, an attacker re-sends a valid packet received by the destination host in order to spoof the source host. RIP identifies sequence numbers in packets to prevent replay attacks.
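The authentication and replay checks described in the last two items, as an added example that is not part of this page or of Huawei's implementation: a receiver-side verifier for the IETF keyed-MD5 authentication entry of RFC 2082 (authentication type 3, digest carried in a trailer after the route entries) together with the per-neighbour sequence-number rule. The packet builder, the neighbour address, the shared key and all route entries are constructed inline; Huawei's private MD5 variant and HMAC-SHA256 use a different digest computation but the same kind of check (type, length, digest, then sequence number), which is the point the example illustrates.

```python
"""Receiver-side validation of RIPv2 keyed-MD5 authentication (RFC 2082).

Added example, not Huawei code: it models what a RIP speaker does when
authentication is configured on an interface. Everything below (key,
neighbour address, routes) is constructed for the demonstration.
"""
import hashlib
import hmac
import struct

RIP_HEADER = struct.Struct("!BBH")         # command, version, must-be-zero
AUTH_ENTRY = struct.Struct("!HHHBBI8s")    # 0xFFFF, auth type, packet len, key id, auth len, seq, reserved
ROUTE_ENTRY = struct.Struct("!HH4s4s4sI")  # AFI, route tag, prefix, mask, next hop, metric
TRAILER_MARK = struct.pack("!HH", 0xFFFF, 0x0001)  # marks the start of the digest trailer

AUTH_TYPE_KEYED_MD5 = 3
DIGEST_LEN = 16


def _pad_key(key: bytes) -> bytes:
    # RFC 2082: the key is zero-padded to 16 octets before it enters the hash
    return key.ljust(DIGEST_LEN, b"\x00")[:DIGEST_LEN]


def build_md5_response(routes, key, key_id, seq):
    """Build a RIPv2 Response carrying an RFC 2082 keyed-MD5 authentication entry."""
    body = b"".join(ROUTE_ENTRY.pack(2, 0, prefix, mask, b"\x00" * 4, metric)
                    for prefix, mask, metric in routes)
    pkt_len = RIP_HEADER.size + AUTH_ENTRY.size + len(body)  # offset of the trailer
    header = RIP_HEADER.pack(2, 2, 0)                          # Response, version 2
    auth = AUTH_ENTRY.pack(0xFFFF, AUTH_TYPE_KEYED_MD5, pkt_len, key_id, DIGEST_LEN, seq, b"\x00" * 8)
    unsigned = header + auth + body + TRAILER_MARK
    # Digest over the packet up to and including the trailer marker, followed by the padded key
    digest = hashlib.md5(unsigned + _pad_key(key)).digest()
    return unsigned + digest


class RipAuthVerifier:
    """Per-interface state: configured keys by key id and last accepted sequence per neighbour."""

    def __init__(self, keys):
        self.keys = keys        # {key_id: key bytes}
        self.last_seq = {}      # {neighbour address: last accepted sequence number}

    def verify(self, src, pkt):
        """Return (accepted, reason). Only authenticated, non-replayed packets are accepted."""
        if len(pkt) < RIP_HEADER.size + AUTH_ENTRY.size:
            return False, "truncated"
        _cmd, ver, _mbz = RIP_HEADER.unpack_from(pkt, 0)
        if ver != 2:
            return False, "not RIPv2"
        afi, atype, pkt_len, key_id, auth_len, seq, _rsv = AUTH_ENTRY.unpack_from(pkt, RIP_HEADER.size)
        if afi != 0xFFFF or atype != AUTH_TYPE_KEYED_MD5:
            return False, "missing or wrong authentication type"
        if auth_len != DIGEST_LEN or len(pkt) != pkt_len + len(TRAILER_MARK) + DIGEST_LEN:
            return False, "bad authentication length"
        if pkt[pkt_len:pkt_len + 4] != TRAILER_MARK:
            return False, "bad trailer"
        key = self.keys.get(key_id)
        if key is None:
            return False, f"unknown key id {key_id}"
        expected = hashlib.md5(pkt[:pkt_len + 4] + _pad_key(key)).digest()
        if not hmac.compare_digest(expected, pkt[pkt_len + 4:]):
            return False, "digest mismatch"          # forged or modified in transit
        # RFC 2082: the sequence number must not go backwards for a known neighbour;
        # zero is allowed so that a restarted neighbour can resynchronise.
        last = self.last_seq.get(src)
        if last is not None and seq != 0 and seq < last:
            return False, "replayed sequence number"
        self.last_seq[src] = seq
        return True, "ok"


def run_demo():
    """Exercise the verifier with constructed packets; returns {scenario: (accepted, reason)}."""
    key = b"rip-secret"                      # constructed shared key
    verifier = RipAuthVerifier({1: key})
    src = "192.0.2.1"                        # constructed neighbour address
    routes = [(bytes([10, 1, 0, 0]), bytes([255, 255, 0, 0]), 1)]
    p100 = build_md5_response(routes, key, 1, 100)
    p101 = build_md5_response(routes, key, 1, 101)
    results = {}
    results["valid"] = verifier.verify(src, p100)
    # Flip a bit in the metric without recomputing the digest
    tampered = bytearray(p100)
    tampered[RIP_HEADER.size + AUTH_ENTRY.size + ROUTE_ENTRY.size - 1] ^= 0x0F
    results["tampered"] = verifier.verify(src, bytes(tampered))
    results["next"] = verifier.verify(src, p101)
    results["replayed"] = verifier.verify(src, p100)   # older sequence number re-sent
    results["wrong_key"] = verifier.verify(src, build_md5_response(routes, b"other-key", 1, 102))
    plain = RIP_HEADER.pack(2, 2, 0) + ROUTE_ENTRY.pack(2, 0, routes[0][0], routes[0][1], b"\x00" * 4, 1)
    results["unauthenticated"] = verifier.verify(src, plain)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:16s} accepted={outcome[0]!s:5s} reason={outcome[1]}")
```

Run stand-alone, the demo accepts the two genuine packets and rejects the tampered, replayed, wrong-key and unauthenticated ones, which is the behaviour the page describes for an interface with authentication configured: a neighbour that cannot produce a digest under the shared key contributes no routes to the database, and a captured packet re-sent later fails the sequence check even though its digest is still valid.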

Impact on the System

None

Procedure

  1. Enter the system view.

    system-view

  2. Enter the interface view.

    interface interface-type interface-number

  3. Configure any of the following authentication modes for the RIP interface:

    • Configure simple authentication.

      rip authentication-mode simple { plain plain-text | [ cipher ] password-key }
      plain indicates the cleartext mode. cipher indicates the ciphertext mode.

      For security purposes, you are advised to use the ciphertext mode and periodically change the password. Cleartext mode poses security risks, because it stores the password as cleartext in configuration scripts.

    • Configure MD5 authentication.

      rip authentication-mode md5 { nonstandard { { plain plain-text | [ cipher ] password-key } key-id | keychain keychain-name } | usual { plain plain-text | [ cipher ] password-key } }

      • For security purposes, you are advised to use HMAC-SHA256 authentication rather than simple or MD5 authentication.
      • The MD5 type must be specified if MD5 authentication is configured. The usual type supports private standard authentication packets, and the nonstandard type supports IETF standard authentication packets.

    • Configure HMAC-SHA256 authentication.

      rip authentication-mode hmac-sha256 { plain plain-text | [ cipher ] password-key } key-id

Checking the Security Hardening Result

  • Run the display rip process-id interface [ interface-type interface-number ] [ verbose ] command to check information about RIP interfaces.
  • Run the display rip process-id command to check the operating status and configurations of the current RIP process.
Copyright © Huawei Technologies Co., Ltd.