
Ensuring the security of the RIP protocol.

Updated 23.09.2025 07:31

Oleg Petukhov, lawyer in the field of international law and personal data protection, specialist in information security and the protection of information and personal data.

Telegram channel: https://t.me/protectioninformation

Telegram Group: https://t.me/informationprotection1

Website: https://legascom.ru

Email: online@legascom.ru

 


First of all, speaking about the security of the RIP protocol, it should be noted that it requires all the same protection measures as described in the section on static routing security. In addition to these measures, you can enhance RIP security by using the following tools:

RIP version 2 authentication;

setting peer routers;

route filters;

neighbors.

I recommend using these measures in combination.

Let's start with RIP authentication. An attacker can send a false route to routers that exchange routing information over RIP in order to force all traffic through a node he controls (an example was given above). To prevent unauthorized RIP routers from changing RIP routes in a RIP version 2 environment, you can configure the router interfaces that use RIP v2 to perform simple password authentication. RIP announcements whose password does not match the configured password are rejected. Note that these passwords are sent in plain text. Anyone with a network capture tool, such as a sniffer (similar to the example we used in the section on hubs), can intercept RIP v2 announcements and read the passwords they contain.

Passwords can be transmitted in clear text or in MD5 form. By default, open (clear-text) authentication is used. However, I strongly recommend using only MD5 authentication in industrial networks.

As an example, here is the authentication setup on Cisco routers:

Router(config-if)# ip rip authentication key-chain name-of-chain

Router(config-if)# ip rip authentication mode {text | md5}

In this example, you must specify the key chain by name and the type of authentication: open (text) or MD5. More detailed information on configuring RIP authentication can be found on the vendor's official website.

Setting peer routers.

On each RIP router, you can specify a list of routers (by IP address) from which RIP announcements are accepted. By default, RIP announcements from all sources are accepted. Configuring a list of peer RIP routers lets you reject RIP announcements from unwanted routers.

Route filters.

You can configure route filters on each RIP interface so that only routes leading to reachable network addresses in your internetwork can be added to the routing table. For example, if your organization uses subnets of a local network with the address 10.0.0.0, you can use route filtering so that RIP routers reject all routes except those that connect subnets of the 10.0.0.0 network.
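The three receive-side checks described above (peer list, RIP v2 simple password, route filter for 10.0.0.0) can be modelled in a few lines; this is an added example, not code from the original article or from any router vendor. The packet layout follows RFC 2453; the function names, the sample password and the peer address 10.0.0.2 are constructed for illustration.

```python
import hmac
import ipaddress
import struct

AUTH_AFI, SIMPLE_PASSWORD = 0xFFFF, 2  # RFC 2453 authentication entry markers

def build_update(password, routes):
    """Build a constructed RIPv2 response: header, auth entry, route entries."""
    pkt = struct.pack("!BBH", 2, 2, 0)  # command=2 (response), version=2
    pkt += struct.pack("!HH16s", AUTH_AFI, SIMPLE_PASSWORD, password)
    for prefix, metric in routes:
        net = ipaddress.IPv4Network(prefix)
        pkt += struct.pack("!HH4s4s4sI", 2, 0, net.network_address.packed,
                           net.netmask.packed, bytes(4), metric)
    return pkt

def accept_update(src_ip, pkt, password, peers, allowed):
    """Return (accepted_routes, reason); reason is None when the update passes."""
    if ipaddress.ip_address(src_ip) not in peers:
        return [], "source is not a configured peer"
    if len(pkt) < 24 or (len(pkt) - 4) % 20 or pkt[:2] != b"\x02\x02":
        return [], "not a well-formed RIPv2 response"
    afi, auth_type, secret = struct.unpack("!HH16s", pkt[4:24])
    if (afi, auth_type) != (AUTH_AFI, SIMPLE_PASSWORD):
        return [], "update carries no password"
    if not hmac.compare_digest(secret, password.ljust(16, b"\0")):
        return [], "password mismatch"
    accepted = []
    for off in range(24, len(pkt), 20):
        afi, _, addr, mask, _, metric = struct.unpack("!HH4s4s4sI", pkt[off:off + 20])
        try:
            net = ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))))
        except ValueError:
            continue  # host bits set or non-contiguous mask
        # Route filter: keep only IPv4 routes inside the allowed block.
        if afi == 2 and 1 <= metric <= 16 and net.subnet_of(allowed):
            accepted.append((str(net), metric))
    return accepted, None

# Constructed sample data (not from the original page).
PEERS = {ipaddress.ip_address("10.0.0.2")}
ALLOWED = ipaddress.ip_network("10.0.0.0/8")
GOOD = build_update(b"s3cret", [("10.1.2.0/24", 1), ("0.0.0.0/0", 1), ("192.168.5.0/24", 3)])

if __name__ == "__main__":
    print(accept_update("10.0.0.2", GOOD, b"s3cret", PEERS, ALLOWED))
    print(GOOD[8:24])  # the simple password is readable in the packet bytes
```

The last line shows why simple authentication alone is weak: the configured password sits unmodified in bytes 8 to 23 of every announcement.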

Neighbors.

By default, RIP distributes its announcements by broadcast (RIP version 1 or RIP version 2) or multicast (RIP v2 only). You can limit the exchange of routing information to neighboring routers only. However, this method does not work on all router models because of implementation differences.

This is done using the following command:

Router(config-router)# neighbor ip-address

The RIP routing protocol has many disadvantages. First of all, there is a limit of 15 subnets between any two hosts. This disadvantage prevents the use of RIP in large networks. Another disadvantage is the need to send the entire routing table every 30 seconds, which puts an additional load on the bandwidth of the communication channels. The protocol is also inefficient in networks whose links have different bandwidths, since RIP does not take this important characteristic into account when building routes.

The more common routing protocol today is OSPF, which we will discuss in the next post.