Configuration Guide Vol. 3


10.1.6 RIP-2

(1) RIP-2 functions

RIP-2 sets the subnet masks of advertised routes in the routing information, allowing variable-length subnets to be handled without any of the advertising limitations imposed by RIP-1. The functionality unique to RIP-2 is described below.

(a) Route tag

In the Switch, route tags are written to routing tables if set in the routing information reported in a response message. The route tag of the corresponding entry in the routing table is set as the route tag in the routing information in the response message sent by the Switch. The setting range is 1 to 65535 (decimal).

(b) Subnet Mask

In the Switch, subnet mask information is written to the routing tables if set in the routing information reported in a response message. If no subnet mask information is set, the routing information in a response message is handled in the same manner as routing information received in RIP-1.

The subnet mask of the corresponding entry in the routing table is set as the subnet mask in the routing information in the response message sent by the Switch.

(c) Next hop

In the Switch, next-hop information is written to the routing tables if set in the routing information reported in a response message. If no next-hop information is set, the originating gateway is regarded as the next hop.

When the next hop in the reported routing information is on the same network as the destination gateway, the next hop of the corresponding entry in the routing table is set as the next hop in the routing information in the response message sent by the Switch. If the next hop is not on the same network, the source interface address is set.

(d) Using multicast addresses

The Switch supports multicasting to reduce the unnecessary load on hosts that do not receive RIP-2 messages. The multicast address used for transmitting RIP-2 messages is 224.0.0.9.

(e) Authentication function

In RIP, authentication can be used during message exchange between routers to verify that the router that sent a message is in the same management domain. By using authentication between neighboring routers, you can protect routers in the same authentication and management domain from attacks on routing control that rely on sending invalid routing information.

Plain-text password authentication and cryptographic authentication can be used as authentication methods. The Switch supports Keyed-MD5 as the authentication algorithm for cryptographic authentication.

Using a configuration command, you can set an authentication method and authentication key on a per-interface basis. If you do not specify any settings, authentication will not be performed.

  • Authentication procedure for plain-text password authentication

In plain-text password authentication, the authentication key set by a configuration command is embedded as the password in the sent message. If more than one authentication key has been set by a configuration command, the message is replicated for each authentication key and is sent multiple times.

When a message is received, authentication is considered successful if the password in the message matches one of the set authentication keys. If authentication fails, the message is discarded.

  • Authentication procedure for cryptographic authentication

In cryptographic authentication, messages can be authenticated by comparing message digests. The following figure shows the data flow.

Figure 10-13: Encryption authentication data flow

When a message is sent, it is accompanied by a message digest, which is generated from the authentication key and the message itself based on an authentication algorithm (Keyed-MD5). If more than one authentication key has been set by a configuration command, the message is replicated for each authentication key and is sent multiple times.

When a message is received, it is authenticated by using the authentication key that has the same key identifier as the key identifier contained in the message. A message digest is generated from this authentication key in the same manner as when a message is sent. If the generated message digest matches the received message digest, authentication is considered successful. If authentication fails, the message is discarded.

  • Procedure for changing the authentication key

In a RIP-2 network, normally each router uses one authentication key. When you change an authentication key, however, the router will temporarily have multiple authentication keys.

To change an authentication key:

  1. Enable both the old and new authentication keys at each router that uses authentication. In the Switch, all keys that have been set by a configuration command will be enabled.

  2. Delete or disable the old authentication key at each router in the network that uses authentication.

  • Notes on using cryptographic authentication

To prevent replay attacks, a sequence number is appended to messages that use cryptographic authentication. Each sequence number must be larger than the previously sent number. In the Switch, the elapsed time in seconds from 1970/1/1 0:00 is set as the sequence number.

Sequence numbers are incremented so that authentication will not fail at any neighboring device even if the current system time has been turned back by the set clock operation command. However, when the Switch is restarted, the sequence numbers cannot be adjusted, so the next message might be sent with a smaller sequence number than the message sent before the restart. In this case, authentication will fail at the next router in the path. The risk of authentication failure at a neighboring router is particularly high if the Switch is restarted after a major backward adjustment of the system clock while cryptographic authentication is in use.

If authentication fails continuously, change the authentication keys at all routers in the network.
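The cryptographic authentication procedure, the key-change procedure and the sequence-number check described above, as an added example that is not the Switch's code: a Python model of a RIP-2 response framed with the Keyed-MD5 authentication entry and trailer of RFC 2082/4822, a sender that replicates the message once per configured key, and a receiver that looks the key up by key identifier, compares digests and rejects sequence numbers that are not larger than the last one accepted. The route list, key identifiers, keys and sequence numbers are constructed sample values.

```python
import hashlib, hmac, struct

AUTH_LEN = 16  # Keyed-MD5 digest length (RFC 4822 Auth Data Len)
# Constructed sample route: 10.1.0.0/16, next hop 0.0.0.0 (originator), metric 1
SAMPLE_ROUTES = [(bytes([10, 1, 0, 0]), bytes([255, 255, 0, 0]), bytes(4), 1)]

def _pad_key(key: bytes) -> bytes:
    # RFC 2082: the key is zero-padded to the auth data length before hashing
    return key.ljust(AUTH_LEN, b"\0")[:AUTH_LEN]

def build_response(key_id: int, key: bytes, seq: int, routes) -> bytes:
    """RIP-2 response: header, auth entry (type 3), routes, MD5 trailer."""
    hdr = struct.pack("!BBH", 2, 2, 0)  # command=response, version=2
    body = b"".join(struct.pack("!HH4s4s4sI", 2, 0, d, m, n, metric)
                    for d, m, n, metric in routes)
    pkt_len = len(hdr) + 20 + len(body)  # RIP-2 packet length, excluding the trailer
    auth = struct.pack("!HHHBBI8x", 0xFFFF, 3, pkt_len, key_id, AUTH_LEN, seq)
    pre = hdr + auth + body + struct.pack("!HH", 0xFFFF, 1)
    # The digest covers the message with the padded key in place of the auth data
    return pre + hashlib.md5(pre + _pad_key(key)).digest()

def send_all(keys: dict, seq: int, routes) -> list:
    """Several keys configured: the message is replicated once per key."""
    return [build_response(kid, k, seq, routes) for kid, k in keys.items()]

def verify(pkt: bytes, keys: dict, last_seq: dict, neighbour: str) -> bool:
    """Receive side: key looked up by key id, digest compared, sequence checked."""
    afi, atype, pkt_len, key_id, alen, seq = struct.unpack_from("!HHHBBI", pkt, 4)
    if afi != 0xFFFF or atype != 3 or alen != AUTH_LEN or key_id not in keys:
        return False  # no key with that identifier: discard
    pre, digest = pkt[:pkt_len + 4], pkt[pkt_len + 4:]
    expected = hashlib.md5(pre + _pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, digest):
        return False  # digest mismatch: discard
    if seq <= last_seq.get(neighbour, -1):
        return False  # not larger than the last accepted number: replay or restart
    last_seq[neighbour] = seq
    return True

def rollover_demo() -> list:
    """Key change as in the text: receiver holds old+new, sender moves from old
    to new; then a message after a restart carries a smaller sequence number."""
    rx_keys, seen, out = {1: b"oldkey", 2: b"newkey"}, {}, []
    for pkt in send_all({1: b"oldkey"}, 1700000000, SAMPLE_ROUTES):
        out.append(verify(pkt, rx_keys, seen, "r1"))  # old key still accepted
    for pkt in send_all({2: b"newkey"}, 1700000001, SAMPLE_ROUTES):
        out.append(verify(pkt, rx_keys, seen, "r1"))  # new key accepted
    out.append(verify(build_response(2, b"newkey", 1699990000, SAMPLE_ROUTES),
                      rx_keys, seen, "r1"))  # smaller sequence number: fails
    return out
```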

(2) Difference from RFC

With some exceptions, RIP-2 as implemented in the Switch complies with RFC 2453 and RFC 4822. The following table describes the differences with the RFC.

Table 10-12: Difference from RFC

RFC 2453
  RFC: If a RIP-2 router receives a RIP-1 request, it should respond with a RIP-1 response. If the router is configured to send only RIP-2 messages, it should not respond to a RIP-1 request.
  Switch: The Switch sends only RIP-2 responses via a RIP-2 interface. Therefore, no response is sent to a RIP-1 request.

  RFC: Routers should implement a receive control switch that determines whether to accept RIP-1 only, RIP-2 only, both, or none. These options should be configurable on a per-interface basis.
  Switch: The Switch can control reception of RIP messages on a per-interface basis, but cannot implement reception control that distinguishes between RIP-1 and RIP-2.

RFC 4822
  RFC: The set of authentication configuration parameters, including the authentication key and key identifier, should have a key lifetime and other configuration parameters associated with it.
  Switch: The Switch does not support key lifetime settings.

  RFC: The Keyed-MD5 authentication algorithm and the HMAC-SHA1 authentication algorithm must be implemented by all conforming implementations.
  Switch: The Switch supports only the Keyed-MD5 authentication algorithm.

(3) Considerations when designing a multihomed network

Note the following when using RIP-2 on an interface that has secondary addresses.

RIP-2 forwards packets using multicasting. Because multicast packets are delivered to all routers belonging to the primary or secondary network, routers that do not need to receive the RIP packets are burdened with an unnecessary load.