Example: Configuring Route Authentication for RIP using multiple MD5 keys
This example shows how to configure authentication for a RIP network using multiple MD5 keys and how to configure a transition of MD5 keys on a RIP interface.
This example uses the following hardware and software components:
Three ACX Series routers
Junos OS Release 20.3 or later
MD5 authentication uses an encoded MD5 checksum that is included in the transmitted packet. For MD5 authentication to work, both the receiving and transmitting routing devices must have the same MD5 key.
You define an MD5 key for each interface. If MD5 is enabled on an interface, that interface accepts routing updates only if MD5 authentication succeeds. Otherwise, updates are rejected. The routing device only accepts RIPv2 packets sent using the same key identifier (ID) that is defined for that interface.
For increased security, you can configure multiple MD5 keys, each with a unique key ID, and set the date and time at which to switch to a new key. The receiver of a RIPv2 packet uses the key ID carried in the packet to determine which key to use for authentication. The multiple-MD5-key feature lets you add each MD5 key together with its start time. RIPv2 packets are initially transmitted with MD5 authentication using the first configured key, and authentication switches to the next key when that key's configured start time is reached. Keys are therefore rotated automatically, without the manual intervention that changing a single MD5 key requires.
This example shows RIPv2 authentication with multiple MD5 keys.
Figure 1 shows the topology used in this example.
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure RIP authentication:
- Configure the network interfaces.
This example shows multiple loopback interface addresses to simulate attached networks.
[edit interfaces]
user@R1# set fe-1/2/0 unit 1 family inet address 220.127.116.11/24
user@R1# set lo0 unit 1 family inet address 198.51.100.1/24
user@R1# set lo0 unit 1 family inet address 192.0.2.1/32
- Create the RIP group and add the interface.
To configure RIP in Junos OS, you must configure a group that contains the interfaces on which RIP is enabled. You do not need to enable RIP on the loopback interface.
[edit protocols rip group rip-group]
user@R1# set neighbor fe-1/2/0
- Create the routing policy to advertise both direct and RIP-learned routes.
[edit policy-options policy-statement advertise-routes-through-rip term 1]
user@R1# set from protocol direct
user@R1# set from protocol rip
user@R1# set then accept
- Apply the routing policy.
In Junos OS, you can only apply RIP export policies at the group level.
[edit protocols rip group rip-group]
user@R1# set export advertise-routes-through-rip
- Configure multiple MD5 keys by using different key IDs. The key IDs must match the key IDs configured on the neighboring RIP routers. If a router receives a packet whose key ID is not within its configured set of keys, the packet is rejected and counted as an authentication failure.
The key ID is a number from 0 to 255 that uniquely identifies an MD5 key, and the key value is an ASCII string up to 16 characters long.
Do not enter the password as shown here. The password shown here is the encrypted password that is displayed in the configuration after the actual password has been configured.
[edit protocols rip]
user@R1# set authentication-selective-md5 key-id key key-value start-time time
user@R1# set authentication-selective-md5 2 key $ABC123$ABC123 start-time 2020-02-01.01:01
The authentication-selective-md5 statement can be repeated to configure multiple keys.
- To migrate from an existing MD5 authentication key, configure another key with a start time far enough in the future to allow all the routers on the link to be configured. The transition to the new key is based on its start time and happens as soon as the clock reaches that start time. You can delete keys that are no longer valid by entering the following command:
[edit protocols rip]
user@host# delete authentication-selective-md5 key-id
The start time is relevant for transmission only and not for receiving RIPv2 packets. Acceptance of received packets is based on the keys configured.
For example, if the time now is February 1, 2020, 1:00 AM and the following key is configured:
[edit protocols rip]
user@host# set authentication-selective-md5 2 key $ABC123$ABC123 start-time 2020-02-01.01:01
If you want to transition from this key to another key on March 2 at 2:00 AM, and you are able to configure all the routers on the link with the new key at the same time, then you can configure the following key:
[edit protocols rip]
user@host# set authentication-selective-md5 3 key $MNO123$MNO123 start-time 2020-03-02.02:01
At 2:00 AM, once all the routers have switched to the new key, you can safely delete the key with ID 2 by entering the following command:
[edit protocols rip]
user@host# delete authentication-selective-md5 2
- Deletion of the active key: If you delete the latest active key, the system checks the current configuration and uses the key with the latest key ID within the existing configuration for RIPv2.
For example, if you have configured the following keys with these key IDs:
[edit protocols rip]
user@R1# set authentication-selective-md5 2 key $ABC123$ABC123 start-time 2020-02-01.01:01
user@R1# set authentication-selective-md5 3 key $MNO123$MNO123 start-time 2020-03-02.02:01
user@R1# set authentication-selective-md5 4 key $XYZ123$XYZ123 start-time 2020-04-03.03:01
The active key in this configuration is the key with key ID 4, and it is used for sending RIPv2 packets. If you delete the active key ID 4, the system checks the current configuration, finds the key with the latest start time, which is the key with ID 3, and uses it for packet transmission.
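The key-selection rules in this step, together with the earlier notes that start times govern transmission only and that any configured key ID is accepted on receipt, are modelled below in an added Python example. It is not part of Juniper's documentation or of Junos; the key secrets, start times and route entries are constructed, the packet layout and keyed-MD5 trailer follow RFC 2082 (assumed, since the page does not describe the wire format), and the fallback to the earliest-starting key before any start time is reached is this example's reading of "the first configured key".

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from datetime import datetime
from socket import inet_aton, inet_ntoa
from typing import Dict, Iterable, List, Optional, Tuple

AUTH_TYPE_MD5 = 3     # RFC 2082 authentication type for keyed MD5
AUTH_DATA_LEN = 16    # length of an MD5 digest
ROUTE_LEN = 20        # size of one RIPv2 route entry


@dataclass(frozen=True)
class Md5Key:
    key_id: int            # 0..255; must match the neighbour's key-id
    secret: str            # ASCII, at most 16 characters
    start_time: datetime   # when this key becomes the transmit key

    def __post_init__(self) -> None:
        if not 0 <= self.key_id <= 255:
            raise ValueError("key-id must be 0..255")
        if not (1 <= len(self.secret) <= 16 and self.secret.isascii()):
            raise ValueError("key must be ASCII, 1..16 characters")

    def padded(self) -> bytes:
        # RFC 2082: the password is zero-padded to 16 octets before hashing
        return self.secret.encode("ascii").ljust(16, b"\x00")


class KeyRing:
    """Models the authentication-selective-md5 keys of one RIP instance."""

    def __init__(self, keys: Iterable[Md5Key] = ()) -> None:
        self._keys: Dict[int, Md5Key] = {k.key_id: k for k in keys}

    def delete(self, key_id: int) -> None:
        self._keys.pop(key_id)

    def active_key(self, now: datetime) -> Optional[Md5Key]:
        """Transmit key: the configured key with the latest start time already reached,
        so deleting the active key falls back to the next-latest start time.
        Assumption: before any start time is reached, the earliest-starting key is used."""
        if not self._keys:
            return None
        started = [k for k in self._keys.values() if k.start_time <= now]
        if started:
            return max(started, key=lambda k: k.start_time)
        return min(self._keys.values(), key=lambda k: k.start_time)

    def lookup(self, key_id: int) -> Optional[Md5Key]:
        """Receive side: any configured key-id is acceptable; start time is not consulted."""
        return self._keys.get(key_id)


Route = Tuple[str, str, int]   # (prefix, mask, metric)


def build_response(routes: List[Route], key: Md5Key, seq: int) -> bytes:
    """RIPv2 Response with an RFC 2082 authentication entry and keyed-MD5 trailer."""
    header = struct.pack("!BBH", 2, 2, 0)                       # command=Response, version=2
    body = b"".join(struct.pack("!HH4s4s4sI", 2, 0, inet_aton(p), inet_aton(m),
                                inet_aton("0.0.0.0"), metric) for p, m, metric in routes)
    pkt_len = len(header) + 20 + len(body)                      # length up to the trailer
    auth = struct.pack("!HHHBBIII", 0xFFFF, AUTH_TYPE_MD5, pkt_len,
                       key.key_id, AUTH_DATA_LEN, seq, 0, 0)
    unsigned = header + auth + body + struct.pack("!HH", 0xFFFF, 0x0001)
    digest = hashlib.md5(unsigned + key.padded()).digest()      # keyed MD5 as in RFC 2082
    return unsigned + digest


class Receiver:
    """Verifies incoming Responses and keeps an 'Authentication Failures' counter."""

    def __init__(self, ring: KeyRing) -> None:
        self.ring, self.auth_failures, self.last_seq = ring, 0, -1

    def receive(self, pkt: bytes) -> Optional[List[Route]]:
        """Return the route entries if authentication succeeds, else None."""
        if len(pkt) < 4 + 20 + 4 + AUTH_DATA_LEN:
            return self._fail()
        afi, atype, pkt_len, key_id, dlen, seq = struct.unpack_from("!HHHBBI", pkt, 4)
        if (afi, atype, dlen) != (0xFFFF, AUTH_TYPE_MD5, AUTH_DATA_LEN) \
                or pkt_len + 4 + AUTH_DATA_LEN != len(pkt):
            return self._fail()
        key = self.ring.lookup(key_id)          # unknown key-id counts as an authentication failure
        if key is None:
            return self._fail()
        expected = hashlib.md5(pkt[:pkt_len + 4] + key.padded()).digest()
        if not hmac.compare_digest(expected, pkt[pkt_len + 4:]) or seq < self.last_seq:
            return self._fail()                 # bad digest, or sequence number went backwards
        self.last_seq = seq
        routes = []
        for off in range(24, pkt_len, ROUTE_LEN):
            _, _, prefix, mask, _, metric = struct.unpack_from("!HH4s4s4sI", pkt, off)
            routes.append((inet_ntoa(prefix), inet_ntoa(mask), metric))
        return routes

    def _fail(self) -> None:
        self.auth_failures += 1
        return None


def page_key_ring() -> KeyRing:
    """Constructed keys 2, 3 and 4 with the start times used on the page (secrets invented)."""
    return KeyRing([Md5Key(2, "ABC123", datetime(2020, 2, 1, 1, 1)),
                    Md5Key(3, "MNO123", datetime(2020, 3, 2, 2, 1)),
                    Md5Key(4, "XYZ123", datetime(2020, 4, 3, 3, 1))])


def active_key_id(ring: KeyRing, when: str) -> Optional[int]:
    key = ring.active_key(datetime.fromisoformat(when))
    return None if key is None else key.key_id


def demo() -> Tuple[int, int, int]:
    """Peer never received key 4: updates sent with key 3 pass, those sent with key 4 fail."""
    sender, peer = page_key_ring(), page_key_ring()
    peer.delete(4)
    rx = Receiver(peer)
    routes = [("198.51.100.0", "255.255.255.0", 1), ("192.0.2.1", "255.255.255.255", 1)]
    ok = rx.receive(build_response(routes, sender.active_key(datetime(2020, 3, 15)), 1))
    rx.receive(build_response(routes, sender.active_key(datetime(2020, 5, 1)), 2))
    return (active_key_id(sender, "2020-05-01T00:00"), len(ok or []), rx.auth_failures)
```

Running demo() shows the failure mode the page warns about: once the sender's clock passes key 4's start time, a neighbour that was not given key 4 rejects every update and its Authentication Failures counter climbs, which is why the new key needs a start time with enough leeway to configure all routers on the link first.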
- Configure tracing operations to track authentication.
[edit protocols rip traceoptions]
user@R1# set file rip-authentication-messages
user@R1# set flag auth
user@R1# set flag packets
From configuration mode, confirm your configuration by entering the show interfaces, show protocols, and show policy-options commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Confirm that the configuration is working properly.
Checking for Authentication Failures
To check the authentication failure counters:
From operational mode, enter the show rip statistics command.
user@R1> show rip statistics
RIPv2 info: port 520; holddown 120s.
    rts learned  rts held down  rqsts dropped  resps dropped
              5              0              0              0

ge-0/0/5.0: 5 routes learned; 28 routes advertised; timeout 180s; update interval 30s
    Counter                        Total   Last 5 min   Last minute
    -------                  -----------  -----------   -----------
    Updates Sent                   53058           20             4
    Triggered Updates Sent             2            0             0
    Responses Sent                     0            0             0
    Bad Messages                       0            0             0
    RIPv1 Updates Received             0            0             0
    RIPv1 Bad Route Entries            0            0             0
    RIPv1 Updates Ignored              0            0             0
    RIPv2 Updates Received         26538           10             2
    RIPv2 Bad Route Entries            0            0             0
    RIPv2 Updates Ignored              0            0             0
    Authentication Failures        23853            0             0
    RIP Requests Received              0            0             0
    RIP Requests Ignored               0            0             0
    none                               0            0             0
The Authentication Failures counter displays the number of received packets that failed MD5 authentication. In this output the count is 23853.
Checking for the Current Active MD5 Key
To check which MD5 key is currently active:
From operational mode, enter the show rip neighbor fe-1/2/0 command.
user@R1> show rip neighbor fe-1/2/0
                  Local     Source          Destination     Send   Receive  In
Neighbor  State   Address   Address         Address         Mode   Mode     Met
--------  -----   -------   -----------     -----------     ----   -------  ---
fe-1/2/0  Up      18.104.22.168   22.214.171.124   mcast  both     1
  Auth type: SELECTIVE-MD5, Active key ID: 2, Start time: 1970 Jan 1 05:30:00 IST
Verifying That MD5 Authentication Is Enabled in RIP Update Packets
Use tracing operations to verify that MD5 authentication is enabled in RIP updates.
From operational mode, enter the show log rip-authentication-messages command, filtering for MD5.
user@R1> show log rip-authentication-messages | match md5
Feb 15 15:45:13.969462 sending msg 0xb9a8c04, 3 rtes (needs MD5)
Feb 15 15:45:43.229867 sending msg 0xb9a8c04, 3 rtes (needs MD5)
Feb 15 15:46:13.174410 sending msg 0xb9a8c04, 3 rtes (needs MD5)
Feb 15 15:46:42.716566 sending msg 0xb9a8c04, 3 rtes (needs MD5)
Feb 15 15:47:11.425076 sending msg 0xb9a8c04, 3 rtes (needs MD5)
...
The (needs MD5) output shows that all route updates require MD5 authentication.