[Contents] [Prev] [Next] [Index] [Report an Error]

Authentication

RIPv1 does not support authentication. If you are sending and receiving RIPv2 packets, you can enable RIP authentication on an interface.

The router provides the simple authentication scheme for RIPv2. Because authentication is a per message function and only one 2-octet field is available in the RIP message header, authentication uses the space of an entire RIP message.

The first 20-byte entry in a RIP authentication message contains an address family identifier value of 0xffff and a route tag value of 2. If the 0xffff address family is present in the RIP message, the remaining 16 octets of the entry contain a plain text password. If the password is fewer than 16 octets, it must be left-justified and padded to the right with nulls (0x00).

Authentication is applied per RIP interface. You can specify either text or MD5 authentication. Text authentication uses a simple password that must be shared by the neighbors receiving updates or requests. If they do not have this password, the neighbors reject all updates or requests from the router. MD5 authentication uses a shared key to encrypt the RIP message. The neighbors must have the MD5 key to decrypt the message and encrypt a response.

Note: Do not use text authentication when security is important, because the router sends the unencrypted password in every RIP packet it sends.

Example 1

The following example shows how to use password authentication:



host1(config)#interface fastEthernet 0/0 

host1(config-if)#ip rip send version 2 

host1(config-if)#ip rip authentication mode
text 

host1(config-if)#ip rip authentication key
ke6G72mV

Example 2

The following example shows how to use MD5 authentication:



host1(config)#interface fastEthernet 0/0 

host1(config-if)#ip rip send version 2 

host1(config-if)#ip rip authentication mode
md5 8 

host1(config-if)#ip rip authentication key
sf43nBScE9

[Contents] [Prev] [Next] [Index] [Report an Error]