9. [Optional] Configure RIPv2 Authentication

In this optional section you’re going to authenticate your dynamic routing advertisements using RIPv2 MD5 authentication. This will help prevent attackers from subverting your routing infrastructure by advertising bogus information, which could make it easy to launch attacks such as man-in-the-middle (MitM) and denial-of-service (DoS).

The original version of RIP didn’t support authentication (or variable-length subnet masks, known as VLSM, which we also think of as classless addressing), so it should never be used.

RIPv2 supports at least two forms of authentication. The first is a plain-text password, so it is only useful for protecting against accidental misconfiguration, not deliberate attacks. You should instead use the MD5 form of authentication. To allow keys to be changed, a number of different passwords can be entered simultaneously, each identified by an index. We’re just going to use a single password, so our index will be 1 (the lowest index allowable).

RIPv2 authentication is enabled on a per-interface basis, so on R1 we need to enable authentication on two interfaces: eth1.10 and eth1.20, as those are the interfaces which are connected to other RIP routers. The configuration command for eth1.10 is:

    set interfaces ethernet eth1 vif 10 ip rip authentication md5 1 password OurSharedSecret

eth1.20 needs the same setting. The shared secret has to be the same on every router attached to a given link, but does not need to be the same throughout the RIP routing domain. When you have made the configuration change on all the routers, ensure that it is all working. To inspect the status of the RIP agents, use:

    run show ip rip status

Refer to the Vyatta RIP Reference for further commands.
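
What the md5 option adds to each RIP update, as an added Python example (not Vyatta's code and not part of the original lab): a simplified model of the keyed-MD5 packet layout from RFC 2082, showing how a receiver finds the secret by its index and rejects updates that fail the digest check. The function names, the sample route and the mapping of index 1 to the packet's Key ID field are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

AUTH_MD5 = 3       # RFC 2082 authentication type: keyed message digest
DIGEST_LEN = 16    # MD5 digest size; the key is padded to the same size

def pad_key(secret: str) -> bytes:
    # Shared secret as a 16-byte key, zero-padded (truncated if longer).
    return secret.encode()[:DIGEST_LEN].ljust(DIGEST_LEN, b"\x00")

def route_entry(prefix: str, mask: str, metric: int) -> bytes:
    # 20-byte RIPv2 route entry: AFI 2 (IP), tag 0, address, mask, next hop 0, metric.
    ip = lambda s: bytes(int(o) for o in s.split("."))
    return struct.pack("!HH4s4s4sI", 2, 0, ip(prefix), ip(mask), bytes(4), metric)

def build_response(routes: bytes, key_id: int, secret: str, seq: int) -> bytes:
    header = struct.pack("!BBH", 2, 2, 0)        # command 2 (response), version 2
    pkt_len = len(header) + 20 + len(routes)     # offset of the trailer
    auth = struct.pack("!HHHBBIII", 0xFFFF, AUTH_MD5, pkt_len,
                       key_id, DIGEST_LEN, seq, 0, 0)
    signed = header + auth + routes + struct.pack("!HH", 0xFFFF, 1)
    # Digest covers the packet plus the key; only the digest is transmitted.
    return signed + hashlib.md5(signed + pad_key(secret)).digest()

def verify(packet: bytes, keys: dict, last_seq: int = -1) -> bool:
    # Receiver side: find the key by Key ID, recompute the digest, check sequence.
    if len(packet) < 44:
        return False
    marker, atype, pkt_len, key_id, _, seq = struct.unpack("!HHHBBI", packet[4:16])
    if marker != 0xFFFF or atype != AUTH_MD5 or key_id not in keys:
        return False
    if pkt_len + 4 + DIGEST_LEN != len(packet) or seq < last_seq:
        return False
    signed, digest = packet[:pkt_len + 4], packet[pkt_len + 4:]
    expected = hashlib.md5(signed + pad_key(keys[key_id])).digest()
    return hmac.compare_digest(digest, expected)

if __name__ == "__main__":
    # Constructed sample: one route, index 1, the lab's example secret.
    pkt = build_response(route_entry("10.0.10.0", "255.255.255.0", 1),
                         1, "OurSharedSecret", seq=7)
    print("matching secret:", verify(pkt, {1: "OurSharedSecret"}))
    print("different secret:", verify(pkt, {1: "AnotherSecret"}))
```

The digest authenticates the update but does not encrypt it, so the routes themselves remain readable on the wire.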