In this optional section you’re going to authenticate your dynamic routing advertisements using RIPv2 MD5 authentication. This will help prevent attackers from subverting your routing infrastructure by easily advertising bogus information, which could make it easy to launch attacks such as man-in-the-middle (MitM) and denial-of-service (DoS).
The original version of RIP didn’t support authentication (or variable-length subnet masks, known as VLSM, which we also think of as class-less addressing), and so should never be used.
RIPv2 supports at least two forms of authentication. The first is a plain-text password, so it is only useful for protecting against accidental misconfiguration, not deliberate attacks. You should instead use the MD5 form of authentication. To allow keys to be changed, a number of different passwords can be entered simultaneously, each identified by an index. We’re just going to use a single password, so our index will be 1 (the lowest index allowable).
RIPv2 authentication is enabled on a per-interface basis, so on R1 we shall need to enable authentication on two interfaces: eth1.10 and eth1.20, as those are the interfaces that are connected to other RIP routers. The configuration command is ethernet eth1 vif 10 ip rip authentication md5 1 password OurSharedSecret. The shared secret has to be the same on each link, but does not need to be the same throughout the RIP routing domain. When you have made the configuration change to all the routers, ensure that it is all working. Use run show ip rip status to inspect the status of the RIP agents. Refer to the Vyatta RIP Reference for further commands.
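
To see what the index and the shared secret do on the wire, here is a sketch of the check a receiving router performs on an MD5-authenticated update, following the packet layout in RFC 2082. It is an added example, not part of the original lab or of Vyatta's code; the function names, the sample route and the sequence number are constructed, and zero-padding the password to a 16-byte key is an assumption.

```python
import hashlib, hmac, ipaddress, struct

AUTH_MD5 = 3                      # RFC 2082 "Keyed Message Digest" type
TRAILER = b"\xff\xff\x00\x01"     # marks the start of the digest trailer

def key16(secret):
    # Assumption: the password is used as a 16-byte key, zero-padded.
    return secret.encode()[:16].ljust(16, b"\0")

def build_update(routes, key_id, secret, seq):
    """RIPv2 response with an RFC 2082 MD5 trailer. routes: [(cidr, metric)]."""
    entries = b""
    for cidr, metric in routes:
        net = ipaddress.ip_network(cidr)
        entries += struct.pack("!HH4s4s4sI", 2, 0, net.network_address.packed,
                               net.netmask.packed, bytes(4), metric)
    pkt_len = 4 + 20 + len(entries)              # offset of the trailer
    head = struct.pack("!BBH", 2, 2, 0)          # command=response, version=2
    auth = struct.pack("!HHHBBI8x", 0xFFFF, AUTH_MD5, pkt_len, key_id, 16, seq)
    signed = head + auth + entries + TRAILER
    # The key is appended only for hashing; the digest is sent in its place.
    return signed + hashlib.md5(signed + key16(secret)).digest()

def verify_update(pkt, keys, last_seq=0):
    """Check one update. keys: {index: secret} configured on the interface."""
    if len(pkt) < 24 or pkt[1] != 2:
        return False, "not RIPv2"
    fam, atype, pkt_len, key_id, _, seq = struct.unpack("!HHHBBI", pkt[4:16])
    if fam != 0xFFFF or atype != AUTH_MD5:
        return False, "no MD5 authentication"     # unauthenticated or plain text
    if key_id not in keys:
        return False, "unknown key index"
    if pkt_len < 24 or len(pkt) < pkt_len + 20 or pkt[pkt_len:pkt_len + 4] != TRAILER:
        return False, "malformed trailer"
    expected = hashlib.md5(pkt[:pkt_len + 4] + key16(keys[key_id])).digest()
    if not hmac.compare_digest(expected, pkt[pkt_len + 4:pkt_len + 20]):
        return False, "digest mismatch"
    if seq < last_seq:
        return False, "stale sequence number"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample: one route, key index 1, the lab's shared secret.
    update = build_update([("10.0.30.0/24", 1)], 1, "OurSharedSecret", seq=7)
    print(verify_update(update, {1: "OurSharedSecret"}))
    print(verify_update(update, {1: "SomeOtherSecret"}))
```

The secret itself never appears in the packet, only the index and the digest, which is why both ends of a link must be configured with the same index and password.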