Network Security Notes: Network Protocols: Configuring OSPF Authentication Protocol

This blog is created for network security review, study and understanding about network related issues only! The blog is mainly focus on Network Security Notes about Network, Network Security, Network Technology, Network Labs review related Cisco and Microsoft technology ,Network Threats, Types of Network Threats, Network Alerts, Enterprise Security Policy and Audits, Security Policy and Audits,Logical Security, Physical and Logical Security, Physical Security,Cisco Products Review, Microsoft Products review, Cisco Routers, Routers Security, Console Access, Telnet Access, Network Attack, Network Attack report, Network management, Anti-virus, Network Security with Anti-virus, and All About Network Security... Thanks for your visit!

As my previous post about the Understanding OSPF Protocol and the OSPF Protocol on CISCO Routing Protocol and Concepts, you may already know much details about the OSPF Protocol. And here this post I would like to introduce you about Configuring OSPF Authentication Protocol...

Open Shortest Path First (OSPF) supports two forms of authentication: plain text and MD5. Plain text authentication should be used only when neighboring devices do not support the more secure MD5 authentication. To configure plain text authentication of OSPF packets, follow these steps:

In interface configuration mode, use the ip ospf authentication−key [key] command. The key that is specified is the plain text password that will be used for authentication.

1. Enter OSPF configuration mode using the router ospf [process id] command. Then use the area [area−id] authentication command to configure plain text authentication of OSPF packets for an area.

Referring to Figure Image below, we will configure Router A and Router B for plain text authentication of OSPF packets. Listing A and Listing B below display each router's configuration.

Figure Image:

Figure: Router A and Router B Configured for OSPF Authentication

Listing A: Router A configured to authenticate OSPF packets using plain text authentication

interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.11.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.1 255.255.255.252
ip ospf authentication−key visaadmin
clockrate 64000
router ospf 60
area 0 authentication
network 10.10.10.0 0.0.0.255 area 10
network 10.10.11.0 0.0.0.255 area 11
network 192.168.10.0 0.0.0.255 area 0

Listing B: Router B configured to authenticate OSPF packets using plain text authentication

interface Loopback0
ip address 10.10.12.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.13.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.2 255.255.255.252
ip ospf authentication−key visaadmin
router ospf 50
area 0 authentication
network 10.10.12.0 0.0.0.255 area 12
network 10.10.13.0 0.0.0.255 area 13
network 192.168.10.0 0.0.0.255 area 0

In Listing A and Listing B, plain text authentication is configured to authenticate updates across area 0. By issuing the show ip ospf command, you can determine if plain text authentication is properly configured for each area. Here is an example of the output for the show ip ospf command:

Router−B#show ip ospf 50
Routing Process "ospf 50" with ID 10.10.13.1
......
Area BACKBONE(0)
Number of interfaces in this area is 1
Area has simple password authentication
SPF algorithm executed 7 times

Configure MD5 authentication of OSPF packets

To configure MD5 authentication of OSPF packets, follow the steps outlined here:

1. From interface configuration mode, enable the authentication of OSPF packets using MD5 with the following command:

ip ospf message−digest−key [key−id] md5 [key]

The value of the key−id allows passwords to be changed without having to disable authentication.

2. Enter OSPF configuration mode using the router ospf [process id] command. Then
configure MD5 authentication of OSPF packets for an area using this command:

area [area−id] authentication message−digest

This time, Routers A and B will be configured to authenticate packets across the backbone using the MD5 version of authentication. Listing C shows the configuration for Router A, and Listing D shows Router B's configuration.

Listing C: Router A configured for MD5 authentication

interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.11.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.1 255.255.255.252
ip ospf message−digest−key 15 md5 visa
clockrate 64000
router ospf 60
area 0 authentication message−digest
network 10.10.10.0 0.0.0.255 area 10
network 10.10.11.0 0.0.0.255 area 11
network 192.168.10.0 0.0.0.255 area 0

Listing D: Router B configured for MD5 authentication

interface Loopback0
ip address 10.10.12.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.13.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.2 255.255.255.252
ip ospf message−digest−key 15 md5 visa
router ospf 50
area 0 authentication message−digest
network 10.10.12.0 0.0.0.255 area 12
network 10.10.13.0 0.0.0.255 area 13
network 192.168.10.0 0.0.0.255 area 0

When you use the ip ospf message−digest−key command, the key value allows the password to be changed without having to disable authentication.

Note For OSPF, authentication passwords do not have to be the same throughout the area, but the key id value and the password must be the same between neighbors.

Using the show ip ospf [process−id] command again, you can see that it now states that MD5 authentication is being used across area 0:

Router−A#sh ip ospf 60
Routing Process "ospf 60" with ID 10.10.11.1
......
Area BACKBONE(0)
Number of interfaces in this area is 1
Area has message digest authentication
SPF algorithm executed 4 times

As noted earlier, the key id value and the passwords must be the same between neighbors. If you change the key id value to a number other than 15 on Router A, authentication should not take place and OSPF should get mad. Here is the changed configuration:

interface Serial0/0
ip address 192.168.10.1 255.255.255.252
ip ospf message−digest−key 30 md5 visa
clockrate 64000
router ospf 60
area 0 authentication message−digest
network 10.10.10.0 0.0.0.255 area 10
network 10.10.11.0 0.0.0.255 area 11
network 192.168.10.0 0.0.0.255 area 0

Notice that it has been changed to a value of 30. The following lines show what OSPF has to say
about this:

Router−A#debug ip ospf events
OSPF events debugging is on
Router−A#
00:03:58: OSPF: Send with youngest Key 30
00:04:04: OSPF: Rcv pkt from 192.168.10.2, Ethernet0/0 :
Mismatch Authentication Key − No message digest key 15 on Interface

OSPF is obviously not happy. If you change the key value back, everything should again be all right.

As mentioned earlier, the key id value allows passwords to be changed without having to disable authentication. Listing E and Listing F display the configuration of Router A and Router B with multiple keys and passwords configured.

Listing E: Router A configured with multiple keys and passwords

interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.11.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.1 255.255.255.252
ip ospf message−digest−key 15 md5 visa
ip ospf message−digest−key 20 md5 littleboy
clockrate 64000
router ospf 60
area 0 authentication message−digest
network 10.10.10.0 0.0.0.255 area 10
network 10.10.11.0 0.0.0.255 area 11
network 192.168.10.0 0.0.0.255 area 0

Listing F: Router B configured with multiple keys and passwords

interface Loopback0
ip address 10.10.12.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.13.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.2 255.255.255.252
ip ospf message−digest−key 15 md5 visa
ip ospf message−digest−key 20 md5 littleboy
router ospf 50
area 0 authentication message−digest
network 10.10.12.0 0.0.0.255 area 12
network 10.10.13.0 0.0.0.255 area 13
network 192.168.10.0 0.0.0.255 area 0

As a result of this configuration, Routers A and B will send duplicate copies of each OSPF packet out of their serial interfaces; one will be authenticated using key number 15, and the other will be authenticated using key number 20. After the routers each receive from each other OSPF packets authenticated with key 20, they will stop sending packets with the key number 15 and use only key number 20. At this point, you can delete key number 15, thus allowing you to change passwords without disabling authentication.


Other sites you may want to see:

Entertainment on Flixya: http://visalittleboy.flixya.com/
WWE: http://visa-wwe.blogspot.com/
The Kingdom of Wonder: http://welcome2cambodia.blogspot.com/
Daily Blogging: http://visablogging.blogspot.com/
Love Sharing: http://visa-love.blogspot.com/
NetworkSecurity: http://networksecuritynotes.blogspot.com/
About Insurance:http://visa-insurance.blogspot.com
All about Love: http://visa-love.blogspot.com/
Learning English Online: http://visa-elb.blogspot.com/
Discovery Internet: http://visa-isp.blogspot.com/

Read more...

If you like this post, please subscribe below,thanks!

Enter your email address:

Delivered by FeedBurner

Network Security Notes: Network Protocols: Configuring EIGRP Authentication Protocol

This blog is created for network security review, study and understanding about network related issues only! The blog is mainly focus on Network Security Notes about Network, Network Security, Network Technology, Network Labs review related Cisco and Microsoft technology ,Network Threats, Types of Network Threats, Network Alerts, Enterprise Security Policy and Audits, Security Policy and Audits,Logical Security, Physical and Logical Security, Physical Security,Cisco Products Review, Microsoft Products review, Cisco Routers, Routers Security, Console Access, Telnet Access, Network Attack, Network Attack report, Network management, Anti-virus, Network Security with Anti-virus, and All About Network Security... Thanks for your visit!

As my previous post about Understanding EIGRP protocol, this post I would like to share you about configuring EIGRP Authentication....

EIGRP Authentication between Router A and Router B

EIGRP authentication of packets has been supported since IOS version 11.3. EIGRP route authentication is similar to RIP version 2, but EIGRP authentication supports only the MD5 version of packet encryption.

EIGRP's authentication support may at first seem limited, but plain text authentication should be configured only when neighboring routers do not support MD5. Because EIGRP is a proprietary routing protocol developed by Cisco, it can be spoken only between two Cisco devices, so the issue of another neighboring router not supporting the MD5 cryptographic checksum of packets should never arise.

The steps for configuring authentication of EIGRP updates are similar to the steps for configuring RIP version 2 authentication:

1. Define the key chain using the command key−chain < name> in global configuration mode. This command transfers you to the key chain configuration mode.

2. Specify the key number with the key command in key chain configuration mode. You can configure multiple keys.

3. For each key, identify the key string with the key−string command.

4. Optionally, you can configure the period for which the key can be sent and received. Use the
following commands:

accept−lifetime {infinite|end−time|duration −seconds}
send−lifetime {infinite|end−time|duration seconds}


5. Exit key chain configuration mode with the exit command.

6. Under interface configuration mode, enable the authentication of EIGRP updates with this
command:

ip authentication key−chain eigrp

7. Enable MD5 authentication of EIGRP updates using the following command:

ip authentication mode eigrp md5

With the command below shows you how Router A should be configured to authenticate updates from Router B using EIGRP MD5 authentication,

Command Listing A: Router A's configuration with MD5 authentication:

key chain router−a
key 1
key−string eigrp
!
interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.11.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.1 255.255.255.252
ip authentication mode eigrp 2 md5
ip authentication key−chain eigrp 2 router−a
clockrate 64000
!
router eigrp 2
network 10.0.0.0
network 192.168.10.0
no auto−summary
eigrp log−neighbor−changes

And the next below command here shows the configuration for Router B.

Command Listing B: Router B's configuration with MD5 authentication:

key chain router−b
key 1
key−string eigrp
!
interface Loopback0
ip address 10.10.12.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.13.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.2 255.255.255.252
ip authentication mode eigrp 2 md5
ip authentication key−chain eigrp 2 router−b
clockrate 64000
!
router eigrp 2
network 10.0.0.0
network 192.168.10.0
no auto−summary
eigrp log−neighbor−changes

The Command Listing A configures Router A with a key chain value of router−a, a key value of 1, and a key−string value of eigrp. The Command Listing B configures Router B with a key chain value of router−b, a key value of 1, and a key−string value of eigrp. Notice again that the key chain need not match between routers; however, the key number and the key string associated with the key value must match between routers configured to use that key value. Although debugging of encrypted EIGRP packets is somewhat limited, a few commands can be used to verify that packet encryption is taking place correctly. Two of those commands are debug eigrp packet and show ip route. The debug eigrp packet command informs you if the router has received a packet with the correct key value and key string. The output of issuing this command can be seen here:

Router−A#debug eigrp packet
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK)
Router−A#
EIGRP: received packet with MD5 authentication
EIGRP: received packet with MD5 authentication

Router A is receiving MD5−authenticated packets from it neighbor, Router B. However, we cannot fully determine whether or not the authentication is taking place correctly without issuing the show ip route command on Router A. This allows us to look at the route table and determine that packet authentication is taking place correctly because the routes that Router B has sent to Router A are installed into the route table. Listing 1.7 displays the output of the show ip route command.

Listing Command C: Route table of Router A with correct authentication configured:

Router−A#sh ip route
...
C 192.168.10.0/24 is directly connected, Ethernet0/0
C 10.10.10.0 is directly connected, Loopback0

C 10.10.11.0 is directly connected, Ethernet0/0
D 10.10.12.0 [90/409600] via 192.168.10.2, 00:18:36, Serial0/0
D 10.10.13.0 [90/409600] via 192.168.10.2, 00:18:36, Serial0/0
Router−A#

You can change Router A's key−string value for key 1 to see what kind of an effect this will have.
The following lines will change the key−string value for key 1 on Router A to ospf:

Router−A#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router−A(config)#key chain router−a
Router−A(config−keychain)#key 1
Router−A(config−keychain−key)#key−string ospf
Router−A(config−keychain−key)#end
Router−A#

Now that Router A has a different key string associated with key 1, you would assume that packet authentication is not taking place correctly. By issuing the debug eigrp packet command, you can see that there is indeed a problem with authentication:

Router−A#debug eigrp packet
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK)
Router−A#
EIGRP: received packet with MD5 authentication
EIGRP: ignored packet from 192.168.10.2 opcode = 5 (invalid
authentication)

Taking a quick look at the route table confirms that the authentication is incorrectly configured. Now that the key strings are different, no routes from Router B are installed into the route table of Router A. Listing Command C: displays the routing table of Router A.
Listing Command C:: Route table of Router A with incorrect authentication configured.

Router−A#sh ip route
...
C 192.168.10.0/24 is directly connected, Ethernet0/0
10.0.0.0/24 is subnetted, 2 subnets
C 10.10.10.0 is directly connected, Loopback0
C 10.10.11.0 is directly connected, Loopback1
Router−A#

NOTE: You can also issue the show ip eigrp neighbor command to determine if authentication is configured correctly. If authentication is correctly configured, the neighboring router will be displayed in the output of the command. If authentication is incorrectly configured, the neighbor will not be displayed in the output.



Other sites you may want to see:

Entertainment on Flixya: http://visalittleboy.flixya.com/
WWE: http://visa-wwe.blogspot.com/
The Kingdom of Wonder: http://welcome2cambodia.blogspot.com/
Daily Blogging: http://visablogging.blogspot.com/
Love Sharing: http://visa-love.blogspot.com/
NetworkSecurity: http://networksecuritynotes.blogspot.com/
About Insurance:http://visa-insurance.blogspot.com
All about Love: http://visa-love.blogspot.com/
Learning English Online: http://visa-elb.blogspot.com/
Discovery Internet: http://visa-isp.blogspot.com/

Read more...

If you like this post, please subscribe below,thanks!

Enter your email address:

Delivered by FeedBurner

Network Technology: Network Security: How to Configuring RIP Authentication

This blog is created for network security review, study and understanding about network related issues only! The blog is mainly focus on Network Security Notes about Network, Network Security, Network Technology, Network Labs review related Cisco and Microsoft technology ,Network Threats, Types of Network Threats, Network Alerts, Enterprise Security Policy and Audits, Security Policy and Audits,Logical Security, Physical and Logical Security, Physical Security,Cisco Products Review, Microsoft Products review, Cisco Routers, Routers Security, Console Access, Telnet Access, Network Attack, Network Attack report, Network management, Anti-virus, Network Security with Anti-virus, and All About Network Security... Thanks for your visit!

As my previous post about RIP Protocol, here this post I want to show you how to configure RIP Authentication...

Generally, There are two versions of Routing Information Protocol (RIP): version 1 and version 2. RIP version 1 does not support authentication of routing updates; however, RIP version 2 supports both plain text and MD5 authentication.

The Picture Figure below shows two routers, Router A and Router B, that exchange
RIP version 2 MD5 authentication updates.

Router A and Router B configured for RIP authentication

Configuring authentication of RIP version 2 updates is fairly easy and very uniform. The basic configuration includes the following steps:

1. Define the key chain using the command key−chain <> in global configuration mode. This command transfers you to the key chain configuration mode.

2. Specify the key number with the key <> command in key chain configuration mode.You can configure multiple keys.

3. For each key, identify the key string with the key−string <> command.

4. Configure the period for which the key can be sent and received. Use the following
commands:

accept−lifetime {infinite|end−time|duration −
seconds}
send−lifetime {infinite|end−time|duration seconds}

5. Exit key chain configuration mode with the exit command.

6. Under interface configuration mode, enable the authentication of RIP updates with this command:

ip rip authentication key−chain

This command is all that is needed to use plain text authentication.

7. Optionally, under interface configuration mode, enable MD5 authentication of RIP updates using the ip rip authentication mode md5 command.

The listings that follow show how Router A and Router B in Figure 1.3 should be configured to authenticate updates from one another using RIP MD5 authentication. Listing 1.1 shows the configuration of Router A, and Listing 1.2 shows the configuration of Router B.

Listing 1.1: Router A's configuration with MD5 authentication:

key chain systems
key 1
key−string router
!
interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.11.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.1 255.255.255.252
ip rip authentication mode md5
ip rip authentication key−chain systems
clockrate 64000
!
router rip
version 2
network 10.0.0.0
network 192.168.10.0
no auto−summary

Listing 1.2: Router B's configuration with MD5 authentication:

key chain cisco
key 1
key−string router
!
interface Loopback0
ip address 10.10.12.1 255.255.255.0
!
interface FastEthernet0/0
ip address 10.10.13.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.2 255.255.255.252
ip rip authentication mode md5
ip rip authentication key−chain cisco
!
router rip
version 2
network 10.0.0.0
network 192.168.10.0
no auto−summary

The configuration in Listing 1.1 displays Router A's MD5 configuration. Router A is configured with a key chain value of systems, a key value of 1, and a key−string value of router. Listing 1.2 displays Router B's MD5 configuration. Router B is configured with a key chain value of cisco, a key value of 1, and a key−string value of router.

Note Notice that the key−chain command of each router can have a different value; however, the key−string command must match for each key that is configured on each neighbor.

You can use the command debug ip rip to examine how RIP receives the encrypted routing updates. Entering this command on Router A and Router B displays the output shown in Listing 1.3 and Listing 1.4, respectively.


Listing 1.3: The output of the command debug ip rip displays how Router A receives RIP routing
updates from Router B:

Router−A#debug ip rip
RIP protocol debugging is on
Router−A#
RIP: received packet with MD5 authentication
RIP: received v2 update from 192.168.10.2 on Serial0/0
10.10.12.0/24 −> 0.0.0.0 in 1 hops
10.10.13.0/24 −> 0.0.0.0 in 1 hops

Listing 1.4: The output of the command debug ip rip displays how Router B receives RIP routing
updates from Router A:

Router−B#debug ip rip
RIP protocol debugging is on
Router−B#
RIP: received packet with MD5 authentication
RIP: received v2 update from 192.168.10.1 on Serial0/0
10.10.10.0/24 via 0.0.0.0 in 1 hops
10.10.11.0/24 via 0.0.0.0 in 1 hops



Other sites you may want to see:

Entertainment on Flixya: http://visalittleboy.flixya.com/
WWE: http://visa-wwe.blogspot.com/
The Kingdom of Wonder: http://welcome2cambodia.blogspot.com/
Daily Blogging: http://visablogging.blogspot.com/
Love Sharing: http://visa-love.blogspot.com/
NetworkSecurity: http://networksecuritynotes.blogspot.com/
About Insurance:http://visa-insurance.blogspot.com
All about Love: http://visa-love.blogspot.com/
Learning English Online: http://visa-elb.blogspot.com/
Discovery Internet: http://visa-isp.blogspot.com/

Read more...

If you like this post, please subscribe below,thanks!

Enter your email address:

Delivered by FeedBurner

Network Technology: Network Security: Learning About RIP (Routing Information Protocol)

This blog is created for network security review, study and understanding about network related issues only! The blog is mainly focus on Network Security Notes about Network, Network Security, Network Technology, Network Labs review related Cisco and Microsoft technology ,Network Threats, Types of Network Threats, Network Alerts, Enterprise Security Policy and Audits, Security Policy and Audits,Logical Security, Physical and Logical Security, Physical Security,Cisco Products Review, Microsoft Products review, Cisco Routers, Routers Security, Console Access, Telnet Access, Network Attack, Network Attack report, Network management, Anti-virus, Network Security with Anti-virus, and All About Network Security... Thanks for your visit!

The Routing Information Protocol (RIP) is a dynamic routing protocol used in local and wide area networks. As such it is classified as an interior gateway protocol (IGP). It uses the distance-vector routing algorithm. It was first defined in RFC 1058 (1988). The protocol has since been extended several times, resulting in RIP Version 2 (RFC 2453). Both versions are still in use today, however, they are considered to have been made technically obsolete by more advanced techniques such as Open Shortest Path First (OSPF) and the OSI protocol IS-IS. RIP has also been adapted for use in IPv6 networks, a standard known as RIPng (RIP next generation), published in RFC 2080 (1997).

The routing algorithm used in RIP, the Bellman-Ford algorithm, was first deployed in a computer network in 1967, as the initial routing algorithm of the ARPANET.

The earliest version of the specific protocol that became RIP was the Gateway Information Protocol, part of the PARC Universal Packet internetworking protocol suite, developed at Xerox Parc. A later version, named the Routing Information Protocol, was part of Xerox Network Systems.

A version of RIP which supported the Internet Protocol (IP) was later included in the Berkeley Software Distribution (BSD) of the Unix operating system. It was known as the routed daemon. Various other vendors would create their own implementations of the routing protocol. Eventually, RFC 1058 unified the various implementations under a single standard.

RIP is a distance-vector routing protocol, which employs the hop count as a routing metric. The hold down time is 180 seconds. RIP prevents routing loops by implementing a limit on the number of hops allowed in a path from the source to a destination. The maximum number of hops allowed for RIP is 15. This hop limit, however, also limits the size of networks that RIP can support. A hop count of 16 is considered an infinite distance and used to deprecate inaccessible, inoperable, or otherwise undesirable routes in the selection process.

RIP implements the split horizon, route poisoning and holddown mechanisms to prevent incorrect routing information from being propagated. These are some of the stability features of RIP. It is also possible to use the so called RIP-MTI (Minimal Topology Information) algorithm to cope with the count to infinity problem. With its help, it is possible to detect every possible loop with a very small computation effort.

Originally each RIP router transmitted full updates every 30 seconds. In the early deployments, routing tables were small enough that the traffic was not significant. As networks grew in size, however, it became evident there could be a massive traffic burst every 30 seconds, even if the routers had been initialized at random times. It was thought, as a result of random initialization, the routing updates would spread out in time, but this was not true in practice. Sally Floyd and Van Jacobson showed in 1994 that, without slight randomization of the update timer, the timers synchronized over time. In most current networking environments, RIP is not the preferred choice for routing as its time to converge and scalability are poor compared to EIGRP, OSPF, or IS-IS (the latter two being link-state routing protocols), and (without RIP-MTI) a hop limit severely limits the size of network it can be used in. However, it is easy to configure, because RIP does not require any parameters on a router unlike other protocols.

RIP is implemented on top of the User Datagram Protocol as its transport protocol. It is assigned the reserved port number 520.

RIP Versions:

There are three versions of the Routing Information Protocol: RIPv1, RIPv2, and RIPng.

RIP version 1

The original specification of RIP, defined in RFC 1058, uses classful routing. The periodic routing updates do not carry subnet information, lacking support for variable length subnet masks (VLSM). This limitation makes it impossible to have different-sized subnets inside of the same network class. In other words, all subnets in a network class must have the same size. There is also no support for router authentication, making RIP vulnerable to various attacks.The RIP version 1 works when there is only 16 hop counts(0-15).If there are more than 16 hops between two routers it fails to send data packets to the destination address.

RIP version 2

Due to the deficiencies of the original RIP specification, RIP version 2 (RIPv2) was developed in 1993 and last standardized in 1998. It included the ability to carry subnet information, thus supporting Classless Inter-Domain Routing (CIDR). To maintain backward compatibility, the hop count limit of 15 remained. RIPv2 has facilities to fully interoperate with the earlier specification if all Must Be Zero protocol fields in the RIPv1 messages are properly specified. In addition, a compatibility switch feature allows fine-grained interoperability adjustments.

In an effort to avoid unnecessary load on hosts that do not participate in routing, RIPv2 multicasts the entire routing table to all adjacent routers at the address 224.0.0.9, as opposed to RIPv1 which uses broadcast. Unicast addressing is still allowed for special applications.

(MD5) authentication for RIP was introduced in 1997.

RIPv2 is Internet Standard STD-56.

Route tags were also added in RIP version 2. This functionality allows for routes to be distinguished from internal routes to external redistributed routes from EGP protocols.

RIPng

RIPng (RIP next generation), defined in RFC 2080,[8] is an extension of RIPv2 for support of IPv6, the next generation Internet Protocol. The main differences between RIPv2 and RIPng are:

* Support of IPv6 networking.
* While RIPv2 supports RIPv1 updates authentication, RIPng does not. IPv6 routers were, at the time, supposed to use IPsec for authentication.
* RIPv2 allows attaching arbitrary tags to routes, RIPng does not;
* RIPv2 encodes the next-hop into each route entries, RIPng requires specific encoding of the next hop for a set of route entries.xxx

...

Read more...

If you like this post, please subscribe below,thanks!

Enter your email address:

Delivered by FeedBurner

Understanding about Route Filtering to securing network

This blog is created for network security review, study and understanding about network related issues only! The blog is mainly focus on Network Security Notes about Network, Network Security, Network Technology, Network Labs review related Cisco and Microsoft technology ,Network Threats, Types of Network Threats, Network Alerts, Enterprise Security Policy and Audits, Security Policy and Audits,Logical Security, Physical and Logical Security, Physical Security,Cisco Products Review, Microsoft Products review, Cisco Routers, Routers Security, Console Access, Telnet Access, Network Attack, Network Attack report, Network management, Anti-virus, Network Security with Anti-virus, and All About Network Security... Thanks for your visit!

As my previous post about Routing Protocol Authentication, today post, I would like to find out about Route Filtering to securing network. 

What is Route Filtering?

Route Filtering is the process by Router, in which the certain routes are not considered for inclusion in the local route database, or not advertised to one's neighbours. During configuring Router, the Network Administrator need to be aware of which type of network route should be allowed to enter the Network Local or to go out to the remote Network. 

There are two Types of Filtering:

1.Input filtering

Input filtering is a filter is applied to routes as they are learned from a neighbour. A route that has been filtered out is discarded straight away, and hence not considered for inclusion into the local routing database.

2.Output filtering

Output filtering, a filter is applied to routes before they are announced to a neighbour. A route that has been filtered out is never learned by a neighbour, and hence not considered for inclusion in the remote route database.

Why Route Filtering? 

1.Route filtering enables the network administrator to keep tight control over route advertisements.

2.Route filters ensure that routers will advertise as well as accept legitimate networks. They work by regulating the flow of routes that are entered into or advertised out of the routing table.

3.Filtering the networks that are advertised out of a routing process or accepted into the routing process helps to increase security because, if no route is advertised to a downstream or upstream neighbor, then no route apparently exists to the network. 

4.Using Route Filtering to prevent routers on a local network from learning about routes that are dynamically advertised out on the interface, you can define the interface as passive. Defining an interface as passive keeps routing update messages from being sent through a router interface, preventing other systems on the interface from learning about routes dynamically from this router. You can configure a passive interface for all IP routing protocols except Border Gateway Protocol (BGP).

Read more...

If you like this post, please subscribe below,thanks!

Enter your email address:

Delivered by FeedBurner

Routing Protocol Authentication

This blog is created for network security review, study and understanding about network related issues only! The blog is mainly focus on Network Security Notes about Network, Network Security, Network Technology, Network Labs review related Cisco and Microsoft technology ,Network Threats, Types of Network Threats, Network Alerts, Enterprise Security Policy and Audits, Security Policy and Audits,Logical Security, Physical and Logical Security, Physical Security,Cisco Products Review, Microsoft Products review, Cisco Routers, Routers Security, Console Access, Telnet Access, Network Attack, Network Attack report, Network management, Anti-virus, Network Security with Anti-virus, and All About Network Security... Thanks for your visit!

What is Routing Protocol? 

A routing protocol is a protocol that specifies how routers communicate with each other, disseminating information that enables them to select routes between any two nodes on a computer network, the choice of the route being done by routing algorithms. Each router has a prior knowledge only of networks attached to it directly. A routing protocol shares this information first among immediate neighbors, and then throughout the network. This way, routers gain knowledge of the topology of the network.

The term routing protocol may refer specifically to one operating at layer three of the OSI model, which similarly disseminates topology information between routers.

Many routing protocols used in the public Internet are defined in documents called RFCs.

There are two major types of routing protocols, some with variants: link-state routing protocols and (path vector protocols) distance-vector routing protocols.

The specific characteristics of routing protocols include:

-the manner in which they either prevent routing loops from forming or break them up if they do

-the manner in which they select preferred routes, using information about hop costs

-the time they take to converge

-how well they scale up

-many other factors

Routing protocol authentication?

Routing protocol authentication prevents the introduction of false or unauthorized routing messages from unapproved sources. With authentication configured, the router will authenticate the source of each routing protocol packet that it receives from its neighbors. Routers exchange an authentication key or a password that is configured on each router. The key or password must match between neighbors.

There are two types of routing protocol authentication: plain text authentication and Message Digest 5 (MD5) authentication. 

1.Plain text authentication is generally not recommended because the authentication key is sent across the network in clear text, making plain text authentication susceptible to eavesdropping attempts. 

2.MD5 authentication creates a hash value from the key; the hash value instead of the actual password is exchanged between neighbors, preventing the password from being read because the hash, not the password, is transmitted across the network.

Read more...

If you like this post, please subscribe below,thanks!

Enter your email address:

Delivered by FeedBurner

Configuring Password Encryption

This blog is created for network security review, study and understanding about network related issues only! The blog is mainly focus on Network Security Notes about Network, Network Security, Network Technology, Network Labs review related Cisco and Microsoft technology ,Network Threats, Types of Network Threats, Network Alerts, Enterprise Security Policy and Audits, Security Policy and Audits,Logical Security, Physical and Logical Security, Physical Security,Cisco Products Review, Microsoft Products review, Cisco Routers, Routers Security, Console Access, Telnet Access, Network Attack, Network Attack report, Network management, Anti-virus, Network Security with Anti-virus, and All About Network Security... Thanks for your visit!

All Cisco console and Telnet passwords configured on the router are stored in plain text within the configuration of the router by default, thus making them easily readable. If someone issues the show running−config privileged mode command, the password is displayed. Another instance when the password can easily be read is if you store your configurations on a TFTP server, the intruder only needs to gain access into the TFTP machine, after which the intruder can read the
configuration with a simple text editor. Password encryption stores passwords in an encrypted manner on the router. The encryption is applied to all configured passwords on the router.

Read more...

If you like this post, please subscribe below,thanks!

Enter your email address:

Delivered by FeedBurner