Implement IPv4 RIP version 2 (RIPv2)

Before jumping into RIPv2 we need to go over a few points: how RIPv2 came about and what enhancements RIPv2 adds over RIPv1.

RIP Overview

The RIP process operates from UDP port 520; all RIP messages are encapsulated in a UDP (User Datagram Protocol) segment with both the Source and Destination Port fields set to that value. RIP defines two message types: Request messages and Response messages. A Request message is used to ask neighboring routers to send an update. A Response message carries the update. The metric used by RIP is hop count, with 1 signifying a directly connected network of the advertising router and 16 signifying an unreachable network.

On startup, RIP broadcasts a packet carrying a Request message out each RIP-enabled interface. The RIP process then enters a loop, listening for RIP Request or Response messages from other routers. Neighbors receiving the Request send a Response containing their route table. From then on the router sends a periodic update every 30 seconds, on average; the update timer initiating this periodic update includes a random variable to prevent table synchronization. The Response message, or update, contains the router’s full route table with the exception of entries suppressed by the split horizon rule. The destination address of the update is the all-hosts broadcast 255.255.255.255.

The expiration timer, or timeout timer, is used to limit the amount of time a route can stay in a route table without being updated. The Cisco IOS calls it the invalid timer. The expiration timer is initialized to 180 seconds whenever a new route is established and is reset to the initial value whenever an update is heard for that route. If an update for a route is not heard within that 180 seconds (six update periods), the hop count for the route is changed to 16, marking the route as unreachable. Another timer, the garbage collection or flush timer, is set to 240 seconds, or 60 seconds longer than the expiration time. The route will be advertised with the unreachable metric until the garbage collection timer expires, at which time the route will be removed from the route table. The holddown timer is implemented on Cisco devices. An update with a hop count higher than the metric recorded in the route table will cause the route to go into holddown for 180 seconds. If the timing of one router is changed, the timing of all the routers in the RIP domain must be changed.

The timers can be configured under the RIP process with the following command (update, invalid, holddown and flush, in seconds):

Router(config-router)#timers basic ?
<1-4294967295>  Interval between updates for RIP

Router(config-router)#timers basic 5 ?
<1-4294967295>  Invalid

Router(config-router)#timers basic 5 3 ?
<0-4294967295>  Holddown

Router(config-router)#timers basic 5 3 100 ?
<1-4294967295>  Flush

R1(config-router)#timers basic 5 3 100 180
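A small model of the expiration, flush and holddown timers described above, written for this post as an added example (not code from the original): it uses the default values of 180, 180 and 240 seconds and treats any update heard for the route as restarting the expiration timer. The holddown handling is an assumption the text does not spell out: during holddown only a strictly better metric is believed.

```python
UNREACHABLE = 16

class RipRoute:
    """One RIP route-table entry and the timers that govern its life (constructed model)."""

    def __init__(self, prefix, metric, now, invalid=180, holddown=180, flush=240):
        self.prefix, self.metric = prefix, metric
        self.invalid, self.holddown, self.flush = invalid, holddown, flush
        self.last_update = now        # expiration (invalid) and flush timers count from here
        self.holddown_until = None    # set when a worse metric is heard for the route

    def on_update(self, metric, now):
        """Apply an update for this prefix heard at time `now`; returns what happened."""
        if self.holddown_until is not None and now < self.holddown_until:
            if metric >= self.metric:
                return "ignored (holddown)"   # assumption: only a better path ends holddown early
            self.holddown_until = None
        if metric > self.metric:
            # Cisco behaviour from the text: a higher hop count puts the route into holddown.
            self.holddown_until = now + self.holddown
            return "holddown"
        self.metric, self.last_update = metric, now   # an update for the route restarts the timers
        return "refreshed"

    def advertised_metric(self, now):
        """Hop count sent in updates: 16 once the expiration timer has run out."""
        return UNREACHABLE if now - self.last_update >= self.invalid else self.metric

    def flushed(self, now):
        """True once the flush (garbage collection) timer says the entry is removed."""
        return now - self.last_update >= self.flush
```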

RIP employs split horizon with poison reverse and triggered updates. A triggered update occurs whenever the metric for a route is changed and, unlike regularly scheduled updates, might include only the entry or entries that changed. Also unlike regular updates, a triggered update does not cause the receiving router to reset its update timer; if it did, a topology change could cause many routers to reset at the same time and thus cause the periodic updates to become synchronized. To avoid a “storm” of triggered updates after a topology change, another timer is employed. When a triggered update is transmitted, this timer is randomly set between one and five seconds; subsequent triggered updates cannot be sent until the timer expires.

You can also run the following command under the RIP router process to tell the router not to send out a received triggered update if the next regular update is going to be sent out shortly:

Router(config-router)#flash-update-threshold ?

<0-30>  threshold in seconds

RIP Message Format

Each message contains a command and a version number and can contain entries for up to 25 routes. Each route entry includes an address family identifier, the IP address reachable by the route, and the hop count for the route. If a router must send an update with more than 25 entries, multiple RIP messages must be produced.

  • Command: set to either Request or Response
  • Version: set to 1 for RIPv1 and 2 for RIPv2
  • Address Family ID: set to 2 for IP. The exception is a request for a router's full route table.
  • IP Address: the IP address of the destination of the route.
  • Metric: a hop count between 1 and 16.

Classful Routing

When a packet enters a RIP-speaking router and a route table lookup is performed, the various choices in the table are pruned until a single path remains. First, the network portion of the destination address is read and the route table is consulted for a match. It is this first step of reading the major class A, B, or C network number that defines a classful route table lookup. If there is no match for the major network, the packet is dropped and an ICMP Destination Unreachable message is sent to the packet’s source. If there is a match for the network portion, the subnets listed for that network are examined. If a match can be found, the packet is routed.

The defining characteristic of a classful routing protocol is that it does not advertise an address mask along with the advertised destination address. Therefore, a classful routing protocol must first match the major class A, B, or C network portion of the destination address of every packet passing through the router.

RIPv2

Now, after looking over RIPv1, we can see that it has some drawbacks in today's networks. What RIPv2 can provide that RIPv1 cannot is the following:

  • Subnet masks are carried with each route entry
  • Authentication of routing updates
  • Next-hop addresses are carried with each route entry
  • External route tags
  • Multicast route updates

The most important of these extensions is the addition of a Subnet Mask field to the routing update entries, enabling the use of variable-length subnet masks and qualifying RIPv2 as a classless routing protocol.

RIPv2 multicasts updates to other RIPv2-speaking routers, using the reserved class D address 224.0.0.9. The advantage of multicasting is that devices on the local network that are not concerned with RIP routing do not have to spend time “unwrapping” broadcast packets from the router.

The RIPv2 message format is similar to RIPv1 with the exception of a few fields:

  • Route Tag provides a field for tagging external routes, or routes that have been redistributed into the RIPv2 process.
  • Subnet Mask is a 32-bit mask that identifies the network and subnet portion of the IPv4 address.
  • Next Hop identifies a better next-hop address, if one exists, than the address of the advertising router.

Compatibility with RIPv1

If the Version field indicates Version 1 but any bits of any unused fields are set to one, the update is discarded. If the version is greater than one, the fields defined as unused in Version 1 are ignored and the message is processed. As a result, newer editions of the protocol, like RIPv2, can be backward-compatible with RIPv1.

There are four settings that allow Versions 1 and 2 to interoperate:

  1. RIP-1, in which only RIPv1 messages are transmitted
  2. RIP-1 Compatibility, which causes RIPv2 to broadcast its messages instead of multicast them so that RIPv1 may receive them
  3. RIP-2, in which RIPv2 messages are multicast to destination address 224.0.0.9
  4. None, in which no updates are sent

These can be configured under the interface with the following commands:

Router(config-if)#ip rip send version {1,2}

Router(config-if)#ip rip receive version {1,2}

Classless Routing Protocols

The true defining characteristic of classless routing protocols is the capability to carry subnet masks in their route advertisements. One benefit of having a mask associated with each route is that the all-zeros and all-ones subnets are now available for use. Classful routing protocols cannot distinguish between an all-zeros subnet (172.16.0.0, for example) and the major network number (172.16.0.0). Likewise, they cannot distinguish between a broadcast on the all-ones subnet (172.16.255.255) and an all-subnets broadcast (172.16.255.255).

If the subnet masks are included, this difficulty disappears. You can readily see that 172.16.0.0/16 is the major network number and that 172.16.0.0/24 is an all-zeros subnet. 172.16.255.255/16 and 172.16.255.255/24 are just as distinguishable.

By default, the Cisco IOS rejects an attempt to configure an all-zeros subnet as an invalid address/mask combination even if a classless routing protocol is running. To override this default behavior, enter the global command ip subnet-zero.

A much greater benefit of having a subnet mask associated with each route is being able to use variable-length subnet masking (VLSM) and to summarize a group of major network addresses with a single aggregate address.

Router(config)#router rip
Router(config-router)#version 2
Router(config-router)#network 10.0.0.0
Router(config-router)#no auto-summary

Authentication

A security concern with any routing protocol is the possibility of a router accepting invalid routing updates. The source of invalid updates may be an attacker trying to maliciously disrupt the network or trying to capture packets by tricking the router into sending them to the wrong destination. A more mundane source of invalid updates may be a malfunctioning router. RIPv2 includes the capability to authenticate the source of a routing update by including a password.

Authentication is supported by modifying what would normally be the first route entry of the RIP message. With authentication, the maximum number of entries a single update can carry is reduced to 24. The presence of authentication is indicated by setting the Address Family Identifier field to all ones (0xFFFF). The Authentication Type for simple password authentication is two (0x0002), and the remaining 16 octets carry an alphanumeric password of up to 16 characters. The password is left-justified in the field, and if the password is less than 16 octets, the unused bits of the field are set to zero.
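The field layout from the message-format sections above and the simple-password entry just described, as an added example (not code from the original post): it builds a RIPv2 Response, applies the Version 1 unused-field rule from the compatibility section when parsing, and rejects an update whose password does not match the receiver's. The routes and the password are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

HDR = struct.Struct("!BBH")            # command, version, must-be-zero
ENTRY = struct.Struct("!HH4s4s4sI")    # AFI, route tag, IP address, subnet mask, next hop, metric
AUTH = struct.Struct("!HH16s")         # AFI 0xFFFF, authentication type, 16-octet password
RESPONSE, AFI_IP, AFI_AUTH, AUTH_SIMPLE = 2, 2, 0xFFFF, 2

def build_response(routes, password=None, version=2):
    """routes: list of (prefix, mask, next_hop, metric, route_tag) tuples."""
    limit = 24 if password is not None else 25    # the auth entry uses one of the 25 slots
    if len(routes) > limit:
        raise ValueError(f"at most {limit} routes per message")
    msg = HDR.pack(RESPONSE, version, 0)
    if password is not None:
        pw = password.encode()
        if len(pw) > 16:
            raise ValueError("password is at most 16 octets")
        msg += AUTH.pack(AFI_AUTH, AUTH_SIMPLE, pw.ljust(16, b"\0"))  # left-justified, zero filled
    for prefix, mask, next_hop, metric, tag in routes:
        if not 1 <= metric <= 16:
            raise ValueError("metric must be a hop count from 1 to 16")
        msg += ENTRY.pack(AFI_IP, tag, IPv4Address(prefix).packed, IPv4Address(mask).packed,
                          IPv4Address(next_hop).packed, metric)
    return msg

def parse_response(msg, expected_password=None):
    """Return the route list, or None when the receiver must discard the message."""
    command, version, mbz = HDR.unpack_from(msg)
    chunks = [msg[o:o + ENTRY.size] for o in range(HDR.size, len(msg), ENTRY.size)]
    if command != RESPONSE or (version == 1 and mbz) or any(len(c) != ENTRY.size for c in chunks):
        return None                        # v1 rule: a set bit in an unused field discards the update
    authenticated, routes = False, []
    for i, chunk in enumerate(chunks):
        afi = struct.unpack_from("!H", chunk)[0]
        if afi == AFI_AUTH and i == 0:     # authentication replaces the first route entry
            _, auth_type, pw = AUTH.unpack(chunk)
            authenticated = (auth_type == AUTH_SIMPLE and expected_password is not None
                             and pw.rstrip(b"\0") == expected_password.encode())
            continue
        if afi != AFI_IP:
            continue                       # entries for other address families are ignored
        _, tag, ip, mask, next_hop, metric = ENTRY.unpack(chunk)
        if version == 1 and (tag or mask != bytes(4) or next_hop != bytes(4)):
            return None                    # same v1 rule applied to the per-entry unused fields
        routes.append((str(IPv4Address(ip)), str(IPv4Address(mask)),
                       str(IPv4Address(next_hop)), metric, tag))
    if expected_password is not None and not authenticated:
        return None                        # unauthenticated or wrong password: update rejected
    return routes
```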

Cisco uses the first and last route entry spaces for MD5 authentication purposes.

MD5 is a one-way message digest or secure hash function, produced by RSA Data Security, Inc. It is also occasionally referred to as a cryptographic checksum because it works in somewhat the same way as an arithmetic checksum. MD5 computes a 128-bit hash value from a plain text message of arbitrary length (a RIPv2 update, for instance) and a password. This “fingerprint” is transmitted along with the message. The receiver, knowing the same password, calculates its own hash value. If nothing in the message has changed, the receiver’s hash value should match the sender’s value transmitted with the message.

The Cisco implementation of RIPv2 message authentication includes the choice of simple password or MD5 authentication, and the option of defining multiple keys, or passwords, on a “key chain.” The router may then be configured to use different keys at different times.

A key chain must be configured, even if there is only one key on it. Although any routers that will exchange authenticated updates must have the same password, the name of the key chain has significance only on the local router. When configuring clear text authentication the key numbers do not have to match, but when configuring MD5 authentication the key numbers must match on both sides for the authentication to be successful. What can happen if both routers have different key numbers (R1 = key 1, R2 = key 2) is that the router with the highest key number will learn the routes from the other router, while the router with the lower number will not learn any routes from the other router. So R2 from my example will only learn routes from R1, and R1 will not learn any routes from R2.

Router(config)#key chain AUTH_R2
Router(config-keychain)#key 1
Router(config-keychain-key)#key-string ERICLEAHY.COM

Key management is used to migrate from one authentication key to another. By defining multiple keys, you can set the times at which each key will begin and end, with the next key taking over when the first key ends. This helps keep the integrity of your keys at a high level. The only downfall is that when running this on multiple routers in your network you will need to keep all keys up to date! A key can also be defined to never expire by adding the keyword infinite after the start time.

Router(config-keychain-key)#accept-lifetime 17:30:00 May 5 2012 duration 43200
Router(config-keychain-key)#send-lifetime 17:30:00 May 5 2012 23:59:59 Dec 24 2012
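The key rollover described above, as an added example (not code from the original post): key 1 carries the accept-lifetime and send-lifetime from the configuration above, key 2 is a constructed successor, and the selection rules are assumptions (the lowest-numbered key whose send window is open signs outgoing updates; a received update is checked against the key whose number it carries, if that key's accept window is open).

```python
from datetime import datetime, timedelta

INFINITE = datetime.max   # stands in for the `infinite` keyword

class Key:
    """One key on a key chain with its accept and send windows (constructed model)."""
    def __init__(self, number, key_string, accept, send):
        self.number, self.key_string = number, key_string
        self.accept, self.send = accept, send    # (start, end) datetime pairs

def lifetime(start, end=None, duration=None):
    """Build a (start, end) window the way the IOS syntax does: end time, duration in seconds, or infinite."""
    if duration is not None:
        return start, start + timedelta(seconds=duration)
    return start, (end if end is not None else INFINITE)

def send_key(chain, now):
    """Key used to sign outgoing updates at `now` (assumed: lowest-numbered key whose send window is open)."""
    for key in sorted(chain, key=lambda k: k.number):
        if key.send[0] <= now < key.send[1]:
            return key
    return None

def accept_key(chain, number, now):
    """Key a received MD5 update carrying key number `number` is checked against, if its accept window is open."""
    return next((k for k in chain if k.number == number and k.accept[0] <= now < k.accept[1]), None)

# Key 1 uses the lifetimes from the configuration above; key 2 is a constructed successor.
KEY_CHAIN = [
    Key(1, "ERICLEAHY.COM",
        lifetime(datetime(2012, 5, 5, 17, 30), duration=43200),
        lifetime(datetime(2012, 5, 5, 17, 30), datetime(2012, 12, 24, 23, 59, 59))),
    Key(2, "KEY2-PLACEHOLDER",
        lifetime(datetime(2012, 5, 6)),
        lifetime(datetime(2012, 12, 25))),
]
```

Note that with the lifetimes as configured, key 1's accept window closes 12 hours after it opens while its send window runs to December, so a peer still sending key 1 in June would be rejected by this router; overlapping accept windows are what make the migration seamless.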

After creating the key(s) you now have to define which interface(s) the keys will be enabled on. MD5 should normally be used; if the MD5 mode is not defined, the key is sent in clear text.

Router(config-if)#ip rip authentication key-chain AUTH_R2

Router(config-if)#ip rip authentication mode ?
md5   Keyed message digest
text  Clear text authentication

Router(config-if)#ip rip authentication mode md5