Securing Routing Protocols

Prerequisite – Routing Information Protocol (RIP), EIGRP fundamentals, OSPF protocol fundamentals
Routing is the process by which a layer 3 device (a router or a layer 3 switch) finds the best path between the source and destination networks. Dynamic routing protocols reduce administrative overhead, i.e., the administrator has less to configure. By default, however, the routing information is not encrypted and is visible to all interested parties, which leaves it open to attack.

We can secure routing protocols such as RIP, EIGRP and OSPF by adding authentication: create a key chain and apply it to the interface on which the routes are advertised. Here we will not discuss the protocols themselves; instead, we will configure authentication on RIP, EIGRP and OSPF.

1. Routing Information Protocol (RIP) –
RIP is a distance vector routing protocol which uses port number 520 and has an Administrative Distance of 120. It is an application layer protocol and has 3 versions, of which only version 2 supports authentication.



Configuration –

There are 3 routers named router1 (IP address 192.168.1.1 on ethernet0/0), router2 (IP address 192.168.1.2 on ethernet0/0 and 192.168.2.1 on ethernet0/1) and router3 (IP address 192.168.2.2 on ethernet0/0). router1 will not be able to ping router3 as it has no route to the 192.168.2.0 network. To fix this, we will configure RIP routing on all the routers and then put authentication on them.

First configuring router1 for RIP:

router1(config)#router rip
router1(config-router)#network 192.168.1.0
router1(config-router)#no auto-summary
router1(config-router)#version 2

Now, configuring RIP for router2:

router2(config)#router rip
router2(config-router)#network 192.168.1.0
router2(config-router)#network 192.168.2.0
router2(config-router)#no auto-summary
router2(config-router)#version 2

Now, configuring RIP for router3:

router3(config)#router rip
router3(config-router)#network 192.168.2.0
router3(config-router)#no auto-summary 
router3(config-router)#version 2

Here, we have enabled version 2 of RIP as it supports authentication. Now that router3 (192.168.2.2) can be pinged from router1 (192.168.1.1), put authentication on the routers one by one. First, make a key chain and apply it to the interface:

router1(config)#key chain cisco
router1(config-keychain)#key 1
router1(config-keychain-key)#key-string cisco1
router1(config-keychain-key)#exit
router1(config-keychain)#exit
router1(config)#int ethernet0/0
router1(config-if)#ip rip authentication mode md5
router1(config-if)#ip rip authentication key-chain cisco

Here, we have created a key chain named cisco with key ID 1 and key-string cisco1, and applied it to the interface ethernet0/0 (on which RIP is advertised).
Now create the same key chain on router2:

router2(config)#key chain cisco
router2(config-keychain)#key 1
router2(config-keychain-key)#key-string cisco1
router2(config-keychain-key)#exit
router2(config-keychain)#exit
router2(config)#int ethernet0/0
router2(config-if)#ip rip authentication mode md5
router2(config-if)#ip rip authentication key-chain cisco

Note – The key chain configuration, its key ID and its key-string should be the same on both routers.

2. Enhanced Interior Gateway Routing Protocol –
EIGRP is an advanced distance vector routing protocol which uses protocol number 88 and has an Administrative Distance of 90. It is a network layer protocol which supports clear text and MD5 authentication.


Configuration –

Taking the same topology, there are 3 routers named router1 (IP address 192.168.1.1 on ethernet0/0), router2 (IP address 192.168.1.2 on ethernet0/0 and 192.168.2.1 on ethernet0/1) and router3 (IP address 192.168.2.2 on ethernet0/0). Here also, router1 will not be able to ping router3 as it has no route to the 192.168.2.0 network. To fix this, we will configure EIGRP routing on all the routers and then put authentication on them.

Configuring EIGRP on router1:

router1(config)#router eigrp 100
router1(config-router)#network 192.168.1.0
router1(config-router)#no auto-summary

Here, Autonomous System Number 100 is used.
Configuring EIGRP on router2:

router2(config)#router eigrp 100
router2(config-router)#network 192.168.1.0
router2(config-router)#network 192.168.2.0
router2(config-router)#no auto-summary

Configuring EIGRP on router3:

router3(config)#router eigrp 100
router3(config-router)#network 192.168.2.0
router3(config-router)#no auto-summary

Now, put authentication on the routers running EIGRP, starting with router1:

router1(config)#key chain cisco
router1(config-keychain)#key 1
router1(config-keychain-key)#key-string cisco1
router1(config-keychain-key)#exit
router1(config-keychain)#exit
router1(config)#int ethernet0/0
router1(config-if)#ip authentication mode eigrp 100 md5
router1(config-if)#ip authentication key-chain eigrp 100 cisco

Configuring same on router2:

router2(config)#key chain cisco
router2(config-keychain)#key 1
router2(config-keychain-key)#key-string cisco1
router2(config-keychain-key)#exit
router2(config-keychain)#exit
router2(config)#int ethernet0/0
router2(config-if)#ip authentication mode eigrp 100 md5
router2(config-if)#ip authentication key-chain eigrp 100 cisco

Note – The key chain configuration, its key ID and its key-string should be the same on both routers.

3. Open Shortest Path First (OSPF) –
OSPF is a link-state routing protocol which uses protocol number 89 and has an Administrative Distance of 110. It is a network layer protocol which supports clear text and MD5 authentication.


Configuration –

Taking the same topology, there are 3 routers named router1 (IP address 192.168.1.1 on ethernet0/0), router2 (IP address 192.168.1.2 on ethernet0/0 and 192.168.2.1 on ethernet0/1) and router3 (IP address 192.168.2.2 on ethernet0/0). We will configure OSPF routing on all the routers and then put authentication on them.
Configuring OSPF on router1:

router1(config)#router ospf 1
router1(config-router)#network 192.168.1.0 0.0.0.255 area 0

Configuring OSPF on router2:

router2(config)#router ospf 1
router2(config-router)#network 192.168.1.0 0.0.0.255 area 0
router2(config-router)#network 192.168.2.0 0.0.0.255 area 0

Configuring OSPF on router3:

router3(config)#router ospf 1
router3(config-router)#network 192.168.2.0 0.0.0.255 area 0

Configuring authentication on router1:

router1(config)#key chain cisco
router1(config-keychain)#key 1
router1(config-keychain-key)#key-string cisco1
router1(config-keychain-key)#exit
router1(config-keychain)#exit
router1(config)#int ethernet0/0
router1(config-if)#ip ospf authentication message-digest
router1(config-if)#ip ospf message-digest-key 1 md5 cisco1

Configuring authentication on router2:

router2(config)#key chain cisco
router2(config-keychain)#key 1
router2(config-keychain-key)#key-string cisco1
router2(config-keychain-key)#exit
router2(config-keychain)#exit
router2(config)#int ethernet0/0
router2(config-if)#ip ospf authentication message-digest
router2(config-if)#ip ospf message-digest-key 1 md5 cisco1

With message-digest authentication, OSPF takes the MD5 key from ip ospf message-digest-key on the interface (here key ID 1 and key-string cisco1), so the key ID and string given there must match on both routers; ip ospf authentication-key sets only the clear-text password.

Note –

  • The key chain configuration, its key ID and its key-string should be the same on both routers.
  • MD5 is susceptible to brute-force attacks; therefore, it is advised to use long passwords containing numbers or special characters.
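
An added example (not part of the original article): a small Python audit of IOS running-config text that reports interfaces with an IP address that lack the MD5 mode command or the key command for RIP, EIGRP or OSPF, and key chains that are referenced but carry no key-string. It assumes every addressed interface runs the protocol being checked; the names parse, audit, REQUIRED and ROUTER2 and the sample configuration are constructed for illustration. For OSPF it looks for ip ospf message-digest-key, the interface command that carries the MD5 key.

```python
import re

# Per protocol: (MD5 mode command, key command) as regexes over Cisco IOS interface lines.
REQUIRED = {
    "rip": (r"ip rip authentication mode md5", r"ip rip authentication key-chain (\S+)"),
    "eigrp": (r"ip authentication mode eigrp \d+ md5",
              r"ip authentication key-chain eigrp \d+ (\S+)"),
    "ospf": (r"ip ospf authentication message-digest", r"ip ospf message-digest-key \d+ md5 .+"),
}

def parse(config):
    """Split running-config text into {interface: cmds} and {key chain: cmds}."""
    interfaces, chains, section = {}, {}, None
    for raw in config.splitlines():
        m = re.match(r"(interface|key chain) (\S+)", raw)
        if m:
            store = interfaces if m.group(1) == "interface" else chains
            section = store.setdefault(m.group(2), [])
        elif raw.startswith(" ") and section is not None:
            section.append(raw.strip())        # indented line inside the open section
        else:
            section = None                     # "!" or another top-level command
    return interfaces, chains

def audit(config, protocol):
    """Return findings for IP interfaces that lack working MD5 authentication."""
    interfaces, chains = parse(config)
    routed = {n: c for n, c in interfaces.items() if any(x.startswith("ip address") for x in c)}
    findings = []
    for name, cmds in routed.items():
        for label, rx in zip(("MD5 mode", "key"), REQUIRED[protocol]):
            hit = next(filter(None, (re.fullmatch(rx, c) for c in cmds)), None)
            if hit is None:
                findings.append(f"{name}: no {protocol} {label}")
            elif hit.groups() and "key-string" not in " ".join(chains.get(hit.group(1), [])):
                findings.append(f"{name}: key chain {hit.group(1)} has no key-string")
    return findings

# Constructed sample: router2 after the RIP steps on this page (only ethernet0/0 secured).
ROUTER2 = """key chain cisco
 key 1
  key-string cisco1
interface Ethernet0/0
 ip address 192.168.1.2 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain cisco
interface Ethernet0/1
 ip address 192.168.2.1 255.255.255.0
"""
```

Calling audit(ROUTER2, "rip") reports Ethernet0/1, the link towards router3, which has no authentication commands in this sample.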

