Routing Information Protocol (RIP)

Authentication and key-chain

RIP version 2 uses authentication keys to ensure that the routing information exchanged between routers is reliable. RIP version 1 has no authentication. For authentication to work, both the sending and receiving routers must be set to use authentication and must be configured with the same keys.

The sending and receiving routers need to have their system dates and times synchronized to ensure both ends are using the same keys at the proper times. However, you can overlap the key lifetimes to ensure that a key is always available even if there is some difference in the system times.

A key chain is a list of one or more authentication keys including the send and receive lifetimes for each key. Keys are used for authenticating routing packets only during the specified lifetimes. The FortiGate unit migrates from one key to the next according to the scheduled send and receive lifetimes.

Key-chain is a CLI router command. You use this command to manage RIP version 2 authentication keys. You can add, edit or delete keys identified by the specified key number.

This example shows how to configure a key-chain with two keys that are valid sequentially in time. It creates a key-chain called “rip_key” whose first key has a password of “fortinet”. The accept and send lifetimes are both set to the same values: a start time of 9:00am February 23, 2010 and an end time of 9:00am March 17, 2010. A second key is configured with a password of “my_fortigate” that is valid from March 17, 2010 9:01am to April 1, 2010 9:00am. This “rip_key” key-chain is then used on the port1 interface in RIP.

config router key-chain
    edit "rip_key"
        config key
            edit 1
                set accept-lifetime 09:00:00 23 02 2010 09:00:00 17 03 2010
                set key-string "fortinet"
                set send-lifetime 09:00:00 23 02 2010 09:00:00 17 03 2010
            next
            edit 2
                set accept-lifetime 09:01:00 17 03 2010 09:00:00 1 04 2010
                set key-string "my_fortigate"
                set send-lifetime 09:01:00 17 03 2010 09:00:00 1 04 2010
            next
        end
end

config router rip
    config interface
        edit port1
            set auth-keychain "rip_key"
    end
end
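The lifetimes in this example leave one minute on March 17, 2010 (09:00:00 to 09:01:00) in which neither key is valid, which is the situation the overlap advice above is meant to avoid. The Python script below is an added example, not part of the original page or of any Fortinet tooling; it parses lifetimes in the format shown above and reports handovers where no key is valid, with an optional clock-skew margin. The names RIP_KEY, parse_lifetime and find_gaps are assumptions of this example.

```python
# Added example: audit FortiOS key-chain lifetimes for coverage gaps.
from datetime import datetime, timedelta

FMT = "%H:%M:%S %d %m %Y"  # field order used on this page: hh:mm:ss day month year

# Lifetimes copied from the "rip_key" example above (key id -> settings).
RIP_KEY = {
    1: {"accept": "09:00:00 23 02 2010 09:00:00 17 03 2010",
        "send":   "09:00:00 23 02 2010 09:00:00 17 03 2010"},
    2: {"accept": "09:01:00 17 03 2010 09:00:00 1 04 2010",
        "send":   "09:01:00 17 03 2010 09:00:00 1 04 2010"},
}

def parse_lifetime(value):
    """Split 'start end' (four fields each) into two datetimes."""
    f = value.split()
    if len(f) != 8:
        raise ValueError(f"expected 8 fields, got {len(f)}: {value!r}")
    start = datetime.strptime(" ".join(f[:4]), FMT)
    end = datetime.strptime(" ".join(f[4:]), FMT)
    if end <= start:
        raise ValueError(f"lifetime ends before it starts: {value!r}")
    return start, end

def find_gaps(chain, kind, skew=timedelta(0)):
    """Return (prev_id, next_id, gap) for each handover without coverage.

    skew is the clock difference to tolerate between peers: consecutive
    keys must overlap by at least that much or the handover is reported.
    A negative gap means the keys overlap, but by less than skew.
    """
    spans = sorted((parse_lifetime(k[kind]), kid) for kid, k in chain.items())
    gaps = []
    (_, covered_until), prev_id = spans[0]
    for (start, end), kid in spans[1:]:
        if start > covered_until - skew:
            gaps.append((prev_id, kid, start - covered_until))
        if end > covered_until:
            covered_until, prev_id = end, kid
    return gaps

if __name__ == "__main__":
    for kind in ("accept", "send"):
        for prev_id, kid, gap in find_gaps(RIP_KEY, kind):
            print(f"{kind}: key {prev_id} -> key {kid}, uncovered {gap}")
```

Run against the values above, it reports a 0:01:00 gap between key 1 and key 2 for both the accept and send lifetimes.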

The CLI commands associated with authentication keys include:

config router key-chain

config router rip
    config interface
        edit <interface>
            set auth-keychain
            set auth-mode
            set auth-string
    end
end
