Configuring RIP-2 Packet Authentication

Context

Configure RIP-2 packet authentication on a RIP network requiring high security.

RIP-2 can perform simple authentication or MD5 authentication on protocol packets. In simple authentication, the authentication key is used in plain text, so simple authentication provides lower security than MD5 authentication.

If plain is selected when the RIP-2 packet authentication mode is configured, the password is saved in the configuration file in plain text, which poses a security risk. It is recommended that you select cipher so that the password is saved in ciphertext.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. (Optional) On an Ethernet interface, run undo portswitch

    The interface is switched to Layer 3 mode.

    By default, an Ethernet interface works in Layer 2 mode.

    Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support switching between Layer 2 and Layer 3 modes.

  4. Configure RIP-2 packet authentication.

    • Run the rip authentication-mode simple { plain plain-text | [ cipher ] password-key } command to set RIP-2 packet authentication to simple authentication.

    • Run the following commands to set RIP-2 packet authentication to MD5 authentication.

      • rip authentication-mode md5 usual { plain plain-text | [ cipher ] password-key }
      • rip authentication-mode md5 nonstandard { keychain keychain-name | { plain plain-text | [ cipher ] password-key } key-id }

      Simple authentication and MD5 authentication have potential risks. HMAC-SHA256 ciphertext authentication is recommended.

      If MD5 authentication is used, you must set the packet format for MD5 authentication. If the usual keyword is specified, MD5 ciphertext authentication packets use the universal format (private standard). If the nonstandard keyword is specified, MD5 ciphertext authentication packets use the non-standard format (IETF standard).

      Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support the keychain keychain-name parameter.

    • Run the rip authentication-mode hmac-sha256 { plain plain-text | [ cipher ] password-key } key-id command to set RIP-2 packet authentication to HMAC-SHA256 authentication.
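
A configuration audit for the modes listed in step 4, as an added example that is not part of the original documentation: it scans saved configuration text for rip authentication-mode lines and flags simple or MD5 modes and keys entered with plain. The sample configuration, interface names, keychain name and key strings are constructed, and the one-command-per-line layout under each interface is an assumption.

```python
import re

# Matches the command forms listed in step 4 of the procedure.
AUTH_RE = re.compile(
    r"^\s*rip authentication-mode\s+"
    r"(simple|md5\s+(?:usual|nonstandard)|hmac-sha256)\s+(\S.*)$"
)
IFACE_RE = re.compile(r"^interface\s+(\S+)")

def audit_rip_auth(config_text):
    """Return (interface, mode, findings) for every rip authentication-mode line."""
    results, interface = [], None
    for line in config_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            interface = m.group(1)  # remember which interface view we are in
            continue
        m = AUTH_RE.match(line)
        if not m:
            continue
        mode = " ".join(m.group(1).split())  # normalise internal whitespace
        args = m.group(2).split()            # plain/cipher/keychain, key, key-id
        findings = []
        if mode == "simple":
            findings.append("simple authentication: lower security than MD5")
        elif mode.startswith("md5"):
            findings.append("MD5 authentication: HMAC-SHA256 is recommended")
        if args[0] == "plain":
            findings.append("plain keyword: key is saved in plain text, use cipher")
        results.append((interface, mode, findings))
    return results

# Constructed sample; interface names and key strings are placeholders.
SAMPLE_CONFIG = """\
interface Vlanif10
 rip authentication-mode simple plain ExampleKey1
interface Vlanif20
 rip authentication-mode md5 nonstandard keychain example-keychain
interface Vlanif30
 rip authentication-mode hmac-sha256 cipher EXAMPLE-CIPHERTEXT 1
"""

if __name__ == "__main__":
    for interface, mode, findings in audit_rip_auth(SAMPLE_CONFIG):
        print(interface, mode, findings or ["ok"])
```

An empty findings list means the line uses HMAC-SHA256 without the plain keyword.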

Copyright © Huawei Technologies Co., Ltd.