
RIP/RIPng

Attack Behavior

  • Injection of bad routing information

    Routing Information Protocol (RIP) and RIP next generation (RIPng) accept any packet whose source address is valid and matches the configured network information. Because RIP/RIPng packets carry route data directly, a packet that contains invalid or incorrect routing information causes inaccurate routing database calculation and network failures.

  • Replay attack

    Attackers intercept RIP packets and resend them to a switch repeatedly, increasing the load on the switch.

Security Policy

To defend against the preceding attacks, configure the following security policies on a switch:

  • RIP authentication

    RIP version 2 (RIPv2) supports authentication of protocol packets, which protects against bad routing information, error packets, and replay attacks from the network. Three authentication modes are available: simple authentication, MD5 authentication, and HMAC-SHA256 authentication. Simple authentication and MD5 authentication have potential security risks. HMAC-SHA256 authentication is recommended.

  • CPCAR

    CPCAR limits the rate of RIP/RIPng packets sent to the control plane to ensure control plane security.
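The receiver-side check behind HMAC-SHA256 authentication, shown as an added example that is not Huawei code: it follows the RFC 4822 RIPv2 packet layout, which is an assumption because the page does not describe the switch's wire format. The function names, the neighbor address, and the strictly increasing sequence rule are choices made for this example; the password and key ID are the ones used in the configuration on this page.

```python
import hashlib, hmac, struct

L = hashlib.sha256().digest_size             # 32-byte digest
APAD = bytes.fromhex("878FE1F3") * (L // 4)  # RFC 4822 placeholder for the MAC field

def prep_key(key: bytes) -> bytes:
    # RFC 4822 key preparation: hash keys longer than L, zero-pad shorter ones.
    return hashlib.sha256(key).digest() if len(key) > L else key.ljust(L, b"\0")

def route(prefix: str, mask: str, metric: int) -> bytes:
    # 20-byte RIPv2 route entry: AFI 2 (IPv4), tag 0, next hop 0.0.0.0.
    ip = lambda s: bytes(map(int, s.split(".")))
    return struct.pack("!HH", 2, 0) + ip(prefix) + ip(mask) + bytes(4) + struct.pack("!I", metric)

def build(key: bytes, key_id: int, seq: int, routes) -> bytes:
    body = b"".join(route(*r) for r in routes)
    plen = 4 + 20 + len(body)                # packet length, trailer excluded
    pkt = (struct.pack("!BBH", 2, 2, 0)      # command 2 (response), version 2
           + struct.pack("!HHHBBI8x", 0xFFFF, 3, plen, key_id, L, seq)
           + body + struct.pack("!HH", 0xFFFF, 1))
    # The MAC covers the whole packet with the MAC field itself set to Apad.
    return pkt + hmac.new(prep_key(key), pkt + APAD, hashlib.sha256).digest()

def verify(pkt: bytes, key: bytes, key_id: int, last_seq: dict, neighbor: str) -> str:
    if len(pkt) < 28 + L:
        return "drop: truncated"
    marker, atype, plen, kid, alen, seq = struct.unpack("!HHHBBI", pkt[4:16])
    if (marker, atype, kid, alen) != (0xFFFF, 3, key_id, L) or plen + 4 + L != len(pkt):
        return "drop: bad auth header"
    expect = hmac.new(prep_key(key), pkt[:-L] + APAD, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, pkt[-L:]):
        return "drop: bad MAC"               # injected or altered routing information
    if seq <= last_seq.get(neighbor, -1):
        return "drop: replayed sequence"     # captured packet sent again
    last_seq[neighbor] = seq
    return "accept"

if __name__ == "__main__":
    key, seen = b"admin@huawei", {}          # password and key ID 255 from this page
    p = build(key, 255, 10, [("10.1.0.0", "255.255.0.0", 1)])  # constructed update
    print(verify(p, key, 255, seen, "192.0.2.1"))  # first delivery
    print(verify(p, key, 255, seen, "192.0.2.1"))  # same packet replayed
```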

Configuration Method

  • Configure RIP authentication.

    Configure HMAC-SHA256 authentication, and set the authentication password to admin@huawei and authentication identifier to 255.

    <HUAWEI> system-view
    [HUAWEI] interface vlanif 100
    [HUAWEI-Vlanif100] rip authentication-mode hmac-sha256 cipher admin@huawei 255

  • Modify the CPCAR value of RIP/RIPng packets.

    Improper CPCAR settings will affect services. If you need to adjust CPCAR settings, contact technical support personnel.

    Set the rate limit for RIP packets sent to the control plane to 64 kbit/s.

    <HUAWEI> system-view
    [HUAWEI] cpu-defend policy 1
    [HUAWEI-cpu-defend-policy-1] car packet-type rip cir 64
    [HUAWEI-cpu-defend-policy-1] quit
    [HUAWEI] cpu-defend-policy 1 global
    [HUAWEI] cpu-defend-policy 1
    

    Set the rate limit for RIPng packets sent to the control plane to 64 kbit/s.

    <HUAWEI> system-view
    [HUAWEI] cpu-defend policy 1
    [HUAWEI-cpu-defend-policy-1] car packet-type ripng cir 64
    [HUAWEI-cpu-defend-policy-1] quit
    [HUAWEI] cpu-defend-policy 1 global
    [HUAWEI] cpu-defend-policy 1
    
Copyright © Huawei Technologies Co., Ltd.