Configuring an Authentication Mode for RIP-2 Packets

RIP-2 supports authentication for protocol packets. By default, authentication is not configured for RIP. Configuring authentication is recommended to ensure system security.

Procedure

Run system-view
The system view is displayed.
Run interface interface-type interface-number
The interface view is displayed.
Perform the following operations as required:
- Run rip authentication-mode simple { plain plain-text | [ cipher ] password-key }
  
  Simple authentication is configured for RIP-2 packets.
  
  In simple authentication mode, the password in simple text mode is transmitted along with each authentication packet. Therefore, simple authentication is not recommended on networks requiring high security.
- Run rip authentication-mode md5 { nonstandard { { plain plain-text | [ cipher ] password-key } key-id | keychain keychain-name } | usual { plain plain-text | [ cipher ] password-key } }
  
  Message Digest 5 (MD5) authentication is configured for RIP-2 packets.
  
  In MD5 authentication mode, the MD5 password is used for packet encapsulation and decapsulation. MD5 authentication is more secure than simple authentication.
  
  For the sake of security, using the HMAC-SHA256 algorithm rather than the MD5 algorithm is recommended.
  
  nonstandard supports nonstandard authentication packets.
  
  usual supports Internet Engineering Task Force (IETF) standard authentication packets.
- Run rip authentication-mode hmac-sha256 { plain plain-text | [ cipher ] password-key } key-id
  
  Hash Message Authentication Code for Secure Hash Algorithm 256 (HMAC-SHA256) authentication is configured for RIP-2 packets.
When configuring an authentication password, select the ciphertext mode because the password is saved in configuration files in simple text if you select simple text mode, which has a high risk. To ensure device security, change the password periodically.
Run commit
The configuration is committed.

Result

The following section describes the changes in RIP neighbor relationships and data traffic volumes during the upgrade from RIP-1 to RIP-2 with authentication.

Scenario 1: Figure 1 shows a P2P topology, and an upgrade from RIP-1 to RIP-2 with authentication is performed on Device A and Device B that use the default configuration.

Figure 1 RIP neighbor relationship over a P2P link

With the default configuration, packet sending and receiving on one end of the P2P link are the same as those on the other end.

Interface 1 on Device A: (Default version or RIP-1-compatible version)
Send: Version 1
Receive: Version 1 and Version 2 broadcast and multicast

Interface 2 on Device B: (Default version or RIP-1-compatible version)
Send: Version 1
Receive: Version 1 and Version 2 broadcast and multicast

Step 1: Configure authentication on interface 1 of Device A.
```
Interface 1 on Device A: (Default version or RIP-1-compatible version)
Send: Version 1
Receive: Version 1 and Version 2 broadcast and multicast with authentication

Device B: (Default version or RIP-1-compatible version)
Send: Version 1
Receive: Version 1 and Version 2 broadcast and multicast
```
Authentication applies to RIP-2 packets, not to RIP-1 packets; however, the packets exchanged between Device A and Device B are RIP-1 packets. Therefore, the RIP neighbor relationships and data traffic volumes remain unchanged after this step is performed.

Step 2: Configure the same authentication mode on interface 2 of Device B.

Interface 1 on Device A: (Default version or RIP-1-compatible version)
Send: Version 1
Receive: Version 1 and Version 2 broadcast and multicast with authentication

Interface 2 on Device B: (Default version or RIP-1-compatible version)
Send: Version 1
Receive: Version 1 and Version 2 broadcast and multicast with authentication

Authentication applies to RIP-2 packets, not to RIP-1 packets; however, the packets exchanged between Device A and Device B are still RIP-1 packets. Therefore, the RIP neighbor relationships and data traffic volumes remain unchanged after this step is performed.

Step 3: Configure RIP-2 in broadcast mode on interface 1 of Device A.
```
Interface 1 on Device A: (RIP-2 in broadcast mode)
Send: Version 2 broadcast with authentication 
Receive: Version 1 and Version 2 broadcast and multicast with authentication

Interface 2 on Device B: (Default version or RIP-1-compatible version)
Send: Version 1
Receive: Version 1 and Version 2 broadcast and multicast with authentication
```
Device A broadcasts RIP-2 packets with authentication to Device B. Because the same authentication mode is configured on Device B, Device B accepts these packets. Device B sends RIP-1 packets without authentication to Device A. Although RIP-2 in broadcast mode with authentication is configured on Device A, Device A also accepts RIP-1 packets.

Therefore, the RIP neighbor relationships and data traffic volumes remain unchanged after this step is performed.
Step 4: Configure RIP-2 in broadcast mode on interface 2 of Device B.
```
Interface 1 on Device A: (RIP-2 in broadcast mode)
Send: Version 2 broadcast with authentication 
Receive: Version 1 and Version 2 broadcast and multicast with authentication

Interface 2 on Device B: (RIP-2 in broadcast mode)
Send: Version 2 broadcast with authentication  
Receive: Version 1 and Version 2 broadcast and multicast with authentication
```
Device A and Device B broadcast RIP-2 packets with authentication. Because the same authentication mode is configured on Device A and Device B, they accept the broadcast RIP-2 packets with authentication. Therefore, the RIP neighbor relationships and data traffic volumes remain unchanged after this step is performed.
Step 5: Configure RIP-2 on interface 1 of Device A.
```
Interface 1 on Device A: (RIP-2 in broadcast mode)
Send: Version 2 multicast with authentication 
Receive: Version 2 broadcast and multicast with authentication

Interface 2 on Device B:
Send: Version 2 broadcast with authentication 
Receive: Version 1 and Version 2 broadcast and multicast with authentication
```
Device A and Device B multicast RIP-2 packets with authentication. Because authentication is configured on Device B, Device B accepts the packets from Device A. Device B broadcasts RIP-2 packets with authentication to Device A, and Device A accepts these packets. Therefore, the RIP neighbor relationships and data traffic volumes remain unchanged after this step is performed.
Step 6: Configure RIP-2 on interface 2 of Device B.
```
Interface 1 on Device A: (RIP-2)
Send: Version 2 multicast with authentication
Receive: Version 2 broadcast and multicast with authentication

Interface 2 on Device B: (RIP-2)
Send: Version 2 multicast with authentication
Receive: Version 2 broadcast and multicast with authentication
```
Device A and Device B multicast RIP-2 packets with authentication. Because the same authentication mode is configured on Device A and Device B, they accept the multicast RIP-2 packets with authentication from each other. Therefore, the RIP neighbor relationships and data traffic volumes remain unchanged after this step is performed.

Scenario 2: Figure 2 shows a broadcast topology, and an upgrade from RIP-1 (or RIP-1-compatible version) to RIP-2 is performed on devices.

Figure 2 RIP neighbor relationship over a broadcast link

Interface 2 on Device B: (Default version or RIP-1-compatible version)
Send: Version 1
Receive: Version 1 and version 2 broadcast and multicast 

Interface 1 on Device A: (RIP-1)
Send: Version 1
Receive: Version 1

Interface 3 on Device C: (RIP-1)
Send: Version 1
Receive: Version 1

All devices in the networking use interface-level RIP configuration.

Step 1: Configure authentication on Device A.

Interface 2 on Device B: (Default version or RIP-1-compatible version)
Send: Version 1
Receive: Version 1 and version 2 broadcast and multicast 

Interface 1 on Device A: (RIP-1)
Send: Version 1
Receive: Version 1

Interface 3 on Device C: (RIP-1)
Send: Version 1
Receive: Version 1

Authentication applies to RIP-2 packets, not to RIP-1 packets. Therefore, the authentication on a RIP-1 interface does not affect RIP-1 packets.

Step 2: Configure authentication on Device C.

Interface 2 on Device B: (Default version or RIP-1-compatible version)
Send: Version 1
Receive: Version 1 and version 2 broadcast and multicast 

Interface 1 on Device A: (RIP-1)
Send: Version 1
Receive: Version 1

Interface 3 on Device C: (RIP-1)
Send: Version 1
Receive: Version 1

Authentication applies to RIP-2 packets, not to RIP-1 packets. Therefore, the authentication on a RIP-1 interface does not affect RIP-1 packets.

Step 3: Configure authentication on Device B.
```
Interface 2 on Device B: (Default version or RIP-1-compatible version)
Send: Version 1
Receive: Version 1 and version 2 broadcast and multicast with authentication

Interface 1 on Device A: (RIP-1)
Send: Version 1
Receive: Version 1

Interface 3 on Device C: (RIP-1)
Send: Version 1
Receive: Version 1
```
Authentication applies to RIP-2 packets, not to RIP-1 packets. Therefore, the authentication on an interface that runs RIP of the default version (RIP-1) does not affect RIP-1 packets. If RIP-2 packets are received, they are accepted only after they are authenticated. No RIP-2 packets are sent in this scenario. Therefore, the RIP neighbor relationships and data traffic volumes remain unchanged after this step is performed.

Step 4: Run the undo rip version command on Device A.

Interface 2 on Device B: (Default version or RIP-1-compatible version)
Send: Version 1
Receive: Version 1 and version 2 broadcast and multicast with authentication

Interface 1 on Device A: (Default version or RIP-1-compatible version)
Send: Version 1
Receive: Version 1 and version 2 broadcast and multicast with authentication

Interface 3 on Device C: (RIP-1)
Send: Version 1
Receive: Version 1

If the undo rip version 1 command is run on the interface of Device B, the interface uses RIP of the default version (RIP-1) or RIP-1-compatible version. All the devices exchange RIP-1 packets in this scenario. Therefore, the RIP neighbor relationships and data traffic volumes remain unchanged after this step is performed.

Step 5: Run the undo rip version command on Device C.

Interface 2 on Device B: (Default version or RIP-1-compatible version)
Send: Version 1
Receive: Version 1 and version 2 broadcast and multicast with authentication

Interface 1 on Device A: (Default version or RIP-1-compatible version)
Send: Version 1
Receive: Version 1 and version 2 broadcast and multicast with authentication

Interface 3 on Device C: (Default version or RIP-1-compatible version)
Send: Version 1
Receive: Version 1 and version 2 broadcast and multicast with authentication

If the undo rip version 1 command is run on the interface of Device C, the interface uses RIP of the default version (RIP-1) or RIP-1-compatible version. All the devices exchange RIP-1 packets in this scenario. Therefore, the RIP neighbor relationships and data traffic volumes remain unchanged after this step is performed.

Step 6: Configure RIP-2 in broadcast mode on Device A.

Interface 2 on Device B: (Default version or RIP-1-compatible version)
Send: Version 1
Receive: Version 1 and version 2 broadcast and multicast with authentication

Interface 1 on Device A: (RIP-2 in broadcast mode)
Send: Version 2 broadcast with authentication  
Receive: Version 1 and version 2 broadcast and multicast with authentication

Interface 3 on Device C: (Default version or RIP-1-compatible version)
Send: Version 1
Receive: Version 1 and version 2 broadcast and multicast with authentication

If the rip version 2 broadcast command is run on the interface of Device A, the interface broadcasts RIP-2 packets with authentication. Because authentication is configured on other interfaces, all these interfaces accept the RIP-2 packets from Device A and respond with RIP-1 packets. Device A accepts these RIP-1 packets. Therefore, the RIP neighbor relationships and data traffic volumes remain unchanged after this step is performed.

Step 7: Configure RIP-2 in broadcast mode on Device C.

Interface 2 on Device B: (Default version or RIP-1-compatible version)
Send: Version 1
Receive: Version 1 and version 2 broadcast and multicast with authentication

Interface 1 on Device A: (RIP-2 in broadcast mode)
Send: Version 2 broadcast with authentication  
Receive: Version 1 and version 2 broadcast and multicast with authentication

Interface 3 on Device C: (RIP-2 in broadcast mode)
Send: Version 2 broadcast with authentication  
Receive: Version 1 and version 2 broadcast and multicast with authentication

If the rip version 2 broadcast command is run on the interface of Device C, the interface broadcasts RIP-2 packets with authentication. Because authentication is configured on other interfaces, all these interfaces accept the RIP-2 packets from Device C. Device B still broadcasts RIP-1 packets. Upon receipt of these packets, Device A and Device C accept them. Therefore, the RIP neighbor relationships and data traffic volumes remain unchanged after this step is performed.

Step 8: Configure RIP-2 in broadcast mode on Device B.

Interface 2 on Device B: (RIP-2 in broadcast mode)
Send: Version 2 broadcast with authentication  
Receive: Version 1 and version 2 broadcast and multicast with authentication

Interface 1 on Device A: (RIP-2 in broadcast mode)
Send: Version 2 broadcast with authentication  
Receive: Version 1 and version 2 broadcast and multicast with authentication

Interface 3 on Device C: (RIP-2 in broadcast mode)
Send: Version 2 broadcast with authentication  
Receive: Version 1 and version 2 broadcast and multicast with authentication

If the rip version 2 broadcast command is run on the interface of Device B, the interface broadcasts RIP-2 packets with authentication. Because authentication is configured on other interfaces, all these interfaces accept the RIP-2 packets from Device B and also broadcast RIP-2 packets with authentication. All the interfaces accept packets from each other. Therefore, the RIP neighbor relationships and data traffic volumes remain unchanged after this step is performed.

Step 9: Configure RIP-2 on Device A.

Interface 2 on Device B: (RIP-2 in broadcast mode)
Send: Version 2 broadcast with authentication  
Receive: Version 1 and version 2 broadcast and multicast with authentication

Interface 1 on Device A: (RIP-2)
Send: Version 2 multicast with authentication
Receive: Version 2 broadcast and multicast with authentication

Interface 3 on Device C: (RIP-2 in broadcast mode)
Send: Version 2 broadcast with authentication  
Receive: Version 1 and version 2 broadcast and multicast with authentication

If the rip version 2 command is run on the interface of Device A, the interface multicasts RIP-2 packets with authentication. Because authentication is configured on other interfaces, all these interfaces accept the RIP-2 packets from Device A and broadcast RIP-2 packets with authentication. All the interfaces accept packets from each other. Therefore, the RIP neighbor relationships and data traffic volumes remain unchanged after this step is performed.

Step 10: Configure RIP-2 on Device C.
```
Interface 2 on Device B: (RIP-2 in broadcast mode)
Send: Version 2 broadcast with authentication  
Receive: Version 1 and version 2 broadcast and multicast with authentication

Interface 1 on Device A: (RIP-2)
Send: Version 2 multicast with authentication
Receive: Version 2 broadcast and multicast with authentication

Interface 3 on Device C: (RIP-2)
Send: Version 2 multicast with authentication 
Receive: Version 2 broadcast and multicast with authentication
```
If the rip version 2 command is run on the interface of Device C, the interface multicasts RIP-2 packets with authentication. Because authentication is configured on other interfaces, all these interfaces accept the RIP-2 packets from Device C. Device B broadcasts RIP-2 packets with authentication, and Device A multicasts RIP-2 packets with authentication. All the interfaces accept packets from each other. Therefore, the RIP neighbor relationships and data traffic volumes remain unchanged after this step is performed.
Step 11: Configure RIP-2 on Device B.
```
Interface 2 on Device B: (RIP-2)
Send: Version 2 multicast with authentication
Receive: Version 2 broadcast and multicast with authentication

Interface 1 on Device A: (RIP-2)
Send: Version 2 multicast with authentication
Receive: Version 2 broadcast and multicast with authentication

Interface 3 on Device C: (RIP-2)
Send: Version 2 multicast with authentication 
Receive: Version 2 broadcast and multicast with authentication
```
If the rip version 2 command is run on the interface of Device B, the interface multicasts RIP-2 packets with authentication. Because authentication is configured on other interfaces, all these interfaces accept the RIP-2 packets from Device B and multicast RIP-2 packets with authentication. All the interfaces accept packets from each other. Therefore, the RIP neighbor relationships and data traffic volumes remain unchanged after this step is performed.

Scenario 3: RIP-2 or RIP-2 in broadcast mode is enabled on all devices.

In this scenario, if RIP authentication is configured on all devices, packets may be discarded in the following cases because authentication configuration synchronization cannot be ensured during authentication:

RIP packets with authentication information are received by interfaces without authentication configuration.
RIP packets without authentication information are received by interfaces with authentication configuration.

After all the configurations are performed, RIP packets are authenticated and accepted by all interfaces with authentication configuration. When the default timer is used, RIP considers a route invalid only if it does not receive any Update packet within six update intervals. Therefore, if all the configurations are completed within the six update intervals, no traffic is interrupted.