RIP-2 MD5 Authentication
RFC 2082                RIP-2 MD5 Authentication            January 1997


   mechanism is), it provides a greatly enhanced probability that a
   system being attacked will detect and ignore hostile messages.  This
   is because we transmit the output of an authentication algorithm
   (e.g., Keyed MD5) rather than the secret RIP-2 Authentication Key.
   This output is a one-way function of a message and a secret RIP-2
   Authentication Key.  This RIP-2 Authentication Key is never sent over
   the network in the clear, thus providing protection against the
   passive attacks now commonplace in the Internet.

   In this way, protection is afforded against forgery or message
   modification.  It is possible to replay a message until the sequence
   number changes, but the sequence number makes replay in the long term
   less of an issue.  The mechanism does not afford confidentiality,
   since messages stay in the clear; however, the mechanism is also
   exportable from most countries, a test that a privacy algorithm would
   fail.

   Other relevant rationales for the approach are that Keyed MD5 is
   being used for OSPF cryptographic authentication, and is therefore
   present in routers already, as is some form of password management.
   A similar approach has been standardized for use in IP-layer
   authentication. [7]
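   The receiver-side behaviour described above (only the keyed digest
   travels on the wire, forgery and modification are detected, replay is
   possible until the sequence number changes), as an example added by
   the editor rather than text or code from the RFC. It uses the
   Authentication Type value 3 and the digest offset that section 3.1
   introduces; the 0xFFFF/0x01 trailer tag, key id, auth data length
   and sequence number fields follow the RFC 2082 layout as known to the
   editor, keyed MD5 is taken to be MD5 over the message with the
   zero-padded key standing in the digest position, and the key, routes
   and sequence numbers are constructed sample values.

```python
import hashlib
import hmac
import struct

AUTH_TYPE_KEYED_MD5 = 3   # "Authentication Type" value given on this page
AUTH_AFI = 0xFFFF         # address-family marker of a RIP-2 auth entry
DIGEST_LEN = 16           # MD5 digest size; also the reused 16-octet key field


def keyed_digest(msg, key):
    # Keyed MD5 as assumed here: MD5 over the message with the secret key,
    # zero-padded to 16 octets, occupying the digest position.  Only this
    # output goes on the wire; the key itself never does.
    return hashlib.md5(msg + key.ljust(DIGEST_LEN, b"\0")).digest()


def build_message(routes, key, key_id, seq):
    """Build a RIP-2 Response with a Keyed MD5 auth entry and digest trailer."""
    header = struct.pack("!BBH", 2, 2, 0)              # Response, version 2
    body = b"".join(struct.pack("!HHIIII", 2, 0, dst, mask, nh, metric)
                    for dst, mask, nh, metric in routes)
    # Offset from the RIP-2 header to the digest, as this page defines it:
    # header + 20-octet auth entry + route entries + 4-octet trailer tag.
    offset = 4 + 20 + len(body) + 4
    auth = struct.pack("!HHHBBI8x", AUTH_AFI, AUTH_TYPE_KEYED_MD5,
                       offset, key_id, DIGEST_LEN, seq)
    msg = header + auth + body + struct.pack("!HH", AUTH_AFI, 1)
    return msg + keyed_digest(msg, key)


def verify_message(pkt, key, last_seq):
    """Return (accepted, seq, reason); last_seq is the highest sequence seen."""
    if len(pkt) < 4 + 20 + 4 + DIGEST_LEN:
        return False, last_seq, "too short"
    afi, atype, offset, _key_id, alen, seq = struct.unpack("!HHHBBI", pkt[4:16])
    if afi != AUTH_AFI or atype != AUTH_TYPE_KEYED_MD5 or alen != DIGEST_LEN:
        return False, last_seq, "not keyed-md5 authenticated"
    if offset + DIGEST_LEN != len(pkt):
        return False, last_seq, "bad digest offset"
    expected = keyed_digest(pkt[:offset], key)
    if not hmac.compare_digest(expected, pkt[offset:]):
        return False, last_seq, "digest mismatch (forged or modified)"
    # The page's caveat: a message can be replayed until the sequence number
    # changes, so only a sequence number that goes backwards is rejected.
    if seq < last_seq:
        return False, last_seq, "stale sequence number (replay)"
    return True, seq, "ok"
```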

3.  Implementation Approach

   Implementation requires three issues to be addressed:

   (1)  A changed packet format,

   (2)  Authentication procedures, and

   (3)  Management controls.

3.1.  RIP-2 PDU Format

   The basic RIP-2 message format provides for an 8 byte header with an
   array of 20 byte records as its data content.  When Keyed MD5 is
   used, the same header and content are used, except that the 16 byte
   "authentication key" field is reused to describe a "Keyed Message
   Digest" trailer.  This consists of five fields:

   (1)  The "Authentication Type" is Keyed Message Digest Algorithm,
        indicated by the value 3 (1 and 2 indicate "IP Route" and
        "Password", respectively).

   (2)  A 16 bit offset from the RIP-2 header to the MD5 digest (if no
        other trailer fields are ever defined, this value equals the
        RIP-2 Data Length).



Baker & Atkinson            Standards Track