RFC 2082 (rfc2082) - Page 3 of 12
RIP-2 MD5 Authentication
RFC 2082 RIP-2 MD5 Authentication January 1997
mechanism is), it provides a greatly enhanced probability that a
system being attacked will detect and ignore hostile messages. This
is because we transmit the output of an authentication algorithm
(e.g., Keyed MD5) rather than the secret RIP-2 Authentication Key.
This output is a one-way function of a message and a secret RIP-2
Authentication Key. This RIP-2 Authentication Key is never sent over
the network in the clear, thus providing protection against the
passive attacks now commonplace in the Internet.
In this way, protection is afforded against forgery or message
modification. It is possible to replay a message until the sequence
number changes, but the sequence number makes replay in the long term
less of an issue. The mechanism does not afford confidentiality,
since messages stay in the clear; however, the mechanism is also
exportable from most countries, a test that a privacy (encryption)
algorithm would fail.
Other relevant rationales for the approach are that Keyed MD5 is
being used for OSPF cryptographic authentication, and is therefore
present in routers already, as is some form of password management.
A similar approach has been standardized for use in IP-layer
authentication. [7]
3. Implementation Approach
Implementation requires three issues to be addressed:
(1) A changed packet format,
(2) Authentication procedures, and
(3) Management controls.
3.1. RIP-2 PDU Format
The basic RIP-2 message format provides for an 8 byte header with an
array of 20 byte records as its data content. When Keyed MD5 is
used, the same header and content are used, except that the 16 byte
"authentication key" field is reused to describe a "Keyed Message
Digest" trailer. This consists in five fields:
(1) The "Authentication Type" is Keyed Message Digest Algorithm,
indicated by the value 3 (1 and 2 indicate "IP Route" and
"Password", respectively).
(2) A 16 bit offset from the RIP-2 header to the MD5 digest (if no
other trailer fields are ever defined, this value equals the
RIP-2 Data Length).
Baker & Atkinson Standards Track
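The format described above, worked through as an added Python example (not code from RFC 2082 or any router implementation): a RIP-2 Response with one route entry, the authentication entry with type 3 and the 16-bit offset, and the Keyed MD5 trailer, followed by the receiver-side check that the offset equals the data length and that the digest matches. The Key ID, Auth Data Length, sequence number and the 0xFFFF/0x0001 trailer header are taken from the later sections of RFC 2082; zero-padding the key to 16 octets and substituting it for the digest while hashing is the RFC's message-generation procedure as this example understands it, and is an assumption here.

```python
import hashlib
import hmac
import struct
# Constants from RFC 2082: auth type 3, 20-octet records, 16-octet MD5 digest.
AUTH_TYPE_KEYED_MD5 = 3
RIP_HEADER_LEN = 4      # command, version, routing domain
ENTRY_LEN = 20          # every RIP-2 record, the authentication entry included
DIGEST_LEN = 16
TRAILER_HDR = struct.pack("!HH", 0xFFFF, 0x0001)   # marks the digest trailer

def _padded_key(key):
    # Assumption: the key is used as a 16-octet value, zero-padded on the right.
    return key.ljust(DIGEST_LEN, b"\x00")[:DIGEST_LEN]

def build_authenticated(routes, key, key_id=1, seq=1):
    """Build a RIP-2 Response (command 2) protected by a Keyed MD5 trailer."""
    body = b"".join(routes)
    offset = RIP_HEADER_LEN + ENTRY_LEN + len(body)    # where the trailer begins
    header = struct.pack("!BBH", 2, 2, 0)
    # 0xFFFF, type 3, 16-bit offset, Key ID, Auth Data Len, sequence, 8 reserved
    auth_entry = struct.pack("!HHHBBI8x", 0xFFFF, AUTH_TYPE_KEYED_MD5,
                             offset, key_id, DIGEST_LEN, seq)
    unsigned = header + auth_entry + body + TRAILER_HDR
    # MD5 over the whole message with the key standing in for the digest;
    # only the digest goes on the wire, the key itself never does.
    return unsigned + hashlib.md5(unsigned + _padded_key(key)).digest()

def verify(packet, key):
    """Return True only if packet carries a valid Keyed MD5 trailer for key."""
    if len(packet) < RIP_HEADER_LEN + ENTRY_LEN + len(TRAILER_HDR) + DIGEST_LEN:
        return False
    afi, auth_type, offset = struct.unpack_from("!HHH", packet, RIP_HEADER_LEN)
    if afi != 0xFFFF or auth_type != AUTH_TYPE_KEYED_MD5:
        return False
    # The offset must land exactly on the trailer, i.e. equal the data length.
    if offset != len(packet) - len(TRAILER_HDR) - DIGEST_LEN:
        return False
    if packet[offset:offset + 4] != TRAILER_HDR:
        return False
    expected = hashlib.md5(packet[:offset + 4] + _padded_key(key)).digest()
    return hmac.compare_digest(expected, packet[offset + 4:])

def offset_field(packet):
    # The 16-bit offset carried in the authentication entry.
    return struct.unpack_from("!H", packet, RIP_HEADER_LEN + 4)[0]

# Constructed sample: one route (10.0.0.0/24, metric 1) under key b"secret".
SAMPLE_ROUTE = struct.pack("!HHIIII", 2, 0, 0x0A000000, 0xFFFFFF00, 0, 1)
SAMPLE_KEY = b"secret"
SAMPLE_PACKET = build_authenticated([SAMPLE_ROUTE], SAMPLE_KEY, key_id=1, seq=7)
```

A receiver that rejects packets failing `verify` drops forged and modified messages without ever having to compare the key itself, which is the point the text makes about transmitting the digest rather than the secret.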