Is Using UDP in RIP Secure? – Routing and Security Analysis

riproutingSecurityudp

I know that UDP is a connectionless transport layer protocol. Since it is easy to fake your source IP and source Port in your headers, what keeps anyone from poisoning routing tables via RIP? It seems to me like I can easily flood routers with fake information messages under this circumstance.

Best Answer

Yes, plain RIP can be vulnerable to attacks. RIP was created long before the Internet was commercialized. Today, there are options for secure authentication of RIP updates. For example, RFC 4822, RIPv2 Cryptographic Authentication:

Introduction

Growth in the Internet has made us aware of the need for improved authentication of routing information. RIPv2 provides for unauthenticated service (as in classical RIP), or password authentication. Both are vulnerable to passive attacks currently widespread in the Internet. Well-understood security issues exist in routing protocols [Bell89]. Cleartext passwords, originally specified for use with RIPv2, are widely understood to be vulnerable to easily deployed passive attacks [HA94].

The original RIPv2 cryptographic authentication specification, RFC 2082 [AB97], used the Keyed-MD5 cryptographic mechanism. While there are no openly published attacks on that mechanism, some reports [Dobb96a, Dobb96b] create concern about the ultimate strength of the MD5 cryptographic hash function Further, some end users, particularly several different governments, require the use of the SHA hash function family rather than any other such function for policy reasons. Finally, the original specification uses a hashing construction widely believed to be weaker than the HMAC construction used with the algorithms added in this revision of the specification.

This document obsoletes the original specification, RFC 2082 [AB97]. This specification differs from RFC 2082 by adding support for the SHA family of hash algorithms and the HMAC technique, while retaining the original Keyed-MD5 algorithm and mode. As the original RIPv2 Cryptographic Authentication mechanism was algorithm-independent, backwards compatibility is retained. This requirement for backwards compatibility precludes making significant protocol changes. So, this document limits changes to the addition of support for an additional family of cryptographic algorithms. The original specification has been very widely implemented, is known to be widely interoperable, and is also widely deployed.

The authors do NOT believe that this specification is the final answer to RIPv2 authentication and encourage the reader to consult the Security Considerations section of this document for more details.

If RIPv2 authentication is disabled, then only simple misconfigurations are detected. The original RIPv2 authentication mechanism relied upon reused cleartext passwords. Use of cleartext password authentication can protect against accidental misconfigurations if that were the only concern, but is not helpful from a security perspective. By simply capturing information on the wire -- straightforward even in a remote environment -- a hostile entity can read the cleartext RIPv2 password and use that knowledge to inject false information into the routing system via the RIPv2 routing protocol.

This mechanism is intended to reduce the risk of a successful passive attack upon RIPv2 deployments. That is, deployment of this mechanism greatly reduces the vulnerability of the RIPv2-based routing system from a passive attack. When cryptographic authentication is enabled, we transmit the output of a keyed cryptographic one-way function in the authentication field of the RIPv2 packet, instead of sending a cleartext reusable password in the RIPv2 packet. The RIPv2 Authentication Key is known only to the authorized parties of the RIPv2 session. The RIPv2 Authentication Key is never sent over the network in the clear.

In this way, protection is afforded against forgery or message modification. While it is possible to replay a message until the sequence number changes, a sequence number can be used to reduce replay risks. The mechanism does not provide confidentiality, since messages stay in the clear. Since the objective of a routing protocol is to advertise the routing topology, confidentiality is not normally required for routing protocols.

Other relevant rationales for the approach are that MD5 and SHA-1 are both being used for other purposes and are therefore generally already present in IP routers, as is some form of password management.

Related Solutions

Cisco – RIP routing is broken between two routers

they are assigned by default to 172.16.0.0 in both cases, and it does not work

I modified your ascii art a litte to reduce scrolling... It sounds like you're saying that you can't reach reach N1 from N2...

Broken RIPv1 topology
=====================

N1 ---- (172.16.1.1/24) R1 (172.16.3.1/30) ----- (172.16.3.2/30) R2 ----- (172.16.2.1/24) N2

Classful routing protocol overview

RIPv1 is a classful routing protocol... as such, it doesn't associate netmasks with routes when they are advertised. Classful routing protocols do a couple non-intuitive things...

They only advertise routes out interfaces where the masks match (this is your problem)
They automatically summarize at major network boundaries (see bonus material, below)

Interface netmasks

To make your topology work, your masks will have to match on all RIPv1 interfaces, unless you use a classless routing protocol (such as RIPv2, EIGRP, OSPF, or ISIS). If you need to use RIPv1, then reconfigure your topology such that all interfaces have matching masks, like this...

Functional RIPv1 topology
=========================

N1 ---- (172.16.1.1/24) R1 (172.16.3.1/24) ----- (172.16.3.2/24) R2 ----- (172.16.2.1/24) N2

Bonus material: RIPv1 Auto-summarization Example

Since this also tends to trip people up, I am including an example of RIPv1 auto-summarization dynamics.

When I mention major network boundaries below, I'm talking about the classic definitions for Class A, Class B, and Class C IPv4 networks...

Class A (8-bit netmasks): 1.0.0.0/8 - 127.0.0.0/8
Class B (16-bit netmasks): 128.0.0.0/16 - 191.255.0.0/16
Class C (24-bit netmasks): 192.168.0.0/24 - 223.255.255.0/24

Moving on to the RIPv1 auto-summarization example... I will use matching /24 interface netmasks for simplicity.

Lo0:
192.168.1.0/24
Lo1:
1.1.2.0/24
+----+                  +----+                     +----+
| R1 +------------------+ R2 +---------------------+ R3 |
+----+                  +----+                     +----+
          1.1.1.0/24              172.16.1.0/24

router rip               router rip                 router rip
 version 1                version 1                  version 1
 network 192.168.1.0      network 1.0.0.0            network 172.16.0.0
 network 1.0.0.0          network 172.16.0.0

The routing table on R3 contains:
C     172.16.1.0/24
R     1.0.0.0/8        <--- 1.1.1.0/24 and 1.1.2.0/24 are "hidden" by the 
                            classful summary at R2

R     192.168.1.0/24   <--- 192.168.1.0/24 passes transparently through R2
                            since it's a Class C network itself and is not 
                            summarized at R2

R1 and R2 are connected by subnets of the 1.0.0.0/8 major network, so 1.1.1.0/24 and 1.1.2.0/24 are advertised between R1 and R2; however, the link between R2 and R3 is not in 1.0.0.0/8, therefore R2 performs automatic summarization of subnets of 1.0.0.0/8 and subnets of 172.16.0.0/16.

When subnets of a major network are summarized, they get hidden by the summarized route... This happens at R2 when 1.1.1.0/24 and 1.1.2.0/24 are summarized to 1.0.0.0/8. Cisco routers cannot disable auto-summarization under RIP version 1 (but they can for RIPv2).

Regarding Route Poison in RIP protocol

I did a lab to test the behaviour with the same topology as yours. R1 is announcing three networks:

1.1.1.1/32
2.2.2.2/32
3.3.3.3/32

RIP lab

R1 is sending full updates towards R2. This is the final update before shutting down Lo0 which has the IP 1.1.1.1.

RIP Capture1

R1 then sends a triggered update:

Dec  9 10:22:37.797: %LINK-5-CHANGED: Interface Loopback0, changed state to administratively down
Dec  9 10:22:37.809: RIP: sending v2 flash update to 224.0.0.9 via FastEthernet0/0 (12.12.12.1)
Dec  9 10:22:37.809: RIP: build flash update entries
Dec  9 10:22:37.809:    1.1.1.1/32 via 0.0.0.0, metric 16, tag 0

R1 is just poisoning that route.

R1 poisons route

R1 also receives the poisoned route back from R2

Dec  9 10:22:39.853: RIP: received v2 update from 12.12.12.2 on FastEthernet0/0
Dec  9 10:22:39.853:      1.1.1.1/32 via 0.0.0.0 in 16 hops  (inaccessible)

R1 sends a full update later at its regular interval (30 seconds).

Dec  9 10:23:01.276: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (12.12.12.1)
Dec  9 10:23:01.276: RIP: build update entries
Dec  9 10:23:01.276:    1.1.1.1/32 via 0.0.0.0, metric 16, tag 0
Dec  9 10:23:01.280:    2.2.2.2/32 via 0.0.0.0, metric 1, tag 0
Dec  9 10:23:01.280:    3.3.3.3/32 via 0.0.0.0, metric 1, tag 0

Now to see what happens on the other routers.

R3:

Dec  9 10:22:39.857: RIP: received v2 update from 23.23.23.2 on FastEthernet0/0
Dec  9 10:22:39.861:      1.1.1.1/32 via 0.0.0.0 in 16 hops  (inaccessible)

R3 then sends this towards R4 and R2:

Dec  9 10:22:41.861: RIP: sending v2 flash update to 224.0.0.9 via FastEthernet0/0 (23.23.23.3)
Dec  9 10:22:41.861: RIP: build flash update entries
Dec  9 10:22:41.861:    1.1.1.1/32 via 0.0.0.0, metric 16, tag 0
Dec  9 10:22:41.865: RIP: sending v2 flash update to 224.0.0.9 via FastEthernet0/1 (34.34.34.3)
Dec  9 10:22:41.865: RIP: build flash update entries
Dec  9 10:22:41.865:    1.1.1.1/32 via 0.0.0.0, metric 16, tag 0

R4:

Dec  9 10:22:41.916: RIP: received v2 update from 34.34.34.3 on FastEthernet0/0
Dec  9 10:22:41.920:      1.1.1.1/32 via 0.0.0.0 in 16 hops  (inaccessible)
Dec  9 10:22:43.908: RIP: received v2 update from 45.45.45.5 on FastEthernet0/1
Dec  9 10:22:43.908:      1.1.1.1/32 via 0.0.0.0 in 16 hops  (inaccessible)

R4 sends it towards R5 and R3.

Dec  9 10:22:43.920: RIP: sending v2 flash update to 224.0.0.9 via FastEthernet0/0 (34.34.34.4)
Dec  9 10:22:43.920: RIP: build flash update entries
Dec  9 10:22:43.920:    1.1.1.1/32 via 0.0.0.0, metric 16, tag 0
Dec  9 10:22:43.924: RIP: sending v2 flash update to 224.0.0.9 via FastEthernet0/1 (45.45.45.4)
Dec  9 10:22:43.924: RIP: build flash update entries
Dec  9 10:22:43.924:    1.1.1.1/32 via 0.0.0.0, metric 16, tag 0

R5:

Dec  9 10:22:41.888: RIP: received v2 update from 56.56.56.6 on FastEthernet0/1
Dec  9 10:22:41.888:      1.1.1.1/32 via 0.0.0.0 in 16 hops  (inaccessible)

R5 sends it towards R6 and R4:

Dec  9 10:22:43.891: RIP: sending v2 flash update to 224.0.0.9 via FastEthernet0/0 (45.45.45.5)
Dec  9 10:22:43.891: RIP: build flash update entries
Dec  9 10:22:43.891:    1.1.1.1/32 via 0.0.0.0, metric 16, tag 0
Dec  9 10:22:43.895: RIP: sending v2 flash update to 224.0.0.9 via FastEthernet0/1 (56.56.56.5)
Dec  9 10:22:43.895: RIP: build flash update entries
Dec  9 10:22:43.895:    1.1.1.1/32 via 0.0.0.0, metric 16, tag 0

R6:

Dec  9 10:22:39.869: RIP: received v2 update from 26.26.26.2 on FastEthernet0/0
Dec  9 10:22:39.869:      1.1.1.1/32 via 0.0.0.0 in 16 hops  (inaccessible)

R6 sends it towards R2 and R5:

Dec  9 10:22:41.873: RIP: sending v2 flash update to 224.0.0.9 via FastEthernet0/0 (26.26.26.6)
Dec  9 10:22:41.873: RIP: build flash update entries
Dec  9 10:22:41.873:    1.1.1.1/32 via 0.0.0.0, metric 16, tag 0
Dec  9 10:22:41.877: RIP: sending v2 flash update to 224.0.0.9 via FastEthernet0/1 (56.56.56.6)
Dec  9 10:22:41.877: RIP: build flash update entries
Dec  9 10:22:41.877:    1.1.1.1/32 via 0.0.0.0, metric 16, tag 0

So as can be seen, the route is poisoned and sent as a flash update. This only contains the poisoned route. Later at the regular interval a full update is sent with the route included and a metric of 16.

What happens if another router sends the 1.1.1.1/32 network with a better metric?

R4 starts advertising the 1.1.1.1/32 network:

R4(config)#int lo0
R4(config-if)#ip add 1.1.1.1 255.255.255.255
R4(config-if)#router rip
R4(config-router)#net 1.0.0.0

Dec  9 10:57:23.275: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up

Dec  9 10:57:32.079: RIP: sending v2 flash update to 224.0.0.9 via FastEthernet0/0 (34.34.34.4)
Dec  9 10:57:32.079: RIP: build flash update entries
Dec  9 10:57:32.079:    1.1.1.1/32 via 0.0.0.0, metric 1, tag 0
Dec  9 10:57:32.083: RIP: sending v2 flash update to 224.0.0.9 via FastEthernet0/1 (45.45.45.4)
Dec  9 10:57:32.083: RIP: build flash update entries
Dec  9 10:57:32.083:    1.1.1.1/32 via 0.0.0.0, metric 1, tag 0

R5 installs this route:

Dec  9 10:57:16.771: RIP: received v2 update from 56.56.56.6 on FastEthernet0/1
Dec  9 10:57:16.771:      1.1.1.1/32 via 0.0.0.0 in 16 hops  (inaccessible)
Dec  9 10:57:16.775: RT: del 1.1.1.1/32 via 56.56.56.6, rip metric [120/3]
Dec  9 10:57:16.775: RT: delete subnet route to 1.1.1.1/32
Dec  9 10:57:16.775: RT: NET-RED 1.1.1.1/32
Dec  9 10:57:16.779: RT: delete network route to 1.0.0.0
Dec  9 10:57:16.779: RT: NET-RED 1.0.0.0/8
Dec  9 10:57:32.079: RIP: received v2 update from 45.45.45.4 on FastEthernet0/0
Dec  9 10:57:32.083:      1.1.1.1/32 via 0.0.0.0 in 1 hops
Dec  9 10:57:32.083: RT: add 1.1.1.1/32 via 45.45.45.4, rip metric [120/1]
Dec  9 10:57:32.083: RT: NET-RED 1.1.1.1/32

Note that this behavior is dependant on if the route has gone into hold down. To catch a route in hold down there has to be a passive failure.

R2 applies an ACL towards R1 to filter out the RIP updates:

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ip access-list extended NO-RIP
R2(config-ext-nacl)#deny udp any any eq 520
R2(config-ext-nacl)#permit ip any any
R2(config-ext-nacl)#int f0/0
R2(config-if)#ip access-group NO-RIP in

It should take approximately 180 seconds before the route becomes invalid and goes into holddown. This output from R2 is the last one before it becomes invalid:

R2#sh ip route 1.1.1.1
Routing entry for 1.1.1.1/32
  Known via "rip", distance 120, metric 1
  Redistributing via rip
  Last update from 12.12.12.1 on FastEthernet0/0, 00:03:00 ago
  Routing Descriptor Blocks:
  * 12.12.12.1, from 12.12.12.1, 00:03:00 ago, via FastEthernet0/0
      Route metric is 1, traffic share count is 1

Then the holddown timer goes active:

R2#sh ip route 1.1.1.1
Routing entry for 1.1.1.1/32
  Known via "rip", distance 120, metric 4294967295 (inaccessible)
  Redistributing via rip
  Last update from 12.12.12.1 on FastEthernet0/0, 00:03:01 ago
  Hold down timer expires in 178 secs

When the holddown has expired the route can be installed:

R2#sh ip route 1.1.1.1
Routing entry for 1.1.1.1/32
  Known via "rip", distance 120, metric 1
  Redistributing via rip
  Last update from 23.23.23.3 on FastEthernet0/1, 00:00:07 ago
  Routing Descriptor Blocks:
  * 23.23.23.3, from 23.23.23.3, 00:00:07 ago, via FastEthernet0/1
      Route metric is 1, traffic share count is 1

Conclusion: When an interface goes down, a triggered flash update is sent poisoning that route with a metric of 16. This update is sent out all RIP enabled interfaces. Because the route is poisoned, the routers are free to install other routes.

If the route is not poisoned and instead relying on timers then the holddown timer of 180 seconds must expire first before other routes can be installed.

Best Answer

Related Solutions

Cisco – RIP routing is broken between two routers

Regarding Route Poison in RIP protocol

Related Topic