UNCLASSIFIED
Implementing Security on Cisco Routers
Version 1.0g
key-chains, CENTRAL-KEYCHAIN and SOUTH-KEYCHAIN. In practice, all the
routers attached to a given network must be configured in the same way. That is, the
shared key must exist, under the same key number, in the key chain of every router on that network.
Before RIP MD5 authentication can be enabled, each pair of neighboring routers must
share a secret key. RIP manages authentication keys through key chains. A key
chain is a container that holds one or more keys, each with a key ID (the key number) and an
optional lifetime. Several keys with different lifetimes can exist at the same time; however,
each routing update is sent with only one key. The router examines the key numbers in order from
lowest to highest and uses the first valid key it encounters. In the example
below, Central and South have key chains named CENTRAL-KEYCHAIN and
SOUTH-KEYCHAIN. Both key chains hold the same two keys, my-supersecret-key and
my-othersecret-key, under the same key numbers, but each router sends with only the first valid key (key 1).
The second key is normally used when migrating to a new key: it is added on every router first,
and only then is the old key retired.
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# key chain CENTRAL-KEYCHAIN
Central(config-keychain)# key 1
Central(config-keychain-key)# key-string my-supersecret-key
Central(config-keychain-key)# exit
Central(config-keychain)# key 2
Central(config-keychain-key)# key-string my-othersecret-key
Central(config-keychain-key)# end
Central#
South# config t
Enter configuration commands, one per line. End with CNTL/Z.
South(config)# key chain SOUTH-KEYCHAIN
South(config-keychain)# key 1
South(config-keychain-key)# key-string my-supersecret-key
South(config-keychain-key)# exit
South(config-keychain)# key 2
South(config-keychain-key)# key-string my-othersecret-key
South(config-keychain-key)# end
South#
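As an added example (not from the original guide), the same CENTRAL-KEYCHAIN configured with key lifetimes so that key 2 can replace key 1 without an outage, and the chain applied to the RIP interface facing South. The commands are standard IOS key-chain, clock/NTP and RIP interface commands; the interface name Serial0/0, the dates, and the NTP server address are assumptions. South mirrors this with SOUTH-KEYCHAIN, the same key numbers, key strings and lifetimes, and its own interface. RIP version 2 is assumed to be enabled under router rip.

```cisco
! Added example, not part of the original guide. Interface name, dates and
! NTP server address are assumptions; adjust them for the real network.
!
! Key lifetimes are compared against the router clock, so every router that
! shares the chain must keep accurate time; otherwise a key can expire early on
! one side and still be sent by the other. Use NTP, not a manually set clock.
ntp server 14.1.1.10
clock timezone UTC 0
!
key chain CENTRAL-KEYCHAIN
 key 1
  key-string my-supersecret-key
  ! Keep sending with key 1 until 15 March, but keep accepting it until the
  ! end of March so a neighbour that still sends key 1 is not dropped.
  send-lifetime 00:00:00 Jan 1 2025 23:59:59 Mar 15 2025
  accept-lifetime 00:00:00 Jan 1 2025 23:59:59 Mar 31 2025
 key 2
  key-string my-othersecret-key
  ! Accept key 2 two weeks before any router starts sending it; send it from
  ! 15 March on, with no end date. Because the router sends with the lowest
  ! valid key, key 1 is still sent on 15 March and key 2 takes over the day after.
  accept-lifetime 00:00:00 Mar 1 2025 infinite
  send-lifetime 00:00:00 Mar 15 2025 infinite
!
! Apply the chain to the interface facing South. Key numbers and key strings
! must match on both routers; the chain name is local and need not match.
interface Serial0/0
 ip rip authentication mode md5
 ip rip authentication key-chain CENTRAL-KEYCHAIN
```

Check the result with show key chain, which lists each key with its accept and send lifetimes so the overlap window can be confirmed on both routers before the old key is removed. Note that show running-config displays key strings in cleartext unless service password-encryption is configured, and even then the type 7 encoding is reversible, so configuration backups that contain key chains must be protected like any other secret.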
RIP version 1 does not support authentication; the feature was added in RIP
version 2. Each RIP router must therefore be configured to use version 2 before
authentication can be enabled on routing updates. The example below shows how to
enable version 2 of RIP.
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# router rip
Central(config-router)# version 2
Central(config-router)# network 14.0.0.0
Central(config-router)# end
Central#