RIP-II MD5 Authentication

Fred Baker
ACC

========

Problem Statement
It Ain't Good Enough

o Today's RIP-II runs either no authentication or simple password
o subject to attacks
  - replay
  - forgery
  - corruption
o Proposal: Use MD5
  - with a non-decreasing sequence number?

========

Proposed Message under MD5 Authentication

 0             7 8            15 16           23 24           31
 ________________________________________________________________
|________AFI___________________|__Authentication_Type_=_MD5______|
|________MD5_Message_Digest_(128_bits)___________________________|
|________________________________________________________________|
|________________________________________________________________|
|________________________________________________________________|
|________AFI___________________|__Reserved_______________________|
|________route_description_(128_bits)____________________________|
|________________________________________________________________|
|________________________________________________________________|
|________________________________________________________________|
|________Zero_or_more_bytes_of_pad_______________________________|
|________64-bit_message_length___________________________________|
|______________________(per_RFC_1321)____________________________|

========

Elements of Procedure

o Procedure for sending messages
o Procedure for receiving messages
o Management impacts

========

Procedure for sending messages

o build standard RIP datagram
o insert MD5 secret
o pad per RFC 1321
o calculate MD5 digest
o write digest over secret
o send WITHOUT UDP CHECKSUM (hint to hackers)

========

Procedure for receiving messages

o save digest
o overwrite with MD5 Secret
o calculate MD5 Digest
o if different, ignore message
o remove trailing pad (calculate by modulus)
o process message

========

Management impacts

o Add value to authentication type for MD5
o use existing authentication key to write secret
o good reason to implement Secure SNMP
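
The sending and receiving procedures above, as an added Python example that is not part of the original slides. Assumptions: the authentication type value is a placeholder (the slides do not assign one), a 4-byte RIP header precedes the authentication entry, the secret is zero-padded to the 128-bit field, and the receiver locates the pad from the trailing 64-bit length; `hashlib.md5` applies the RFC 1321 pad internally, so hashing the unpadded datagram matches a digest over the padded wire image.

```python
import hashlib
import hmac
import struct

AUTH_TYPE_MD5 = 0x0003  # placeholder: the slides do not assign the type value
DIGEST_OFF = 8          # assumed: 4-byte RIP header, then AFI (2) + auth type (2)

# Constructed sample route entry: AFI=2, reserved, 192.0.2.0/24, next hop 0, metric 1
SAMPLE_ROUTE = struct.pack("!HH4s4s4sI", 2, 0, bytes([192, 0, 2, 0]),
                           bytes([255, 255, 255, 0]), bytes(4), 1)

def rfc1321_pad(msg_len):
    """RFC 1321 pad for msg_len bytes: 0x80, zeros, 64-bit little-endian bit count."""
    return b"\x80" + b"\x00" * ((55 - msg_len) % 64) + struct.pack("<Q", msg_len * 8)

def _key(secret):
    return secret.ljust(16, b"\x00")[:16]  # assumed: secret fills the 128-bit field

def build(routes, secret):
    """Sender: datagram with secret in place, digest written over it, pad appended."""
    hdr = struct.pack("!BBH", 2, 2, 0)                # RIP response, version 2
    auth = struct.pack("!HH", 0xFFFF, AUTH_TYPE_MD5)  # AFI 0xFFFF marks authentication
    body = hdr + auth + _key(secret) + routes
    digest = hashlib.md5(body).digest()               # digest over secret + routes + pad
    return body[:DIGEST_OFF] + digest + routes + rfc1321_pad(len(body))

def verify(wire, secret):
    """Receiver: return the datagram without pad, or None if it must be ignored."""
    if len(wire) < 64 or len(wire) % 64:
        return None
    bit_len = struct.unpack("<Q", wire[-8:])[0]
    n = bit_len // 8                                  # datagram length before the pad
    if bit_len % 8 or n < DIGEST_OFF + 16 or wire[n:] != rfc1321_pad(n):
        return None
    saved = wire[DIGEST_OFF:DIGEST_OFF + 16]          # save digest
    body = wire[:DIGEST_OFF] + _key(secret) + wire[DIGEST_OFF + 16:n]  # secret back in
    if not hmac.compare_digest(hashlib.md5(body).digest(), saved):
        return None                                   # if different, ignore message
    return wire[:n]                                   # trailing pad removed
```

A captured datagram passed to `verify` a second time is accepted again, which is the replay gap the sequence number question on the problem-statement slide is aimed at.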