[Figure: RIPv2 packet header format]

[Figure: RIPv2 packet format with authentication]

The following is quoted from Volume I:

RIPv2 supports authentication by repurposing the field that would normally hold the first route entry of the message.

In a single update message that carries authentication, the maximum number of route entries is reduced to 24.

The address family identifier field is set to 0xFFFF; for simple password authentication, the authentication type is set to 0x0002.

Cisco uses the field space of both the first and the last route entry to carry MD5 authentication.

According to Jeff Doyle, with MD5 authentication the maximum number of route entries should therefore be 23.

Let's run an experiment to check this:

[Figure: lab topology]

R1 configuration

!
key chain cisco
key 1
  key-string cisco

interface Loopback0
ip address 10.1.1.1 255.255.255.0 secondary
ip address 10.1.2.1 255.255.255.0 secondary
ip address 10.1.3.1 255.255.255.0 secondary
ip address 10.1.4.1 255.255.255.0 secondary
ip address 10.1.5.1 255.255.255.0 secondary
ip address 10.1.6.1 255.255.255.0 secondary
ip address 10.1.7.1 255.255.255.0 secondary
ip address 10.1.8.1 255.255.255.0 secondary
ip address 10.1.9.1 255.255.255.0 secondary
ip address 10.1.10.1 255.255.255.0 secondary
ip address 10.1.11.1 255.255.255.0 secondary
ip address 10.1.12.1 255.255.255.0 secondary
ip address 10.1.13.1 255.255.255.0 secondary
ip address 10.1.14.1 255.255.255.0 secondary
ip address 10.1.15.1 255.255.255.0 secondary
ip address 10.1.16.1 255.255.255.0 secondary
ip address 10.1.17.1 255.255.255.0 secondary
ip address 10.1.18.1 255.255.255.0 secondary
ip address 10.1.19.1 255.255.255.0 secondary
ip address 10.1.20.1 255.255.255.0 secondary
ip address 10.1.21.1 255.255.255.0 secondary
ip address 10.1.22.1 255.255.255.0 secondary
ip address 10.1.23.1 255.255.255.0 secondary
ip address 10.1.24.1 255.255.255.0 secondary
ip address 10.1.25.1 255.255.255.0 secondary
ip address 10.1.26.1 255.255.255.0 secondary
ip address 10.1.0.1 255.255.255.0

interface FastEthernet0/0
ip address 12.1.1.1 255.255.255.0
ip rip authentication mode md5
ip rip authentication key-chain cisco
duplex auto
speed auto
!
router rip
version 2
passive-interface Loopback0
network 10.0.0.0
network 12.0.0.0
no auto-summary

R2 configuration

!
key chain cisco
key 1
  key-string cisco

!
interface FastEthernet0/0
ip address 12.1.1.2 255.255.255.0
ip rip authentication mode md5
ip rip authentication key-chain cisco
duplex auto
speed auto
!
router rip
version 2
network 12.0.0.0
no auto-summary

On R1, with debug ip rip events enabled:

*Mar  1 00:06:21.415: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (12.1.1.1)
*Mar  1 00:06:21.419: RIP: Update contains 24 routes
*Mar  1 00:06:21.419: RIP: Update queued
*Mar  1 00:06:21.423: RIP: Update contains 3 routes
*Mar  1 00:06:21.423: RIP: Update queued
*Mar  1 00:06:21.423: RIP: Update sent via FastEthernet0/0
*Mar  1 00:06:21.423: RIP: Update sent via FastEthernet0/0

Wireshark capture of the update

[Figure: Wireshark decode of the RIPv2 update]

The field "Authentication: Keyed Message Digest" shows that the authentication type is MD5.

It is followed by 24 route entries, 10.1.0.0 through 10.1.23.0. So when MD5 authentication is used, Cisco does not consume the last route entry's field space.

Summary:

1. Without authentication, a RIPv2 update message can carry at most 25 route entries.

2. With plaintext authentication, a RIPv2 update message can carry at most 24 route entries.

3. With MD5 authentication, a RIPv2 update message can carry at most 24 route entries, not 23.
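To make the quoted explanation and the three cases in the summary concrete, here is an added Python example (it is not code from this post or from Cisco) that builds RIPv2 update messages with the RFC 2453 framing and the RFC 2082 keyed-MD5 authentication, parses them back to count entries, and verifies the digest trailer the way a receiving router or a capture-analysis tool would. The prefixes, the key string "cisco", the key ID and the sequence number are constructed for the example; the one assumption beyond the RFCs is the one the capture above supports: the MD5 trailer is appended after the length recorded in the authentication header and does not cost a route slot.

```python
"""RIPv2 update builder/parser with RFC 2082 keyed-MD5 authentication.

Added example: shows why a 504-byte update holds 25 route entries without
authentication but only 24 once the first slot carries an auth header, and
how the MD5 trailer is verified on receipt.
"""
import hashlib
import hmac
import ipaddress
import struct

HDR = struct.Struct("!BBH")   # command, version, must-be-zero
ENTRY = 20                    # every RIPv2 entry (route or auth) is 20 bytes
AUTH_AFI = 0xFFFF
AUTH_TRAILER, AUTH_SIMPLE, AUTH_MD5 = 0x0001, 0x0002, 0x0003


def max_routes(auth=None):
    """Route entries that fit a 512-byte RIP datagram: 25 slots after the
    4-byte header; any authentication header spends one of them.  The MD5
    trailer lies beyond the counted length, so it does not spend another."""
    slots = (512 - HDR.size) // ENTRY
    return slots - 1 if auth else slots


def route_entry(prefix, metric, tag=0, next_hop="0.0.0.0"):
    net = ipaddress.ip_network(prefix)
    return struct.pack("!HH4s4s4sI", 2, tag, net.network_address.packed,
                       net.netmask.packed,
                       ipaddress.ip_address(next_hop).packed, metric)


def build_update(routes, auth=None, key=b"", key_id=1, seq=0):
    """auth: None, 'simple' (16-byte plaintext password) or 'md5'."""
    body = b"".join(route_entry(p, m) for p, m in routes)
    pkt = HDR.pack(2, 2, 0)                          # response, version 2
    if auth == "simple":
        # password occupies the first entry slot, NUL-padded to 16 bytes
        pkt += struct.pack("!HH16s", AUTH_AFI, AUTH_SIMPLE, key[:16]) + body
    elif auth == "md5":
        # RFC 2082 header in the first slot; length excludes the trailer
        length = HDR.size + ENTRY + len(body)
        pkt += struct.pack("!HHHBBI8x", AUTH_AFI, AUTH_MD5, length,
                           key_id, 16, seq) + body
        # digest = MD5(packet || trailer head || zero-padded key)
        head = struct.pack("!HH", AUTH_AFI, AUTH_TRAILER)
        padded_key = key[:16].ljust(16, b"\x00")
        digest = hashlib.md5(pkt + head + padded_key).digest()
        pkt += head + digest                             # 20-byte trailer
    else:
        pkt += body
    return pkt


def parse_update(pkt):
    """Walk the 20-byte entries and classify them."""
    cmd, ver, _ = HDR.unpack_from(pkt, 0)
    info = {"command": cmd, "version": ver, "auth": None,
            "routes": 0, "trailer": False}
    off = HDR.size
    while off + ENTRY <= len(pkt):
        afi, atype = struct.unpack_from("!HH", pkt, off)
        if afi == AUTH_AFI:
            if atype == AUTH_TRAILER:
                info["trailer"] = True
            else:
                info["auth"] = {AUTH_SIMPLE: "simple", AUTH_MD5: "md5"}.get(atype, atype)
        else:
            info["routes"] += 1
        off += ENTRY
    return info


def verify_md5(pkt, key):
    """Recompute the RFC 2082 digest; True only if the trailer matches."""
    if len(pkt) < HDR.size + 2 * ENTRY:
        return False
    afi, atype, length = struct.unpack_from("!HHH", pkt, HDR.size)
    if afi != AUTH_AFI or atype != AUTH_MD5 or len(pkt) != length + ENTRY:
        return False
    body, trailer = pkt[:length], pkt[length:]
    if trailer[:4] != struct.pack("!HH", AUTH_AFI, AUTH_TRAILER):
        return False
    expected = hashlib.md5(body + trailer[:4]
                           + key[:16].ljust(16, b"\x00")).digest()
    return hmac.compare_digest(expected, trailer[4:])


# Constructed sample matching the lab: 10.1.0.0/24 .. 10.1.23.0/24, metric 1
SAMPLE_ROUTES = [(f"10.1.{i}.0/24", 1) for i in range(24)]

if __name__ == "__main__":
    pkt = build_update(SAMPLE_ROUTES, auth="md5", key=b"cisco", seq=7)
    print(len(pkt), parse_update(pkt), verify_md5(pkt, b"cisco"))
```

The parser counts 24 route entries in the MD5 case and reports the trailer separately, which is exactly what the Wireshark decode above shows; the packet length field in the authentication header (504 bytes here) matches the unauthenticated 25-entry budget while the datagram itself is 524 bytes. Note that the RFC 2082 digest is a keyed hash, not an HMAC, and key knowledge is all a receiver needs to accept an update, so the key-chain configuration is the whole trust boundary.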