[Original] Testing RIP Plaintext and MD5 (Ciphertext) Authentication on Cisco Routers

Posted on 2020-2-3 21:45:11
Last edited by 碧云天 on 2020-2-3 22:03

I. Test topology



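Test summary:

1. Plaintext authentication
  • Plaintext authentication does not compare the Key-IDs in the key chain, and the packet carries no Key-ID
  • When sending, only the key-string of the lowest-numbered key in the key chain is used
  • When receiving, the keys in the key chain are compared one by one; if any key-string matches, authentication passes
2. MD5 (ciphertext) authentication
  • MD5-authenticated packets carry a Key-ID
  • Both sides send using the lowest Key-ID in their key chain
  • When receiving, if both sides' lowest Key-IDs are the same and the Key-Strings are also the same, authentication passes
  • When receiving, if the peer's Key-ID is lower than the lowest Key-ID in the local key chain but their Key-Strings are the same, authentication passes
  • When receiving, if the peer's Key-ID is higher than the lowest Key-ID in the local key chain, the local key chain must contain a key with the same Key-ID and key-string as the peer's; otherwise authentication fails.
II. Basic configuration
1. Router R1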

hostname R1
interface Loopback0
    ip address 1.1.1.1 255.255.255.0
interface FastEthernet0/0
    ip address 12.1.1.1 255.255.255.0
    no shutdown
router rip
    version 2
    network 1.0.0.0
    network 12.0.0.0
    no auto-summary
2. Router R2
hostname R2
interface Loopback0
    ip address 2.2.2.2 255.255.255.0
interface FastEthernet0/0
    ip address 12.1.1.2 255.255.255.0
    no shutdown
router rip
    version 2
    network 2.0.0.0
    network 12.0.0.0
    no auto-summary
III. Testing plaintext authentication
1. The two sides' lowest Key-IDs differ, but the Key-Strings of the lowest Key-IDs are the same
① Router R1

key chain R1
    key 1
      key-string Cisc0123
    key 2
      key-string 123
interface FastEthernet0/0
    ip rip authentication key-chain R1
    ip rip authentication mode text
② Router R2
key chain R2
    key 10
      key-string Cisc0123
    key 11
      key-string 345
interface FastEthernet0/0
    ip rip authentication key-chain R2
    ip rip authentication mode text
③ R1 debug shows the peer's plaintext password, and the packet is not rejected
R1#debug ip rip
RIP protocol debugging is on
R1#
*Feb  3 12:56:59.171: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (12.1.1.1)
*Feb  3 12:56:59.171: RIP: build update entries
*Feb  3 12:56:59.171:   1.1.1.0/24 via 0.0.0.0, metric 1, tag 0
*Feb  3 12:57:08.919: RIP: received packet with text authentication Cisc0123
*Feb  3 12:57:08.919: RIP: received v2 update from 12.1.1.2 on FastEthernet0/0
*Feb  3 12:57:08.923:      2.2.2.0/24 via 0.0.0.0 in 1 hops
*Feb  3 12:57:18.379: RIP: sending v2 update to 224.0.0.9 via Loopback0 (1.1.1.1)
*Feb  3 12:57:18.379: RIP: build update entries
*Feb  3 12:57:18.379:   2.2.2.0/24 via 0.0.0.0, metric 2, tag 0
*Feb  3 12:57:18.379:   12.1.1.0/24 via 0.0.0.0, metric 1, tag 0
*Feb  3 12:57:18.379: RIP: ignored v2 packet from 1.1.1.1 (sourced from one of our addresses)
④ After clearing the routing table on R1, it still learns R2's route via RIP
R1#clear ip route *
R1#show ip route rip | begin Gate
Gateway of last resort is not set

      2.0.0.0/24 is subnetted, 1 subnets
R        2.2.2.0 [120/1] via 12.1.1.2, 00:00:17, FastEthernet0/0
R1#
2. The two sides' lowest Key-IDs differ and the Key-Strings of the lowest Key-IDs also differ, but a later Key-ID has the same Key-String as the peer's lowest Key-ID
① Router R1
key chain R1
    key 1
      key-string 123
    key 2
      key-string Cisc0123
interface FastEthernet0/0
    ip rip authentication key-chain R1
    ip rip authentication mode text
② Router R2
key chain R2
    key 10
      key-string Cisc0123
    key 11
      key-string 123
interface FastEthernet0/0
    ip rip authentication key-chain R2
    ip rip authentication mode text
③ R1 debug shows the peer's plaintext password, and the packet is not rejected
R1#debug ip rip
RIP protocol debugging is on
*Feb  3 13:03:55.955: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (12.1.1.1)
*Feb  3 13:03:55.955: RIP: build update entries
*Feb  3 13:03:55.955:   1.1.1.0/24 via 0.0.0.0, metric 1, tag 0
*Feb  3 13:03:56.839: RIP: received packet with text authentication Cisc0123
*Feb  3 13:03:56.839: RIP: received v2 update from 12.1.1.2 on FastEthernet0/0
*Feb  3 13:03:56.839:      2.2.2.0/24 via 0.0.0.0 in 1 hops
*Feb  3 13:04:07.931: RIP: sending v2 update to 224.0.0.9 via Loopback0 (1.1.1.1)
*Feb  3 13:04:07.931: RIP: build update entries
*Feb  3 13:04:07.931:   2.2.2.0/24 via 0.0.0.0, metric 2, tag 0
*Feb  3 13:04:07.931:   12.1.1.0/24 via 0.0.0.0, metric 1, tag 0
*Feb  3 12:57:18.379: RIP: ignored v2 packet from 1.1.1.1 (sourced from one of our addresses)
④ R2 debug shows that the peer's plaintext password is different, and the packet is not rejected
R2#debug ip rip
RIP protocol debugging is on
R2#
*Feb  3 13:05:47.711: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (12.1.1.2)
*Feb  3 13:05:47.711: RIP: build update entries
*Feb  3 13:05:47.711:   2.2.2.0/24 via 0.0.0.0, metric 1, tag 0
*Feb  3 13:05:49.635: RIP: received packet with text authentication 123
*Feb  3 13:05:49.639: RIP: received v2 update from 12.1.1.1 on FastEthernet0/0
*Feb  3 13:05:49.639:      1.1.1.0/24 via 0.0.0.0 in 1 hops
⑤ After clearing the routing table on R1, it still learns R2's route via RIP
R1#clear ip route *
R1#show ip route rip | begin Gate
Gateway of last resort is not set

      2.0.0.0/24 is subnetted, 1 subnets
R        2.2.2.0 [120/1] via 12.1.1.2, 00:00:06, FastEthernet0/0
R1#
IV. Testing MD5 authentication
1. The two sides' lowest Key-IDs differ, but the Key-Strings of the lowest Key-IDs are the same
① Router R1

key chain R1
    key 1
      key-string Cisc0123
    key 2
      key-string 123
interface FastEthernet0/0
    ip rip authentication key-chain R1
    ip rip authentication mode md5
② Router R2
key chain R2
    key 10
      key-string Cisc0123
    key 11
      key-string 345
interface FastEthernet0/0
    ip rip authentication key-chain R2
    ip rip authentication mode md5
③ R1 debug shows that the peer uses MD5 authentication, but the packet is rejected
R1(config-if)#
R1(config-if)#
*Feb  3 13:29:45.195: RIP: sending v2 update to 224.0.0.9 via Loopback0 (1.1.1.1)
*Feb  3 13:29:45.195: RIP: build update entries
*Feb  3 13:29:45.195:   2.2.2.0/24 via 0.0.0.0, metric 2, tag 0
*Feb  3 13:29:45.195:   12.1.1.0/24 via 0.0.0.0, metric 1, tag 0
*Feb  3 13:29:45.195: RIP: ignored v2 packet from 1.1.1.1 (sourced from one of our addresses)
*Feb  3 13:29:50.267: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (12.1.1.1)
*Feb  3 13:29:50.267: RIP: build update entries
*Feb  3 13:29:50.267:   1.1.1.0/24 via 0.0.0.0, metric 1, tag 0
*Feb  3 13:30:01.391: RIP: received packet with MD5 authentication
*Feb  3 13:30:01.391: RIP: ignored v2 packet from 12.1.1.2 (invalid authentication)
④ However, the debug on R1 shows that the packet is not rejected
R2#debug ip rip
RIP protocol debugging is on
*Feb  3 13:29:08.803: RIP: received packet with MD5 authentication
*Feb  3 13:29:08.803: RIP: received v2 update from 12.1.1.1 on FastEthernet0/0
*Feb  3 13:29:08.803:      1.1.1.0/24 via 0.0.0.0 in 1 hops
*Feb  3 13:29:20.031: RIP: sending v2 update to 224.0.0.9 via Loopback0 (2.2.2.2)
*Feb  3 13:29:20.031: RIP: build update entries
*Feb  3 13:29:20.031:   1.1.1.0/24 via 0.0.0.0, metric 2, tag 0
*Feb  3 13:29:20.031:   12.1.1.0/24 via 0.0.0.0, metric 1, tag 0
*Feb  3 13:29:20.031: RIP: ignored v2 packet from 2.2.2.2 (sourced from one of our addresses)
*Feb  3 13:29:21.043: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (12.1.1.2)
*Feb  3 13:29:21.043: RIP: build update entries
*Feb  3 13:29:21.043:   2.2.2.0/24 via 0.0.0.0, metric 1, tag 0
*Feb  3 13:29:35.119: RIP: received packet with MD5 authentication
*Feb  3 13:29:35.119: RIP: received v2 update from 12.1.1.1 on FastEthernet0/0
*Feb  3 13:29:35.119:      1.1.1.0/24 via 0.0.0.0 in 1 hops
⑤ R2 can learn the route via RIP
R2#clear ip route *
R2#show ip route
R2#show ip route rip | begin Gate
Gateway of last resort is not set

      1.0.0.0/24 is subnetted, 1 subnets
R        1.1.1.0 [120/1] via 12.1.1.1, 00:00:03, FastEthernet0/0
R2#
2. Add to R1 a key with the same Key-ID as the peer's lowest Key-ID
① Router R1
key chain R1
    key 1
      key-string Cisc0123
    key 2
      key-string 123
    key 10
      key-string Cisc0123
② The debug log shows that R1 now receives RIP packets normally
R1#debug ip rip
RIP protocol debugging is on
*Feb  3 13:40:14.171: RIP: received packet with MD5 authentication
*Feb  3 13:40:14.171: RIP: received v2 update from 12.1.1.2 on FastEthernet0/0
*Feb  3 13:40:14.171:      2.2.2.0/24 via 0.0.0.0 in 1 hops
*Feb  3 13:40:16.175: RIP: sending v2 flash update to 224.0.0.9 via Loopback0 (1.1.1.1)
*Feb  3 13:40:16.175: RIP: build flash update entries
*Feb  3 13:40:16.175:   2.2.2.0/24 via 0.0.0.0, metric 2, tag 0
③ After clearing the routing table on R1, it still learns R2's route via RIP
R1#clear ip route *
R1#show ip route rip | begin Gate
Gateway of last resort is not set

      2.0.0.0/24 is subnetted, 1 subnets
R        2.2.2.0 [120/1] via 12.1.1.2, 00:00:10, FastEthernet0/0
R1#
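Added example (not part of the original post, and not IOS code): a Python model of the key-selection rules in the post's test summary, run against the key chains from its plaintext and MD5 tests. The digest is a simplified keyed MD5 (payload plus the key padded to 16 bytes), and checking a lower received Key-ID against the receiver's lowest key is an assumption about how to read the summary's fourth MD5 rule.

```python
import hashlib
import hmac

# Constructed from the post: key chains of the first MD5 test.
R1 = {1: "Cisc0123", 2: "123"}
R2 = {10: "Cisc0123", 11: "345"}


def digest(payload: bytes, key_string: str) -> bytes:
    # Simplified keyed MD5 (assumption): payload followed by the padded key.
    key = key_string.encode()[:16].ljust(16, b"\x00")
    return hashlib.md5(payload + key).digest()


def send(chain: dict, mode: str, payload: bytes = b"rip-update") -> dict:
    # Both modes send with the lowest-numbered key in the chain.
    key_id = min(chain)
    if mode == "text":
        # No Key-ID on the wire; the key-string itself travels in the packet.
        return {"mode": "text", "payload": payload, "auth": chain[key_id]}
    return {"mode": "md5", "payload": payload, "key_id": key_id,
            "auth": digest(payload, chain[key_id])}


def accept(chain: dict, pkt: dict) -> bool:
    if pkt["mode"] == "text":
        # Any key in the chain with the same key-string authenticates.
        return pkt["auth"] in chain.values()
    lowest = min(chain)
    if pkt["key_id"] <= lowest:
        # Equal or lower Key-ID: verified with the receiver's lowest key.
        candidate = chain[lowest]
    elif pkt["key_id"] in chain:
        # Higher Key-ID: the receiver must hold a key with that exact ID.
        candidate = chain[pkt["key_id"]]
    else:
        return False
    return hmac.compare_digest(digest(pkt["payload"], candidate), pkt["auth"])


def adjacency(a: dict, b: dict, mode: str) -> tuple:
    # Returns (a accepts b's updates, b accepts a's updates).
    return accept(a, send(b, mode)), accept(b, send(a, mode))


if __name__ == "__main__":
    print("text:", adjacency(R1, R2, "text"))
    print("md5:", adjacency(R1, R2, "md5"))
    print("md5, key 10 added on R1:", adjacency({**R1, 10: "Cisc0123"}, R2, "md5"))
```

The MD5 run reproduces the one-way result in the post's debug output (R1 ignores R2's update with "invalid authentication" while R2 accepts R1's), so checking both routers' debug or route tables is needed to confirm the adjacency works in both directions.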
Posted on 2020-2-4 11:40:51
Thanks to the original poster for sharing, thank you~
Posted on 2020-2-4 16:29:15
Some training institutions have forgotten their "original aspiration" - 乾颐堂
http://bbs.csc-china.com.cn/foru ... 1&fromuid=97270
(Source: Cisco Community)
Posted on 2020-4-11 09:54:54
MD5 authentication is rather complicated.