2486 views · 0 helpful · 3 comments
碧云天 (Spotlight)
This post was last edited by 碧云天 on 2020-2-3 22:03
I. Test topology

[Topology diagram 214653hmjfm88osuajziwv.png not preserved. From the configuration below: R1 (Loopback0 1.1.1.1/24, FastEthernet0/0 12.1.1.1/24) is directly connected to R2 (FastEthernet0/0 12.1.1.2/24, Loopback0 2.2.2.2/24).]

Test summary:
1. Plaintext authentication

  • Plaintext authentication does not compare the Key-ID in the key chain; the packet carries no Key-ID at all.
  • When sending, the router uses only the key-string of the lowest-numbered key in the chain.
  • When receiving, the router compares the received string against each key in the chain in turn; if any key-string matches, authentication passes.
2. MD5 authentication

  • MD5 authentication packets carry a Key-ID.
  • Both sides send using the lowest Key-ID in their key chain.
  • On receipt, if the two sides' lowest Key-IDs are the same and the Key-Strings are also the same, authentication passes.
  • On receipt, if the peer's Key-ID is lower than the lowest Key-ID in the local key chain but the Key-Strings are the same, authentication passes.
  • On receipt, if the peer's Key-ID is higher than the lowest Key-ID in the local key chain, the local chain must contain a key with the same Key-ID and Key-String as the peer's; otherwise authentication fails.
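The matching rules summarised above, as an added Python model that is not part of the original post and is not Cisco IOS code: each router's key chain is a dict of Key-ID to key-string, both modes send with the lowest Key-ID, and MD5 digest verification is abstracted as key-string equality. The function and constant names are this example's own, and the rule for a peer Key-ID lower than the local lowest is read here as a comparison against the local lowest key-string (an assumption that the R2 result in the MD5 test supports). Running it reproduces all four outcomes of the tests on this page: both plaintext cases pass in both directions, the first MD5 case fails only in the R1 direction, and adding key 10 on R1 repairs it.

```python
"""Model of the RIPv2 key-chain matching rules observed in the tests on this
page (added example; the names and simplifications are this example's own).

A key chain is a dict mapping Key-ID -> key-string.  "text" models
'ip rip authentication mode text', "md5" models 'mode md5'.  MD5 digest
verification is abstracted as key-string equality: two routers whose selected
key-strings are equal would compute and verify the same digest.
"""

KeyChain = dict[int, str]


def sending_key(chain: KeyChain) -> tuple[int, str]:
    """Both modes send with the lowest Key-ID in the chain."""
    kid = min(chain)
    return kid, chain[kid]


def accepts_text(local: KeyChain, received_string: str) -> bool:
    """Plaintext mode: no Key-ID on the wire, so the received string is
    compared against every key-string in the chain and any match passes."""
    return received_string in local.values()


def accepts_md5(local: KeyChain, peer_kid: int, peer_string: str) -> bool:
    """MD5 mode: the packet carries the peer's Key-ID and the outcome depends
    on how it compares with the lowest local Key-ID."""
    lowest = min(local)
    if peer_kid <= lowest:
        # Equal: the two lowest keys must carry the same key-string.
        # Lower: the page's "key-strings are the same" is read (assumption)
        # as a comparison against the local lowest key-string.
        return local[lowest] == peer_string
    # Peer Key-ID higher than the local lowest: the local chain needs a key
    # with exactly that Key-ID and the same key-string.
    return local.get(peer_kid) == peer_string


def exchange(mode: str, chain_a: KeyChain, chain_b: KeyChain) -> tuple[bool, bool]:
    """Return (A accepts B's updates, B accepts A's updates)."""
    kid_a, str_a = sending_key(chain_a)
    kid_b, str_b = sending_key(chain_b)
    if mode == "text":
        return accepts_text(chain_a, str_b), accepts_text(chain_b, str_a)
    if mode == "md5":
        return accepts_md5(chain_a, kid_b, str_b), accepts_md5(chain_b, kid_a, str_a)
    raise ValueError(f"unknown mode {mode!r}")


# Key chains exactly as configured in the tests on this page.
R1_TEST1 = {1: "Cisc0123", 2: "123"}
R2_TEST1 = {10: "Cisc0123", 11: "345"}
R1_TEST2 = {1: "123", 2: "Cisc0123"}
R2_TEST2 = {10: "Cisc0123", 11: "123"}
R1_WITH_KEY10 = {1: "Cisc0123", 2: "123", 10: "Cisc0123"}  # R1 after adding key 10


def run_scenarios() -> dict[str, tuple[bool, bool]]:
    """Map scenario name -> (R1 accepts R2, R2 accepts R1)."""
    return {
        "text: lowest strings equal": exchange("text", R1_TEST1, R2_TEST1),
        "text: later key matches": exchange("text", R1_TEST2, R2_TEST2),
        "md5: R1 lacks key 10": exchange("md5", R1_TEST1, R2_TEST1),
        "md5: R1 has key 10": exchange("md5", R1_WITH_KEY10, R2_TEST1),
    }


if __name__ == "__main__":
    for name, (r1_ok, r2_ok) in run_scenarios().items():
        print(f"{name:28s}  R1 accepts R2: {r1_ok!s:5s}  R2 accepts R1: {r2_ok}")
```

The practical caveat the model makes visible is the asymmetry of the MD5 case: when a key-chain change leaves the two neighbours with different lowest Key-IDs, the adjacency breaks in one direction only, and the debug output on the side that still accepts looks perfectly healthy, so both ends need to be checked. Plaintext mode never shows this failure because it accepts any key-string anywhere in the chain, which is also why it is the weaker mode.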
II. Basic configuration
1. R1 router

hostname R1
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
interface FastEthernet0/0
 ip address 12.1.1.1 255.255.255.0
 no shutdown
router rip
 version 2
 network 1.0.0.0
 network 12.0.0.0
 no auto-summary
2. R2 router
hostname R2
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
interface FastEthernet0/0
 ip address 12.1.1.2 255.255.255.0
 no shutdown
router rip
 version 2
 network 2.0.0.0
 network 12.0.0.0
 no auto-summary
III. Plaintext authentication test
1. The two key chains have different lowest Key-IDs, but the Key-Strings of the lowest Key-IDs are the same
① R1 router

key chain R1
 key 1
  key-string Cisc0123
 key 2
  key-string 123
interface FastEthernet0/0
 ip rip authentication key-chain R1
 ip rip authentication mode text
② R2 router
key chain R2
 key 10
  key-string Cisc0123
 key 11
  key-string 345
interface FastEthernet0/0
 ip rip authentication key-chain R2
 ip rip authentication mode text
③ R1's debug output shows the peer's plaintext password, and the packet was not rejected
R1#debug ip rip
RIP protocol debugging is on
R1#
*Feb 3 12:56:59.171: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (12.1.1.1)
*Feb 3 12:56:59.171: RIP: build update entries
*Feb 3 12:56:59.171: 1.1.1.0/24 via 0.0.0.0, metric 1, tag 0
*Feb 3 12:57:08.919: RIP: received packet with text authentication Cisc0123
*Feb 3 12:57:08.919: RIP: received v2 update from 12.1.1.2 on FastEthernet0/0
*Feb 3 12:57:08.923: 2.2.2.0/24 via 0.0.0.0 in 1 hops
*Feb 3 12:57:18.379: RIP: sending v2 update to 224.0.0.9 via Loopback0 (1.1.1.1)
*Feb 3 12:57:18.379: RIP: build update entries
*Feb 3 12:57:18.379: 2.2.2.0/24 via 0.0.0.0, metric 2, tag 0
*Feb 3 12:57:18.379: 12.1.1.0/24 via 0.0.0.0, metric 1, tag 0
*Feb 3 12:57:18.379: RIP: ignored v2 packet from 1.1.1.1 (sourced from one of our addresses)
④ After R1's routing table is cleared, it still learns R2's routes via RIP
R1#clear ip route *
R1#show ip route rip | begin Gate
Gateway of last resort is not set
2.0.0.0/24 is subnetted, 1 subnets
R 2.2.2.0 [120/1] via 12.1.1.2, 00:00:17, FastEthernet0/0
R1#
2. The two key chains have different lowest Key-IDs and the Key-Strings of the lowest Key-IDs also differ, but a later key in each chain has the same Key-String as the peer's lowest Key-ID
① R1 router
key chain R1
 key 1
  key-string 123
 key 2
  key-string Cisc0123
interface FastEthernet0/0
 ip rip authentication key-chain R1
 ip rip authentication mode text
② R2 router
key chain R2
 key 10
  key-string Cisc0123
 key 11
  key-string 123
interface FastEthernet0/0
 ip rip authentication key-chain R2
 ip rip authentication mode text
③ R1's debug output shows the peer's plaintext password, and the packet was not rejected
R1#debug ip rip
RIP protocol debugging is on
*Feb 3 13:03:55.955: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (12.1.1.1)
*Feb 3 13:03:55.955: RIP: build update entries
*Feb 3 13:03:55.955: 1.1.1.0/24 via 0.0.0.0, metric 1, tag 0
*Feb 3 13:03:56.839: RIP: received packet with text authentication Cisc0123
*Feb 3 13:03:56.839: RIP: received v2 update from 12.1.1.2 on FastEthernet0/0
*Feb 3 13:03:56.839: 2.2.2.0/24 via 0.0.0.0 in 1 hops
*Feb 3 13:04:07.931: RIP: sending v2 update to 224.0.0.9 via Loopback0 (1.1.1.1)
*Feb 3 13:04:07.931: RIP: build update entries
*Feb 3 13:04:07.931: 2.2.2.0/24 via 0.0.0.0, metric 2, tag 0
*Feb 3 13:04:07.931: 12.1.1.0/24 via 0.0.0.0, metric 1, tag 0
*Feb 3 12:57:18.379: RIP: ignored v2 packet from 1.1.1.1 (sourced from one of our addresses)
④ R2's debug output shows that the peer's plaintext password is different, yet the packet was still not rejected
R2#debug ip rip
RIP protocol debugging is on
R2#
*Feb 3 13:05:47.711: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (12.1.1.2)
*Feb 3 13:05:47.711: RIP: build update entries
*Feb 3 13:05:47.711: 2.2.2.0/24 via 0.0.0.0, metric 1, tag 0
*Feb 3 13:05:49.635: RIP: received packet with text authentication 123
*Feb 3 13:05:49.639: RIP: received v2 update from 12.1.1.1 on FastEthernet0/0
*Feb 3 13:05:49.639: 1.1.1.0/24 via 0.0.0.0 in 1 hops
⑤ After R1's routing table is cleared, it still learns R2's routes via RIP
R1#clear ip route *
R1#show ip route rip | begin Gate
Gateway of last resort is not set
2.0.0.0/24 is subnetted, 1 subnets
R 2.2.2.0 [120/1] via 12.1.1.2, 00:00:06, FastEthernet0/0
R1#
IV. MD5 authentication test
1. The two key chains have different lowest Key-IDs, but the Key-Strings of the lowest Key-IDs are the same
① R1 router

key chain R1
 key 1
  key-string Cisc0123
 key 2
  key-string 123
interface FastEthernet0/0
 ip rip authentication key-chain R1
 ip rip authentication mode md5
② R2 router
key chain R2
 key 10
  key-string Cisc0123
 key 11
  key-string 345
interface FastEthernet0/0
 ip rip authentication key-chain R2
 ip rip authentication mode md5
③ R1's debug output shows the peer is using MD5 authentication, but R1 rejected the packet
R1(config-if)#
R1(config-if)#
*Feb 3 13:29:45.195: RIP: sending v2 update to 224.0.0.9 via Loopback0 (1.1.1.1)
*Feb 3 13:29:45.195: RIP: build update entries
*Feb 3 13:29:45.195: 2.2.2.0/24 via 0.0.0.0, metric 2, tag 0
*Feb 3 13:29:45.195: 12.1.1.0/24 via 0.0.0.0, metric 1, tag 0
*Feb 3 13:29:45.195: RIP: ignored v2 packet from 1.1.1.1 (sourced from one of our addresses)
*Feb 3 13:29:50.267: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (12.1.1.1)
*Feb 3 13:29:50.267: RIP: build update entries
*Feb 3 13:29:50.267: 1.1.1.0/24 via 0.0.0.0, metric 1, tag 0
*Feb 3 13:30:01.391: RIP: received packet with MD5 authentication
*Feb 3 13:30:01.391: RIP: ignored v2 packet from 12.1.1.2 (invalid authentication)
④ R2's debug output, however, shows that R2 did not reject R1's packets
R2#debug ip rip
RIP protocol debugging is on
*Feb 3 13:29:08.803: RIP: received packet with MD5 authentication
*Feb 3 13:29:08.803: RIP: received v2 update from 12.1.1.1 on FastEthernet0/0
*Feb 3 13:29:08.803: 1.1.1.0/24 via 0.0.0.0 in 1 hops
*Feb 3 13:29:20.031: RIP: sending v2 update to 224.0.0.9 via Loopback0 (2.2.2.2)
*Feb 3 13:29:20.031: RIP: build update entries
*Feb 3 13:29:20.031: 1.1.1.0/24 via 0.0.0.0, metric 2, tag 0
*Feb 3 13:29:20.031: 12.1.1.0/24 via 0.0.0.0, metric 1, tag 0
*Feb 3 13:29:20.031: RIP: ignored v2 packet from 2.2.2.2 (sourced from one of our addresses)
*Feb 3 13:29:21.043: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (12.1.1.2)
*Feb 3 13:29:21.043: RIP: build update entries
*Feb 3 13:29:21.043: 2.2.2.0/24 via 0.0.0.0, metric 1, tag 0
*Feb 3 13:29:35.119: RIP: received packet with MD5 authentication
*Feb 3 13:29:35.119: RIP: received v2 update from 12.1.1.1 on FastEthernet0/0
*Feb 3 13:29:35.119: 1.1.1.0/24 via 0.0.0.0 in 1 hops
⑤ R2 learns R1's route via RIP
R2#clear ip route *
R2#show ip route
R2#show ip route rip | begin Gate
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
R 1.1.1.0 [120/1] via 12.1.1.1, 00:00:03, FastEthernet0/0
R2#

2. Add to R1 a key with the same Key-ID as the peer's lowest key
① R1 router
key chain R1
 key 1
  key-string Cisc0123
 key 2
  key-string 123
 key 10
  key-string Cisc0123
② The debug log shows that R1 now receives RIP updates normally
R1#debug ip rip
RIP protocol debugging is on
*Feb 3 13:40:14.171: RIP: received packet with MD5 authentication
*Feb 3 13:40:14.171: RIP: received v2 update from 12.1.1.2 on FastEthernet0/0
*Feb 3 13:40:14.171: 2.2.2.0/24 via 0.0.0.0 in 1 hops
*Feb 3 13:40:16.175: RIP: sending v2 flash update to 224.0.0.9 via Loopback0 (1.1.1.1)
*Feb 3 13:40:16.175: RIP: build flash update entries
*Feb 3 13:40:16.175: 2.2.2.0/24 via 0.0.0.0, metric 2, tag 0
③ After R1's routing table is cleared, it still learns R2's routes via RIP
R1#clear ip route *
R1#show ip route rip | begin Gate
Gateway of last resort is not set
2.0.0.0/24 is subnetted, 1 subnets
R 2.2.2.0 [120/1] via 12.1.1.2, 00:00:10, FastEthernet0/0
R1#show ip route rip | begin Gate
Gateway of last resort is not set
2.0.0.0/24 is subnetted, 1 subnets
R 2.2.2.0 [120/1] via 12.1.1.2, 00:00:10, FastEthernet0/0
R1#
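The debug outputs above contain the two facts a defender wants to pull out of `debug ip rip` when auditing RIP authentication: which neighbours are still authenticating in plaintext (their password is printed in clear in the log, so the log itself becomes sensitive) and which MD5 packets were dropped as "invalid authentication" (the Key-ID mismatch demonstrated in the MD5 test). As an added example that is not part of the original post, the Python below pairs each "received packet with ... authentication" line with the accept or reject line that follows it; the sample lines are copied from the outputs on this page, and the function names are this example's own.

```python
import re

# Debug lines copied from the R1 and R2 'debug ip rip' outputs on this page.
SAMPLE_DEBUG = """\
*Feb 3 12:57:08.919: RIP: received packet with text authentication Cisc0123
*Feb 3 12:57:08.919: RIP: received v2 update from 12.1.1.2 on FastEthernet0/0
*Feb 3 12:57:18.379: RIP: ignored v2 packet from 1.1.1.1 (sourced from one of our addresses)
*Feb 3 13:05:49.635: RIP: received packet with text authentication 123
*Feb 3 13:05:49.639: RIP: received v2 update from 12.1.1.1 on FastEthernet0/0
*Feb 3 13:30:01.391: RIP: received packet with MD5 authentication
*Feb 3 13:30:01.391: RIP: ignored v2 packet from 12.1.1.2 (invalid authentication)
*Feb 3 13:40:14.171: RIP: received packet with MD5 authentication
*Feb 3 13:40:14.171: RIP: received v2 update from 12.1.1.2 on FastEthernet0/0
"""

TEXT_AUTH = re.compile(r"RIP: received packet with text authentication (\S+)")
MD5_AUTH = re.compile(r"RIP: received packet with MD5 authentication")
ACCEPTED = re.compile(r"RIP: received v2 update from (\S+) on (\S+)")
REJECTED = re.compile(r"RIP: ignored v2 packet from (\S+) \((.+)\)")


def summarize(debug_text: str) -> list[dict]:
    """Pair each 'received packet with ... authentication' line with the
    accept/reject line that follows it and return one event per packet.
    The plaintext password itself is deliberately not copied into the event;
    only the fact that the log exposed it is recorded."""
    events = []
    pending = None  # (mode, password_exposed) for the packet being processed
    for line in debug_text.splitlines():
        if TEXT_AUTH.search(line):
            pending = ("text", True)
            continue
        if MD5_AUTH.search(line):
            pending = ("md5", False)
            continue
        if pending is None:
            continue  # e.g. 'sourced from one of our addresses': no auth line before it
        m = ACCEPTED.search(line)
        if m:
            events.append({"peer": m.group(1), "interface": m.group(2), "mode": pending[0],
                           "result": "accepted", "reason": None, "password_exposed": pending[1]})
            pending = None
            continue
        m = REJECTED.search(line)
        if m:
            events.append({"peer": m.group(1), "interface": None, "mode": pending[0],
                           "result": "rejected", "reason": m.group(2), "password_exposed": pending[1]})
            pending = None
    return events


def findings(events: list[dict]) -> dict:
    """Roll the events up into the two conditions worth alerting on."""
    return {
        "plaintext_peers": sorted({e["peer"] for e in events if e["mode"] == "text"}),
        "md5_rejections": [(e["peer"], e["reason"]) for e in events
                           if e["mode"] == "md5" and e["result"] == "rejected"],
    }


if __name__ == "__main__":
    ev = summarize(SAMPLE_DEBUG)
    for e in ev:
        print(e)
    print(findings(ev))
```

On the sample lines this reports both 12.1.1.1 and 12.1.1.2 as plaintext peers and one MD5 rejection from 12.1.1.2 with reason "invalid authentication", which is the one-directional failure seen in the MD5 test before key 10 was added on R1.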
Comments

one-time (Level 13)
Thanks for sharing, OP, thank you~

lswtochinapt (Level 1)
Some training institutions have forgotten their "original intention" - 乾颐堂
http://bbs.csc-china.com.cn/forum.php?mod=viewthread&tid=990501&fromuid=97270
(Source: Cisco Community)

likuo (Spotlight)
MD5 authentication is rather complicated.