Section 28.1.4, Section 28.1.3 – Westermo RedFox Series User Manual

Westermo OS Management Guide
Version 4.17.0-0
You can also let a RIP router inject a default route (0.0.0.0/0) into your RIP domain,
using the "distribute-default" setting.
28.1.3 Authentication
To prevent false routing information from being injected into your network
(deliberately or by mistake), it is possible to authenticate RIPv2 messages.
Two authentication alternatives are available:
• Plain: Plain text authentication protects against the situation where careless
users attach a RIP router to your network by mistake. However, since the
password is sent in plain text inside the RIP messages, it does not prevent a
deliberate attacker from injecting routing information into your network.
Plain text secrets are text strings of 4-16 characters.
• MD5: With MD5 authentication, each RIP message includes a cryptographic
checksum, i.e., a message authentication code (MAC), based on a secret known
only to the system administrator. MD5 secrets are text strings of 4-32
characters.
Authentication of RIP messages is configured per network interface, and is
disabled by default.
Use of MD5 authentication is recommended. When using MD5 authentication,
an associated key identifier must be specified. The purpose of the key identifier
is to enable use of multiple MD5 keys in parallel when performing key roll-over.
However, as of WeOS version v4.17.0 only a single RIP secret per interface is
supported.
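The difference between the two alternatives, as an added example that is not taken from the Westermo manual or from WeOS: a Python check that classifies a RIPv2 message as unauthenticated, plain or MD5 and verifies the MD5 checksum. It assumes the RFC 2082 keyed-MD5 message layout and a secret of at most 16 characters that is zero-padded to the 16-byte key; the function names, secrets and sample messages are constructed for illustration.

```python
import hashlib
import hmac
import struct

AUTH_AFI = 0xFFFF                 # address family that marks an authentication entry
PLAIN, KEYED_MD5 = 2, 3           # RIPv2 authentication types
TRAILER = b"\xff\xff\x00\x01"     # precedes the 16-byte digest (RFC 2082)
HEADER = b"\x02\x02\x00\x00"      # command=response, version=2
# Constructed sample route entry: 10.0.3.0/24, metric 1
ROUTE = struct.pack("!HH4s4s4sI", 2, 0, bytes([10, 0, 3, 0]),
                    bytes([255, 255, 255, 0]), bytes(4), 1)
# Constructed sample message using plain authentication
PLAIN_MSG = HEADER + struct.pack("!HH16s", AUTH_AFI, PLAIN, b"lab-secret") + ROUTE


def pad_key(secret: str) -> bytes:
    """Assumption: the secret is zero-padded to the 16-byte RFC 2082 key."""
    raw = secret.encode("ascii")
    if not 4 <= len(raw) <= 16:
        raise ValueError("this example handles secrets of 4-16 characters")
    return raw.ljust(16, b"\x00")


def build_md5_message(routes: bytes, secret: str, key_id: int, seq: int) -> bytes:
    """Build a constructed RIPv2 response protected by keyed MD5."""
    length = 4 + 20 + len(routes)          # header + authentication entry + routes
    auth = struct.pack("!HHHBBI8x", AUTH_AFI, KEYED_MD5, length, key_id, 16, seq)
    body = HEADER + auth + routes + TRAILER
    return body + hashlib.md5(body + pad_key(secret)).digest()


def audit(msg: bytes, secret: str) -> str:
    """Report how a received RIPv2 message is authenticated."""
    if len(msg) < 24 or msg[1] != 2:
        return "malformed"
    afi, auth_type = struct.unpack_from("!HH", msg, 4)
    if afi != AUTH_AFI:
        return "unauthenticated"
    if auth_type == PLAIN:
        return "plain: secret travels in the message"
    length, key_id, auth_len = struct.unpack_from("!HBB", msg, 8)
    if auth_type != KEYED_MD5 or auth_len != 16 or len(msg) != length + 20:
        return "malformed"
    body, digest = msg[:length + 4], msg[length + 4:]
    if not body.endswith(TRAILER):
        return "malformed"
    expected = hashlib.md5(body + pad_key(secret)).digest()
    ok = hmac.compare_digest(digest, expected)
    return f"md5 key {key_id}: " + ("valid" if ok else "invalid")
```

A message whose route entry is altered after the checksum was computed, or that was built with a different secret, is reported as invalid, while the plain variant is only recognised by the password field it carries.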
28.1.4 Passive interface
In some situations you may wish to include a router's subnets as part of the RIP
routing domain without running RIP on the associated network interface. To
accomplish this the network should be defined in the router rip context (as usual),
and the related interface should be declared as passive in the interface rip
context. Below is an example where network 10.0.3.0/24 should be included in the
RIP domain, but where the associated interface (vlan3) is declared as passive.
© 2015 Westermo Teleindustri AB