AR500, AR510, AR531, AR550, AR1500, and AR2500 Security Hardening And Maintenance Guide

This document provides guidance for strengthening network and device security in terms of network security risks, security architecture, and security hardening policies. It also provides guidance for routine maintenance of device security in terms of the management, control, and forwarding planes.
RIP/RIPng

Security Policy

The rapid development of networks poses requirements for higher network security. Routing protocol packets that are transmitted on networks may be intercepted, changed, or forged, and packet attacks may cause network interruption. Therefore, packets need to be protected.

  • Security mechanism of protocol

    RIP/RIPng supports the following security policies at the protocol level.

    • TTL/Hop Limit Mechanism:

      A RIP/RIPng packet is only ever meant to travel one hop from its originator. Therefore, when sending a RIP/RIPng packet on a broadcast or multicast network (unicast peers excepted), RIP/RIPng sets the TTL/Hop Limit value to 1.

    • Authentication Support:

      RIP version 2 supports authentication to avoid accepting bad routing data, erroneous packets, and replayed packets from the network.

    • Routing Restriction:

      RIP/RIPng supports limiting the number of routes added to the RIP/RIPng database for each RIP/RIPng process, so that the amount of route information can be bounded according to device capacity.

  • Handling policy for massive and error packet attacks

    RIP uses its route security policy to withstand attacks that use a large number of erroneous packets.

  • Other policies

    From the system perspective, the system supports a per-interface control-plane policy (CP-CAR) that defines the bandwidth allowed for RIP packets received from a new source.

Attack Modes

  • Injection of massive route information

    RIP is available on all levels of devices. The number of routes supported by a RIP/RIPng process depends on the CPU and memory available on the device. If the number of routes received exceeds the device capacity, CPU and memory usage rise, which may make the device unstable. To avoid this instability, RIP/RIPng allows the maximum number of supported routes to be set using PAF.

  • Injection of bad routing information

    RIP/RIPng accepts any packet whose source address is valid and matches the configured networks. RIP carries direct route data in its RIP/RIPng packets, so an attacker may inject invalid or wrong route information in the route data of a RIP/RIPng packet. With such information the calculated routing database is no longer correct, which can cause network failures.

    If authentication is configured on the RIP interfaces on both sides, RIP accepts a packet only if it passes authentication, so routes from unauthenticated peers are not accepted.

  • Replay attacks

    RIP supports a sequence number in MD5-authenticated packets to prevent replay attacks from the network.
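The protections described in the two sections above (TTL/Hop Limit of 1, RIPv2 authentication, sequence-number replay rejection and a per-process route limit) can be exercised end to end with the following constructed Python receiver. This is an added example written for this page, not Huawei code: the packet layouts follow RFC 2453 (simple authentication) and RFC 2082 (keyed MD5); the `RipReceiver` class, the `max_routes` value standing in for the device's PAF limit, and all addresses, keys and sequence numbers are assumptions, and the TTL is passed in as a parameter rather than read from a real IP header.

```python
"""Constructed RIPv2 receiver (added example, not Huawei code).

Shows the receive-side checks a hardened RIP process applies: TTL/hop check,
RFC 2453 simple and RFC 2082 keyed-MD5 authentication, sequence-number replay
rejection, and a per-process route limit (max_routes stands in for the PAF value).
"""
import hashlib
import hmac
import ipaddress
import struct

RIP_HEADER = struct.pack("!BBH", 2, 2, 0)   # command=Response, version=2, must-be-zero
AUTH_TRAILER, AUTH_SIMPLE, AUTH_MD5 = 1, 2, 3  # auth-type values used in the AFI 0xFFFF entry
RTE_LEN = 20


def rte(prefix, mask, nexthop, metric, tag=0):
    """One 20-byte RIPv2 route entry (AFI 2 = IPv4)."""
    def pack(addr):
        return ipaddress.IPv4Address(addr).packed
    return struct.pack("!HH4s4s4sI", 2, tag, pack(prefix), pack(mask), pack(nexthop), metric)


def build_simple(routes, password):
    """RFC 2453 simple authentication: the password travels in clear text (zero padded)."""
    auth = struct.pack("!HH16s", 0xFFFF, AUTH_SIMPLE, password.encode())
    return RIP_HEADER + auth + b"".join(routes)


def build_md5(routes, key, key_id, seq):
    """RFC 2082 keyed MD5: MD5 over the packet with the (zero-padded) key in the trailer."""
    body = b"".join(routes)
    pkt_len = len(RIP_HEADER) + RTE_LEN + len(body)      # offset of the authentication trailer
    auth_hdr = struct.pack("!HHHBBI8x", 0xFFFF, AUTH_MD5, pkt_len, key_id, 16, seq)
    trailer = struct.pack("!HH", 0xFFFF, AUTH_TRAILER)
    unsigned = RIP_HEADER + auth_hdr + body + trailer
    digest = hashlib.md5(unsigned + key.encode().ljust(16, b"\0")).digest()
    return unsigned + digest


def password_from_wire(pkt):
    """What an on-path observer reads out of a simple-authenticated packet."""
    afi, atype, pw = struct.unpack_from("!HH16s", pkt, 4)
    return pw.rstrip(b"\0").decode() if (afi, atype) == (0xFFFF, AUTH_SIMPLE) else None


class RipReceiver:
    """Receive policy; auth is None, ("simple", password) or ("md5", key, key_id)."""

    def __init__(self, auth=None, max_routes=4):
        self.auth = auth
        self.max_routes = max_routes   # constructed stand-in for the device's PAF route limit
        self.last_seq = {}             # source -> last accepted MD5 sequence number
        self.routes = {}               # (prefix, mask) -> (nexthop, metric)

    def accept(self, src, ttl, pkt):
        """Return (accepted, reason, routes_installed) for one received packet."""
        if ttl != 1:
            return False, "ttl must be 1: RIP only talks to directly attached neighbours", 0
        if len(pkt) < 4 or pkt[1] != 2:
            return False, "not a RIPv2 packet", 0
        start, end = 4, len(pkt)
        afi, atype = struct.unpack_from("!HH", pkt, 4) if len(pkt) >= 8 else (0, 0)
        if self.auth is None:
            if afi == 0xFFFF:
                return False, "authenticated packet on unauthenticated interface", 0
        elif self.auth[0] == "simple":
            if (afi, atype) != (0xFFFF, AUTH_SIMPLE):
                return False, "missing simple authentication entry", 0
            if not hmac.compare_digest(pkt[8:24], self.auth[1].encode().ljust(16, b"\0")):
                return False, "bad password", 0
            start = 24
        else:
            if (afi, atype) != (0xFFFF, AUTH_MD5):
                return False, "missing MD5 authentication entry", 0
            pkt_len, key_id, auth_len, seq = struct.unpack_from("!HBBI", pkt, 8)
            if key_id != self.auth[2] or auth_len != 16 or pkt_len + 20 != len(pkt):
                return False, "malformed MD5 authentication header", 0
            if pkt[pkt_len:pkt_len + 4] != struct.pack("!HH", 0xFFFF, AUTH_TRAILER):
                return False, "missing authentication trailer", 0
            keyed = pkt[:pkt_len + 4] + self.auth[1].encode().ljust(16, b"\0")
            if not hmac.compare_digest(hashlib.md5(keyed).digest(), pkt[pkt_len + 4:]):
                return False, "bad MD5 digest", 0
            # Replay protection: the sequence number must advance per neighbour
            # (the RFC 2082 restart-to-zero allowance is omitted in this example).
            if seq <= self.last_seq.get(src, -1):
                return False, "replayed or stale sequence number", 0
            self.last_seq[src] = seq
            start, end = 24, pkt_len
        installed = 0
        for off in range(start, end, RTE_LEN):
            _afi, _tag, prefix, mask, nexthop, metric = struct.unpack_from("!HH4s4s4sI", pkt, off)
            key = (str(ipaddress.IPv4Address(prefix)), str(ipaddress.IPv4Address(mask)))
            if key not in self.routes and len(self.routes) >= self.max_routes:
                break   # route limit reached: drop the remainder, keep the device stable
            self.routes[key] = (str(ipaddress.IPv4Address(nexthop)), metric)
            installed += 1
        return True, "ok", installed


if __name__ == "__main__":
    # Constructed sample: one authenticated update, then the same bytes replayed.
    update = build_md5([rte("10.1.1.0", "255.255.255.0", "0.0.0.0", 1)], "huawei", 1, 100)
    rx = RipReceiver(auth=("md5", "huawei", 1))
    print(rx.accept("192.0.2.1", 1, update))   # accepted
    print(rx.accept("192.0.2.1", 1, update))   # rejected as a replay
    print(password_from_wire(build_simple([], "abc")))  # "abc": readable on the wire
```

`password_from_wire` makes the simple-authentication weakness concrete: the key is a fixed 16-byte field that any on-path observer can read, whereas a keyed-MD5 packet exposes only a digest, and a replayed copy of it is refused once the neighbour's sequence number has moved on. The route-limit branch accepts the packet but installs only as many new prefixes as the limit allows, which is the behaviour the text asks for when the received route count exceeds device capacity.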

Configuration and Maintenance Methods

  • RIP authentication support

  • Introduction

    RIPv2 can authenticate protocol packets and provides two authentication modes to enhance security:

    • Simple authentication

    • Message Digest 5 (MD5) authentication

    In simple authentication mode, the key is sent as plain text in every RIPv2 packet. Therefore, simple authentication does not guarantee security and cannot meet high security requirements.

  • Command format

    rip authentication-mode simple { plain plain-text | [ cipher ] password-key }

    rip authentication-mode md5 usual { plain plain-text | [ cipher ] password-key }

    rip authentication-mode md5 nonstandard { keychain keychain-name | { plain plain-text | [ cipher ] password-key } key-id }

    undo rip authentication-mode

  • Configuration examples

    # Set the authentication key to "huawei" in simple authentication.

    <Huawei> system-view
    [Huawei] interface gigabitethernet 1/0/1
    [Huawei-gigabitethernet 1/0/1] rip authentication-mode simple huawei
    [Huawei-gigabitethernet 1/0/1] display this
    #
    interface gigabitethernet 1/0/1
     undo shutdown
     rip authentication-mode simple cipher %$%$1_-hJX3nbJj37FJF,rGU@aXO%$%$
    #
    return

    # Set the authentication text to "abc" in simple authentication with the plain option.

    <Huawei> system-view
    [Huawei] interface gigabitethernet 1/0/1
    [Huawei-gigabitethernet 1/0/1] rip authentication-mode simple plain abc
    [Huawei-gigabitethernet 1/0/1] display this
    #
    interface gigabitethernet 1/0/1
     undo shutdown
     rip authentication-mode simple plain abc
    #
    return

    # Set the authentication text to cipher text in md5 usual authentication with the cipher option.

    <Huawei> system-view
    Enter system view, return user view with Ctrl+Z.
    [Huawei] interface gigabitethernet 1/0/1
    [Huawei-gigabitethernet 1/0/1] rip authentication-mode md5 usual cipher %$%$1_-hJX3nbJj37FJF,rGU@aXO%$%$
    [Huawei-gigabitethernet 1/0/1] display this
    #
    interface gigabitethernet 1/0/1
     undo shutdown
     rip authentication-mode md5 usual cipher %$%$1_-hJX3nbJj37FJF,rGU@aXO%$%$
    #
    return

    # Set the authentication text to "xyz" in md5 nonstandard authentication mode with the plain option and key-id 12.

    <Huawei> system-view
    Enter system view, return user view with Ctrl+Z.
    [Huawei] interface gigabitethernet 1/0/1
    [Huawei-gigabitethernet 1/0/1] rip authentication-mode md5 nonstandard plain xyz 12
    [Huawei-gigabitethernet 1/0/1] display this
    #
    interface gigabitethernet 1/0/1
     undo shutdown
     rip authentication-mode md5 nonstandard plain xyz 12
    #
    return

    # Set the authentication text to "huawei" in md5 nonstandard authentication mode with the keychain option.

    <Huawei> system-view
    Enter system view, return user view with Ctrl+Z.
    [Huawei] interface gigabitethernet 1/0/1
    [Huawei-gigabitethernet 1/0/1] rip authentication-mode md5 nonstandard keychain huawei
    [Huawei-gigabitethernet 1/0/1] display this
    #
    interface gigabitethernet 1/0/1
     undo shutdown
     rip authentication-mode md5 nonstandard keychain huawei
    #
    return

  • RIP/RIPng interface security

    No specific configuration from RIP/RIPng feature.

  • RIP/RIPng routing restriction

    The number of routes supported by a RIP/RIPng process can be set using PAF; RIP/RIPng has a PAF entry that sets the maximum number of supported routes.

Configuration and Maintenance Suggestions

  • RIP authentication support

    In MD5 authentication, usual authentication is the Huawei-supported mode based on RFC 2082: the RIP packet carries a checksum (digest) in the authentication RTE instead of the password key itself. Nonstandard authentication is based on RFC 2453 and uses the same packet format as described in that RFC (only the MD5 algorithm is supported).

    Configuring keychain authentication improves the security of the RIP connection. Keychain authentication must be configured on both ends of the link, and the encryption algorithms and passwords configured for keychain authentication on both peers must be the same; otherwise, the connection cannot be established between the RIP peers and RIP messages cannot be transmitted.

  • RIP/RIPng interface security

    No specific configuration suggestion from RIP/RIPng feature.

  • RIP/RIPng routing restriction

    The maximum number of supported routes should be set based on the device's usage scope, capacity, and supported CP-CAR values.

Updated: 2019-05-06

Document ID: EDOC1000097300