RIP-for-IP security

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In addition to the security steps listed in Static routing security, you can enhance RIP-for-IP security through:

  • RIP version 2 authentication

  • Peer security

  • Route filters

  • Neighbors

RIP version 2 authentication

To prevent the corruption of RIP routes by an unauthorized RIP router in a RIP version 2 environment, you can configure RIP v2 router interfaces to use simple password authentication. Received RIP announcements that do not match the configured password are discarded. Note that the password is sent in plaintext. Any user with a network sniffer, such as Microsoft Network Monitor, can capture the RIP v2 announcements and view the password. For more information, see Enable authentication.

Peer security

You can configure each RIP router with a list of routers (by IP address) from which RIP announcements are accepted. By default, RIP announcements from all sources are accepted. By configuring a list of RIP peers, RIP announcements from unauthorized RIP routers are discarded. For more information about configuring peer security, see Add peer filters.

Route filters

You can configure route filters on each RIP interface so that the only routes considered for addition to the routing table are those that reflect reachable network IDs within the internetwork. For example, if an organization is using subnets of the private network ID 10.0.0.0, route filtering can be used so that the RIP routers discard all routes except those within the 10.0.0.0 network ID. For more information about configuring RIP route filters, see Add route filters.
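The three checks above (peer list, RIP v2 simple-password authentication, route filter) as an added Python example that is not part of this documentation or of Routing and Remote Access; it also shows why the plaintext password is readable by anyone who captures the announcement. The packet layout follows the RIP v2 wire format (RFC 2453/1723); the password, peer address and 10.0.0.0/8 prefix are assumed sample values.

```python
import ipaddress
import struct

# RIPv2 wire format: 4-byte header (command, version, zero), then 20-byte entries.
# An authentication entry has AFI 0xFFFF, type 2 (simple password), 16-byte password.

def build_announcement(password, routes):
    """Constructed RIPv2 RESPONSE (command 2, version 2); sample input for testing."""
    hdr = struct.pack("!BBH", 2, 2, 0)
    auth = struct.pack("!HH16s", 0xFFFF, 2, password.encode()) if password else b""
    body = b"".join(
        struct.pack("!HH4s4s4sI", 2, 0, ipaddress.ip_address(net).packed,
                    ipaddress.ip_address(mask).packed, bytes(4), metric)
        for net, mask, metric in routes)
    return hdr + auth + body

def sniffed_password(pkt):
    """What a network sniffer sees: the simple password travels in plaintext."""
    if len(pkt) < 24:
        return None
    afi, auth_type, pw = struct.unpack("!HH16s", pkt[4:24])
    return pw.rstrip(b"\0").decode() if afi == 0xFFFF and auth_type == 2 else None

def accept_announcement(pkt, src_ip, password, peers, allowed_prefix):
    """Return (accepted_routes, reason) after the peer filter, simple-password
    authentication and route filter (only subnets of allowed_prefix are kept).
    None for password / peers / allowed_prefix means that check is not configured."""
    if peers is not None and src_ip not in peers:
        return [], "discarded: source not in peer list"
    command, version, _ = struct.unpack("!BBH", pkt[:4])
    if command != 2 or version != 2:
        return [], "discarded: not a RIPv2 response"
    entries = [pkt[i:i + 20] for i in range(4, len(pkt), 20)]
    if password is not None:
        # An announcement without a matching auth entry is dropped, as the text says.
        if sniffed_password(pkt) != password:
            return [], "discarded: authentication mismatch"
        entries = entries[1:]
    allowed = ipaddress.ip_network(allowed_prefix) if allowed_prefix else None
    accepted = []
    for entry in entries:
        afi, _, net, mask, _, metric = struct.unpack("!HH4s4s4sI", entry)
        if afi != 2:
            continue  # not an IPv4 route entry (e.g. the auth entry when unauthenticated)
        route = ipaddress.ip_network(
            f"{ipaddress.ip_address(net)}/{ipaddress.ip_address(mask)}", strict=False)
        if allowed is None or route.subnet_of(allowed):
            accepted.append((str(route), metric))
    return accepted, "accepted"
```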

Neighbors

By default, RIP either broadcasts (RIP version 1 or RIP version 2) or multicasts (RIP v2 only) announcements. To prevent RIP traffic from being received by any node except neighboring RIP routers, the server running Routing and Remote Access can unicast RIP announcements. While originally intended for use by nonbroadcast multiaccess (NBMA) network technologies such as Frame Relay, the configuration of RIP neighbors ensures that RIP announcements are directed to neighboring RIP routers. For more information about configuring RIP neighbors, see Add a unicast neighbor.

Note

  • When you configure RIP routers to unicast to neighboring RIP routers, the ability of silent RIP hosts to receive RIP traffic is impaired. Therefore, you need to either add the silent RIP hosts as neighbors or configure the server running Routing and Remote Access to broadcast or multicast (in addition to unicasting to RIP neighbors).