Thinking: Question 1: R0 is configured with one key ID, key 1 = cisco; R1 is configured with one key ID, key 1 = ccna. Can authentication succeed in both directions?
Plaintext mode:
R0#debug ip rip
RIP protocol debugging is on
R0#
*Mar 1 00:55:34.915: RIP: received packet with text authentication ccna
*Mar 1 00:55:34.915: RIP: ignored v2 packet from 12.1.1.2 (invalid authentication)
// R0: authentication fails; R1 likewise: authentication fails.
MD5 (ciphertext) mode:
R0#debug ip rip
RIP protocol debugging is on
R0#
*Mar 1 01:00:41.543: RIP: received packet with MD5 authentication
*Mar 1 01:00:41.547: RIP: ignored v2 packet from 12.1.1.2 (invalid authentication)
// R0: authentication fails; R1 likewise: authentication fails.
Same key ID on both ends but different passwords: authentication fails whether plaintext or MD5.
Question 2: R0 is configured with one key ID, key 1 = cisco; R1 is configured with one key ID, key 2 = cisco.
Plaintext mode:
R0#debug ip rip
RIP protocol debugging is on
R0#
*Mar 1 01:16:58.803: RIP: received packet with text authentication cisco
*Mar 1 01:16:58.803: RIP: received v2 update from 12.1.1.2 on Serial0/0
*Mar 1 01:16:58.803: 2.2.2.0/24 via 0.0.0.0 in 1 hops
*Mar 1 01:16:59.407: RIP: sending v2 update to 224.0.0.9 via Loopback0 (1.1.1.1)
*Mar 1 01:16:59.407: RIP: build update entries
*Mar 1 01:16:59.407: 2.2.2.0/24 via 0.0.0.0, metric 2, tag 0
*Mar 1 01:16:59.407: 12.1.1.0/24 via 0.0.0.0, metric 1, tag 0
// R0: authentication succeeds. R1: authentication succeeds.
MD5 (ciphertext) mode:
R0#debug ip rip
RIP protocol debugging is on
R0#
*Mar 1 00:10:41.407: RIP: received packet with MD5 authentication
*Mar 1 00:10:41.407: RIP: ignored v2 packet from 12.1.1.2 (invalid authentication)
R0#
*Mar 1 00:11:04.159: RIP: sending v2 update to 224.0.0.9 via Loopback0 (1.1.1.1)
*Mar 1 00:11:04.159: RIP: build update entries
*Mar 1 00:11:04.159: 12.1.1.0/24 via 0.0.0.0, metric 1, tag 0
*Mar 1 00:11:04.163: RIP: ignored v2 packet from 1.1.1.1 (sourced from one of our addresses)
// R0: authentication fails.
R1#debug ip rip
RIP protocol debugging is on
R1#
*Mar 1 00:10:38.847: RIP: received packet with MD5 authentication
*Mar 1 00:10:38.847: RIP: received v2 update from 12.1.1.1 on Serial0/1
*Mar 1 00:10:38.847: 1.1.1.0/24 via 0.0.0.0 in 1 hops
*Mar 1 00:10:40.851: RIP: sending v2 flash update to 224.0.0.9 via Loopback0 (2.2.2.2)
*Mar 1 00:10:40.851: RIP: build flash update entries
*Mar 1 00:10:40.851: 1.1.1.0/24 via 0.0.0.0, metric 2, tag 0
*Mar 1 00:10:40.855: RIP: sending v2 flash update to 224.0.0.9 via Serial0/1 (12.1.1.2)
*Mar 1 00:10:40.855: RIP: build flash update entries - suppressing null update
*Mar 1 00:10:40.863: RIP: ignored v2 packet from 2.2.2.2 (sourced from one of our addresses)
// Authentication succeeds on R1. Authentication succeeds in one direction only.
Plaintext mode:
R0#debug ip rip
RIP protocol debugging is on
R0#
*Mar 1 00:25:02.195: RIP: received packet with text authentication ccie
*Mar 1 00:25:02.195: RIP: ignored v2 packet from 12.1.1.2 (invalid authentication)
R0#
*Mar 1 00:25:13.195: RIP: sending v2 update to 224.0.0.9 via Loopback0 (1.1.1.1)
*Mar 1 00:25:13.195: RIP: build update entries
*Mar 1 00:25:13.195: 12.1.1.0/24 via 0.0.0.0, metric 1, tag 0
// R0: authentication fails.
R1#debug ip rip
RIP protocol debugging is on
R1#
*Mar 1 00:25:15.087: RIP: received packet with text authentication cisco
*Mar 1 00:25:15.087: RIP: received v2 update from 12.1.1.1 on Serial0/1
*Mar 1 00:25:15.087: 1.1.1.0/24 via 0.0.0.0 in 1 hops
R1#
*Mar 1 00:25:24.527: RIP: sending v2 update to 224.0.0.9 via Loopback0 (2.2.2.2)
*Mar 1 00:25:24.527: RIP: build update entries
*Mar 1 00:25:24.527: 1.1.1.0/24 via 0.0.0.0, metric 2, tag 0
*Mar 1 00:25:24.531: 12.1.1.0/24 via 0.0.0.0, metric 1, tag 0
// Authentication succeeds on R1. Authentication succeeds in one direction only.
MD5 (ciphertext) mode:
R0#debug ip rip
RIP protocol debugging is on
*Mar 1 00:29:40.527: RIP: received packet with MD5 authentication
*Mar 1 00:29:40.527: RIP: ignored v2 packet from 12.1.1.2 (invalid authentication)
R0#
*Mar 1 00:29:43.487: RIP: sending v2 update to 224.0.0.9 via Loopback0 (1.1.1.1)
*Mar 1 00:29:43.487: RIP: build update entries
*Mar 1 00:29:43.487: 12.1.1.0/24 via 0.0.0.0, metric 1, tag 0
// R0: authentication fails.
R1#debug ip rip
RIP protocol debugging is on
*Mar 1 00:29:43.851: RIP: received packet with MD5 authentication
*Mar 1 00:29:43.855: RIP: ignored v2 packet from 12.1.1.1 (invalid authentication)
R1#
*Mar 1 00:30:07.419: RIP: sending v2 update to 224.0.0.9 via Serial0/1 (12.1.1.2)
*Mar 1 00:30:07.419: RIP: build update entries
*Mar 1 00:30:07.419: 2.2.2.0/24 via 0.0.0.0, metric 1, tag 0
// R1: authentication fails.

Summary: when several key IDs are defined in the key chain, plaintext authentication and MD5 authentication use different matching rules:
1. Plaintext authentication matching rule:
A. The sender sends the key with the lowest key ID.
B. The key ID number is not carried in the packet.
C. The receiver compares the received key against every key in its key chain; if any of them matches, authentication succeeds.
[Example 1] Router R1 has one key ID, key1 = cisco; router R2 has two key IDs, key1 = ccie and key2 = cisco. By the rule above, authentication fails on R1 and succeeds on R2. So one-sided routes in RIP are nothing unusual.
2. MD5 authentication matching rule:
A. The sender sends the key with the lowest key ID.
B. The key ID number is carried in the packet.
C. The receiver first looks for a key with the same key ID; if one exists, it is compared exactly once, and that comparison decides whether authentication succeeds. If that key ID does not exist, the receiver only looks downward for the next key ID (the next key ID after the received one) and compares the key under that key ID exactly once. In other words, MD5 authentication matches the key ID first and only then the key's contents.
[Example 2] Router R1 has three key IDs, key1 = cisco, key3 = ccie, key5 = cisco; router R2 has one key ID, key2 = cisco. By the rule above, authentication fails on R1 and succeeds on R2.
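The two matching rules above can be turned into a small configuration audit that predicts, from the key chains alone, whether two RIPv2 neighbours will authenticate each other in both directions. This is an added example, not code from the original notes; it models the MD5 case by comparing secrets directly rather than computing the keyed digest, and it encodes the rules exactly as the summary states them.

```python
# Added example: predict one-way vs. two-way RIPv2 authentication from key chains.
# A key chain is modelled as {key_id: secret}. The MD5 digest check is modelled as
# a secret comparison (assumption); the matching rules follow the summary above.

def sent_key(chain):
    """Both modes: the sender always uses the key with the lowest key ID."""
    key_id = min(chain)
    return key_id, chain[key_id]

def accepts_text(receiver, secret):
    """Plaintext: no key ID on the wire, so any key in the chain may match."""
    return secret in receiver.values()

def accepts_md5(receiver, key_id, secret):
    """MD5: use the same key ID if present, otherwise the next higher key ID,
    and compare exactly once; no candidate means authentication fails."""
    candidates = [k for k in sorted(receiver) if k >= key_id]
    if not candidates:
        return False
    return receiver[candidates[0]] == secret

def one_way(sender, receiver, mode):
    """Does `receiver` accept the update `sender` emits in the given mode?"""
    key_id, secret = sent_key(sender)
    if mode == "text":
        return accepts_text(receiver, secret)
    if mode == "md5":
        return accepts_md5(receiver, key_id, secret)
    raise ValueError(f"unknown mode {mode!r}")

def audit(r0, r1, mode):
    """Return (R0 accepts R1, R1 accepts R0). Anything other than
    (True, True) means one-sided routes between the two neighbours."""
    return one_way(r1, r0, mode), one_way(r0, r1, mode)

if __name__ == "__main__":
    # Constructed scenarios mirroring the lab above and the two summary examples.
    scenarios = {
        "Q1":  ({1: "cisco"}, {1: "ccna"}),
        "Q2":  ({1: "cisco"}, {2: "cisco"}),
        "Ex1": ({1: "cisco"}, {1: "ccie", 2: "cisco"}),
        "Ex2": ({1: "cisco", 3: "ccie", 5: "cisco"}, {2: "cisco"}),
    }
    for name, (r0, r1) in scenarios.items():
        for mode in ("text", "md5"):
            print(f"{name:4} {mode:4} (R0<-R1, R1<-R0) = {audit(r0, r1, mode)}")
```

The predictions match the debug output in the lab: Q2 in MD5 mode and Example 1 in plaintext mode come out (False, True), the one-way cases, while Example 1 in MD5 mode fails in both directions.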