Routing Information Protocol (RIP)
This section describes the Routing Information Protocol (RIP). The following topics are included in this section:
- RIP background and concepts
- Troubleshooting RIP
- Simple RIP example
- RIPng — RIP and IPv6
RIP background and concepts
This section contains:
- Parts and terminology of RIP
- How RIP works
Routing Information Protocol (RIP) is a distance-vector routing protocol intended for small, relatively homogeneous networks. Its widespread use started when an early version of RIP shipped with BSD 4.3 Unix as the routed daemon. The routing algorithm RIP uses, the Bellman-Ford algorithm, first saw widespread use as the initial routing algorithm of the ARPANET.
RIP's benefits are that it is well suited to smaller networks, widely used, supported by nearly all routing hardware, quick to configure, and works well when there are no redundant paths. However, RIP updates propagate node by node, so it can be slow to find a path around a network outage. RIP also lacks strong authentication, cannot choose routes based on quality-of-service criteria, and can form routing loops if it is not configured carefully.
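To make the convergence and loop remarks concrete, here is an added simulation of the distance-vector exchange RIP performs; it is example code written for this page, not code from the handbook or from FortiOS. Each router sends its table to each neighbour, the neighbour relaxes its own table with the Bellman-Ford rule, and metric 16 means unreachable. The three-router chain, the link failure and the 18-router chain are constructed for illustration; the split_horizon flag turns the usual loop-prevention rule on and off.

```python
"""Distance-vector (Bellman-Ford) exchange as RIP performs it.

Added example, not code from the handbook or FortiOS. Topology, link costs
and the link failure below are constructed to show convergence behaviour.
"""
INFINITY = 16   # RIP: metric 16 means unreachable, so the longest usable path is 15 hops


class Router:
    def __init__(self, name):
        self.name = name
        self.neighbors = {}              # neighbour name -> link cost (1 hop each here)
        self.table = {name: (0, None)}   # destination -> (metric, next hop)

    def advertise(self, to, split_horizon=True):
        """Distance vector sent to neighbour `to`. With split horizon, routes
        learned from `to` are not echoed back to it."""
        return {dest: metric for dest, (metric, nh) in self.table.items()
                if not (split_horizon and nh == to)}

    def receive(self, frm, adv):
        """Bellman-Ford relaxation over one neighbour's vector; returns True if
        the table changed. Updates from the current next hop are always taken,
        even when worse, which is what lets a withdrawal (metric 16) propagate."""
        changed = False
        cost = self.neighbors[frm]
        for dest, metric in adv.items():
            new = min(metric + cost, INFINITY)
            cur_metric, cur_nh = self.table.get(dest, (INFINITY, None))
            if new < cur_metric or (cur_nh == frm and new != cur_metric):
                self.table[dest] = (new, frm)
                changed = True
        return changed


def build(links):
    """links: iterable of (a, b, cost) -> dict of Router objects keyed by name."""
    routers = {}
    for a, b, cost in links:
        routers.setdefault(a, Router(a)).neighbors[b] = cost
        routers.setdefault(b, Router(b)).neighbors[a] = cost
    return routers


def converge(routers, split_horizon=True, max_rounds=64):
    """Run synchronous update rounds until no table changes.
    Returns the number of rounds used (max_rounds if it never settled)."""
    for rnd in range(1, max_rounds + 1):
        advs = [(r.name, n, r.advertise(n, split_horizon))
                for r in routers.values() for n in r.neighbors]
        changed = False
        for src, dst, adv in advs:
            changed |= routers[dst].receive(src, adv)
        if not changed:
            return rnd
    return max_rounds


def fail_link(routers, a, b):
    """Take link a-b down: drop the adjacency and mark routes through it unreachable."""
    for x, y in ((a, b), (b, a)):
        routers[x].neighbors.pop(y, None)
        for dest, (metric, nh) in list(routers[x].table.items()):
            if nh == y:
                routers[x].table[dest] = (INFINITY, nh)


def metric(routers, src, dst):
    return routers[src].table.get(dst, (INFINITY, None))[0]


def rounds_after_failure(split_horizon):
    """Constructed chain A-B-C: converge, fail B-C, count rounds to settle again."""
    r = build([("A", "B", 1), ("B", "C", 1)])
    converge(r, split_horizon)
    fail_link(r, "B", "C")
    return converge(r, split_horizon)


def hop_limit_demo(length=18):
    """Constructed chain R0..R17: a destination 16 hops away is unreachable."""
    r = build([(f"R{i}", f"R{i + 1}", 1) for i in range(length - 1)])
    converge(r)
    return metric(r, "R15", "R0"), metric(r, "R16", "R0")
```

Without split horizon, after B-C fails A keeps offering B its stale two-hop route to C, B takes it, and the two routers count the metric up until it reaches 16; with split horizon A never advertises C back toward B and the withdrawal settles in two rounds. The hop-limit chain shows the other consequence of "16 is infinity": R15 reaches R0 at metric 15, R16 never installs a route.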
RIP version 1 was released in 1988 and is defined in RFC 1058. The RFC itself states that RIP v1 is based on the BSD routed program, which by then was a de facto standard.
RIP v1 uses classful addressing and broadcasts its updates to neighbouring routers. Because routing is classful, updates carry no subnet information, CIDR addressing is not supported, and every subnet of a classful network must be the same size. Route summarization is also not possible.
RIP v1 has no authentication at all, so any host that can reach the broadcast domain can sniff the routing updates and inject spoofed ones.
RIP version 2 was developed in 1993 to address the limitations of RIP v1, but did not become an Internet Standard until 1998 (RFC 2453). It supports classless routing and subnets of varying sizes.
RIP v2 added authentication of updates, either a simple cleartext password (RFC 2453) or keyed MD5 (RFC 2082). MD5 is a hash function rather than an encryption method and is no longer considered strong, and the cleartext option only stops accidental misconfiguration since the password travels in the clear, but keyed MD5 is a large improvement over RIP v1's no security at all.
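The contrast between an unauthenticated RIP v1 update and a keyed-MD5 RIP v2 update in working code, as an added example that is not code from the handbook or from FortiOS. The packet framing follows RFC 2082 as I read it: the first entry (AFI 0xFFFF, type 3) carries the packet length, key ID and sequence number, a trailer entry (AFI 0xFFFF, type 1) carries the digest, and the digest is MD5 over the packet with the zero-padded key standing in for the digest; check that against the peer implementation you talk to. The key, key ID, sequence numbers, routes and the tampering step are constructed for illustration.

```python
"""RIPv2 keyed-MD5 authentication (RFC 2082): build, verify, and what fails.

Added example, not code from the handbook or FortiOS. Framing per RFC 2082;
the key, key ID, sequence numbers and routes are constructed for illustration.
"""
import hashlib
import hmac
import ipaddress
import struct

AFI_IP, AFI_AUTH = 2, 0xFFFF
AUTH_DATA, AUTH_MD5 = 1, 3        # auth types: 1 = trailer carrying the digest, 3 = keyed MD5
RIP_RESPONSE = 2
TRAILER_LEN = 4 + 16              # AFI/type + 16-byte MD5 digest


def pad_key(key):
    """RFC 2082 keys are at most 16 bytes and are zero-padded to 16 before hashing."""
    if len(key) > 16:
        raise ValueError("key longer than 16 bytes")
    return key.ljust(16, b"\x00")


def encode_route(prefix, next_hop, metric, tag=0):
    """One 20-byte RIPv2 route entry: AFI, tag, address, mask, next hop, metric."""
    net = ipaddress.ip_network(prefix)
    return struct.pack("!HH4s4s4sI", AFI_IP, tag, net.network_address.packed,
                       net.netmask.packed, ipaddress.ip_address(next_hop).packed, metric)


def build_rip2_md5(routes, key, key_id, seq):
    body = b"".join(encode_route(*r) for r in routes)
    head = struct.pack("!BBH", RIP_RESPONSE, 2, 0)
    pkt_len = len(head) + 20 + len(body)          # offset of the authentication trailer
    auth = struct.pack("!HHHBBI8x", AFI_AUTH, AUTH_MD5, pkt_len, key_id, 16, seq)
    pre = head + auth + body + struct.pack("!HH", AFI_AUTH, AUTH_DATA)
    # The digest is MD5 over the packet with the padded key in the digest's place.
    return pre + hashlib.md5(pre + pad_key(key)).digest()


def build_rip1(routes):
    """RIPv1 response: no mask, no next hop, and no authentication entry at all."""
    head = struct.pack("!BBH", RIP_RESPONSE, 1, 0)
    return head + b"".join(
        struct.pack("!HH4s8xI", AFI_IP, 0, ipaddress.ip_network(p).network_address.packed, m)
        for p, _nh, m in routes)


def verify_rip2_md5(pkt, key, last_seq=None):
    """Returns (accepted, reason, routes, seq). Rejects v1, bad lengths, replays
    and digest mismatches. The sequence check is strictly increasing, which is
    tighter than the RFC's non-decreasing rule."""
    if len(pkt) < 4:
        return False, "truncated", [], None
    _cmd, ver, _ = struct.unpack("!BBH", pkt[:4])
    if ver < 2:
        return False, "RIPv1 carries no authentication", [], None
    if len(pkt) < 4 + 20 + TRAILER_LEN or (len(pkt) - 4) % 20:
        return False, "malformed length", [], None
    afi, atype, pkt_len, _key_id, _dlen, seq = struct.unpack("!HHHBBI", pkt[4:16])
    if afi != AFI_AUTH or atype != AUTH_MD5:
        return False, "no keyed-MD5 authentication entry", [], None
    if pkt_len + TRAILER_LEN != len(pkt):
        return False, "malformed length", [], seq
    if last_seq is not None and seq <= last_seq:
        return False, "replayed or stale sequence number", [], seq
    expected = hashlib.md5(pkt[:pkt_len + 4] + pad_key(key)).digest()
    if not hmac.compare_digest(expected, pkt[pkt_len + 4:]):
        return False, "bad digest: wrong key or tampered update", [], seq
    routes = []
    for off in range(24, pkt_len, 20):
        _afi, tag, addr, mask, nh, metric = struct.unpack("!HH4s4s4sI", pkt[off:off + 20])
        routes.append((str(ipaddress.ip_address(addr)), str(ipaddress.ip_address(mask)),
                       str(ipaddress.ip_address(nh)), metric, tag))
    return True, "ok", routes, seq


def demo():
    """Constructed exchange: one genuine update, then the attacks v2 keyed MD5 stops."""
    key = b"rip-demo-key"                       # constructed, not a real secret
    routes = [("10.10.0.0/16", "0.0.0.0", 2), ("192.168.50.0/24", "0.0.0.0", 1)]
    pkt = build_rip2_md5(routes, key, key_id=1, seq=41)
    tampered = bytearray(pkt)                   # attacker lowers 10.10.0.0/16 to metric 1
    tampered[40:44] = struct.pack("!I", 1)      # metric field of the first route entry
    return {
        "genuine": verify_rip2_md5(pkt, key, last_seq=40),
        "tampered": verify_rip2_md5(bytes(tampered), key, last_seq=40)[1],
        "replay": verify_rip2_md5(pkt, key, last_seq=41)[1],
        "wrong_key": verify_rip2_md5(pkt, b"guess", last_seq=40)[1],
        "v1": verify_rip2_md5(build_rip1(routes), key)[1],
    }
```

Two caveats worth keeping in mind. The RFC 2082 construction appends the secret to the message rather than using HMAC, so anyone who captures a single update can brute-force a short or guessable key offline; use a long random key and rotate it with a key chain. And the sequence number is the only replay protection, so a receiver that does not track it per neighbour accepts old updates indefinitely. On a FortiGate the corresponding settings are auth-mode md5 and auth-keychain on the interface under config router rip.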
In RIP v2 the hop count limit remained at 15 to be backwards compatible with RIP v1.
RIP v2 sends its updates, which carry the entire routing table, to the multicast group 224.0.0.9 rather than broadcasting them, so devices that are not participating in RIP do not have to process them.
Routing tags were added as well, which allow internal routes or redistributed routes to be identified as such.
RIPng, defined in RFC 2080, is the IPv6 counterpart of RIPv2. It is a separate protocol rather than a backwards-compatible extension: RIPng routers do not interoperate with RIPv1 or RIPv2 routers, and RIPng uses UDP port 521 and the link-local multicast group FF02::9 instead of RIPv2's UDP port 520 and 224.0.0.9. The main differences from RIPv2 are:
- RIPng has no built-in update authentication like RIPv2's; it relies on IPsec (AH or ESP) at the IPv6 layer.
- RIPng route entries carry a 16-byte IPv6 prefix, a route tag, a prefix length and a one-byte metric; the route tag is kept from RIPv2, but there is no per-entry mask or next-hop field.
- RIPng requires specific encoding of the next hop for a set of route entries, unlike RIPv2, which encodes the next hop into each route entry.
Parts and terminology of RIP
Before you can understand how RIP functions, you need to understand some of the main concepts and parts of RIP.
This section includes:
- RIP and IPv6
- Default information originate option
- Update, Timeout, and Garbage timers
- Authentication and key-chain
- Access Lists
RIP and IPv6
RIP Next Generation (RIPng) is the version of RIP that adds support for IPv6.
The FortiGate unit command config router ripng is almost the same as config router rip, except that IPv6 addresses are used. Also, if you are going to use prefix or access lists with RIPng, you must use the config router access-list6 and config router prefix-list6 versions of those commands.
If you want to troubleshoot RIPng, it is the same as with RIP but specify the different protocol, and use IPv6 addresses. This applies to commands such as get router info6 when you want to see the routing table, or other related information.
If you want to route IPv4 traffic over an IPv6 network, you can use the command config system ipv6-tunnel to configure the FortiGate unit to do this. The IPv6 interface is configured under config system interface. All subnets between the source and destination addresses must support IPv6. This command is not supported in Transparent mode.
For example, you want to set up a tunnel on the port1 interface starting at 2002:C0A8:3201:: on your local network and tunnel it to address 2002:A0A:A01:: where it will need access to an IPv4 network again. Use the following command:
config system ipv6-tunnel
    edit test_tunnel
        set destination 2002:A0A:A01::
        set interface port1
        set source 2002:C0A8:3201::
    next
end
The CLI commands associated with RIPng include:
config router ripng
config router access-list6
config router prefix-list6
config system ipv6-tunnel
get router info6 *
Default information originate option
This is the second advanced option for RIP in the web-based manager, right after metric. Enabling default-information-originate will generate and advertise a default route into the FortiGate unit's RIP-enabled networks. The generated route may be based on routes learned through a dynamic routing protocol, routes in the routing table, or both. RIP does not create the default route unless you use the always option.
Select Disable if you experience any issues or if you wish to advertise your own static routes into RIP updates. You can enable or disable default-information-originate in Router > Dynamic > RIP, under Advanced Options, or use the CLI.
The CLI commands associated with default information originate include:
config router rip
    set default-information-originate enable
end