HCNA-22 配置RIPv2的认证
HCNA-22 配置RIPv2的认证基本配置<Huawei>system-viewinterface GigabitEthernet 0/0/2ip address 192.168.10.1 24quitinterface GigabitEthernet 0/0/0ip address 172.16.12.1 24quitrip 1version 2network 192.168.10.0network 172.16.0.0quit <Huawei>system-viewsysname r2interface GigabitEthernet 0/0/2ip address 192.168.20.1 24quitinterface GigabitEthernet 0/0/0ip address 172.16.12.2 24quitrip 1version 2network 192.168.20.0network 172.16.0.0quitdisplay ip routing-table Route Flags: R - relay, D - download to fib------------------------------------------------------------------------------Routing Tables: Public Destinations : 11 Routes :11 Destination/Mask Proto PreCost Flags NextHop Interface 127.0.0.0/8 Direct0 0 D 127.0.0.1 InLoopBack0…… 192.168.10.0/24RIP 1001 D172.16.12.1 GigabitEthernet0/0/0192.168.20.0/24Direct0 0 D 192.168.20.1 GigabitEthernet……模拟非法路由进行网络攻击<Huawei>system-viewsysname r3interface GigabitEthernet 0/0/0ip address 172.16.12.3 24quitrip 1version 2network 172.16.0.0quitdisplay ip routing-tableRoute Flags: R - relay, D - download to fib------------------------------------------------------------------------------Routing Tables: Public Destinations : 9 Routes :9 Destination/Mask Proto PreCost Flags NextHop Interface …… 172.16.12.255/32Direct0 0 D 127.0.0.1 GigabitEthernet0/0/0 192.168.10.0/24RIP 1001 D172.16.12.1 GigabitEthernet0/0/0 192.168.20.0/24RIP 1001 D172.16.12.2 GigabitEthernet0/0/0255.255.255.255/32 Direct0 0 D 127.0.0.1 InLoopBack0R3可以轻易获取到R1与R2的路由若此时R3对R1与R2进ping –t操作发送大量数据包,可以形成攻击形式下面配置欺骗网段interface LoopBack 1ip address 192.168.10.1 24quitinterface loopback 2ip address 192.168.20.1 24quitdisplay ip interface brief*down: administratively down^down: standby(l): loopback(s): spoofingThe number of interface that is UP in Physical is 4The number of interface that is DOWN in Physical is2The number of interface that is UP in Protocol is 4The number of interface that is DOWN in Protocol is2 Interface IP Address/Mask PhysicalProtocolGigabitEthernet0/0/0 172.16.12.3/24 up up GigabitEthernet0/0/1 unassigned down down GigabitEthernet0/0/2 unassigned down down LoopBack1 192.168.10.1/24 up up(s) LoopBack2 192.168.20.1/24 up up(s) NULL0 unassigned up up(s) rip 1network 192.168.10.0network 192.168.20.0quit 查看R1与R2的路由表<r1>display ip routing-tableRoute Flags: R - relay, D - download to fib------------------------------------------------------------------------------Routing Tables: Public Destinations : 11 Routes :12 Destination/Mask Proto PreCost Flags NextHop Interface ……192.168.20.0/24RIP 100 1 D 172.16.12.2 GigabitEthernet0/0/0 RIP 100 1 D 172.16.12.3 GigabitEthernet0/0/0255.255.255.255/32 Direct0 0 D 127.0.0.1 InLoopBack0 <r2>display ip routing-tableRoute Flags: R - relay, D - download to fib------------------------------------------------------------------------------Routing Tables: Public Destinations : 11 Routes :12 Destination/Mask Proto PreCost Flags NextHop Interface……192.168.10.0/24RIP 100 1 D 172.16.12.1 GigabitEthernet0/0/0 RIP 100 1 D 172.16.12.3 GigabitEthernet0/0/0192.168.20.0/24Direct0 0 D 192.168.20.1 GigabitEthernet……. 重要的地方来了,R1和R2接收到了R3发来的路由更新,由于R2和R3发送RIP更新的COST都是1跳,所以在R1的路由表中,目的为192.168.20.0的网段形成了两条等价负载均衡的路径,下一跳分别是R2与R3,这样一来会导致去往192.168.20.0网段的数据包会有部份发送到了非法路由R3。R2路由表变化与R1一样。配置RIPv2简单验证配置两端接口认证<r1>system-viewrip authentication-modesimple cipher admin1234//配置RIP认证模式为简单密码admin1234PC>ping 192.168.20.100 Ping 192.168.20.100: 32 data bytes, Press Ctrl_C tobreakRequest timeout!Request timeout!Request timeout!Request timeout!Request timeout! --- 192.168.20.100 ping statistics ---5 packet(s)transmitted0 packet(s)received100.00%packet loss当只配置了一个接口的认证后,RIP运行不再正常,需要连接端口同时配置认证!<r2>system-viewinterface GigabitEthernet 0/0/0rip authentication-modesimple admin1234quitdisplay ip routing-tableRoute Flags: R - relay, D - download to fib------------------------------------------------------------------------------Routing Tables: Public Destinations : 11 Routes :11 Destination/Mask Proto PreCost Flags NextHop Interface……. 192.168.10.0/24RIP 1001 D172.16.12.1 GigabitEthernet0/0/0192.168.20.0/24Direct0 0 D 192.168.20.1 GigabitEthernet…..此时R3的路由没有了,由于R3没有配置RIP认证,所以被排斥了出去。
抓包发现R1与R2间的RIP报文内有包含authentication字样,并且password是明文显示的admin1234。配置RIPv2 MD5认证<r1>system-viewinterface GigabitEthernet 0/0/0undo ripauthentication-moderip authentication-mode md5usual cipher admin1234quit <r2>system-viewinterface GigabitEthernet 0/0/0undo rip authentication-moderip authentication-mode md5usual cipher admin1234quit
页:
[1]
