Being part of the blue team it is helpful to have familiarity with routing protocols as they help you move traffic throughout the network and if you don’t well, then you have come to a good place to start. Routing protocols can be classified into two different categories: exterior and interior. Exterior routing protocols focus on routing from a network to the internet while interior protocols focus on inside the network. In this blog series, we are going to focus on the Interior routing protocols as those will be the protocols most accessible, regardless of whether you are an admin or not. We will save exterior routing protocols for a later time.
Interior routing protocols are based on two major factors, link-state routing or distance-vector routing. Distance-vector routing protocols use some form of metric that is calculated to determine the best path. This metric can be hops, bandwidth, delay, reliability, load, communication cost, etc. Link-State routing protocols calculate the shortest path to every other node in the network. The differences between these two is that Link-state protocols will share connectivity related changes and they will pass that info along. This will allow everyone to calculate new routes when someone goes down. Distance-vector protocols only have information about their neighbors and not the whole network. This causes distance-vector protocols to be prone to routing loops, which could be exploited by malicious actors to cause a Denial-of-Service-attack. This is also why link-state protocols are more scalable in environments than distance-vector protocols. The negative to link-state protocols is that they are more complex and have higher resource costs.
The figure above is going to help illustrate the concept of link-state vs distance vector. So, if we are using a distance-vector protocol in the above illustration the metric is hop count. And let’s say we already have network convergence and each router has established its routes.
Let’s say the link between A and D goes down. Router D says “Hey this network at A is unreachable from me” and begins telling his neighbors. Routers B and C both say, “Thanks, but we have an alternate path to network A with this many hops.” Since there is a route to A from B going to E and so forth and with the same in the opposite direction for C. Router D doesn’t know that it (Router D) is part of that path since E and D don’t know about each other due to not being neighbors. D will now update the route to A with one of these new routes since it is the lowest metric now. These updates go around the loop and then A is still unreachable. But, since everyone updated with new routes we keep counting to infinity and going in a continuous loop. The way to mitigate the loop will be to set a max hop timeout. That way when we hit that hop count we know that we are going in a loop and to stop. Split Horizon will not break loops in a network because it works by breaking loops between neighbors. If the routers in the above example were using link-state protocols, D would say to everyone, “Hey my connection to A is down” and this will be propagated by all routers to every neighbor and no one would have a shortest path to A.
Distance Vector Protocols
Routing Information Protocol(RIP)v2 is an older distance-vector routing protocol that uses hop count as a metric for deciding routes. The algorithm used within the protocol is the Bellman-Ford algorithm. To prevent loops like in the previous example, RIP has a maximum hop count of 15. Because of this RIP does not scale well to large networks. Someone with access to the router could reduce the hop count to make the protocol think it is in a loop and prevent routes from happening. The protocol is simple to configure. As for CISCO commands to configure a router using rip is described below:
For Juniper Networks you have to do the following:
Set fe-1/2/0 unit 1 family inet address 10.x.x.x/30
Set protocols rip group rip-group export advertise-routes-through-rip
Set protocols rip group rip-group neighbor fe-1/2/0.1
Set policy-options policy-statement advertise-routes-through-rip term 1 from protocol direct
Set policy-options policy-statement advertise-routes-through-rip term 1 from protocol rip
Set policy-options policy-statement advertise-routes-through-rip term 1 then accept2
As you can see RIP is a very simple routing protocol to configure by issuing very few commands depending on the networking equipment you use. RIPv2 is the standard currently due to RIPv1 being very limited in what it could do. RIPv2 allows for Classless routing, includes subnet masks in updates, and uses multicast to advertise routing table instead of the broadcast address. There is a version of RIP for IPv6 called RIPng.
RIPv1 does not support authentication on interfaces. For this reason, as well as other limiting factors, it should be avoided. RIPv2 in Cisco supports MD5 authentication which should be used in a network if RIPv2 is implemented. You must enable authentication on both sides of the connection to ensure routes and neighbors are formed. The commands for Cisco are below:
key chain kal
ip address 126.96.36.199 255.255.255.252
ip rip authentication mode md5
ip rip authentication key-chain kal
Enhanced Interior gateway routing protocol is a Cisco proprietary protocol. The protocol uses Diffused Update Algorithm (DUAL) to calculate the route to destinations within the network. This protocol replaced the previous version of IGRP. This was mainly to do with allowing classless IPV4 routing. This routing protocol is a distance-vector protocol with some link-state features. This is because the protocol will store a topology table like most link-state protocols to find other routes from other routers that aren’t neighbors. Cisco has therefore coined this protocol as a hybrid due to it routing by a metric of bandwidth metric. EIGRP also uses some link-state features to prevent routing loops and sends route changes and not the whole table to reduce the load on the devices.
You can configure EIGRP by:
Hostname(config)# router eigrp 2 -*The 2 is the Autonomous System number.
Hostname(config-router)# network X.X.X.X 255.X.X.X
EIGRP will find neighbors with the hello timers within 5 seconds on high bandwidth links or will do 60 seconds on low bandwidth links. Once they establish neighbor adjacency they will begin to send routes to build up each other’s topology table to ensure that they have all the routes in place. They will then select the best routes based off of bandwidth/delay. This will help the routers choose the best metric path (Feasible Distance) and a Feasible Successor (path that is less than the current one) to ensure routes are in place in case a link goes down.
EIGRP has several advanced features that call for another blog but will be briefly mentioned. Stub Routing allows a router to use less memory as it won’t send a complete EIGRP table and it won’t forward local traffic to a distribution router. The distribution router will send default routes to a stub router. You can modify timers, redistribute routes and additional features.
EIGRP can have authentication setup within the protocol. This is done with a keychain and a key. When you enable authentication on EIGRP interfaces all traffic will stop until both sides of the network are configured with the same keychain and key. When you set up configuration for authentication you set the key chain MYCHAIN in global configuration mode and then set the key with a number. Once you have that you will set the string for that key and configuration is complete on one side. Then on the interface you will set up the authentication by using IP authentication mode eigrp 10 md5 with 10 being the autonomous system number. You will then do the same on the other side and the protocol should continue as normal. An example config by Cisco is below:
FortWorth(config)#key chain MYCHAIN
Fort Worth#configure terminal
FortWorth(config)#interface serial 0/0.1
FortWorth(config-subif)#ip authentication mode eigrp 10 md5
FortWorth(config-subif)#ip authentication key-chain eigrp 10 MYCHAIN
By having authentication on interfaces this will prevent malicious actors from attempting to spoof as another router and prevent man-in-the-middle style attacks. This protects sensitive information from being leaked. In addition EIGRP will also support HMAC-SHA256 authentication which can be configured by removing lines 3 and 4 above and using the line “authentication mode hmac-sha-256 10 password1.” This will enable this type of authentication.
This will conclude the distance vector interior routing protocols. We took a look at the limited RIPv2 protocol and Cisco’s hybrid EIGRP protocol. The next blog in the series will talk about the Link-State protocols that are used inside of networks.