RIP Overview
The Routing Information Protocol (RIP) uses broadcast UDP data packets to exchange
routing information. Cisco software sends routing information updates every 30
seconds, which is termed advertising. If a device does not receive an update from
another device for 180 seconds or more, the receiving device marks the routes served
by the nonupdating device as unusable. If there is still no update after 240 seconds, the
device removes all routing table entries for the nonupdating device.
A device that is running RIP can receive a default network via an update from another
device that is running RIP, or the device can source the default network using RIP. In
both cases, the default network is advertised through RIP to other RIP neighbors.
The Cisco implementation of RIP Version 2 (RIPv2) supports plain text and message
digest algorithm 5 (MD5) authentication, route summarization, classless interdomain
routing (CIDR), and variable-length subnet masks (VLSMs).
RIP Routing Updates
The Routing Information Protocol (RIP) sends routing-update messages at regular
intervals and when the network topology changes. When a device receives a RIP routing
update that includes changes to an entry, the device updates its routing table to reflect
the new route. The metric value for the path is increased by 1, and the sender is
indicated as the next hop. RIP devices maintain only the best route (the route with the
lowest metric value) to a destination. After updating its routing table, the device
immediately begins transmitting RIP routing updates to inform other network devices
of the change. These updates are sent independently of the regularly scheduled updates
that RIP devices send.
RIP Routing Metric
The Routing Information Protocol (RIP) uses a single routing metric to measure the
distance between the source and the destination network. Each hop in a path from the
source to the destination is assigned a hop-count value, which is typically 1. When a
device receives a routing update that contains a new or changed destination network
entry, the device adds 1 to the metric value indicated in the update and enters the
network in the routing table. The IP address of the sender is used as the next hop. If an
interface network is not specified in the routing table, it will not be advertised in any
RIP update.
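The update-processing and timer rules described above, worked through in a small
Python model. This is an added illustration, not Cisco code: the hop-count increment,
next-hop selection, best-route-only rule and the 30/180/240-second defaults are taken
from the text; the neighbor addresses, interface names and prefixes are constructed
sample values.

```python
"""RIP routing-update processing and route ageing (added illustration, not Cisco's code).
Rules modelled: metric + 1 per hop, sender becomes next hop, only the best route is kept,
no update for 180 s marks the route unusable, no update for 240 s removes it."""
from dataclasses import dataclass

RIP_INFINITY = 16     # a metric of 16 means "unreachable" in RIP
UPDATE = 30           # seconds between regular advertisements
INVALID = 180         # no update for this long: route marked unusable
FLUSH = 240           # no update for this long: route removed from the table


@dataclass
class Route:
    prefix: str
    metric: int
    next_hop: str      # IP address of the neighbor that advertised the route
    learned_on: str    # interface the update arrived on
    last_update: float
    usable: bool = True


class RipTable:
    def __init__(self, invalid=INVALID, flush=FLUSH):
        self.invalid, self.flush = invalid, flush
        self.routes = {}   # prefix -> Route (only the best route per prefix is kept)

    def receive_update(self, sender, iface, entries, now):
        """Apply one update of (prefix, advertised_metric) pairs. Returns the prefixes
        whose entry changed, i.e. what a triggered update would announce."""
        changed = []
        for prefix, adv_metric in entries:
            metric = min(adv_metric + 1, RIP_INFINITY)   # one more hop: the link to the sender
            cur = self.routes.get(prefix)
            if cur is not None and cur.next_hop == sender:
                # Same next hop: accept the new metric even if worse, and refresh the timer.
                if cur.metric != metric:
                    changed.append(prefix)
                cur.metric, cur.last_update = metric, now
                cur.usable = metric < RIP_INFINITY
            elif metric < RIP_INFINITY and (cur is None or not cur.usable or metric < cur.metric):
                # Different (or first) next hop: install only if it is the better path.
                self.routes[prefix] = Route(prefix, metric, sender, iface, now)
                changed.append(prefix)
        return changed

    def age(self, now):
        """Run the invalid and flush timers against the last update time of every route."""
        for prefix in list(self.routes):
            route = self.routes[prefix]
            idle = now - route.last_update
            if idle >= self.flush:
                del self.routes[prefix]                            # 240 s: entry removed
            elif idle >= self.invalid:
                route.usable, route.metric = False, RIP_INFINITY   # 180 s: marked unusable

    def advertised(self):
        """Entries a regular update would carry: (prefix, metric), unusable routes as 16."""
        return sorted((r.prefix, r.metric) for r in self.routes.values())


if __name__ == "__main__":
    table = RipTable()
    table.receive_update("192.0.2.1", "Gi0/0", [("10.1.0.0/16", 3)], now=0)
    table.receive_update("192.0.2.2", "Gi0/1", [("10.1.0.0/16", 1)], now=5)
    print(table.advertised())   # the 2-hop path via 192.0.2.2 replaced the 4-hop one
    table.age(now=190)
    print(table.advertised())   # no refresh for more than 180 s: advertised as unreachable
    table.age(now=250)
    print(table.advertised())   # more than 240 s: flushed
```

The `changed` list returned by `receive_update` is what drives the triggered updates
mentioned above: a device sends those immediately rather than waiting for the next
30-second cycle.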
Authentication in RIP
The Cisco implementation of the Routing Information Protocol (RIP) Version 2 (RIPv2)
supports authentication, key management, route summarization, classless interdomain
routing (CIDR), and variable-length subnet masks (VLSMs).
By default, the software receives RIP Version 1 (RIPv1) and RIPv2 packets, but sends
only RIPv1 packets. You can configure the software to receive and send only RIPv1
packets. Alternatively, you can configure the software to receive and send only RIPv2
packets. To override the default behavior, you can configure the RIP version that an
interface sends. Similarly, you can also control how packets received from an interface
are processed.
RIPv1 does not support authentication. If you are sending and receiving RIPv2 packets,
you can enable RIP authentication on an interface.
The key chain determines the set of keys that can be used on the interface.
Authentication, including default authentication, is performed on that interface only if a
key chain is configured. For more information on key chains and their configuration, see
the “Managing Authentication Keys” section in the “Configuring IP Routing Protocol-
Independent Features” chapter in the Cisco IOS IP Routing: Protocol-Independent
Configuration Guide.
Cisco supports two modes of authentication on an interface on which RIP is enabled:
plain-text authentication and message digest algorithm 5 (MD5) authentication. Plain-
text authentication is the default authentication in every RIPv2 packet.
Note Do not use plain text authentication in RIP packets for security purposes,
because the unencrypted authentication key is sent in every RIPv2 packet. Use
plain-text authentication when security is not an issue; for example, you can
use plain-text authentication to ensure that misconfigured hosts do not
participate in routing.
Exchange of Routing Information
Routing Information Protocol (RIP) is normally a broadcast protocol, and for RIP
routing updates to reach nonbroadcast networks, you must configure the Cisco software
to permit this exchange of routing information.
To control the set of interfaces with which you want to exchange routing updates, you
can disable the sending of routing updates on specified interfaces by configuring
the passive-interface router configuration command.
You can use an offset list to increase incoming and outgoing metrics to routes learned
via RIP. Optionally, you can limit the offset list with either an access list or an
interface.
Routing protocols use several timers that determine variables such as the frequency of
routing updates, the length of time before a route becomes invalid, and other
parameters. You can adjust these timers to tune routing protocol performance to better
suit your internetwork needs. You can make the following timer adjustments:
• The rate (time, in seconds, between updates) at which routing updates are sent
• The interval of time, in seconds, after which a route is declared invalid
• The interval, in seconds, during which routing information about better paths is
suppressed
• The amount of time, in seconds, that must pass before a route is removed from
the routing table
• The amount of time for which routing updates will be postponed
You can adjust the IP routing support in the Cisco software to enable faster convergence
of various IP routing algorithms, and hence, cause quicker fallback to redundant
devices. The total effect is to minimize disruptions to end users of the network in
situations where quick recovery is essential.
In addition, an address family can have timers that explicitly apply to that address
family (or Virtual Routing and Forwarding [VRF] instance). The timers-basic command
must be specified for an address family, or the system defaults for the timers-basic
command are used regardless of the timer that is configured for RIP routing. The VRF
does not inherit the timer values from the base RIP configuration. The VRF always uses
the system default timers unless the timers are explicitly changed using the
timers-basic command.
RIP Route Summarization
Summarizing routes in RIP Version 2 improves scalability and efficiency in large
networks. Summarizing IP addresses means that there is no entry for child routes
(routes that are created for any combination of the individual IP addresses contained
within a summary address) in the RIP routing table, reducing the size of the table and
allowing the router to handle more routes.
A summary IP address functions more efficiently than multiple individually advertised IP
routes for the following reasons:
• The summarized routes in the RIP database are processed first.
• Any associated child routes that are included in a summarized route are skipped
as RIP looks through the routing database, reducing the processing time
required.
Cisco routers can summarize routes in two ways:
• Automatically, by summarizing subprefixes to the classful network boundary
when crossing classful network boundaries (automatic summary).
Note Automatic summary is enabled by default.
• As specifically configured, advertising a summarized local IP address pool on the
specified interface (on a network access server) so that the address pool can be
provided to dialup clients.
When RIP determines that a summary address is required in the RIP database, a
summary entry is created in the RIP routing database. As long as there are child routes
for a summary address, the address remains in the routing database. When the last child
route is removed, the summary entry also is removed from the database. This method of
handling database entries reduces the number of entries in the database because each
child route is not listed in an entry, and the aggregate entry itself is removed when there
are no longer any valid child routes for it.
RIP Version 2 route summarization requires that the lowest metric of the "best route" of
an aggregated entry, or the lowest metric of all current child routes, be advertised. The
best metric for aggregated summarized routes is calculated at route initialization or
when there are metric modifications of specific routes at advertisement time, and not at
the time the aggregated routes are advertised.
The ip summary-address rip router configuration command causes the router to
summarize a given set of routes learned via RIP Version 2 or redistributed into RIP
Version 2. Host routes are especially applicable for summarization.
See the "Route Summarization Example" section at the end of this chapter for examples
of using split horizon.
You can verify which routes are summarized for an interface using
the show ip protocols EXEC command. You can also check summary address entries in the
RIP database; these entries appear in the database only while relevant child routes are
being summarized. To display the summary address entries in the RIP routing database,
use the show ip rip database command in EXEC mode. When the last child route for a
summary address becomes invalid, the summary address is also removed from the
routing table.
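The summary-entry lifecycle described above (an entry exists only while it has at least
one child route and is advertised with the lowest child metric), worked through in
Python. This is an added illustration, not Cisco code; it also goes one step beyond the
text by modelling automatic summarization to the classful boundary alongside configured
summary addresses. The summary list stands in for ip summary-address rip
configuration, and the prefixes and metrics are constructed sample values.

```python
"""RIPv2 summary-address bookkeeping (added illustration, not Cisco's code).
A summary entry is created with its first child route, kept while any child exists,
removed with the last child, and advertised with the best (lowest) child metric."""
import ipaddress


def classful_network(prefix):
    """Classful network boundary for an IPv4 prefix (class A /8, class B /16, class C /24)."""
    net = ipaddress.ip_network(prefix)
    first_octet = int(net.network_address) >> 24
    length = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{net.network_address}/{length}", strict=False)


class SummaryTable:
    def __init__(self, summaries=(), auto_summary=True):
        self.summaries = [ipaddress.ip_network(s) for s in summaries]  # configured summaries
        self.auto_summary = auto_summary        # enabled by default, as on the router
        self.children = {}                      # summary network -> {child network: metric}
        self.individual = {}                    # routes no summary covers, advertised as-is

    def _summary_for(self, net):
        """Configured summary first, then the classful boundary if automatic summary is on."""
        for s in self.summaries:
            if net != s and net.subnet_of(s):
                return s
        if self.auto_summary:
            classful = classful_network(net)
            if net != classful:
                return classful
        return None

    def add_route(self, prefix, metric):
        """Install a learned or redistributed route; returns the summary it falls under, if any."""
        net = ipaddress.ip_network(prefix)
        summary = self._summary_for(net)
        if summary is None:
            self.individual[net] = metric
        else:
            # First child creates the summary entry; later children just join it.
            self.children.setdefault(summary, {})[net] = metric
        return summary

    def remove_route(self, prefix):
        """Withdraw a route; the summary entry disappears with its last child."""
        net = ipaddress.ip_network(prefix)
        self.individual.pop(net, None)
        summary = self._summary_for(net)
        kids = self.children.get(summary)
        if kids is not None:
            kids.pop(net, None)
            if not kids:
                del self.children[summary]

    def advertisements(self):
        """What a RIP update carries: each live summary with its lowest child metric, plus
        every route that no summary covers."""
        adverts = {str(s): min(kids.values()) for s, kids in self.children.items()}
        adverts.update({str(n): m for n, m in self.individual.items()})
        return adverts


if __name__ == "__main__":
    table = SummaryTable(["10.1.0.0/16"])
    table.add_route("10.1.1.0/24", 3)
    table.add_route("10.1.2.0/24", 1)          # 10.1.0.0/16 now advertised with metric 1
    table.add_route("172.16.5.0/24", 4)        # auto-summary: advertised as 172.16.0.0/16
    table.add_route("192.168.5.0/24", 2)       # already classful: advertised individually
    print(table.advertisements())
    table.remove_route("10.1.2.0/24")          # summary metric rises to 3
    table.remove_route("10.1.1.0/24")          # last child gone: summary withdrawn
    print(table.advertisements())
```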
Split Horizon Mechanism
Normally, devices that are connected to broadcast-type IP networks and that use
distance-vector routing protocols employ the split horizon mechanism to reduce the
possibility of routing loops. The split horizon mechanism blocks information about
routes from being advertised by a device out of any interface from which that
information originated. This behavior usually optimizes communications among
multiple devices, particularly when links are broken. However, with nonbroadcast
networks, such as Frame Relay and the Switched Multimegabit Digital System (SMDS),
situations can arise for which this behavior is less than ideal. In such situations, you may
want to disable split horizon with the Routing Information Protocol (RIP).
If an interface is configured with secondary IP addresses and split horizon is enabled,
updates might not be sourced by the secondary address. If split horizon is enabled, one
routing update is sourced per network number.
Split horizon is not disabled by default for interfaces using any of the X.25
encapsulations. For all other encapsulations, split horizon is enabled by default.
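The loop-prevention effect of split horizon, shown in a two-router simulation. This is an
added illustration, not Cisco code: router A owns a LAN prefix that router B learned from
it; when A's LAN fails, the model counts the update rounds until both routers agree the
prefix is unreachable, with and without split horizon on the shared link. The prefix and
the interface names are constructed sample values.

```python
"""Split horizon on a two-router link (added illustration, not Cisco's code).
Each table maps prefix -> (metric, interface the route was learned on)."""

RIP_INFINITY = 16


def advertise(table, out_iface, split_horizon=True):
    """Entries a router sends out of one interface. With split horizon, routes that were
    learned on that same interface are withheld; without it, everything is sent."""
    return [(prefix, metric) for prefix, (metric, learned_on) in table.items()
            if not (split_horizon and learned_on == out_iface)]


def install(table, in_iface, entries):
    """Receiver side: metric + 1; entries from the current next hop are always taken,
    entries from elsewhere only if better. Returns True if the table changed."""
    changed = False
    for prefix, adv in entries:
        metric = min(adv + 1, RIP_INFINITY)
        cur = table.get(prefix)
        if cur is None:
            if metric < RIP_INFINITY:
                table[prefix] = (metric, in_iface)
                changed = True
        elif cur[1] == in_iface or metric < cur[0]:
            if (metric, in_iface) != cur:
                table[prefix] = (metric, in_iface)
                changed = True
    return changed


def rounds_to_converge(split_horizon, max_rounds=50):
    """Update rounds until both routers hold metric 16 for A's failed LAN prefix."""
    prefix = "10.0.0.0/24"
    a = {prefix: (RIP_INFINITY, "lan")}   # A: LAN interface just went down, route poisoned
    b = {prefix: (2, "link")}             # B: still holds the route it learned from A
    for rnd in range(1, max_rounds + 1):
        # B's regular update reaches A before A's triggered update reaches B.
        install(a, "link", advertise(b, "link", split_horizon))
        install(b, "link", advertise(a, "link", split_horizon))
        if a[prefix][0] == RIP_INFINITY and b[prefix][0] == RIP_INFINITY:
            return rnd
    return max_rounds   # never converged within the limit


if __name__ == "__main__":
    print("with split horizon:   ", rounds_to_converge(True), "round(s)")
    print("without split horizon:", rounds_to_converge(False), "round(s)")
```

Without split horizon the two routers hand the stale route back and forth, each adding a
hop, until the metric counts up to 16; with it, B never advertises the prefix back onto
the link it learned it from, and the failure settles in a single round.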
Interpacket Delay for RIP Updates
By default, the software adds no delay between packets in a multiple-packet RIP update
being sent. If you have a high-end router sending to a low-speed router, you might want
to add such interpacket delay to RIP updates, in the range of 8 to 50 milliseconds.
RIP Optimization over WAN Circuits
Devices are used on connection-oriented networks to allow potential connectivity to
many remote destinations. Circuits on the WAN are established on demand and are
relinquished when the traffic subsides. Depending on the application, the connection
between any two sites for user data could be short and relatively infrequent.
Source IP Addresses of RIP Routing Updates
By default, the Cisco software validates the source IP address of incoming Routing
Information Protocol (RIP) routing updates. If the source address is not valid, the
software discards the routing update. You must disable this functionality if you want to
receive updates from a device that is not part of this network. However, disabling this
functionality is not recommended under normal circumstances.
Neighbor Router Authentication
You can prevent your router from receiving fraudulent route updates by configuring
neighbor router authentication. When configured, neighbor authentication occurs
whenever routing updates are exchanged between neighbor routers. This
authentication ensures that a router receives reliable routing information from a
trusted source.
Without neighbor authentication, unauthorized or deliberately malicious routing
updates could compromise the security of your network traffic. A security compromise
could occur if an unfriendly party diverts or analyzes your network traffic. For example,
an unauthorized router could send a fictitious routing update to convince your router to
send traffic to an incorrect destination. This diverted traffic could be analyzed to learn
confidential information about your organization or merely used to disrupt your
organization’s ability to effectively communicate using the network. Neighbor
authentication prevents any such fraudulent route updates from being received by your
router.
When neighbor authentication has been configured on a router, the router authenticates
the source of each routing update packet that it receives. This is accomplished by the
exchange of an authenticating key (sometimes referred to as a password) that is known
to both the sending and the receiving router.
There are two types of neighbor authentication used: plain text authentication and
Message Digest Algorithm Version 5 (MD5) authentication. Both forms work in the
same way, with the exception that MD5 sends a "message digest" instead of the
authenticating key itself. The message digest is created using the key and a message, but
the key itself is not sent, preventing it from being read while it is being transmitted.
Plain text authentication sends the authenticating key itself over the wire.
Note Plain text authentication is not recommended for use as part of your security
strategy. Its primary use is to avoid accidental changes to the routing infrastructure.
Using MD5 authentication, however, is a recommended security practice.
In plain text authentication, each participating neighbor router must share an
authenticating key. This key is specified at each router during configuration. Multiple
keys can be specified with some protocols; each key must then be identified by a key
number.
In general, when a routing update is sent, the following authentication sequence occurs:
1. A router sends a routing update with a key and the corresponding key number
to the neighbor router. In protocols that can have only one key, the key
number is always zero. The receiving (neighbor) router checks the received
key against the same key stored in its own memory.
2. If the two keys match, the receiving router accepts the routing update packet.
If the two keys do not match, the routing update packet is rejected.
MD5 authentication works similarly to plain text authentication, except that the key is
never sent over the wire. Instead, the router uses the MD5 algorithm to produce a
"message digest" of the key (also called a "hash"). The message digest is then sent
instead of the key itself. This ensures that nobody can eavesdrop on the line and learn
keys during transmission.
Another form of neighbor router authentication is to configure key management using
key chains. When you configure a key chain, you specify a series of keys with lifetimes,
and the Cisco IOS software rotates through each of these keys. This decreases the
likelihood that keys will be compromised. To find complete configuration information
for key chains, refer to the "Managing Authentication Keys" section in the Configuring IP
Routing Protocol-Independent Features module of the Cisco IOS IP Routing: Protocol-
Independent Configuration Guide.
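The two authentication forms above, built as actual RIPv2 packets so the difference is
visible in the bytes. This is an added illustration, not Cisco code: it constructs one
routing update with simple-password authentication (RFC 2453, authentication type 2) and
with keyed MD5 (RFC 2082, type 3), and the receiver looks the key up by key ID, as a key
chain would, and recomputes the digest. The packet layout follows RFC 2082 as I read it:
a leading authentication entry carrying the key ID and sequence number, and a trailing
entry carrying a digest computed over the packet with the key placed where the digest
goes. The key, key ID, prefixes and metrics are constructed sample values.

```python
"""RIPv2 authentication on the wire (added illustration, not Cisco's code)."""
import hashlib
import hmac
import ipaddress
import struct

AFI_AUTH = 0xFFFF      # address family 0xFFFF marks an authentication entry
AUTH_SIMPLE = 2        # simple password (RFC 2453)
AUTH_MD5 = 3           # keyed message digest (RFC 2082)
AUTH_TRAILER = 1       # type code of the trailing digest entry (RFC 2082)
KEY_LEN = 16           # key is zero-padded to 16 octets; the MD5 digest is also 16


def rip_header():
    return struct.pack("!BBH", 2, 2, 0)   # command 2 = response, version 2, unused field


def route_entry(prefix, metric=1, next_hop="0.0.0.0", tag=0):
    net = ipaddress.ip_network(prefix)
    return struct.pack("!HH4s4s4sI", 2, tag, net.network_address.packed,
                       net.netmask.packed, ipaddress.ip_address(next_hop).packed, metric)


def build_plaintext(routes, password):
    """Authentication type 2: the password itself travels in the first entry."""
    auth = struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, password.ljust(KEY_LEN, b"\0"))
    return rip_header() + auth + b"".join(route_entry(*r) for r in routes)


def build_md5(routes, key, key_id, seq):
    """Authentication type 3: key ID and sequence number up front, digest in a trailer."""
    body_len = 4 + 20 + 20 * len(routes)   # offset of the trailer ("RIP-2 packet length")
    auth = struct.pack("!HHHBBI8x", AFI_AUTH, AUTH_MD5, body_len, key_id, KEY_LEN, seq)
    body = rip_header() + auth + b"".join(route_entry(*r) for r in routes)
    trailer_hdr = struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
    # Digest over the packet with the key in the digest's place; the key itself is never sent.
    digest = hashlib.md5(body + trailer_hdr + key.ljust(KEY_LEN, b"\0")).digest()
    return body + trailer_hdr + digest


def verify_md5(packet, keys):
    """Receiver side. `keys` maps key ID -> key (the key chain). Returns (ok, sequence)."""
    afi, atype, body_len, key_id, dlen, seq = struct.unpack_from("!HHHBBI", packet, 4)
    if afi != AFI_AUTH or atype != AUTH_MD5 or dlen != KEY_LEN:
        return False, None
    key = keys.get(key_id)
    body, trailer = packet[:body_len], packet[body_len:]
    if (key is None or len(trailer) != 4 + KEY_LEN
            or trailer[:4] != struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)):
        return False, seq
    expected = hashlib.md5(body + trailer[:4] + key.ljust(KEY_LEN, b"\0")).digest()
    return hmac.compare_digest(expected, trailer[4:]), seq   # constant-time compare


if __name__ == "__main__":
    routes = [("10.1.0.0/16", 1), ("10.2.0.0/16", 3)]
    key = b"s3cret-k3y"
    plain = build_plaintext(routes, key)
    keyed = build_md5(routes, key, key_id=1, seq=0)
    print("key visible in plain-text packet:", key in plain)   # True
    print("key visible in MD5 packet:       ", key in keyed)   # False
    print("digest verifies with the key chain:", verify_md5(keyed, {1: key}))
```

The plain-text packet carries the key in the clear, which is exactly why the Note above
rules it out as a security measure; the MD5 packet carries only the digest, and any change
to a route entry or use of the wrong key makes verification fail.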
IP-RIP Delay Start Overview
The IP-RIP Delay Start feature is used on Cisco devices to delay the initiation of Routing
Information Protocol Version 2 (RIPv2) neighbor sessions until the network
connectivity between the neighbor devices is fully operational, thereby ensuring that
the sequence number of the first message digest algorithm 5 (MD5) packet that the
device sends to the non-Cisco neighbor device is 0. The default behavior for a device
configured to establish RIPv2 neighbor sessions with a neighbor device using MD5
authentication is to start sending MD5 packets when the physical interface is up.
The IP-RIP Delay Start feature is often used when a Cisco device is configured to
establish a RIPv2 neighbor relationship using MD5 authentication with a non-Cisco
device over a Frame Relay network. When RIPv2 neighbors are connected over Frame
Relay, it is possible for the serial interface connected to the Frame Relay network to be
up while the underlying Frame Relay circuits are not yet ready to transmit and receive
data. When a serial interface is up and the Frame Relay circuits are not yet operational,
any MD5 packets that the device attempts to transmit over the serial interface are
dropped. When MD5 packets are dropped because the Frame Relay circuits over which
the packets need to be transmitted are not yet operational, the sequence number of the
first MD5 packet received by the neighbor device after the Frame Relay circuits become
active will be greater than 0. Some non-Cisco devices will not allow an MD5-
authenticated RIPv2 neighbor session to start when the sequence number of the first
MD5 packet received from the other device is greater than 0.
The differences in vendor implementations of MD5 authentication for RIPv2 are
probably a result of the ambiguity of the relevant RFC (RFC 2082) with respect to
packet loss. RFC 2082 suggests that devices should be ready to accept either a sequence
number of 0 or a sequence number higher than the last sequence number received. For
more information about MD5 message reception for RIPv2, see section 3.2.2 of RFC
2082 at the following URL: http://www.ietf.org/rfc/rfc2082.txt.
The IP-RIP Delay Start feature is supported over other interface types such as Fast
Ethernet and Gigabit Ethernet.
Cisco devices allow an MD5-authenticated RIPv2 neighbor session to start when the
sequence number of the first MD5 packet received from the other device is greater than
0. If you are using only Cisco devices in your network, you do not need to use the IP-RIP
Delay Start feature.
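The sequence-number behavior that motivates IP-RIP Delay Start, modelled in Python. This is
an added illustration, not Cisco's or any other vendor's code: it implements the acceptance
rule the text attributes to RFC 2082 section 3.2.2 (accept sequence number 0, or any number
higher than the last one accepted) next to the stricter start-up check described above for
some non-Cisco devices, and then replays a session start where the first packets are lost
on a circuit that is not yet operational. Sequence numbers are assumed to come from packets
whose digest has already been verified; neighbor names and counts are constructed values.

```python
"""MD5 sequence-number handling at RIPv2 session start (added illustration)."""


class Md5NeighborState:
    def __init__(self, strict_first_zero=False):
        self.strict_first_zero = strict_first_zero   # True: first packet of a session must be 0
        self.last_seq = {}                           # neighbor -> last accepted sequence number

    def accept(self, neighbor, seq):
        """Return True if a digest-verified packet with this sequence number is accepted."""
        last = self.last_seq.get(neighbor)
        if last is None:
            if self.strict_first_zero and seq != 0:
                return False            # session refused: first packet did not carry 0
        elif not (seq == 0 or seq > last):
            return False                # stale or repeated number: rejected
        self.last_seq[neighbor] = seq
        return True


def run_session(circuit_ready_after, packets_sent, strict_first_zero):
    """The sender numbers its MD5 packets 0, 1, 2, ... from the moment the interface is up;
    the first `circuit_ready_after` of them are dropped by the not-yet-operational circuit.
    Returns the sequence numbers the receiver accepted (empty: the session never started)."""
    receiver = Md5NeighborState(strict_first_zero)
    delivered = list(range(packets_sent))[circuit_ready_after:]
    return [seq for seq in delivered if receiver.accept("peer", seq)]


if __name__ == "__main__":
    # Serial interface up, Frame Relay circuits ready only after three packets were lost.
    print("strict peer, no delay start:  ", run_session(3, 6, strict_first_zero=True))
    print("tolerant peer, no delay start:", run_session(3, 6, strict_first_zero=False))
    # Delay start: sending begins once the circuit is ready, so the first packet carries 0.
    print("strict peer, delay start:     ", run_session(0, 6, strict_first_zero=True))
```

A strict peer that sees 3 as the first sequence number keeps rejecting every later packet
too, because none of them is 0 and no session has been established to compare against;
delaying the start so that the first delivered packet carries 0 is what the feature fixes.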
Offset-list
An offset list is the mechanism for increasing incoming and outgoing metrics to routes
learned via RIP. This is done to provide a local mechanism for increasing the value of
routing metrics. Optionally, you can limit the offset list with either an access list or an
interface.
Timers
Routing protocols use several timers that determine such variables as the frequency of
routing updates, the length of time before a route becomes invalid, and other
parameters. You can adjust these timers to tune routing protocol performance to better
suit your internetwork needs. You can make the following timer adjustments:
• The rate (time in seconds between updates) at which routing updates are sent
• The interval of time (in seconds) after which a route is declared invalid
• The interval (in seconds) during which routing information regarding better
paths is suppressed
• The amount of time (in seconds) that must pass before a route is removed from
the routing table
• The amount of time for which routing updates will be postponed
It also is possible to tune the IP routing support in the software to enable faster
convergence of the various IP routing algorithms, and, hence, quicker fallback to
redundant routers. The total effect is to minimize disruptions to end users of the
network in situations where quick recovery is essential.