Allowing RIPv2 messages between interfaces (9.x)

Post by Peter » 30 Nov 2011, 06:58

This How-to applies to:
  • Clavister Security Gateway version 9.x and 10.x
Description:

The Routing Information Protocol (RIP) is a distance-vector routing protocol, which employs the hop count as a routing metric. RIP prevents routing loops by implementing a limit on the number of hops allowed in a path from the source to a destination. The maximum number of hops allowed for RIP is 15. This hop limit, however, also limits the size of networks that RIP can support. A hop count of 16 is considered an infinite distance and used to deprecate inaccessible, inoperable, or otherwise undesirable routes in the selection process. RIPv2 uses UDP destination port 520.

In an effort to avoid unnecessary load on hosts that do not participate in routing, RIPv2 multicasts the entire routing table to all adjacent routers at the address 224.0.0.9, as opposed to RIPv1 which uses broadcast. Unicast addressing is still allowed for special applications.

Benefits:

You can use the Clavister Security Gateway to allow RIPv2 routers placed on separate physical interfaces to exchange multicast routing messages.

IP settings:

In order to allow the multicast messages to be forwarded we must change the ‘Multicast TTL Min’ value in the Clavister Security Gateway. By default, multicast messages with a TTL lower than 3 are dropped; RIPv2 updates to 224.0.0.9 are link-local and are normally sent with a TTL of 1, so this value needs to be changed to 1.
[Pic-1.png]
Rule setup:

1. Create two combined Multiplex SAT + Allow rule pairs, one for each RIPv2 router. In this example we have two RIPv2 routers, one on the External-Internet interface and one on the Internal-Network interface.
2. Let's start by creating the rules for our primary router, located on the ‘Internal-Network’ interface. This router sends multicast messages to 224.0.0.9, which should be received by the router located on the External-Internet interface. The first rule in this example is a Multiplex SAT rule that forwards the router exchange traffic destined to 224.0.0.9, the RIPv2 multicast address used to find adjacent routers and exchange routing tables. Create the Multiplex SAT rule with the router that sends the multicast messages as the source. Follow the configuration image and make sure that the destination address is set to 224.0.0.9; change the interfaces and the source IP to the corresponding router IP in your configuration.
[Pic-2.png]
3. Next, go to the Multiplex SAT tab to tell the security gateway where to forward the messages received from the RIPv2 router on the Internal-Network interface. Select the interface the messages should be forwarded to, in this example ‘External-Internet’, and click the Add button.
[Pic-3.png]
Make sure to uncheck the ‘Multicast traffic must have been requested using IGMP before it is forwarded’ check-box. We do not want to create additional IGMP rules in order to forward the RIPv2 traffic.
4. The Multiplex SAT rule is now finished. It must be combined with an ‘Allow’ rule: right-click the Multiplex SAT rule to clone it, then change the action of the clone to ‘Allow’. Nothing else needs to be changed.
5. Create two more rules in the opposite direction, from the interface External-Internet to Internal-Network, by following steps 2 to 4.
6. When you are done, the rule section should look like this:
[Pic-4.png]
By following this example your RIPv2 routers will be able to exchange their routing tables even though they are located on separate interfaces of the Clavister Security Gateway: the gateway receives the multicast message and forwards it to the corresponding interface.
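As an added illustration (not from the original post and not Clavister's own code), the following Python model shows what the configuration above lets through: it builds and decodes RIPv2 Response messages in the RFC 2453 layout, flags the hop count 16 as unreachable, and models the TTL gate, assuming the RIPv2 router sends its updates to 224.0.0.9 with TTL 1.

```python
import socket
import struct

RIP_PORT = 520            # UDP destination port used by RIPv2
RIP_MCAST = "224.0.0.9"   # RIPv2 multicast group
RIP_INFINITY = 16         # hop count meaning "unreachable"
DEFAULT_TTL_MIN = 3       # gateway default described in the how-to
REQUIRED_TTL_MIN = 1      # value the how-to tells us to set


def build_rip2_response(routes):
    """Build a RIPv2 Response: 4-byte header (command=2, version=2, zero) followed
    by one 20-byte entry per route (AFI, route tag, prefix, mask, next hop, metric).
    'routes' is a constructed list of (prefix, mask, metric) tuples."""
    header = struct.pack("!BBH", 2, 2, 0)
    body = b"".join(
        struct.pack("!HH4s4s4sI", 2, 0, socket.inet_aton(prefix),
                    socket.inet_aton(mask), socket.inet_aton("0.0.0.0"), metric)
        for prefix, mask, metric in routes)
    return header + body


def parse_rip2_response(payload):
    """Decode a RIPv2 Response into (prefix, mask, metric, reachable) tuples.
    Rejects a truncated payload, a non-RIPv2 header, or a metric outside 1..16."""
    if len(payload) < 4 or (len(payload) - 4) % 20:
        raise ValueError("RIPv2 payload length must be 4 + n*20 bytes")
    command, version, _zero = struct.unpack("!BBH", payload[:4])
    if version != 2 or command != 2:
        raise ValueError("not a RIPv2 response")
    routes = []
    for off in range(4, len(payload), 20):
        afi, _tag, prefix, mask, _nexthop, metric = struct.unpack(
            "!HH4s4s4sI", payload[off:off + 20])
        if afi != 2 or not 1 <= metric <= RIP_INFINITY:
            raise ValueError("bad address family or metric outside 1..16")
        routes.append((socket.inet_ntoa(prefix), socket.inet_ntoa(mask),
                       metric, metric < RIP_INFINITY))
    return routes


def gateway_forwards(dst_ip, dst_port, ttl, ttl_min):
    """Model of the gate described above: the Multiplex SAT/Allow pair matches
    UDP/520 to 224.0.0.9, but a packet with TTL below 'Multicast TTL Min' is
    dropped before the rules are consulted."""
    return dst_ip == RIP_MCAST and dst_port == RIP_PORT and ttl >= ttl_min
```

With the default TTL minimum of 3 a TTL-1 RIPv2 update is dropped; after setting it to 1 the same update is forwarded, and its entries can be checked for the 16-hop "infinite" metric.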

Note: This example is based on version 9.x, but it can also be achieved in version 8.x as long as you have a version with support for SAT Multiplex rules.
