101
0/228
Loading content...
By the early 1990s, RIP (now called RIPv1) was showing its age. The Internet was evolving rapidly, and RIPv1's design assumptions from the early 1980s no longer matched reality. Networks needed VLSM (Variable Length Subnet Masks) for efficient address allocation. Security concerns demanded authentication. The growth of networks made broadcast storms from RIP updates increasingly problematic.
Rather than abandon RIP entirely, the IETF chose to modernize it. RIPv2, specified in RFC 1723 (1994) and updated in RFC 2453 (1998), addressed RIPv1's most pressing limitations while maintaining backward compatibility and operational simplicity. The result was a protocol that bridged the gap between RIPv1's simplicity and the demands of modern networks.
This page explores each enhancement in depth, explaining not just what changed, but why each change was necessary and how it works at the packet level.
By the end of this page, you will understand RIPv2's critical enhancements: subnet mask transmission (CIDR/VLSM support), authentication mechanisms (plain text and MD5), multicast updates, route tagging for external route identification, next-hop specification, and the path to RIPng for IPv6.
Before appreciating RIPv2's improvements, we must understand what was wrong with RIPv1. Each limitation addressed by RIPv2 emerged from real operational problems.
The VLSM Crisis
RIPv1 transmits network addresses without subnet masks. Receiving routers must infer the mask based on the address class:
RIPv1 route entry:
IP Address: 10.1.2.0
Mask: (not transmitted!)
Receiving router thinks:
10.x.x.x is Class A → mask must be 255.0.0.0
Installs route as: 10.0.0.0/8
But sender meant: 10.1.2.0/24!
This made it impossible to use subnets of different sizes in the same network (VLSM) or to properly implement CIDR (Classless Inter-Domain Routing).
| Limitation | Operational Impact | RIPv2 Solution |
|---|---|---|
| No subnet mask in updates | VLSM impossible, CIDR broken | Subnet mask field added |
| No authentication | Anyone can inject routes | Plain text and MD5 auth |
| Broadcast-only updates | All hosts process RIP packets | Multicast address 224.0.0.9 |
| No route tagging | Can't identify external routes | Route tag field |
| No next-hop field | Suboptimal routing in NBMA networks | Explicit next-hop specification |
| Wasteful 'Must Be Zero' fields | 20 bytes per entry unused | Fields repurposed productively |
The Security Void
RIPv1 has no authentication whatsoever. Any device on the network can send RIP updates, and routers will accept them. This enables trivial attacks:
Attack: Rogue device sends fake RIP update
"I can reach 0.0.0.0/0 with metric 1!" (default route)
Result:
All traffic destined for unknown networks goes to attacker
Man-in-the-middle with single broadcast packet
The Broadcast Problem
RIPv1 sends updates to the broadcast address 255.255.255.255. On an Ethernet segment:
In large networks with many hosts and few routers, this becomes significant overhead.
RIPv1's limitations are severe enough that it should never be deployed in new networks. The lack of VLSM support alone makes it incompatible with modern IP addressing practices. If you encounter RIPv1, prioritize migration to RIPv2 or another protocol.
The single most important enhancement in RIPv2 is the inclusion of subnet masks in route entries. This enables Variable Length Subnet Masking (VLSM) and Classless Inter-Domain Routing (CIDR)—essential capabilities for modern networks.
The Packet Format Change
RIPv2 repurposes RIPv1's "Must Be Zero" fields:
123456789101112131415161718192021222324252627
# RIPv1 Route Entry (20 bytes)+--------+--------+--------+--------+| Address Family | Must Be Zero | ← Wasted!| 2 bytes | 2 bytes |+--------+--------+--------+--------+| IP Address (4 bytes) |+--------+--------+--------+--------+| Must Be Zero (4 bytes) | ← Wasted!+--------+--------+--------+--------+| Must Be Zero (4 bytes) | ← Wasted!+--------+--------+--------+--------+| Metric (4 bytes) |+--------+--------+--------+--------+ # RIPv2 Route Entry (20 bytes) - same size, more useful!+--------+--------+--------+--------+| Address Family | Route Tag | ← Now useful!| 2 bytes | 2 bytes |+--------+--------+--------+--------+| IP Address (4 bytes) |+--------+--------+--------+--------+| Subnet Mask (4 bytes) | ← VLSM support!+--------+--------+--------+--------+| Next Hop (4 bytes) | ← Optimization!+--------+--------+--------+--------+| Metric (4 bytes) |+--------+--------+--------+--------+How VLSM Works with RIPv2
With explicit subnet masks, networks can use different prefix lengths:
RIPv2 Update from R1:
Entry 1: 10.1.1.0 / 255.255.255.0 (10.1.1.0/24) - LAN segment
Entry 2: 10.1.2.0 / 255.255.255.240 (10.1.2.0/28) - Small office
Entry 3: 10.1.3.128 / 255.255.255.192 (10.1.3.128/26) - Server farm
Entry 4: 10.2.0.0 / 255.255.0.0 (10.2.0.0/16) - Summarized region
Receiving router installs each with correct mask:
10.1.1.0/24 via R1
10.1.2.0/28 via R1
10.1.3.128/26 via R1
10.2.0.0/16 via R1
CIDR Aggregation Support
CIDR allows route summarization beyond classful boundaries:
Without CIDR (RIPv1):
192.168.0.0/24
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
→ 4 route entries
With CIDR (RIPv2):
192.168.0.0/22 (covers all four /24s)
→ 1 route entry, 75% reduction!
Some implementations auto-summarize routes at classful boundaries by default. This can cause problems with discontiguous networks (same Class A/B/C network in multiple locations). Disable auto-summarization ('no auto-summary' in Cisco IOS) when using VLSM with RIPv2.
RIPv2 introduces authentication to verify that routing updates come from trusted sources. Two authentication methods are defined: plain text (simple password) and cryptographic (MD5 hash).
How Authentication Uses the First Route Entry
To maintain backward compatibility with the 20-byte route entry format, authentication information is carried in a special "authentication entry" that replaces the first route entry:
1234567891011121314151617181920212223242526272829303132333435363738
# RIPv2 packet with authentication:+------------------------------------------+| RIP Header (4 bytes) |+------------------------------------------+| Authentication Entry (20 bytes) | ← Replaces first route entry+------------------------------------------+| Route Entry 2 (20 bytes) |+------------------------------------------+| Route Entry 3 (20 bytes) |+------------------------------------------+| ... up to 24 routes | ← Only 24 routes now (was 25)+------------------------------------------+ # Authentication Entry (Plain Text):+--------+--------+--------+--------+| 0xFFFF | Auth Type = 2 | ← 0xFFFF signals auth entry| 2 bytes | 2 bytes |+--------+--------+--------+--------+| Password (16 bytes) || Plain text, null-padded |+--------+--------+--------+--------+ # Authentication Entry (MD5):+--------+--------+--------+--------+| 0xFFFF | Auth Type = 3 | ← Type 3 = Keyed MD5| 2 bytes | 2 bytes |+--------+--------+--------+--------+| Packet Length | Key ID (1) || 2 bytes | |+--------+--------+--------+--------+| Auth Data Len | Sequence Number || 1 byte | 4 bytes |+--------+--------+--------+--------+| Reserved (must be zero) |+--------+--------+--------+--------+ # MD5 Digest is appended AFTER the packet (not in authentication entry)# Digest covers: RIP header + Auth entry + All route entriesPlain Text Authentication (Type 2)
The simplest form of authentication includes a 16-character password in clear text:
Configuration:
Key = "mysecretpassword"
Packet includes:
Auth entry with password in plain text
Receiver checks:
Does password match configured key? Accept or reject.
Security level: MINIMAL
Anyone sniffing network sees password
Better than nothing, but barely
Use only on isolated management networks
MD5 Cryptographic Authentication (Type 3)
MD5 authentication provides meaningful security:
Operation:
1. Sender creates packet with routes
2. Sender calculates MD5 hash:
Hash = MD5(packet + secret_key)
3. Sender appends hash to packet
4. Receiver recalculates expected hash:
Expected = MD5(received_packet + secret_key)
5. Receiver compares calculated hash with received hash
6. If match: accept. If mismatch: reject.
Security benefits:
- Secret key never transmitted
- Packet modification detected
- Replay attacks prevented (via sequence numbers)
123456789101112131415161718192021222324252627282930
# Cisco IOS Configuration # Plain text authentication (NOT RECOMMENDED)interface FastEthernet0/0 ip rip authentication mode text ip rip authentication key-chain RIPKEYS key chain RIPKEYS key 1 key-string mysecretpassword # MD5 authentication (RECOMMENDED)interface FastEthernet0/0 ip rip authentication mode md5 ip rip authentication key-chain RIPKEYS key chain RIPKEYS key 1 key-string MyStr0ngK3y! accept-lifetime 00:00:00 Jan 1 2024 00:00:00 Jan 1 2025 send-lifetime 00:00:00 Jan 1 2024 00:00:00 Jan 1 2025 key 2 key-string N3wK3yR0tat10n! accept-lifetime 00:00:00 Dec 1 2024 00:00:00 Jan 1 2026 send-lifetime 00:00:00 Jan 1 2025 00:00:00 Jan 1 2026 # Key rotation:# - Key 1 valid through 2024# - Key 2 starts accepting Dec 2024, starts sending Jan 2025# - Smooth transition without service interruptionWhile MD5 has known weaknesses for general cryptographic purposes, it remains acceptable for RIP authentication because the attack vector (routing update injection) requires network access anyway. Never use plain text authentication in production. For higher security requirements, consider OSPF with SHA authentication or completely authenticated network access.
RIPv2 changes from broadcast to multicast for sending updates, significantly reducing processing overhead on non-participating hosts.
The Multicast Address
RIPv2 uses the multicast address 224.0.0.9 for update transmission:
Address: 224.0.0.9
Name: RIP2 Routers
Scope: Link-local (TTL=1, not forwarded by routers)
IANA Assignment: Reserved for RIPv2
| Characteristic | RIPv1 (Broadcast) | RIPv2 (Multicast) |
|---|---|---|
| Destination Address | 255.255.255.255 | 224.0.0.9 |
| Layer 2 Address | ff:ff:ff:ff:ff:ff | 01:00:5e:00:00:09 |
| Switch Handling | Flood all ports | Flood or multicast-aware forwarding |
| NIC Processing | All NICs receive | Only subscribed NICs process |
| Host CPU Impact | All hosts interrupt | Only routers interrupt |
| Kernel Processing | All hosts process up to IP layer | Non-routers discard at NIC/driver |
How Multicast Reduces Overhead
Scenario: Ethernet segment with 100 hosts and 2 routers
RIPv1 (Broadcast):
- Update sent to 255.255.255.255
- Switch floods to all 100 ports
- All 100 NICs receive the frame
- All 100 hosts generate CPU interrupt
- All 100 kernels process IP packet
- 98 hosts discard (not RIP-enabled)
- 2 routers process RIP update
RIPv2 (Multicast):
- Update sent to 224.0.0.9
- Switch floods (unless IGMP snooping enabled)
- All NICs receive frame at layer 2
- 98 host NICs: MAC doesn't match subscription → discard in hardware
- 2 router NICs: MAC matches multicast group → process
- Only 2 routers generate interrupts and process
With IGMP Snooping:
Modern switches can inspect IGMP (Internet Group Management Protocol) joins and learn which ports have multicast subscribers:
With IGMP Snooping:
- Router R1 on port 5 subscribes to 224.0.0.9
- Router R2 on port 12 subscribes to 224.0.0.9
- Switch learns: 224.0.0.9 → ports 5, 12
When RIP update arrives:
- Switch sends only to ports 5 and 12
- 98 other ports never see the frame
- Maximum efficiency
12345678910111213141516171819
# Linux: Check if interface is subscribed to RIP multicast$ ip maddr show dev eth02: eth0 link 01:00:5e:00:00:09 ← Multicast MAC for 224.0.0.9 inet 224.0.0.9 ← RIPv2 multicast address inet 224.0.0.1 ← All Hosts # Cisco: Verify RIP is using multicastRouter# show ip protocols Routing Protocol is "rip" Sending updates every 30 seconds Sending v2 updates to 224.0.0.9 ← Multicast confirmed # tcpdump: Capture RIPv2 multicast traffic$ tcpdump -i eth0 -nn 'udp port 520'14:23:45.123456 IP 192.168.1.1.520 > 224.0.0.9.520: RIPv2, Response, length: 24 # Wireshark filter for RIPv2rip && ip.dst == 224.0.0.9RIPv2 can be configured to send broadcasts instead of multicasts for compatibility with RIPv1 routers. Most implementations support version modes: 'version 1', 'version 2', 'version 1 2' (both). Use 'version 2' exclusively when all routers support it.
The Route Tag field in RIPv2 provides a mechanism to mark routes with arbitrary identifiers. This is primarily useful for distinguishing external routes (learned from other protocols) from internal routes.
Route Tag Field
Field: Route Tag
Size: 2 bytes (16 bits)
Range: 0-65535
Purpose: Administrator-defined route classification
Primary Use Case: Route Redistribution
When routes are redistributed from one routing protocol to another, the route tag can preserve information about the original source:
123456789101112131415161718192021222324252627282930313233
# Scenario: OSPF routes redistributed into RIP # Network topology:# OSPF Domain ←→ Border Router ←→ RIP Domain## Border router redistributes OSPF routes into RIP# Uses route tags to mark redistributed routes # Cisco configuration:router rip version 2 redistribute ospf 1 metric 5 route-map TAG_OSPF_ROUTES route-map TAG_OSPF_ROUTES permit 10 match ip address prefix-list ALL_ROUTES set tag 100 # Tag all OSPF routes with 100 ip prefix-list ALL_ROUTES permit 0.0.0.0/0 le 32 # Result in RIP updates:# Route Entry:# Network: 10.5.0.0# Mask: 255.255.0.0# Tag: 100 ← Indicates this came from OSPF# Metric: 5# Next Hop: 0.0.0.0 # Example tag conventions:# Tag 0: Native RIP routes# Tag 100-199: Routes from OSPF area 0# Tag 200-299: Routes from EIGRP# Tag 300-399: Static routes# Tag 1000+: Customer routes (ISP scenarios)Use Cases for Route Tags
1. Loop Prevention in Mutual Redistribution
Problem:
OSPF → RIP → OSPF creates route feedback loop
Route appears in both protocols, potentially with conflicting metrics
Solution:
Tag routes when redistributing from OSPF to RIP (tag = 100)
When redistributing from RIP to OSPF, filter out tag 100
Routes don't loop back to original source
2. Policy-Based Routing Selection
Scenario: ISP with multiple upstream providers
Routes from Provider A: tag 1000
Routes from Provider B: tag 2000
Policy:
Prefer Provider A for domestic traffic
Prefer Provider B for international
Implementation:
Filter based on tags in route selection
3. Aggregation Control
Scenario: Route summarization at borders
Tag 500: Do not summarize (critical routes)
Tag 0: Normal summarization OK
Border router:
If tag = 500: advertise specific route
Else: summarize as usual
| Tag Range | Typical Meaning | Usage |
|---|---|---|
| 0 | Native route | Originated within RIP domain |
| 1-99 | Administrative | Reserved for network operations |
| 100-199 | OSPF redistributed | Routes from OSPF domain |
| 200-299 | EIGRP redistributed | Routes from EIGRP domain |
| 300-399 | Static routes | Manually configured routes |
| 400-499 | BGP redistributed | Routes from BGP |
| 1000+ | Customer-specific | ISP customer route identification |
Route tags are only meaningful if consistently applied and documented. Create a tagging policy document defining what each tag range means in your network. Without documentation, tags become confusing rather than helpful.
The Next Hop field in RIPv2 allows a router to specify a different next-hop address than its own. This optimization prevents suboptimal routing in certain network configurations.
The Problem: Suboptimal Routing Without Next Hop
Scenario: R1, R2, and R3 share a common LAN segment. Only R3 has a connection to Network X.
Without Next Hop Field (RIPv1-style):
R3 advertises:
Network X, metric 1 (from address 192.168.1.3)
R2 receives, adds 1, advertises:
Network X, metric 2 (from address 192.168.1.2)
R1 receives both:
From R3: Network X, metric 1 → Install route via 192.168.1.3
From R2: Network X, metric 2 → Worse, ignore
R1's path to X: R1 → R3 → X ✓ Optimal!
BUT what if R1 doesn't receive R3's update directly?
Maybe R3's update is lost, or R1-R3 have connectivity issues
R1 might only learn from R2:
R1's routing table: Network X via R2 (192.168.1.2), metric 2
R1's path to X: R1 → R2 → R3 → X ✗ Suboptimal! Extra hop!
Packet goes: R1 → R2 → wait, R2 should send to R3 on SAME interface!
With Next Hop Field (RIPv2):
R2 advertises:
Network X, metric 2
Next Hop: 192.168.1.3 (R3's address!) ← KEY DIFFERENCE
R1 receives from R2:
Network X, metric 2, next hop 192.168.1.3
R1's routing table: Network X via 192.168.1.3, metric 2
R1's path to X: R1 → R3 → X ✓ Optimal path even via R2's update!
1234567891011121314151617181920212223242526272829303132333435
# Next Hop field interpretation: def process_route_entry(entry, source_address): """ Process a RIPv2 route entry, handling Next Hop field. """ network = entry.ip_address mask = entry.subnet_mask metric = entry.metric + 1 # Add cost of this hop next_hop = entry.next_hop # Next Hop field interpretation: # - 0.0.0.0: Use packet source as next hop (normal case) # - Other: Use specified address as next hop (optimization) if next_hop == "0.0.0.0": # Standard behavior: route via the advertising router actual_next_hop = source_address else: # Optimization: route via specified address # The specified address MUST be on same network as receiving interface actual_next_hop = next_hop # Validation: next hop must be reachable directly if not is_directly_connected(actual_next_hop): # Invalid next hop - fall back to source actual_next_hop = source_address log("Warning: Invalid next hop, using source address") install_route(network, mask, actual_next_hop, metric) # Example RIPv2 entry with next hop:# Entry: 10.5.0.0/16, next_hop=192.168.1.3, metric=1# Received from: 192.168.1.2# Result: Route to 10.5.0.0/16 via 192.168.1.3 (not .2!)The Next Hop field is particularly valuable in Non-Broadcast Multi-Access (NBMA) networks like Frame Relay. A hub-and-spoke topology might have all spokes learning routes from the hub, but traffic should go directly between spokes when possible. The Next Hop field enables this optimization.
RIPng (RIP next generation), specified in RFC 2080 (1997), adapts RIP for IPv6 networks. It maintains RIP's simplicity while accommodating IPv6's larger addresses and different protocol ecosystem.
Key Changes from RIPv2
| Characteristic | RIPv2 (IPv4) | RIPng (IPv6) |
|---|---|---|
| Address size | 32 bits (4 bytes) | 128 bits (16 bytes) |
| UDP port | 520 | 521 |
| Multicast address | 224.0.0.9 | ff02::9 |
| Authentication | In-packet (MD5) | Via IPsec (separate) |
| Subnet mask field | 4 bytes per entry | Prefix length (1 byte) |
| Route entry size | 20 bytes | 20 bytes (same!) |
| Next hop | Per-entry field | Separate RTE type |
| Maximum routes/packet | 25 (with auth: 24) | Variable (MTU-dependent) |
1234567891011121314151617181920212223242526272829303132333435
# RIPng uses IPv6 and a different port (UDP 521) # RIPng Header (4 bytes)+--------+--------+--------+--------+|Command |Version | Must Be Zero || 1 byte | 1 byte | 2 bytes |+--------+--------+--------+--------+ # RIPng Route Entry (20 bytes - same size as RIPv2!)+--------+--------+--------+--------+| || IPv6 Prefix (16 bytes) || || |+--------+--------+--------+--------+|Route Tag|Prefix Len| Metric || 2 bytes | 1 byte | 1 byte |+--------+--------+--------+--------+ # Note: 16-byte IPv6 address + 4 bytes metadata = 20 bytes# Elegant redesign maintains same entry size! # RIPng Next Hop Entry (special route entry)# Metric = 0xFF indicates this is a next-hop specification+--------+--------+--------+--------+| || Next Hop IPv6 Address (16 bytes) || || |+--------+--------+--------+--------+| 0x0000 | 0x00 | 0xFF || Route Tag = 0 |Len = 0 | Metric |+--------+--------+--------+--------+ # Subsequent route entries use this next hop until another is specifiedAuthentication in RIPng
RIPng takes a different approach to authentication. Instead of embedding authentication in the packet (like RIPv2's MD5), RIPng relies on IPsec for security:
RIPv2 approach:
Authentication data inside RIP packet
Specific to RIP protocol
Limited to MD5 hash
RIPng approach:
Use IPsec AH (Authentication Header) or ESP
Applies to all IPv6 traffic, not just RIP
Stronger algorithm support (SHA, etc.)
Key management via IKE
Advantage:
Security is consistent across all IPv6 protocols
No protocol-specific security code needed
Benefits from IPv6 security infrastructure investments
RIPng Use Cases
RIPng fills the same niche as RIPv2—simple routing for small networks—but in IPv6 environments:
1234567891011121314151617181920212223242526272829303132
# Cisco IOS RIPng Configuration ipv6 unicast-routing interface FastEthernet0/0 ipv6 address 2001:db8:1::1/64 ipv6 rip MYRIPNG enable interface FastEthernet0/1 ipv6 address 2001:db8:2::1/64 ipv6 rip MYRIPNG enable ipv6 router rip MYRIPNG poison-reverse timers 30 180 0 120 # Linux (quagga/frr) configurationrouter ripng network eth0 network eth1 route 2001:db8::/32 # VerificationRouter# show ipv6 ripRIP process "MYRIPNG", port 521, multicast-group FF02::9 Administrative distance is 120. Updates every 30 seconds, expire after 180 Router# show ipv6 rip databaseRIP database for "MYRIPNG"2001:DB8:1::/64, metric 1, installed2001:DB8:2::/64, metric 1, installedFor small networks transitioning to IPv6, running RIPv2 for IPv4 and RIPng for IPv6 provides protocol consistency. Both use the same concepts (distance vector, hop count, timers) making troubleshooting familiar even with the new protocol stack.
We've thoroughly examined how RIPv2 modernized the classic RIP protocol while maintaining its fundamental simplicity. Let's consolidate the key insights:
Module Complete: RIP Mastery
You have now completed the comprehensive study of the Routing Information Protocol. You understand:
This knowledge provides a solid foundation for understanding all routing protocols. The concepts of distance vectors, metrics, timers, and convergence apply equally to OSPF, EIGRP, BGP, and beyond.
Congratulations! You have mastered the Routing Information Protocol. You understand its operation from packet formats to convergence behavior, can configure and troubleshoot RIP deployments, and know when RIP is (and isn't) the right protocol choice. The next module will explore OSPF—a link-state protocol that addresses RIP's scalability limitations while introducing its own complexity.