Vulnerability Development mailing list archives

RIPv1, v2 and OSPF exploits?


From: Curt Wilson <netw3 () NETW3 COM>
Date: Sat, 25 Nov 2000 17:18:09 -0000


Greetings. I apologize in advance if this is not the 
proper forum for this message.

I am currently researching security problems and 
intrusion detection for network devices and routing 
protocols. I've heard multiple references about RIP 
(especially v1) being wide open to route spoofing 
attacks, but have not actually seen detailed reference 
to these attacks in the wild. If anyone has any 
reference material this would be excellent. I am 
mostly looking for detailed material such as tcpdump 
or packet traces as well as screen captures of 
command line tools used to implement the spoof (for 
instance, nemesis-rip).

Since OSPF appears to have two options for 
authentication information (plaintext key and MD5), I 
am wondering if anyone knows to what degree the 
plaintext keys are chosen over the MD5. Perhaps 
some are concerned about a possible performance 
hit with the MD5 option. I'm trying to learn if OSPF 
passes the key in each HELLO message it sends to 
other routers, and would love to obtain some packet 
traces of OSPF traffic (sanitized, of course) if you 
have any. 

The nemesis-ospf tool allows detailed packet crafting 
of an OSPF packet, but my knowledge of OSPF is 
not detailed enough to construct one on the fly. If I 
had some packet traces to work with I could perhaps 
gain further insight and test the tool with gated on my 
Linux boxes in my home network.

My knowledge of routing protocols is limited, so 
please excuse any errors in my reasoning process.

Thanks for any assistance.
Curt Wilson
netw3.com Consulting
www.netw3.com
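An added example, not part of the original message and not from the nemesis tools: a small OSPFv2 header audit in Python that answers the authentication question above directly from the packet bytes, showing that with AuType 1 the password sits in the clear in the 64-bit Authentication field of every packet, Hellos included, while AuType 2 carries only a key ID and sequence number with a digest appended after the packet. The sample Hellos are constructed here with a zero checksum field and a made-up router ID of 10.0.0.1.

```python
import struct
import ipaddress

OSPF_AUTYPE = {0: "null", 1: "simple-password", 2: "cryptographic"}

def build_ospf_hello(autype: int, auth_field: bytes, trailer: bytes = b"") -> bytes:
    """Construct a minimal OSPFv2 Hello (RFC 2328 A.3.1/A.3.2) for testing.
    The checksum is left at zero and the router ID 10.0.0.1 is invented."""
    assert len(auth_field) == 8
    rid = int(ipaddress.IPv4Address("10.0.0.1"))
    # version, type (1 = Hello), packet length (24 header + 20 Hello body), router ID,
    # area ID, checksum, AuType; then the 8-byte Authentication field follows
    hdr = struct.pack("!BBHIIHH", 2, 1, 44, rid, 0, 0, autype)
    # network mask, HelloInterval, options, priority, RouterDeadInterval, DR, BDR
    body = struct.pack("!IHBBIII", 0xFFFFFF00, 10, 0x02, 1, 40, 0, 0)
    return hdr + auth_field + body + trailer

def audit_ospf(pkt: bytes) -> dict:
    """Parse the OSPFv2 common header and report how the packet is authenticated."""
    if len(pkt) < 24:
        raise ValueError("truncated OSPF header")
    version, ptype, length, rid, aid, _csum, autype = struct.unpack("!BBHIIHH", pkt[:16])
    if version != 2:
        raise ValueError(f"unsupported OSPF version {version}")
    auth = pkt[16:24]
    report = {"type": ptype, "router_id": str(ipaddress.IPv4Address(rid)),
              "area_id": str(ipaddress.IPv4Address(aid)),
              "autype": OSPF_AUTYPE.get(autype, f"unknown({autype})")}
    if autype == 1:
        # Simple password: the key itself is sent in the clear in every packet.
        report["plaintext_key"] = auth.rstrip(b"\x00").decode("ascii", "replace")
        report["finding"] = "password readable by anyone who can sniff the segment"
    elif autype == 2:
        # RFC 2328 D.3: reserved(2) | key ID(1) | auth data length(1) | sequence(4);
        # the keyed digest is appended after the packet and not counted in length.
        _, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
        report.update(key_id=key_id, seq=seq, digest=pkt[length:length + auth_len].hex())
        report["finding"] = ("keyed digest; replay limited by the sequence number"
                             if len(pkt) >= length + auth_len else "digest truncated")
    else:
        report["finding"] = "unauthenticated; any host on the segment can inject routes"
    return report

if __name__ == "__main__":
    print(audit_ospf(build_ospf_hello(1, b"s3cret\x00\x00")))
```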

