MPLS and RSVP
7450 ESS MPLS Guide Page 45
MD5 Authentication of RSVP Interface
When enabled on an RSVP interface, authentication of RSVP messages operates in both 
directions of the interface. 
A node maintains a security association with its neighbors for each authentication key. The 
following items are stored in the context of this security association:
• The HMAC-MD5 authentication algorithm.
• Key used with the authentication algorithm.
• Lifetime of the key. The user generates a key using third-party software or hardware and 
enters the value as a static string in the CLI configuration of the RSVP interface. The key 
remains valid until it is removed from that RSVP interface. 
• Source Address of the sending system.
• Latest sending sequence number used with this key identifier.
The RSVP sender transmits an authenticating digest of the RSVP message, computed using the 
shared authentication key and a keyed-hash algorithm. The message digest is included in an 
Integrity object which also contains a Flags field, a Key Identifier field, and a Sequence Number 
field. The RSVP sender complies with the procedures for RSVP message generation in RFC 2747, 
RSVP Cryptographic Authentication.
An RSVP receiver uses the key together with the authentication algorithm to process received 
RSVP messages.
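The following Python example is added here and is not code from this guide or from the router software. It carries out the sender's digest computation and the receiver's check described above using the RFC 2747 Integrity object layout; the SecurityAssociation class, the sample header and object bytes, and the strictly increasing sequence-number check are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

DIGEST_LEN = 16      # HMAC-MD5 output size
INTEGRITY_LEN = 36   # 4-byte object header + flags/key id/sequence + digest
DIGEST_OFF = 20      # offset of the digest inside the Integrity object
# Constructed sample: 8-byte common header (checksum zero) and a stand-in object.
HEADER = bytes([0x10, 0x01, 0x00, 0x00, 0x40, 0x00, 0x00, 0x34])
OBJECTS = b"\x00\x08\x01\x01" + bytes(4)

def build_integrity(key_id: int, seq: int, digest: bytes = bytes(DIGEST_LEN)) -> bytes:
    # Object header: length, Class-Num 4 (INTEGRITY), C-Type 1.
    hdr = struct.pack("!HBB", INTEGRITY_LEN, 4, 1)
    # Flags (0), reserved (0), 48-bit Key Identifier, 64-bit Sequence Number.
    body = struct.pack("!BB", 0, 0) + key_id.to_bytes(6, "big") + struct.pack("!Q", seq)
    return hdr + body + digest

def sign(key: bytes, header: bytes, objects: bytes, key_id: int, seq: int) -> bytes:
    # The digest covers the whole message with the digest field set to zero.
    zeroed = header + build_integrity(key_id, seq) + objects
    digest = hmac.new(key, zeroed, hashlib.md5).digest()
    return header + build_integrity(key_id, seq, digest) + objects

class SecurityAssociation:
    """Receiver-side state for one neighbor and key (hypothetical class)."""
    def __init__(self, key: bytes, key_id: int):
        self.key, self.key_id, self.last_seq = key, key_id, -1

    def accept(self, msg: bytes, hdr_len: int = 8) -> bool:
        obj = msg[hdr_len:hdr_len + INTEGRITY_LEN]
        if len(obj) < INTEGRITY_LEN or obj[2:4] != b"\x04\x01":
            return False                  # no Integrity object after the header
        key_id = int.from_bytes(obj[6:12], "big")
        (seq,) = struct.unpack("!Q", obj[12:20])
        start = hdr_len + DIGEST_OFF
        zeroed = msg[:start] + bytes(DIGEST_LEN) + msg[start + DIGEST_LEN:]
        expected = hmac.new(self.key, zeroed, hashlib.md5).digest()
        if key_id != self.key_id or not hmac.compare_digest(obj[DIGEST_OFF:], expected):
            return False                  # unknown key identifier or bad digest
        if seq <= self.last_seq:
            return False                  # replayed or stale sequence number
        self.last_seq = seq
        return True
```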
When a PLR node switches the path of the LSP to a bypass LSP, it does not send the Integrity 
object in the RSVP messages over the bypass tunnel. If an Integrity object is received from the MP 
node, then the message is discarded since there is no security association with the next-next-hop 
MP node.
The MD5 implementation does not support the authentication challenge procedures in RFC 2747.
Configuring Authentication using Keychains
The use of an authentication mechanism is recommended to protect against malicious attacks on the 
communications between routing protocol neighbors. These attacks could aim either to disrupt 
communications or to inject incorrect routing information into the system's routing table. The use 
of authentication keys can help to protect the routing protocols from these types of attacks.
Within RSVP, authentication must be explicitly configured through the use of the authentication 
keychain mechanism. This mechanism allows for the configuration of authentication keys and 
allows the keys to be changed without affecting the state of the protocol adjacencies.