• Configuring forward entry on the PCE-initiated point-to-multipoint LSPs
• Configuring forward entry on the router pointing to a provisioned LSP.
Auto-Bandwidth and PCE-Controlled LSP
Starting in Junos OS Release 14.2R4, auto-bandwidth is supported for
PCE-controlled LSPs. In earlier releases, the auto-bandwidth option did not apply to
PCE-controlled LSPs, although LSPs under the control of auto-bandwidth and
constraint-based routing could coexist with PCE-controlled LSPs. Statistics collection
for auto-bandwidth took effect only when the control mode of a PCE-controlled
LSP changed from external to local. This happened in cases such as no connectivity
to a PCE or when a PCE returned delegation of LSPs back to the PCC.
TCP-MD5 Authentication for PCEP Sessions
A stateful PCE server automates the creation of traffic engineering paths across the
network, increasing network utilization and enabling a customized programmable
networking experience with the use of PCEP communication with a PCC. A PCC sends
LSP reports to a PCE server, and the PCE updates or provisions LSPs back to the PCC.
The data sent over a PCEP session is crucial for a PCE server to perform external path
computing. As a result, an attack on the PCEP communication can disrupt network
services. If altered PCEP messages are sent to a PCC, inappropriate LSPs can be set up.
Similarly, if altered PCEP messages are sent to a PCE, an incorrect view of the network
is learned by the PCE.
Because PCE functions depend on the PCEP communication between a PCE and a PCC,
Junos OS Release 16.1 introduces the feature of securing a PCEP session using
TCP-MD5 authentication as per RFC 5440. This feature protects the communication
between a PCE and a PCC over a PCEP session, which might otherwise be subject to
an attack that can disrupt network services.
To enable the MD5 security mechanism for a PCEP session, it is recommended that you
define and bind the MD5 authentication key at the [edit protocols pcep pce pce-id]
hierarchy level for a PCEP session. You can, however, also use a predefined keychain
from the [edit security authentication-key-chains key-chain] hierarchy level to secure a
PCEP session. In this case, you should bind the predefined keychain into the PCEP session
at the [edit protocols pcep pce pce-id] hierarchy level.
The following configuration is executed on the PCC to establish a secure PCEP session
with a PCE:
• Using MD5 authentication key:
  [edit protocols pcep pce pce-id]
  user@PCC# set authentication-key key
• Using predefined authentication keychain:
  [edit protocols pcep pce pce-id]
  user@PCC# set authentication-key-chain key-chain
  user@PCC# set authentication-algorithm md5
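To show what the configured key protects, the following added example (not Juniper code and not part of the original document) computes the TCP MD5 signature defined in RFC 2385 for a segment carrying a PCEP Keepalive message, then checks it as the receiving peer would. The addresses, ports, key, 40-byte header length, and function names are constructed assumptions for illustration.

```python
import hashlib
import hmac
import socket
import struct

PCEP_PORT = 4189                  # IANA-assigned TCP port for PCEP
KEEPALIVE = b"\x20\x02\x00\x04"   # PCEP common header: version 1, type 2, length 4

def tcp_md5_digest(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
                   payload, key, header_len=40):
    """RFC 2385 digest: MD5 over the IPv4 pseudo-header, the fixed 20-byte
    TCP header with a zeroed checksum (options excluded), the segment data,
    and finally the shared key."""
    # Assumption: header_len=40 means 20 bytes of options (MD5 option plus padding).
    segment_len = header_len + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, segment_len))
    offset_flags = ((header_len // 4) << 12) | flags
    tcp_header = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                             offset_flags, window, 0, 0)  # checksum 0, urgent 0
    return hashlib.md5(pseudo + tcp_header + payload + key).digest()

def segment_is_authentic(received_digest, **fields):
    """Receiver side: recompute with the local key, compare in constant time."""
    return hmac.compare_digest(received_digest, tcp_md5_digest(**fields))

def demo():
    # Constructed sample segment: PCC 192.0.2.1 -> PCE 192.0.2.2, PSH|ACK.
    sent = dict(src_ip="192.0.2.1", dst_ip="192.0.2.2", sport=49152,
                dport=PCEP_PORT, seq=1000, ack=2000, flags=0x018,
                window=65535, payload=KEEPALIVE, key=b"constructed-key")
    digest = tcp_md5_digest(**sent)
    intact = segment_is_authentic(digest, **sent)
    # Same segment with the PCEP message-type byte changed in transit.
    altered = segment_is_authentic(
        digest, **{**sent, "payload": b"\x20\x0b\x00\x04"})
    # Peer configured with a different key.
    mismatched = segment_is_authentic(digest, **{**sent, "key": b"other-key"})
    return intact, altered, mismatched

if __name__ == "__main__":
    print(demo())
```

A receiver discards any segment whose digest does not verify, so a key mismatch between the PCC and the PCE appears as a PCEP session that never establishes.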
Copyright © 2017, Juniper Networks, Inc.
Chapter 23: Configuring Path Computation Element Protocol (PCEP)