■ Configure RSVP MD5 authentication to provide hop-by-hop security.
See “Configuring RSVP MD5 Authentication” on page 287.
■ Configure fast reroute extensions to RSVP-TE to create a bypass tunnel.
See “Configuring RSVP-TE Fast Rerouting with RSVP-TE Bypass Tunnels” on
page 288.
■ Configure RSVP-TE peers to exchange hello messages and establish a hello
adjacency.
See “Configuring RSVP-TE Hello Messages to Determine Peer Reachability” on
page 291.
■ Configure RSVP-TE graceful restart to enable routers to maintain MPLS forwarding
state when a link or node failure occurs.
See “Configuring RSVP-TE Graceful Restart” on page 292.
■ Configure the exchange of RSVP-TE node hellos on all RSVP-TE interfaces.
See “Configuring RSVP-TE Hellos Based on Node IDs” on page 293.
■ Configure the BFD Protocol for RSVP-TE.
See “Configuring the BFD Protocol for RSVP-TE” on page 294.
Configuring RSVP MD5 Authentication
RSVP MD5 authentication provides hop-by-hop security against message spoofing
and replay attacks. When authentication is configured, RSVP embeds an integrity
object within secure cleartext RSVP messages sent between peers. The integrity
object includes a key ID unique to the sender, a message sequence number, and
keyed message digest. These attributes enable verification of both packet content
and sender.
For all potential RSVP peers, you configure the same key on the MPLS neighbor major
interfaces, and then enable RSVP authentication on each of these interfaces. When
you enable RSVP authentication on an interface, RSVP creates a security association
that includes the key, key ID, hash algorithm, and other associated attributes. Each
sender and receiver pair maintains the security association for their shared key.
NOTE: You must enable authentication on both ends of an RSVP interface to protect
the link. Failure to do so can prevent tunnels through the interface from coming up.
Thereafter, RSVP messages sent by a router through the secured interface include
an integrity object that contains a key ID for the security association and an MD5
message digest of the message contents. To protect against message replay attacks,
the sending interface also places a sequence number in the integrity object. Each
sequence number is a unique, monotonically increasing number.
The secured interface expects each received RSVP message to include an integrity
object. The interface drops all RSVP messages that do not contain the object.
Configuring RSVP MD5 Authentication ■ 287
Chapter 3: Configuring MPLS
To Next Page
Loading...
Need help?
General
