MPLS Guide MPLS and RSVP-TE
3HE 18686 AAAB TQZZA © 2022 Nokia.
Use subject to Terms available at: www.nokia.com
41
• the lifetime of the key. A key is a user-generated key using third-party software
or hardware. The value is entered as a static string into the CLI configuration of
the RSVP interface. The key will continue to be valid until it is removed from that
RSVP interface.
• the source address of the sending system
• the latest sending sequence number used with this key identifier
The RSVP sender transmits an authenticating digest of the RSVP message,
computed using the shared authentication key and a keyed hash algorithm. The
message digest is included in an Integrity object that also contains a Flags field, a
Key Identifier field, and a Sequence Number field. The RSVP sender complies with
the procedures for RSVP message generation in RFC 2747, RSVP Cryptographic
Authentication.
An RSVP receiver uses the key together with the authentication algorithm to process
received RSVP messages.
If a point of local repair (PLR) node switches the path of the LSP to a bypass LSP, it
does not send the integrity object in the RSVP messages over the bypass tunnel. If
an integrity object is received from the merge point (MP) node, then the message is
discarded since there is no security association with the next-next-hop MP node.
The 7705 SAR MD5 implementation does not support the authentication challenge
procedures in RFC 2747.
3.3.1.4.2 Authentication Keychains
The keychain mechanism allows for the creation of keys used to authenticate
RSVP-TE communications. Each keychain entry defines the authentication
attributes to be used in authenticating RSVP-TE messages from remote peers or
neighbors; the entry must include at least one key entry to be valid. The keychain
mechanism also allows authentication keys to be changed without affecting the state
of the RSVP-TE adjacencies and supports stronger authentication algorithms than
plaintext and MD5.
Keychains are configured in the config>system>security>keychain context. For
more information about configuring keychains, refer to the 7705 SAR System
Management Guide, “TCP Enhanced Authentication and Keychain Authentication”.
The keychain is then associated with an RSVP-TE interface with the auth-keychain
command.
To Next Page
Loading...
Need help?
General
