Alcatel-Lucent 7750 SR Manual page 1039

Os services guide

NOTE: The authentication management for VRRP closely follows the authentication management
format used for IS-IS.

The authentication-type command is one of the commands not affected by the presence of the owner
keyword. If authentication is not required, the authentication-type command must not be executed. If
the command is re-executed with a different authentication type defined, the new type will be used. If
the no authentication-type command is executed, authentication is removed and no authentication is
performed. The authentication-type command may be executed at any time, altering the
authentication method used by the virtual router instance.

The no form of this command removes authentication from the virtual router instance. All VRRP
Advertisement messages sent will have the Authentication Type field set to 0 and the Authentication
Data fields will contain 0 in all octets. VRRP Advertisement messages received with Authentication
Type fields containing a value other than 0 will be discarded.

password — The password keyword identifies VRRP Authentication Type 1. Type 1 requires the
definition of a string of eight octets long using the authentication-key command. All transmitted
VRRP Advertisement messages must have the Authentication Type field set to 1 and the
Authentication Data fields must contain the authentication-key password.
All received VRRP advertisement messages must contain a value of 1 in the Authentication Type
field and the Authentication Data fields must match the defined authentication-key. All other
received messages will be silently discarded.

message-digest — The message-digest keyword identifies VRRP Authentication Type 2. Type 2
defines a lower IP layer MD5 authentication mechanism using HMAC and IP authentication
header standards. An MD5 key must be defined using the message-digest-key command. All
transmitted VRRP advertisement messages must have the Authentication Type field set to 2 and
the Authentication Data fields must contain 0 in all octets. The message-digest key is used in the
hashing process when populating the IP Authentication Header fields. A sequential incrementing
counter (set to zero when the message-digest-key is set) is incremented and then used in the IP
Authentication Header to prevent replay attacks on authorized participating virtual router
instances.
All received VRRP advertisement messages must contain a value of 2 in the Authentication Type
field and the Authentication Data fields are ignored. The message must have been authorized by
the lower layer IP Authentication Header process with the sequential counter field and the source
IP address presented to the virtual router instance. To track the validity of the received counter,
the virtual router instance maintains a master counter table containing up to 32 source IP
addresses and the last received counter value. Populate the table as follows:

1. Check to see if source IP address exists in table.
   - If non-existent, create an entry if available.
   - If no entry is available, delete the oldest and create an entry.
   - The new entry should have a counter value of zero.
2. Compare the message counter value to the entry value (0 if new entry or equal to the previous
   message counter from the source IP address).
   - If the message counter is not greater than the entry counter value, silently discard the
     packet.
   - If the message counter is greater than the entry counter value, accept the message for
     further checking and replace the entry counter value with the message counter value and
     time stamp the entry.
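
The two-step master counter table procedure above, written out as an added example (not code from the manual or from SR OS). The class and function names are hypothetical, the source addresses are constructed sample data, and two points the text leaves open are assumed: "oldest" means the least recently time-stamped entry, and a new entry is time-stamped when it is created.

```python
import time

MAX_ENTRIES = 32  # table size given in the text


class MasterCounterTable:
    """Per-source replay counters for VRRP Authentication Type 2 messages."""

    def __init__(self, max_entries=MAX_ENTRIES, clock=time.monotonic):
        self.max_entries = max_entries
        self.clock = clock   # injectable so the behaviour can be tested
        self.entries = {}    # source IP -> [last counter, time stamp]

    def accept(self, src_ip, counter):
        """Return True if the message passes the counter check, else False."""
        entry = self.entries.get(src_ip)
        if entry is None:
            # Step 1: no entry for this source; make room if the table is full.
            if len(self.entries) >= self.max_entries:
                # Assumption: "oldest" = least recently time-stamped entry.
                oldest = min(self.entries, key=lambda ip: self.entries[ip][1])
                del self.entries[oldest]
            # Assumption: a new entry is time-stamped on creation.
            entry = self.entries[src_ip] = [0, self.clock()]
        # Step 2: the counter must be strictly greater than the stored value.
        if counter <= entry[0]:
            return False     # silently discard
        entry[0] = counter   # accept for further checking, remember counter
        entry[1] = self.clock()
        return True


def demo():
    """Run constructed (source, counter) pairs through a 2-entry table."""
    ticks = iter(range(100))  # deterministic clock for the demo
    table = MasterCounterTable(max_entries=2, clock=lambda: next(ticks))
    messages = [("10.0.0.1", 1), ("10.0.0.1", 2), ("10.0.0.1", 2),
                ("10.0.0.1", 1), ("10.0.0.2", 7), ("10.0.0.3", 1),
                ("10.0.0.1", 1)]
    return [table.accept(ip, c) for ip, c in messages], table.entries
```

In `demo()` the last message is accepted because the entry for 10.0.0.1 was deleted to make room, so its stored counter is zero again; the counter check holds for a source only while its entry remains in the table.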
IES Service Configuration Commands