Global, Interface, And Neighbor Authentication Modes - Cisco ASR 9000 Series Configuration Manual

Global, Interface, and Neighbor Authentication Modes

You can configure global defaults for all authentication parameters, including key, window size, and lifetime. These defaults are inherited when you configure authentication for each neighbor or interface. However, you can also configure these parameters individually on a neighbor or interface basis, in which case the global values (configured or default) are no longer inherited.

Note: RSVP uses the following rule when choosing which authentication parameter to use when that parameter is configured at multiple levels (interface, neighbor, or global). RSVP goes from the most specific to the least specific level; that is, neighbor, then interface, then global.

Global keys simplify the configuration and eliminate the chance of a key mismatch when receiving messages from multiple neighbors and multiple interfaces. However, global keys do not provide the best security.

Interface keys are used to secure specific interfaces between two RSVP neighbors. Because many RSVP messages are IP routed, there are many scenarios in which using interface keys is not recommended. If the keys on all interfaces are not the same, there is a risk of a key mismatch for the following reasons:

• When RSVP graceful restart is enabled, RSVP hello messages are sent with a source IP address of the local router ID and a destination IP address of the neighbor router ID. Because multiple routes can exist between the two neighbors, the RSVP hello message can traverse different interfaces.
• When RSVP fast reroute (FRR) is active, the RSVP Path and Resv messages can traverse multiple interfaces.
• When Generalized Multiprotocol Label Switching (GMPLS) optical tunnels are configured, RSVP messages are exchanged with router IDs as the source and destination IP addresses. Since multiple control channels can exist between the two neighbors, the RSVP messages can traverse different interfaces.

• Global configuration mode is optimal when a router belongs to a single security domain (for example, it is part of a set of provider core routers). A single common key set is expected to be used to authenticate all RSVP messages.
• Interface or neighbor configuration mode is optimal when a router belongs to more than one security domain. For example, a provider router is adjacent to the provider edge (PE), or a PE is adjacent to an edge device. Different keys can be used but not shared.

Global configuration mode configures the defaults for interface and neighbor modes. These modes, unless explicitly configured, inherit the parameters from global configuration mode, as follows:
• Window-size is set to 1.
• Lifetime is set to 1800.
• The key-source key-chain command is set to none or disabled.

Related Topics
Configuring a Lifetime for an Interface for RSVP Authentication, on page 90
RSVP Authentication by Using All the Modes: Example, on page 103

Cisco ASR 9000 Series Aggregation Services Router MPLS Configuration Guide, Release 4.3.x
Implementing RSVP for MPLS-TE
OL-28381-02
70
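The precedence rule in the Note (neighbor, then interface, then global) and the inherited defaults (window-size 1, lifetime 1800, no key chain) can be worked through as a small model. The Python below is an added illustration, not code from the Cisco guide or from IOS XR. The key-chain names, interface names and neighbor address are constructed sample values; every parameter left unset at one level is taken from the next less specific level, and the interface-key check flags the situation the guide warns about, namely interfaces that end up with different key chains while hello, FRR and GMPLS messages may arrive on any of them.

```python
"""Model of RSVP authentication parameter inheritance and precedence.

Added illustration, not code from the Cisco guide or from IOS XR. It encodes
two rules the guide states: interface and neighbor modes inherit unset
parameters from global mode (built-in defaults window-size 1, lifetime 1800,
no key chain), and a parameter set at several levels is taken from the most
specific level: neighbor, then interface, then global. Key-chain names,
interface names and the neighbor address are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Built-in defaults used when no level sets the parameter (from the guide).
DEFAULTS = {"key_chain": None, "window_size": 1, "lifetime": 1800}


@dataclass
class AuthParams:
    """Authentication parameters at one level; None means 'not configured here'."""
    key_chain: Optional[str] = None
    window_size: Optional[int] = None
    lifetime: Optional[int] = None


@dataclass
class RsvpAuthConfig:
    """Global parameters plus per-interface and per-neighbor overrides."""
    global_params: AuthParams = field(default_factory=AuthParams)
    interfaces: Dict[str, AuthParams] = field(default_factory=dict)
    neighbors: Dict[str, AuthParams] = field(default_factory=dict)


def resolve(cfg: RsvpAuthConfig, interface: Optional[str] = None,
            neighbor: Optional[str] = None) -> Dict[str, object]:
    """Effective parameters for a message seen on `interface` from `neighbor`.

    Each parameter is taken from the most specific level that sets it:
    neighbor, then interface, then global, then the built-in default.
    """
    levels = []
    if neighbor is not None:
        levels.append(cfg.neighbors.get(neighbor, AuthParams()))
    if interface is not None:
        levels.append(cfg.interfaces.get(interface, AuthParams()))
    levels.append(cfg.global_params)

    effective = {}
    for name, default in DEFAULTS.items():
        effective[name] = default
        for level in levels:
            value = getattr(level, name)
            if value is not None:
                effective[name] = value
                break
    return effective


def interface_key_chains(cfg: RsvpAuthConfig) -> Dict[str, Optional[str]]:
    """Effective key chain per configured interface, after inheritance."""
    return {ifname: resolve(cfg, interface=ifname)["key_chain"]
            for ifname in cfg.interfaces}


def key_mismatch_risk(cfg: RsvpAuthConfig) -> bool:
    """True when interfaces resolve to different key chains.

    Graceful-restart hellos, FRR-rerouted Path/Resv messages and GMPLS
    control-channel messages are IP routed and can arrive on any interface,
    so differing per-interface keys risk an authentication mismatch.
    """
    return len(set(interface_key_chains(cfg).values())) > 1


def sample_config() -> RsvpAuthConfig:
    """Constructed example: a common core key chain, one PE-facing interface
    with its own chain, and one neighbor with a larger replay window."""
    cfg = RsvpAuthConfig(global_params=AuthParams(key_chain="core-keys", lifetime=3600))
    cfg.interfaces["GigabitEthernet0/0/0/0"] = AuthParams()  # inherits everything
    cfg.interfaces["GigabitEthernet0/0/0/1"] = AuthParams(key_chain="pe-link-keys")
    cfg.neighbors["10.0.0.2"] = AuthParams(window_size=2)
    return cfg


if __name__ == "__main__":
    cfg = sample_config()
    print("global only   :", resolve(cfg))
    print("Gi0/0/0/1     :", resolve(cfg, interface="GigabitEthernet0/0/0/1"))
    print("Gi0/0/0/1+nbr :", resolve(cfg, interface="GigabitEthernet0/0/0/1",
                                     neighbor="10.0.0.2"))
    print("mismatch risk :", key_mismatch_risk(cfg))
```

In the sample, the neighbor override changes only window-size, so the key chain still comes from the interface and the lifetime from the global level; the mismatch check reports a risk because one interface keeps the inherited core chain while the other carries its own, which is the case the guide describes when recommending global keys for routers inside a single security domain.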
