JunosE 11.2.x BGP and MPLS Configuration Guide
For E Series Broadband Services Routers
Configuring RSVP MD5 Authentication

See "Configuring the BFD Protocol for RSVP-TE" on page 300.
RSVP MD5 authentication provides hop-by-hop protection against message spoofing and
replay attacks. When authentication is configured, RSVP embeds an integrity object
in the otherwise cleartext RSVP messages sent between peers; the messages are
authenticated, not encrypted. The integrity object includes a key ID unique to the
sender, a message sequence number, and a keyed message digest. Together these
attributes enable the receiver to verify both the packet contents and the sender.
For all potential RSVP peers, you configure the same key on the MPLS neighbor major
interfaces, and then enable RSVP authentication on each of these interfaces. When you
enable RSVP authentication on an interface, RSVP creates a security association that
includes the key, key ID, hash algorithm, and other associated attributes. Each sender
and receiver pair maintains the security association for their shared key.
NOTE: You must enable authentication on both ends of an RSVP interface to protect
the link. Failure to do so can prevent tunnels through the interface from coming up.
Thereafter, RSVP messages sent by a router through the secured interface include an
integrity object that contains a key ID for the security association and an MD5 message
digest of the message contents. To protect against message replay attacks, the sending
interface also places a sequence number in the integrity object. Each sequence number
is a unique, monotonically increasing number.
The secured interface expects each received RSVP message to include an integrity object.
The interface drops all RSVP messages that do not contain the object.
The receiver uses the key ID and the sender's address to determine the relevant security
association. The key ID is extracted from the received integrity object. The address of the
sending interface is extracted from the rsvp_hop object, if present, or from the packet
header if the message does not include the rsvp_hop object. The receiver then recomputes
the message digest using the association key and algorithm and compares it to the digest
received from the peer.
If the digests match, RSVP checks the received sequence number. After the first
authenticated message from a sender, every subsequent message from that sender must
carry a sequence number greater than that of the last message authenticated from it.
Messages with invalid sequence numbers are discarded.
If the sequence number is valid, the RSVP message is authenticated and passed on for
normal RSVP processing. Unauthenticated messages are discarded.
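The verification flow described above, as an added example that is not JunosE code and does not reproduce the on-wire RSVP encoding: the integrity object is modelled as a dictionary, the keyed digest is HMAC-MD5 (the keyed MD5 construction RFC 2747 specifies; the page itself only says "keyed message digest"), and the key ID, addresses and message bodies are constructed for the demonstration. The receiver looks up the security association by sender address and key ID, recomputes the digest, then enforces the strictly increasing sequence number, and drops any message that lacks an integrity object.

```python
"""Illustrative model of RSVP hop-by-hop MD5 authentication.

Added example, not JunosE code and not the RSVP wire format. The integrity
object is a plain dict; key ID, addresses and payloads are constructed.
"""
import hashlib
import hmac
import struct


class SecurityAssociation:
    """State a peer keeps for one (sender address, key ID) pair."""

    def __init__(self, key: bytes, key_id: int):
        self.key = key
        self.key_id = key_id
        self.send_seq = 0        # last sequence number this side sent
        self.last_seen = None    # last sequence number authenticated from the peer


def digest(key: bytes, key_id: int, seq: int, payload: bytes) -> bytes:
    """Keyed MD5 (HMAC-MD5) over key ID, sequence number and message body."""
    header = struct.pack("!QQ", key_id, seq)
    return hmac.new(key, header + payload, hashlib.md5).digest()


def send(sa: SecurityAssociation, sender_addr: str, payload: bytes) -> dict:
    """Build an outbound RSVP message carrying an integrity object."""
    sa.send_seq += 1    # unique and monotonically increasing, never reused
    return {
        "rsvp_hop": sender_addr,
        "payload": payload,
        "integrity": {
            "key_id": sa.key_id,
            "seq": sa.send_seq,
            "digest": digest(sa.key, sa.key_id, sa.send_seq, payload),
        },
    }


def receive(assocs: dict, msg: dict, src_ip: str) -> str:
    """Authenticate an inbound message; return 'accepted' or the drop reason.

    assocs maps (sender address, key ID) -> SecurityAssociation.
    """
    integ = msg.get("integrity")
    if integ is None:
        return "drop: no integrity object"
    # Sender address comes from the rsvp_hop object, else the packet header.
    sender = msg.get("rsvp_hop", src_ip)
    sa = assocs.get((sender, integ["key_id"]))
    if sa is None:
        return "drop: unknown security association"
    expected = digest(sa.key, integ["key_id"], integ["seq"], msg["payload"])
    if not hmac.compare_digest(expected, integ["digest"]):
        return "drop: bad digest"
    if sa.last_seen is not None and integ["seq"] <= sa.last_seen:
        return "drop: replayed or out-of-order sequence number"
    sa.last_seen = integ["seq"]
    return "accepted"


def demo() -> list:
    """Exercise accept, replay, tamper and missing-object cases (constructed)."""
    key = b"34udR973j"      # shared key, as in the configuration procedure
    sender = SecurityAssociation(key, key_id=1)
    peer_assocs = {("10.0.0.1", 1): SecurityAssociation(key, key_id=1)}
    results = []
    m1 = send(sender, "10.0.0.1", b"PATH tunnel-1")
    results.append(receive(peer_assocs, m1, "10.0.0.1"))         # fresh message
    results.append(receive(peer_assocs, m1, "10.0.0.1"))         # same message replayed
    m2 = send(sender, "10.0.0.1", b"RESV tunnel-1")
    tampered = dict(m2, payload=b"RESV tunnel-2")                # body altered in flight
    results.append(receive(peer_assocs, tampered, "10.0.0.1"))
    results.append(receive(peer_assocs, m2, "10.0.0.1"))         # genuine follow-up
    results.append(receive(peer_assocs, {"payload": b"PATH"}, "10.0.0.1"))
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The model mirrors the behaviour the text describes: an unauthenticated peer, a peer with the wrong key, a tampered message and a replayed message are all dropped before RSVP processing. Note that a peer whose interface has authentication disabled sends no integrity object at all and is therefore also dropped, which is why the NOTE above requires enabling it on both ends.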
To configure RSVP-TE MD5 authentication:
1. Assign a key to the interface for MD5 authentication between RSVP peers.
   host1(config-if)#mpls rsvp authentication key 34udR973j
2. Enable MD5 authentication on the RSVP-TE interface.
Copyright © 2010, Juniper Networks, Inc.