Information About Implementing RSVP Authentication; RSVP Authentication Functions; RSVP Authentication Design - Cisco CRS Configuration Manual

IOS XR MPLS Configuration Guide

Information About Implementing RSVP Authentication

Before implementing RSVP authentication, you must first configure a keychain. The keychain name that you
reference in the RSVP authentication configuration must be the same as the one used in the keychain
configuration. For more information about configuring
keychains, see Cisco IOS XR System Security Configuration Guide for the Cisco CRS Router.
Note
RSVP authentication supports only keyed-hash message authentication code (HMAC) type algorithms.
To implement RSVP authentication on Cisco IOS XR software, you must understand the following concepts:

RSVP Authentication Functions

You can carry out these tasks with RSVP authentication:
• Set up a secure relationship with a neighbor by using secret keys that are known only to you and the neighbor.
• Configure RSVP authentication in global, interface, or neighbor configuration modes.
• Authenticate incoming messages by checking if there is a valid security relationship that is associated based on key identifier, incoming interface, sender address, and destination address.
• Add an integrity object with message digest to the outgoing message.
• Use sequence numbers in an integrity object to detect replay attacks.

RSVP Authentication Design

Network administrators need the ability to establish a security domain to control the set of systems that initiates
RSVP requests.
The RSVP authentication feature permits neighbors in an RSVP network to use a secure hash to sign all RSVP
signaling messages digitally, thus allowing the receiver of an RSVP message to verify the sender of the
message without relying solely on the sender's IP address.
The signature is accomplished on a per-RSVP-hop basis with an RSVP integrity object in the RSVP message
as defined in RFC 2747. This method provides protection against forgery or message modification. However,
the receiver must know the security key used by the sender to validate the digital signature in the received
RSVP message.
Network administrators manually configure a common key for each RSVP neighbor on the shared network.
The following reasons explain how to choose between global, interface, or neighbor configuration modes:
• Global configuration mode is optimal when a router belongs to a single security domain (for example, part of a set of provider core routers). A single common key set is expected to be used to authenticate all RSVP messages.
• Interface or neighbor configuration mode is optimal when a router belongs to more than one security domain. For example, a provider router is adjacent to the provider edge (PE), or a PE is adjacent to an edge device. Different keys can be used but not shared.
Cisco IOS XR MPLS Configuration Guide for the Cisco CRS Router, Release 5.1.x
Implementing RSVP for MPLS-TE and MPLS O-UNI
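
The receive-side checks described above (security association lookup by key identifier, incoming interface, sender address, and destination address; message digest verification; sequence-number replay detection) can be modeled in a short Python sketch. This is an added illustration, not Cisco code: the header layout is simplified rather than the RFC 2747 wire format, HMAC-SHA-256 stands in for whichever HMAC algorithm the keychain specifies, and all names, keys, and addresses are constructed.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256               # assumption: stand-in for the keychain's HMAC algorithm
DLEN = HASH().digest_size
HDR = struct.Struct("!IQ")          # simplified layout: key id, sequence number

def sign(key, key_id, seq, payload):
    """Sender: header + digest + payload; the digest covers the message with a zeroed digest field."""
    header = HDR.pack(key_id, seq)
    digest = hmac.new(key, header + bytes(DLEN) + payload, HASH).digest()
    return header + digest + payload

class Receiver:
    def __init__(self):
        self.keys = {}       # (key id, interface, sender, destination) -> shared key
        self.last_seq = {}   # same tuple -> highest sequence number accepted so far
    def add_association(self, key_id, iface, sender, dest, key):
        self.keys[(key_id, iface, sender, dest)] = key

    def verify(self, iface, sender, dest, msg):
        if len(msg) < HDR.size + DLEN:
            return "malformed"
        key_id, seq = HDR.unpack_from(msg)
        sa = (key_id, iface, sender, dest)
        key = self.keys.get(sa)
        if key is None:
            return "no-association"
        body = msg[HDR.size + DLEN:]
        expected = hmac.new(key, msg[:HDR.size] + bytes(DLEN) + body, HASH).digest()
        if not hmac.compare_digest(msg[HDR.size:HDR.size + DLEN], expected):
            return "bad-digest"
        # Check the sequence only after the digest, so a forgery cannot advance the counter.
        if seq <= self.last_seq.get(sa, -1):
            return "replay"
        self.last_seq[sa] = seq
        return "accepted"

def demo():
    """Constructed sample: one neighbor, one key, six received messages."""
    key, peer = b"constructed-shared-key", ("if0", "192.0.2.1", "192.0.2.2")
    rx = Receiver()
    rx.add_association(7, *peer, key)
    m1, m2 = sign(key, 7, 100, b"PATH lsp-1"), sign(key, 7, 101, b"RESV lsp-1")
    tampered, forged = m2[:-1] + b"2", sign(b"wrong-key", 7, 102, b"PATH lsp-9")
    other_if = ("if1",) + peer[1:]
    return [rx.verify(*peer, m1), rx.verify(*peer, m1), rx.verify(*peer, tampered),
            rx.verify(*peer, forged), rx.verify(*other_if, m2), rx.verify(*peer, m2)]
```

Because the association is keyed on the incoming interface as well as the addresses and key identifier, a valid message that arrives on a different interface finds no association, which mirrors the per-interface and per-neighbor key separation described above.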
