Configuring RSVP Authentication
Problem
You want to verify that all RSVP traffic that the router accepts comes from trusted routers to ensure the security of the LSP and the data it carries.
Solution
Configure MD5 authentication for each interface running RSVP:
[edit protocols rsvp]
aviva@R1# set interface so-0/0/2 authentication-key 1991$poPPi
aviva@R1# show
interface so-0/0/2.0 {
    authentication-key "$9$GoDqm5QF/ApTQSrKMXxqmPfn/"; ## SECRET-DATA
}
Discussion
It is a good security measure to authenticate RSVP exchanges to ensure that only trusted routers participate in the LSP. This recipe shows how to configure RSVP authentication. You configure a key for each interface on the router that is running RSVP. MD5 creates an encoded checksum that is included in all transmitted RSVP packets. The receiving router verifies this checksum before accepting the packet.
Use the following command to check that RSVP authentication is configured:
aviva@R1> show rsvp interface detail
RSVP interface: 1 active
so-0/0/2.0 Index 69, State Ena/Up
  Authentication, NoAggregate, NoReliable, NoLinkProtection
  HelloInterval 9(second)
  Address 10.1.13.1, 10.0.0.1
  ActiveResv 1, PreemptionCnt 0, Update threshold 10%
  Subscription 100%, StaticBW 155.52Mbps, AvailableBW 155.52Mbps
  ReservedBW [0] 0bps[1] 0bps[2] 0bps[3] 0bps[4] 0bps[5] 0bps[6] 0bps[7] 0bps
  PacketType            Total                 Last 5 seconds
                    Sent    Received        Sent    Received
  Path              1588          35           0           0
  PathErr              0           0           0           0
  PathTear             3           1           0           0
  Resv                34        1586           0           0
  ResvErr              0           0           0           0
  ResvTear             0           0           0           0
  Hello             8526        8527           1           1
  Ack                  0           0           0           0
  Srefresh             0           0           0           0
  EndtoEnd RSVP        0           0           0           0
Configure the same authentication key on all interfaces participating in the LSP. If you do not configure the same password, the LSP cannot be established and is marked as Dn (down) in the show mpls lsp command output:
aviva@R1> show mpls lsp
Ingress LSP: 1 sessions
To              From            State Rt ActivePath       P     LSPname
10.0.0.6        10.0.0.1        Dn     0 -                      R1-to-R6
Total 1 displayed, Up 0, Down 1
This LSP is not operating because authentication is not configured on R6, the egress router:
aviva@R6> show rsvp interface detail
RSVP interface: 1 active
so-0/0/3.0 Index 66, State Ena/Up
  NoAuthentication, NoAggregate, NoReliable, NoLinkProtection
  HelloInterval 9(second)
  Address 10.1.36.2, 10.0.0.6
  ActiveResv 0, PreemptionCnt 0, Update threshold 10%
  Subscription 100%, StaticBW 155.52Mbps, AvailableBW 155.52Mbps
  ReservedBW [0] 0bps[1] 0bps[2] 0bps[3] 0bps[4] 0bps[5] 0bps[6] 0bps[7] 0bps
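The check above can be run across every router on the LSP path from saved command output. The following is an added example, not part of the original recipe: it parses show rsvp interface detail captures and reports interfaces where RSVP is enabled but the Authentication flag is not confirmed. The function names are hypothetical, and the sample text is constructed by trimming the R1 and R6 outputs shown on this page.

```python
import re

# Constructed sample: trimmed "show rsvp interface detail" captures from the
# two routers on this page, keyed by router name.
SAMPLE = {
    "R1": """RSVP interface: 1 active
so-0/0/2.0 Index 69, State Ena/Up
  Authentication, NoAggregate, NoReliable, NoLinkProtection
  Address 10.1.13.1, 10.0.0.1
""",
    "R6": """RSVP interface: 1 active
so-0/0/3.0 Index 66, State Ena/Up
  NoAuthentication, NoAggregate, NoReliable, NoLinkProtection
  Address 10.1.36.2, 10.0.0.6
""",
}

# Interface header line, e.g. "so-0/0/2.0 Index 69, State Ena/Up"
IFACE_RE = re.compile(r"^(\S+)\s+Index\s+\d+,\s+State\s+(\S+)")

def parse_rsvp_interfaces(output):
    """Return {interface: {"state": str, "auth": True, False or None}}."""
    result, current = {}, None
    for line in output.splitlines():
        m = IFACE_RE.match(line)
        flags = [f.strip() for f in line.split(",")]
        if m:
            current = m.group(1)
            result[current] = {"state": m.group(2), "auth": None}
        elif current and "Authentication" in flags:
            result[current]["auth"] = True
        elif current and "NoAuthentication" in flags:
            result[current]["auth"] = False
    return result

def unauthenticated(captures):
    """List (router, interface) pairs with RSVP enabled but no confirmed auth."""
    findings = []
    for router, output in sorted(captures.items()):
        for iface, info in parse_rsvp_interfaces(output).items():
            # auth None means the flag line was missing: report it, fail closed
            if info["state"].startswith("Ena") and info["auth"] is not True:
                findings.append((router, iface))
    return findings

if __name__ == "__main__":
    for router, iface in unauthenticated(SAMPLE):
        print(f"{router} {iface}: RSVP authentication not confirmed")
```

The flag only shows that a key is configured on the interface. It does not show that the keys on the two ends of a link match, so a Dn LSP with Authentication present on both neighbors still points to a key mismatch.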