Configuring RSVP Authentication

Problem

You want to verify that all RSVP traffic that the router accepts comes from trusted routers to ensure the security of the LSP and the data it carries.

Solution

Configure MD5 authentication for each interface running RSVP:

	[edit protocols rsvp]
	aviva@R1# set interface so-0/0/2 authentication-key 1991$poPPi
	aviva@R1# show
	interface so-0/0/2.0 {
	 authentication-key "$9$GoDqm5QF/ApTQSrKMXxqmPfn/"; ## SECRET-DATA
	}

Discussion

It is a good security measure to authenticate RSVP exchanges to ensure that only trusted routers participate in the LSP. This recipe shows how to configure RSVP authentication. You configure a key for each interface on the router that is running RSVP. MD5 creates an encoded checksum that is included in all transmitted RSVP packets. The receiving router verifies this checksum before accepting the packet.

Use the following command to check that RSVP authentication is configured:

	aviva@R1> show rsvp interface detail
	RSVP interface: 1 active
	so-0/0/2.0 Index 69, State Ena/Up
	 Authentication, NoAggregate, NoReliable, NoLinkProtection
	 HelloInterval 9(second)
	 Address 10.1.13.1, 10.0.0.1
	 ActiveResv 1, PreemptionCnt 0, Update threshold 10%
	 Subscription 100%, StaticBW 155.52Mbps, AvailableBW 155.52Mbps
	 ReservedBW [0] 0bps[1] 0bps[2] 0bps[3] 0bps[4] 0bps[5] 0bps[6] 0bps[7] 0bps
	 PacketType            Total              Last 5 seconds
	                   Sent   Received        Sent   Received
	Path               1588         35           0          0
	PathErr               0          0           0          0
	PathTear              3          1           0          0
	Resv                 34       1586           0          0
	ResvErr               0          0           0          0
	ResvTear              0          0           0          0
	Hello              8526       8527           1          1
	Ack                   0          0           0          0
	Srefresh              0          0           0          0
	EndtoEnd RSVP         0          0           0          0

Configure the same authentication key on all interfaces participating in the LSP. If you do not configure the same password, the LSP cannot be established and is marked as Dn (down) in the show mpls lsp command output:

	aviva@R1> show mpls lsp
	Ingress LSP: 1 sessions
	To From State Rt ActivePath P LSPname
	10.0.0.6 10.0.0.1 Dn 0 - R1-to-R6
	Total 1 displayed, Up 0, Down 1

This LSP is not operating because authentication is not configured on R6, the egress router:

	aviva@R6> show rsvp interface detail
	RSVP interface: 1 active
	so-0/0/3.0 Index 66, State Ena/Up
	 NoAuthentication, NoAggregate, NoReliable, NoLinkProtection
	 HelloInterval 9(second)
	 Address 10.1.36.2, 10.0.0.6
	 ActiveResv 0, PreemptionCnt 0, Update threshold 10%
	 Subscription 100%, StaticBW 155.52Mbps, AvailableBW 155.52Mbps
	 ReservedBW [0] 0bps[1] 0bps[2] 0bps[3] 0bps[4] 0bps[5] 0bps[6] 0bps[7] 0bps
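
The comparison of R1 and R6 above can be automated when many routers are involved. The following is an added example, not code from the book: it parses saved `show rsvp interface detail` text and lists interfaces whose flags line does not show `Authentication`. The function names and the `SAMPLE` dictionary are hypothetical, and the parser assumes the output layout shown on this page.

```python
import re

# Interface header as printed on this page: "so-0/0/2.0 Index 69, State Ena/Up"
IFACE_RE = re.compile(r"^(\S+)\s+Index\s+\d+,\s+State\s+(\S+)$")

def parse_rsvp_interfaces(text):
    """Return one dict per interface found in the CLI text."""
    interfaces, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            current = {"name": m.group(1), "state": m.group(2),
                       "authentication": None, "addresses": []}
            interfaces.append(current)
        elif current is not None:
            flags = [f.strip() for f in line.split(",")]
            # The flags line carries "Authentication" or "NoAuthentication".
            if "Authentication" in flags:
                current["authentication"] = True
            elif "NoAuthentication" in flags:
                current["authentication"] = False
            elif line.startswith("Address "):
                current["addresses"] = [a.strip() for a in line[8:].split(",")]
    return interfaces

def unauthenticated(outputs):
    """outputs: router name -> CLI text. Return (router, interface) pairs whose
    flags line does not confirm authentication (missing counts as a finding)."""
    return [(router, i["name"])
            for router, text in sorted(outputs.items())
            for i in parse_rsvp_interfaces(text)
            if i["authentication"] is not True]

# Sample input: header, flags and address lines from the two outputs above.
SAMPLE = {
    "R1": """RSVP interface: 1 active
so-0/0/2.0 Index 69, State Ena/Up
  Authentication, NoAggregate, NoReliable, NoLinkProtection
  Address 10.1.13.1, 10.0.0.1""",
    "R6": """RSVP interface: 1 active
so-0/0/3.0 Index 66, State Ena/Up
  NoAuthentication, NoAggregate, NoReliable, NoLinkProtection
  Address 10.1.36.2, 10.0.0.6""",
}

if __name__ == "__main__":
    for router, iface in unauthenticated(SAMPLE):
        print(f"{router} {iface}: RSVP authentication not enabled")
```

The check only confirms that authentication is enabled on each interface; it cannot tell whether the keys on both ends of a link match, which still shows up as an LSP in the Dn state.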


JUNOS Cookbook
Junos Cookbook (Cookbooks (OReilly))
ISBN: 0596100140
EAN: 2147483647
Year: 2007
Pages: 290
Authors: Aviva Garrett
