The mpls rsvp-te authentication command run in the interface or neighbor view enables authentication and sets an authentication key.
The undo mpls rsvp-te authentication command run in the interface or neighbor view disables authentication.
Authentication is disabled by default.
mpls rsvp-te authentication { { cipher | plain } auth-key | keychain keychain-name }
undo mpls rsvp-te authentication
Parameter | Description | Value |
---|---|---|
cipher | Indicates that the key is displayed in cipher text. | - |
plain | Indicates that the key is displayed in plain text. NOTICE: If plain is selected, the password is saved in the configuration file in plain text. In this case, users at a lower level can easily obtain the password by viewing the configuration file. This brings security risks. Therefore, it is recommended that you select cipher to save the password in cipher text. | - |
auth-key | Specifies the password. | A string of case-sensitive characters, spaces not supported. When the key is displayed in plaintext, its length ranges from 1 to 255; when the key is displayed in MD5 cipher text, its length ranges from 20 to 392. When double quotation marks are used around the string, spaces are allowed in the string. |
keychain keychain-name | Specifies the keychain name, which is configured by running the keychain command. | The value is the name of an existing keychain. |
VLANIF interface view, GE interface view, XGE interface view, MultiGE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-trunk interface view, RSVP-TE neighbor view
Usage Scenario
RSVP authentication can be configured to improve network reliability and security and prevent attacks initiated using messages modified or forged by unauthorized users.
Prerequisites
The mpls rsvp-te command is run to enable RSVP-TE in the MPLS view and interface view.
Precautions
If this command is run in the interface view, RSVP authentication takes effect on packets received by the interface. All RSVP-TE packets sent by the interface carry authentication information that is calculated using the key of the configured authentication mode, and the interface authenticates all received RSVP-TE packets based on the configured key.
If this command is run in the MPLS RSVP-TE neighbor view, RSVP authentication takes effect on packets received by the local RSVP-TE neighbor. The RSVP-TE packets sent by the neighbor node all carry authentication information that is calculated using the key of the configured authentication mode, and all RSVP-TE packets sent to the neighbor node are authenticated based on the configured key.
cipher: indicates HMAC-MD5 authentication with the key displayed in cipher text.
plain: indicates HMAC-MD5 authentication with the key displayed in plain text.
keychain: indicates keychain authentication with a globally configured keychain.
Note that the HMAC-MD5 algorithm cannot ensure security. Keychain authentication is recommended.
# Configure keychain authentication for the peer. The referenced keychain name is kc1.
```
<HUAWEI> system-view
[HUAWEI] keychain kc1 mode absolute
[HUAWEI-keychain-kc1] quit
[HUAWEI] mpls rsvp-te peer 10.0.0.1
[HUAWEI-mpls-rsvp-te-peer-10.0.0.1] mpls rsvp-te authentication keychain kc1
```
# Configure keychain authentication on an interface. The referenced keychain name is kc1.
```
<HUAWEI> system-view
[HUAWEI] keychain kc1 mode absolute
[HUAWEI-keychain-kc1] quit
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] mpls
[HUAWEI-Vlanif100] mpls te
[HUAWEI-Vlanif100] mpls rsvp-te
[HUAWEI-Vlanif100] mpls rsvp-te authentication keychain kc1
```

```
<HUAWEI> system-view
[HUAWEI] keychain kc1 mode absolute
[HUAWEI-keychain-kc1] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] mpls
[HUAWEI-GigabitEthernet0/0/1] mpls te
[HUAWEI-GigabitEthernet0/0/1] mpls rsvp-te
[HUAWEI-GigabitEthernet0/0/1] mpls rsvp-te authentication keychain kc1
```
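The following Python audit is an added example, not part of the original command reference. It checks a saved configuration for the cases described above: RSVP-TE enabled with authentication left at its disabled default, a plain-text key, a cipher (HMAC-MD5) key, and a keychain reference with no matching keychain. The configuration layout, the function name `audit`, the finding labels and all sample values are assumptions made for this example.

```python
import re
AUTH_RE = re.compile(r"mpls rsvp-te authentication (?:(cipher|plain) .+|keychain (\S+))$")

# Constructed sample; assumed layout: unindented block headers, indented sub-commands.
SAMPLE_CONFIG = """\
keychain kc1 mode absolute
interface Vlanif100
 mpls rsvp-te
 mpls rsvp-te authentication keychain kc1
interface Vlanif200
 mpls rsvp-te
interface GigabitEthernet0/0/1
 mpls rsvp-te
 mpls rsvp-te authentication plain Constructed-Key-1
interface GigabitEthernet0/0/2
 mpls rsvp-te
 mpls rsvp-te authentication keychain kc9
mpls rsvp-te peer 10.0.0.1
 mpls rsvp-te authentication cipher constructed-ciphertext-value
"""

def audit(config):
    """Return (block header, finding) pairs; the labels are this example's own."""
    blocks, keychains = [], set()
    for line in config.splitlines():
        if line.strip() in ("", "#"):        # blank or separator line, if present
            continue
        if not line[0].isspace():            # unindented line starts a new block
            blocks.append((line.strip(), []))
            if line.startswith("keychain "):
                keychains.add(line.split()[1])
        elif blocks:
            blocks[-1][1].append(line.strip())
    findings = []
    for header, body in blocks:
        if not (header.startswith("mpls rsvp-te peer") or "mpls rsvp-te" in body):
            continue                         # RSVP-TE is not enabled in this block
        m = next((m for m in map(AUTH_RE.match, body) if m), None)
        if m is None:
            findings.append((header, "NO_AUTH"))      # authentication is disabled by default
        elif m.group(1) == "plain":
            findings.append((header, "PLAIN_KEY"))    # key readable in the configuration file
        elif m.group(1) == "cipher":
            findings.append((header, "HMAC_MD5"))     # keychain authentication is recommended
        elif m.group(2) not in keychains:
            findings.append((header, "MISSING_KEYCHAIN:" + m.group(2)))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

The findings never include the key itself, so the audit output can be shared without exposing a plain-text password.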