mpls rsvp-te authentication (MPLS RSVP-TE neighbor view)

Function

The mpls rsvp-te authentication command enables authentication on an interface.

The undo mpls rsvp-te authentication command disables authentication on an interface.

By default, authentication is disabled. Configuring RSVP authentication is recommended to improve device security.

Format

mpls rsvp-te authentication { cipher authkey-cipher | plain authkey-plain }

undo mpls rsvp-te authentication

Parameters

Parameter Description Value
cipher authkey-cipher

Specifies an authentication key in ciphertext.

The value is a string, spaces not supported. A ciphertext key is 20 to 392 characters.
plain authkey-plain

Specifies an authentication key in simple text.

The value is a string, spaces not supported. A simple text key is 1 to 255 characters

Views

MPLS RSVP-TE neighbor view

Default Level

2: Configuration level

Task Name and Operations

Task Name Operations
mpls-te write

Usage Guidelines

Usage Scenario

RSVP authentication can be configured to improve network reliability and security and prevent attacks initiated using messages modified or forged by unauthorized users.

RSVP authentication can prevent the setup of an illegal RSVP neighbor relationship using the following methods and protect the local node against attacks (such as malicious reservation of a larger number of bandwidth resources):

  • An unauthorized node attempts to set up an RSVP neighbor relationship with the local node.
  • A remote node generates and sends forged RSVP messages to set up a neighbor relationship with the local node.

Prerequisites

The mpls rsvp-te command has been run to enable RSVP-TE in the MPLS and interface views.

Configuration Impact

If the mpls rsvp-te authentication command is configured in the MPLS RSVP-TE neighbor view, a neighbor node sends RSVP-TE packets all carrying authentication information that is calculated using the key of the configured authentication mode, and authenticates all received RSVP-TE packets based on the configured key.

If the mpls rsvp-te authentication command is run on an interface, the interface sends RSVP-TE packets all carrying authentication information that is calculated using the key of the configured authentication mode, and authenticates all received RSVP-TE packets based on the configured key.

Precautions

The mpls rsvp-te authentication command run in either of the following views produces a specific result:

  • If this command is run in the interface view, RSVP authentication takes effect on packets received by the interface.

  • If this command is run in the MPLS RSVP-TE neighbor view, RSVP authentication takes effect on packets received by the local RSVP-TE neighbor.

Parameters are optional for configuring HMAC-MD5 or keychain authentication:

  • cipher: indicates HMAC-MD5 authentication with the key displayed in cipher text.

  • plain: indicates HMAC-MD5 authentication with the key displayed in plain text.

  • keychain: indicates keychain authentication with a globally configured keychain.

    HMAC-MD5 authentication has low security. In order to ensure better security, it is recommended to use Keychain authentication and use a more secure algorithm, such as HMAC-SHA-256.

    Run the mpls rsvp-te authentication keychain command to ensure that the authentication keys and authentication algorithms remain consistent on both ends of a TE LSP.

Example

# Enable authentication with a ciphertext key.
<HUAWEI> system-view
[~HUAWEI] mpls
[*HUAWEI-mpls] mpls te
[*HUAWEI-mpls] mpls rsvp-te
[*HUAWEI-mpls] mpls rsvp-te peer 10.1.0.1
[*HUAWEI-mpls-rsvp-te-peer-10.1.0.1] mpls rsvp-te authentication cipher Huawei-123
Parent Topic: MPLS TE Configuration Commands
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >