The mpls rsvp-te authentication command enables authentication on an interface.
The undo mpls rsvp-te authentication command disables authentication on an interface.
By default, authentication is disabled. Configuring RSVP authentication is recommended to improve device security.
| Parameter | Description | Value |
|---|---|---|
| cipher authkey-cipher |
Specifies an authentication key in ciphertext. |
The value is a string, spaces not supported. A ciphertext key is 20 to 392 characters. |
| plain authkey-plain |
Specifies an authentication key in simple text. |
The value is a string, spaces not supported. A simple text key is 1 to 255 characters |
100ge sub-interface view, 100GE interface view, 10GE sub-interface view, 10GE interface view, 25GE sub-interface view, 25GE interface view, 400GE sub-interface view, 400GE interface view, 40GE sub-interface view, 40GE interface view, 50GE sub-interface view, 50GE interface view, Eth-Trunk sub-interface view, Eth-Trunk interface view, GE optical interface view, GE sub-interface view, GE electrical interface view, GMPLS-UNI interface view, Tunnel interface view, XGE sub-interface view, XGE interface view
Usage Scenario
RSVP authentication can be configured to improve network reliability and security and prevent attacks initiated using messages modified or forged by unauthorized users.
RSVP authentication can prevent the setup of an illegal RSVP neighbor relationship using the following methods and protect the local node against attacks (such as malicious reservation of a larger number of bandwidth resources):
Prerequisites
The mpls rsvp-te command has been run to enable RSVP-TE in the MPLS and interface views.
Configuration Impact
If the mpls rsvp-te authentication command is configured in the MPLS RSVP-TE neighbor view, a neighbor node sends RSVP-TE packets all carrying authentication information that is calculated using the key of the configured authentication mode, and authenticates all received RSVP-TE packets based on the configured key.
If the mpls rsvp-te authentication command is run on an interface, the interface sends RSVP-TE packets all carrying authentication information that is calculated using the key of the configured authentication mode, and authenticates all received RSVP-TE packets based on the configured key.
Precautions
The mpls rsvp-te authentication command run in either of the following views produces a specific result:
If this command is run in the interface view, RSVP authentication takes effect on packets received by the interface.
If this command is run in the MPLS RSVP-TE neighbor view, RSVP authentication takes effect on packets received by the local RSVP-TE neighbor.
Parameters are optional for configuring HMAC-MD5 or keychain authentication:
cipher: indicates HMAC-MD5 authentication with the key displayed in cipher text.
plain: indicates HMAC-MD5 authentication with the key displayed in plain text.
keychain: indicates keychain authentication with a globally configured keychain.
HMAC-MD5 authentication has low security. In order to ensure better security, it is recommended to use Keychain authentication and use a more secure algorithm, such as HMAC-SHA-256. Run the mpls rsvp-te authentication keychain command to ensure that the authentication keys and authentication algorithms remain consistent on both ends of a TE LSP.<HUAWEI> system-view [~HUAWEI] mpls [*HUAWEI-mpls] mpls te [*HUAWEI-mpls] mpls rsvp-te [*HUAWEI-mpls] quit [*HUAWEI] interface GigabitEthernet 0/1/0 [*HUAWEI-GigabitEthernet0/1/0] mpls [*HUAWEI-GigabitEthernet0/1/0] mpls te [*HUAWEI-GigabitEthernet0/1/0] mpls rsvp-te [*HUAWEI-GigabitEthernet0/1/0] mpls rsvp-te authentication cipher Huawei-123