Configuring MSDP Peer Authentication

Context

MSDP peer authentication modes include MSDP Message-Digest Algorithm 5 (MD5) authentication, TCP-AO authentication, and keychain authentication.

By default, no authentication mode is configured for an MSDP peer. You are advised to configure an authentication mode to ensure system security.

Procedure

Configure MSDP MD5 authentication.
1. Run system-view
  The system view is displayed.
2. Run msdp [ vpn-instance vpn-instance-name ]
  The MSDP view is displayed.
3. Run peer peer-address password { cipher cipher-password | simple simple-password }
  MSDP MD5 authentication is configured.
  - The new password is at least eight characters long and contains at least two of the following types: upper-case letters, lower-case letters, digits, and special characters, except the question mark (?) and space.
  - For security purposes, you are advised to configure a password in ciphertext mode. To further improve device security, periodically change the password.
  MD5 authentication can be configured on MSDP peers to provide security protection. Make sure you enable MD5 authentication and the same authentication password for both MSDP peers. After this function is enabled, the transmit peer sends an MD5-encrypted MSDP message, which is transferred to the receive peer over a TCP connection. The receive peer decrypts the MSDP message by following the uniform MD5 encryption rules and the key contained the message. After decrypting the message successfully, the receive peer reports the message to the MSDP module for processing. Only the MSDP messages passing MD5 authentication are processed. This effectively prevents attacks that are conducted using malicious messages.
4. Run commit
  The configuration is committed.
Configure MSDP keychain authentication.
1. Run system-view
  The system view is displayed.
2. Run msdp [ vpn-instance vpn-instance-name ]
  The MSDP view is displayed.
3. Run peer peer-address keychain keychain-name
  MSDP keychain authentication is configured.
  
  Keychain and new TCP extension options enable each TCP connection to be configured with a password. You can set different encryption algorithms and validity periods for passwords. In addition, passwords can be changed at any time. This significantly improves security of encrypted packets. Only MSDP messages that are authenticated using a keychain are processed. This effectively prevents attacks conducted using malicious messages.
  
  To implement keychain authentication, you must also configure keychain authentication on the MSDP peer. Encryption algorithms and passwords configured for Keychain authentication on both peers must be the same; otherwise, the TCP connection cannot be set up between MSDP peers and MSDP messages cannot be transmitted.
  
  Before configuring MSDP keychain authentication, configure a keychain based on the configured keychain-name parameter; otherwise, the TCP connection cannot be set up.
  
  MSDP MD5 authentication and MSDP keychain authentication cannot be both configured on the same device.
  
  The encryption algorithm used for MD5 authentication poses security risks. Therefore, you are advised to use an authentication mode based on a more secure encryption algorithm.
Configure TCP-AO authentication.
1. Run system-view
  The system view is displayed.
2. Run msdp [ vpn-instance vpn-instance-name ]
  The MSDP view is displayed.
3. Run peer peer-address tcp-ao tcpAoName
  TCP-AO authentication is configured.
  
  The tcp ao command must be run to configure a TCP-AO name before you configure MSDP TCP-AO authentication; otherwise, no TCP connection can be set up. TCP-AO authentication must be configured at both ends of MSDP peers and the encryption algorithms and passwords configured for TCP-AO on both peers must be the same; otherwise, no TCP connection can be set up between the MSDP peers and MSDP messages cannot be exchanged.
  
  TCP-AO, MD5, and keychain authentication modes are mutually exclusive.