BFD
This section describes a security policy, attack method, configuration method, and configuration suggestion for BFD.
Security Policy
BFD provides configurable negotiation packet authentication to improve system security. The system supports the authentication of static multicast BFD negotiation packets.
The same authentication mode, key-id field, authentication password, and authentication timeout interval must be configured on both the sender and the receiver.
- key-id is an integer ranging from 1 to 255.
- The authentication password is a string of 1 to 20 characters in plaintext or a string of 20 to 148 characters in ciphertext.
- The authentication timeout interval ranges from 1 to 10000, in seconds.
After negotiation packet authentication is configured, the A flag in the BFD packet header is set to 1, and the 28-byte authentication field is added to the payload.
When a receiver decapsulates a packet, it first compares the A flag in the packet header with its local configuration. If the flags differ, the receiver discards the packet. If they match, the receiver compares the authentication field with its local configuration; if the fields differ, the authentication field is judged incorrect and the packet fails authentication.
The authentication password can be entered in either plaintext or ciphertext. In both cases it is displayed in ciphertext in the configuration file.
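The mechanism described above, worked through in code as an added example (this is not vendor code, and the device's actual implementation is not shown on this page). It assumes that the met-sha1 mode corresponds to the Meticulous Keyed SHA1 authentication of RFC 5880 (Auth Type 5), whose 28-byte authentication section matches the size stated above; the key, discriminators, sequence numbers and timers are constructed sample values, and the timeout interval is not modelled. The receiver performs the two checks in the order the text gives: the A flag against the local configuration first, then the authentication field (type, length, key-id, sequence number and SHA1 digest) against the local key.

```python
"""Meticulous keyed SHA1 authentication of BFD control packets (RFC 5880,
section 6.7.4), written as a worked example of the policy described above.
All keys, discriminators and timer values are constructed sample data."""
import hashlib
import hmac
import struct

HDR_FMT = "!BBBBIIIII"           # 24-byte mandatory BFD control header
HDR_LEN = struct.calcsize(HDR_FMT)
AUTH_TYPE_MET_SHA1 = 5           # Auth Type 5 = Meticulous Keyed SHA1
AUTH_LEN = 28                    # type(1) len(1) key-id(1) reserved(1) seq(4) hash(20)
A_FLAG = 0x04                    # A bit in the flags byte (Sta P F C A D M)
STATE_UP = 3


def _padded_key(key):
    # RFC 5880: the shared key occupies the 20-byte hash slot, zero-padded
    # on the right, while the SHA1 digest over the whole packet is computed.
    if not 1 <= len(key) <= 20:
        raise ValueError("SHA1 key must be 1..20 bytes")
    return key.ljust(20, b"\x00")


def build_packet(my_disc, your_disc, key_id, seq, key, detect_mult=3,
                 tx_us=1_000_000, rx_us=1_000_000):
    """Build an authenticated BFD control packet (A flag set, 28-byte auth section)."""
    if not 1 <= key_id <= 255:
        raise ValueError("key-id must be 1..255")
    byte0 = 1 << 5                                   # version 1, diag 0
    byte1 = (STATE_UP << 6) | A_FLAG                 # state Up, A flag = 1
    header = struct.pack(HDR_FMT, byte0, byte1, detect_mult, HDR_LEN + AUTH_LEN,
                         my_disc, your_disc, tx_us, rx_us, 0)
    auth_prefix = struct.pack("!BBBBI", AUTH_TYPE_MET_SHA1, AUTH_LEN, key_id, 0, seq)
    digest = hashlib.sha1(header + auth_prefix + _padded_key(key)).digest()
    return header + auth_prefix + digest


def verify_packet(pkt, local_key_id, local_key, last_seq=None, auth_enabled=True):
    """Receiver-side check. Returns (accepted, reason, updated_last_seq)."""
    if len(pkt) < HDR_LEN:
        return False, "truncated header", last_seq
    _byte0, byte1, detect_mult, length = struct.unpack_from("!BBBB", pkt, 0)
    # Step 1 (as in the text): the A flag must match the local configuration.
    if bool(byte1 & A_FLAG) != auth_enabled:
        return False, "A flag does not match local configuration", last_seq
    if length != len(pkt):
        return False, "length field does not match packet size", last_seq
    if not auth_enabled:
        return True, "accepted (authentication disabled)", last_seq
    if len(pkt) != HDR_LEN + AUTH_LEN:
        return False, "authentication section has wrong size", last_seq
    auth_type, auth_len, key_id, _rsvd, seq = struct.unpack_from("!BBBBI", pkt, HDR_LEN)
    # Step 2: the authentication field must agree with the local configuration.
    if auth_type != AUTH_TYPE_MET_SHA1 or auth_len != AUTH_LEN:
        return False, "authentication type/length mismatch", last_seq
    if key_id != local_key_id:
        return False, "key-id mismatch", last_seq
    # Meticulous mode: the sequence number must advance by 1..3*DetectMult
    # (mod 2^32) on every packet, which rejects replays of a captured packet.
    if last_seq is not None:
        delta = (seq - last_seq) % (1 << 32)
        if delta == 0 or delta > 3 * detect_mult:
            return False, "sequence number replayed or out of window", last_seq
    received = pkt[HDR_LEN + 8:]
    expected = hashlib.sha1(pkt[:HDR_LEN + 8] + _padded_key(local_key)).digest()
    if not hmac.compare_digest(received, expected):
        return False, "authentication field incorrect", last_seq
    return True, "accepted", seq


def demo():
    """Run the receiver against one valid packet and several defective ones."""
    key = b"example-key"                          # constructed sample key
    pkt = build_packet(0x1001, 0x2002, key_id=7, seq=100, key=key)
    # Same header with the A flag cleared and no auth section.
    plain = bytes([pkt[0], pkt[1] & ~A_FLAG & 0xFF, pkt[2], HDR_LEN]) + pkt[4:HDR_LEN]
    # Authenticated packet with one bit flipped in My Discriminator.
    tampered = pkt[:4] + bytes([pkt[4] ^ 0x01]) + pkt[5:]
    return {
        "valid": verify_packet(pkt, 7, key, last_seq=99)[0],
        "wrong_key": verify_packet(pkt, 7, b"other-key", last_seq=99)[0],
        "wrong_key_id": verify_packet(pkt, 8, key, last_seq=99)[0],
        "replayed": verify_packet(pkt, 7, key, last_seq=100)[0],
        "no_a_flag": verify_packet(plain, 7, key, last_seq=99)[0],
        "tampered": verify_packet(tampered, 7, key, last_seq=99)[0],
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:13s} -> {'accepted' if accepted else 'discarded'}")
```

Only the first entry is accepted; every other case is discarded at the check named in its reason string, which is why the page insists that mode, key-id and password be identical on both ends.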
Attack Method
An attacker forges BFD packets and sends them to a target.
Configuration Method
- Configure authentication in the BFD session view. Only static BFD sessions are supported.
Run the authentication-mode met-sha1 key-id key-id cipher cipher-text nego-packet [ timeout-interval interval-value ] command to configure authentication.
In a specific access scenario, for example, when a multicast BFD session is associated with the protocol status of an interface, configure authentication for the BFD session on the interface. BFD negotiation can succeed, the BFD-associated protocol status of the interface can be activated, and users can access the device through this interface only when the BFD authentication information on both ends is consistent.
- In the BFD view, you can configure an authentication mode and key for a single-hop BFD session for IP, a multi-hop BFD session for IP, a BFD for LDP LSP proactive session, or a BFD for LDP LSP passive session.
  - Run the bfd single-hop peer-ip ip-address [ vpn-instance vpn-name ] authentication-mode met-sha1 key-id key-id-value cipher cipher-text nego-packet command to configure an authentication mode and key for a single-hop BFD session for IPv4.
  - Run the bfd single-hop peer-ipv6 ipv6-address [ vpn-instance vpn-name ] authentication-mode met-sha1 key-id key-id-value cipher cipher-text nego-packet command to configure an authentication mode and key for a single-hop BFD session for IPv6.
  - Run the bfd multi-hop peer-ip ip-address [ vpn-instance vpn-name ] authentication-mode met-sha1 key-id key-id-value cipher cipher-text nego-packet command to configure an authentication mode and key for a multi-hop BFD session for IPv4.
  - Run the bfd multi-hop peer-ipv6 ipv6-address [ vpn-instance vpn-name ] authentication-mode met-sha1 key-id key-id-value cipher cipher-text nego-packet command to configure an authentication mode and key for a multi-hop BFD session for IPv6.
  - Run the bfd mpls-passive peer-ip ip-address authentication-mode met-sha1 key-id key-id-value cipher cipher-text nego-packet command to configure an authentication mode and key for a BFD for LDP LSP passive session.
  - Run the bfd lsp-tunnel peer-ip ip-address authentication-mode met-sha1 key-id key-id-value cipher cipher-text nego-packet command to configure an authentication mode and key for a BFD for LDP LSP proactive session.
Configuration Suggestion
Enable BFD negotiation packet authentication on networks that require high security.