PCEP

Security Policy

  • PCEP keychain authentication

    Keychain authentication is an enhanced authentication mechanism. It calculates a digest over a message so that PCEP packets that have been tampered with can be detected and discarded.

    During keychain authentication, a group of passwords is defined to form a password string, and each password is assigned encryption and decryption algorithms (for example, SHA-2) and an expiration period. When sending or receiving a packet, the system selects a valid password based on the user's configuration. Within the lifetime of that password, the system applies the matching encryption algorithm to a packet before sending it, or the matching decryption algorithm to a packet before accepting it. In addition, the system automatically switches to a new password after the previous one expires, reducing the risk that a long-lived password is cracked.

    The passwords used for keychain authentication, their encryption and decryption algorithms, and their expiration periods are configured separately on a keychain configuration node. A keychain configuration node requires at least one password and must have the encryption and decryption algorithms specified.

    PCEP session authentication can be configured to improve network security and defend against attacks. Keychain authentication can be configured when a session is established between the PCE server and client.
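    The key-selection and digest logic described above, as an added illustration that is not Huawei's code and does not reflect the NetEngine 8000 F implementation. It models a keychain as a set of keys, each with a SHA-2 HMAC algorithm and separate send and receive validity windows (the windows, key IDs, secrets and the key-id/digest/payload wire layout are constructed assumptions). Overlapping receive windows let a receiver still accept packets protected with the previous key during rollover, while packets protected with an expired key, or with a modified payload, are rejected.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Key:
    """One entry of a keychain (constructed model, not the vendor's data structure)."""
    key_id: int        # carried on the wire so the receiver can pick the right key
    secret: bytes      # shared secret between PCE client and server
    algorithm: str     # hashlib digest name; "sha256" is a SHA-2 family member
    send_start: int    # key may be used for sending in [send_start, send_end)
    send_end: int
    recv_start: int    # key is accepted on receive in [recv_start, recv_end)
    recv_end: int


class Keychain:
    """A group of keys with lifetimes; the active key is chosen by the current time."""

    def __init__(self, keys: List[Key]) -> None:
        if not keys:
            raise ValueError("a keychain needs at least one key")
        self.keys = sorted(keys, key=lambda k: k.key_id)

    def active_send_key(self, now: int) -> Optional[Key]:
        """Return the key whose send window covers 'now' (None if there is none)."""
        for key in self.keys:
            if key.send_start <= now < key.send_end:
                return key
        return None

    def receive_keys(self, now: int) -> List[Key]:
        """All keys accepted at 'now'; windows may overlap to allow smooth rollover."""
        return [k for k in self.keys if k.recv_start <= now < k.recv_end]


def compute_digest(key: Key, payload: bytes) -> bytes:
    """HMAC over the payload with the key's SHA-2 algorithm."""
    return hmac.new(key.secret, payload, key.algorithm).digest()


def protect(chain: Keychain, payload: bytes, now: int) -> bytes:
    """Sender side: pick the valid key and prepend key_id and digest to the payload."""
    key = chain.active_send_key(now)
    if key is None:
        raise RuntimeError("no key is valid for sending at this time")
    # Constructed wire layout: key_id (1 byte) | digest | payload
    return bytes([key.key_id]) + compute_digest(key, payload) + payload


def verify(chain: Keychain, message: bytes, now: int) -> Optional[bytes]:
    """Receiver side: return the payload if the digest checks out, else None."""
    if not message:
        return None
    key_id = message[0]
    for key in chain.receive_keys(now):
        if key.key_id != key_id:
            continue
        digest_len = hashlib.new(key.algorithm).digest_size
        tag, payload = message[1:1 + digest_len], message[1 + digest_len:]
        # Constant-time comparison avoids leaking digest bytes via timing.
        if hmac.compare_digest(tag, compute_digest(key, payload)):
            return payload
        return None  # digest mismatch: packet was tampered with or wrong secret
    return None  # no accepted key with this id: expired or unknown key


# Constructed demo keychain: key 1 hands over to key 2 at t=1000, with key 1
# still accepted on receive until t=1100 and key 2 accepted from t=900.
DEMO_CHAIN = Keychain([
    Key(1, b"demo-secret-one", "sha256", 0, 1000, 0, 1100),
    Key(2, b"demo-secret-two", "sha256", 1000, 2000, 900, 2000),
])


if __name__ == "__main__":
    msg = protect(DEMO_CHAIN, b"PCRpt-sample", 500)
    print("valid at t=500:", verify(DEMO_CHAIN, msg, 500))
    print("still accepted at t=1050 (overlap):", verify(DEMO_CHAIN, msg, 1050))
    print("rejected at t=1200 (key 1 expired):", verify(DEMO_CHAIN, msg, 1200))
```

The receive window is deliberately wider than the send window: the receiver tolerates clock skew and in-flight packets around the rollover instant, but once the old key's receive window closes, packets protected with it are dropped even if the digest itself is correct.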

  • PCEP TLS

    TLS is a security protocol derived from SSL that ensures data integrity and confidentiality. It prevents the communication between the client and server from being eavesdropped on.

    TLS authentication can be configured when a session is established between the PCE server and client to improve network security and prevent network attacks.

  • PCEP whitelist

    The application layer association module checks protocol packets destined for the CPU and forwards those that match the whitelist to the CPU at a high rate. The PCEP whitelist feature is enabled by default and does not need to be configured.

Attack Methods

None

Procedure

  • Configure PCEP keychain authentication.

    Before configuring PCEP keychain authentication, configure a keychain globally. For details, see NetEngine 8000 F Configuration Guide - Security.

    1. Run system-view

      The system view is displayed.

    2. Run pce-client

      The PCE client view is displayed.

    3. Run connect-server ip-address

      A candidate server is specified.

    4. Run authentication_keychain keychain-name

      Keychain authentication is configured for the PCEP sessions established between the PCE client and the servers.

    5. Run commit

      The configuration is committed.

  • Configure PCEP TLS authentication.

    1. Run system-view

      The system view is displayed.

    2. Run ssl policy policy-name

      An SSL policy is created and the SSL policy view is displayed.

    3. Run ssl minimum version { tls1.1 | tls1.2 | tls1.3 }

      The minimum SSL version is set for the current SSL policy.

      For details about other configurations in the SSL policy view, see section "Configuring and Binding an SSL Policy" of chapter "User Login Configuration" in NetEngine 8000 F Configuration Guide - Basic Configuration.

    4. Run quit

      Return to the system view.

    5. Run pce-client

      The PCE client view is displayed.

    6. Run connect-server ip-address

      A candidate server is specified.

    7. Run bind ssl-policy policy-name

      An SSL policy is specified for the PCE client.

    8. Run commit

      The configuration is committed.

Copyright © Huawei Technologies Co., Ltd.