
Configuring MSDP MD5 Authentication

MSDP peers must be configured with the same authentication password; otherwise, the TCP connection between them cannot be set up and MSDP messages cannot be transmitted. The password can be entered in different forms on the two ends: one end can use cipher text while the other uses plain text. By default, MSDP MD5 authentication is not configured. Configuring it is recommended to ensure system security.

Prerequisites

Context

Message Digest 5 (MD5) authentication can be configured on MSDP peers to provide security protection. Enable MD5 authentication and configure the same authentication password on both MSDP peers. After this function is enabled, the transmitting peer sends an MD5-encrypted MSDP message, which is transferred to the receiving peer over a TCP connection. The receiving peer decrypts the MSDP message by following the uniform MD5 encryption rules and the key contained in the message. After decrypting the message successfully, the receiving peer reports the message to the MSDP module for processing.

Only MSDP packets passing MD5 authentication are processed. This effectively prevents attacks that are conducted through malicious packets.

Procedure

  • Do as follows on the FW configured with MSDP peers:
    1. Access the system view.

      system-view

    2. Access the MSDP view.

      msdp [ vpn-instance vpn-instance-name ]

    3. Configure MSDP MD5 authentication.

      peer peer-address password { cipher cipher-password | simple simple-password }

      When configuring an authentication password, select ciphertext mode. If you select plaintext mode, the password is saved in the configuration file in plain text, which poses a high security risk. To ensure device security, change the password periodically.

      The MSDP MD5 authentication password is case sensitive and cannot contain any space.

      MSDP peers must be configured with the same authentication password; otherwise, the TCP connection between them cannot be set up and MSDP messages cannot be transmitted. The password can be entered in different forms on the two ends: one end can use cipher text while the other uses plain text.

      MSDP MD5 authentication and MSDP Key-Chain authentication are mutually exclusive.
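The following check is an added example, not part of the original documentation: it scans a saved configuration for MSDP peers that have no `peer ... password` line or that use `simple` mode, the two conditions the procedure above warns about. The configuration layout, the sample addresses and passwords, and the "public" label for the instance without a `vpn-instance` are assumptions made for illustration.

```python
import re

# Constructed sample of a saved configuration. Layout is an assumption:
# an unindented "msdp" view line, indented commands, "#" closing the view.
SAMPLE_CONFIG = """\
#
msdp
 peer 192.0.2.1 connect-interface LoopBack0
 peer 192.0.2.1 password cipher %^%#CONSTRUCTED-CIPHERTEXT%^%#
 peer 192.0.2.2 connect-interface LoopBack0
 peer 192.0.2.2 password simple Example123
 peer 192.0.2.3 connect-interface LoopBack0
#
msdp vpn-instance RED
 peer 198.51.100.1 connect-interface LoopBack1
#
"""

VIEW_RE = re.compile(r"^msdp(?:\s+vpn-instance\s+(\S+))?\s*$")
PEER_RE = re.compile(r"^\s+peer\s+(\S+)(?:\s+password\s+(cipher|simple)\s+\S+)?")


def audit_msdp_md5(config_text):
    """Map (instance, peer) to 'cipher', 'simple' or 'none' (no password line)."""
    peers = {}
    instance = None  # None while outside an MSDP view
    for line in config_text.splitlines():
        view = VIEW_RE.match(line)
        if view:
            instance = view.group(1) or "public"
        elif not line.startswith(" "):
            instance = None  # "#" or any unindented line leaves the view
        elif instance:
            peer = PEER_RE.match(line)
            if peer and peer.group(2):
                peers[(instance, peer.group(1))] = peer.group(2)
            elif peer:
                peers.setdefault((instance, peer.group(1)), "none")
    return peers


def weak_peers(config_text):
    """List peers that lack an MD5 password or store it in plaintext mode."""
    return [(inst, addr, mode)
            for (inst, addr), mode in audit_msdp_md5(config_text).items()
            if mode != "cipher"]


if __name__ == "__main__":
    for inst, addr, mode in weak_peers(SAMPLE_CONFIG):
        print(f"{inst}: peer {addr}: MD5 password mode = {mode}")
```

Because MD5 and Key-Chain authentication are mutually exclusive, a peer reported as `none` may be using Key-Chain authentication instead and should be checked separately.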

Copyright © Huawei Technologies Co., Ltd.