You must configure Key-Chain authentication on both MSDP peers. The encryption algorithms and passwords configured for Key-Chain authentication must be the same on both peers; otherwise, the TCP connection cannot be set up between the MSDP peers and MSDP messages cannot be transmitted. By default, Key-Chain authentication is not configured for MSDP. Configuring it is recommended to ensure system security.
Keychain and the new TCP extension options allow a password to be configured for each TCP connection. You can set different encryption algorithms and validity periods for passwords, and passwords can be changed at any time. This significantly improves the security of encrypted packets.
Only MSDP packets that pass keychain authentication are processed. This effectively prevents attacks that are conducted through malicious packets.
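The requirement that both peers hold the same algorithm and password, combined with per-password validity periods, means a rollover can leave a window in which the peers disagree. The following added example (not vendor code) audits two keychains for such windows. It assumes a simplified model: one validity period per key, and the lowest key-id wins when periods overlap; the `Key` class, function names and sample chains are all constructed for illustration.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Key:
    key_id: int
    algorithm: str
    password: str
    start: datetime  # validity period is [start, end)
    end: datetime


def active_key(chain, when):
    """Key in force at `when`; lowest key_id wins on overlap (assumed rule)."""
    live = [k for k in chain if k.start <= when < k.end]
    return min(live, key=lambda k: k.key_id) if live else None


def mismatch(local, remote, when):
    """Why the two peers could not authenticate each other at `when`, or None."""
    a, b = active_key(local, when), active_key(remote, when)
    if a is None or b is None:
        return "no active key on one peer"
    if a.key_id != b.key_id:
        return "different key-id"
    if a.algorithm != b.algorithm:
        return "different algorithm"
    if not hmac.compare_digest(a.password.encode(), b.password.encode()):
        return "different password"
    return None


def audit(local, remote):
    """Check every interval between validity boundaries of either chain."""
    edges = sorted({t for k in local + remote for t in (k.start, k.end)})
    findings = []
    for begin, end in zip(edges, edges[1:]):
        reason = mismatch(local, remote, begin)
        if reason:
            findings.append((begin, end, reason))
    return findings


# Constructed sample chains for two peers (not real configuration).
D = datetime
PEER_A = [Key(1, "hmac-sha-256", "pw-one", D(2024, 1, 1), D(2024, 7, 1)),
          Key(2, "hmac-sha-256", "pw-two", D(2024, 7, 1), D(2025, 1, 1))]
PEER_B = [Key(1, "hmac-sha-256", "pw-one", D(2024, 1, 1), D(2024, 6, 1)),
          Key(2, "hmac-sha-1", "pw-two", D(2024, 7, 1), D(2025, 1, 1))]
```

Running `audit(PEER_A, PEER_B)` reports the month in which peer B has no valid key and the later period in which the algorithms differ, both of which would prevent the TCP connection from being set up.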