Cisco IOS Software Releases 12.0 S

RSVP Message Authentication


The Resource Reservation Protocol (RSVP) Message Authentication feature provides a secure method to control quality of service (QoS) access to a network.

Feature Specifications for RSVP Message Authentication

Feature History

Release      Modification
12.2(15)T    This feature was introduced.
12.0(26)S    Restrictions were added for interfaces that use Fast Reroute (FRR) node or link protection and for RSVP hellos for FRR for packet over SONET (POS) interfaces.

Supported Platforms

For platforms supported in Cisco IOS Release 12.0(26)S and 12.2(15)T, consult Cisco Feature Navigator.


Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Prerequisites for RSVP Message Authentication

Restrictions for RSVP Message Authentication

Information About RSVP Message Authentication

How to Configure RSVP Message Authentication

Configuration Examples for RSVP Message Authentication

Additional References

Command Reference

Glossary

Prerequisites for RSVP Message Authentication

Ensure that RSVP is configured on two or more routers within the network before you can use the RSVP Message Authentication feature.

Restrictions for RSVP Message Authentication

The RSVP Message Authentication feature is only for authenticating RSVP neighbors.

The RSVP Message Authentication feature cannot discriminate between various QoS applications or users, of which many may exist on an authenticated RSVP neighbor.

Authentication is not supported on interfaces that are protected by FRR.

Authentication is not supported on interfaces that use RSVP hellos.

Information About RSVP Message Authentication

To configure RSVP Message Authentication, you need to understand the following concepts:

Feature Design of RSVP Message Authentication

Special Considerations for RSVP Message Authentication

Benefits of RSVP Message Authentication

Feature Design of RSVP Message Authentication

Figure 1 RSVP Message Authentication Configuration

Special Considerations for RSVP Message Authentication

In Figure 2, to enable authentication between Internet service providers (ISPs) A and B, A and C, and A and D, the ISPs must share a common key. However, sharing a common key also enables authentication between ISPs B and C, C and D, and B and D. You may not want authentication among all the ISPs because they might be different companies with unique security domains.

Figure 2 RSVP Message Authentication in an Ethernet Configuration

This release does not support the above topology.

You need separate Ethernet networks for A to B, B to A, A to C, C to A, A to D, and D to A. Then configure unique interface keys for them.

Benefits of RSVP Message Authentication

Improved Security

The RSVP Message Authentication feature greatly reduces the chance of an RSVP-based spoofing attack and provides a secure method to control QoS access to a network.

Multiple Environments

The RSVP Message Authentication feature can be used in traffic engineering (TE) and non-TE environments as well as with subnetwork bandwidth manager (SBM).

Multiple Platforms and Interfaces

The RSVP Message Authentication feature can be used on any supported RSVP platform or interface.

How to Configure RSVP Message Authentication

The following configuration parameters instruct RSVP on how to generate and verify integrity objects in various RSVP messages.


Note There are two configuration procedures—full and minimal.


This section contains the following procedures for a full configuration:

Enabling RSVP on an Interface (required)

Configuring an RSVP Authentication Type (optional)

Configuring an RSVP Authentication Key (required)

Enabling RSVP Key Encryption (optional)

Enabling RSVP Authentication Challenge (optional)

Configuring RSVP Authentication Lifetime (optional)

Configuring RSVP Authentication Window Size (optional)

Activating RSVP Authentication (required)

Verifying RSVP Message Authentication (optional)

This section contains the following tasks for a minimal configuration:

Enabling RSVP on an Interface (required)

Configuring an RSVP Authentication Key (required)

Activating RSVP Authentication (required)

Enabling RSVP on an Interface

Perform this task to enable RSVP on an interface.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface [type number]

4. ip rsvp bandwidth [interface-kbps] [single-flow-kbps]

5. end

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface [type number]

Example:

Router(config)# interface Ethernet0/0

Enters interface configuration mode.

The type number argument identifies the interface to be configured.

Step 4 

ip rsvp bandwidth [interface-kbps] [single-flow-kbps]

Example:

Router(config-if)# ip rsvp bandwidth 7500 7500

Enables RSVP on an interface.

The optional interface-kbps and single-flow-kbps arguments specify the amount of bandwidth that can be allocated by RSVP flows or to a single flow, respectively. Values are from 1 to 10,000,000.

Note Repeat this command for each interface that you want to enable.

Step 5 

end

Example:

Router(config-if)# end

Exits to privileged EXEC mode.


Configuring an RSVP Authentication Type

Perform this task to configure an RSVP authentication type.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface [type number]

4. ip rsvp authentication type {md5 | sha-1}

5. end

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface [type number]

Example:

Router(config)# interface Ethernet0/0

Enters interface configuration mode.

The type number argument identifies the interface to be configured.

Step 4 

ip rsvp authentication type {md5 | sha-1}

Example:

Router(config-if)# ip rsvp authentication type sha-1

Specifies the algorithm used to generate cryptographic signatures in RSVP messages.

The algorithms are md5, the default, and sha-1, which is newer and more secure than md5.

Step 5 

end

Example:

Router(config-if)# end

Exits to privileged EXEC mode.


Configuring an RSVP Authentication Key

Perform this task to configure an RSVP authentication key.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface [type number]

4. ip rsvp authentication key passphrase

5. end

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface [type number]

Example:

Router(config)# interface Ethernet0/0

Enters interface configuration mode.

The type number argument identifies the interface to be configured.

Step 4 

ip rsvp authentication key passphrase

Example:

Router(config-if)# ip rsvp authentication key 11223344

Specifies the data string (key) for the authentication algorithm.

The key consists of 8 to 40 characters. It can include spaces and multiple words. It can also be encrypted or appear in clear text when displayed.

Step 5 

end

Example:

Router(config-if)# end

Exits to privileged EXEC mode.


Enabling RSVP Key Encryption

Perform this task to enable RSVP key encryption when the key is stored in the router configuration. (This prevents anyone from seeing the clear text key in the configuration file.)

SUMMARY STEPS

1. enable

2. configure terminal

3. key config-key 1 string

4. end

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

key config-key 1 string

Example:

Router(config)# key config-key 1 11223344

Enables key encryption in the configuration file.

The string argument can contain up to eight alphanumeric characters.

Step 4 

end

Example:

Router(config)# end

Exits to privileged EXEC mode.


Enabling RSVP Authentication Challenge

Perform this task to enable RSVP authentication challenge.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface [type number]

4. ip rsvp authentication challenge

5. end

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface [type number]

Example:

Router(config)# interface Ethernet0/0

Enters interface configuration mode.

The type number argument identifies the interface to be configured.

Step 4 

ip rsvp authentication challenge

Example:

Router(config-if)# ip rsvp authentication challenge

Makes RSVP perform a challenge-response handshake when RSVP learns about any new challenge-capable neighbors on a network.

Step 5 

end

Example:

Router(config-if)# end

Exits to privileged EXEC mode.


Configuring RSVP Authentication Lifetime

Perform this task to configure the lifetimes of security associations between RSVP neighbors.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface [type number]

4. ip rsvp authentication lifetime hh:mm:ss

5. end

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface [type number]

Example:

Router(config)# interface Ethernet0/0

Enters interface configuration mode.

The type number argument identifies the interface to be configured.

Step 4 

ip rsvp authentication lifetime hh:mm:ss

Example:

Router(config-if)# ip rsvp authentication lifetime 00:05:00

Controls how long RSVP maintains security associations with RSVP neighbors.

The default security association lifetime (hh:mm:ss) is 30 minutes; the range is 1 second to 24 hours.

Step 5 

end

Example:

Router(config-if)# end

Exits to privileged EXEC mode.


Configuring RSVP Authentication Window Size

Perform this task to configure RSVP authentication window size.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface [type number]

4. ip rsvp authentication window-size [n]

5. end

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface [type number]

Example:

Router(config)# interface Ethernet0/0

Enters interface configuration mode.

The type number argument identifies the interface to be configured.

Step 4 

ip rsvp authentication window-size [n]

Example:

Router(config-if)# ip rsvp authentication window-size 2

Specifies the maximum number of authenticated messages that can be received out of order.

The default value is one message; the range is 1 to 64 messages.

Step 5 

end

Example:

Router(config-if)# end

Exits to privileged EXEC mode.


Activating RSVP Authentication

Perform this task to activate RSVP authentication.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface [type number]

4. ip rsvp authentication

5. end

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface [type number]

Example:

Router(config)# interface Ethernet0/0

Enters interface configuration mode.

The type number argument identifies the interface to be configured.

Step 4 

ip rsvp authentication

Example:

Router(config-if)# ip rsvp authentication

Activates RSVP cryptographic authentication.

Step 5 

end

Example:

Router(config-if)# end

Exits to privileged EXEC mode.
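The procedures above set the parameters RSVP uses to generate and verify the INTEGRITY object defined by RFC 2747 (listed under RFCs below): the digest algorithm (md5 or sha-1), the shared key, and the window size that bounds how many authenticated messages may arrive out of order. The following Python program is an added, self-contained illustration of that mechanism; it is not Cisco code and not the router's implementation. It signs a constructed toy RSVP message with an HMAC over the whole message (digest field zeroed) and a receive-side security association verifies the digest and applies a sliding sequence-number window. The object layout (Flags, Reserved, 48-bit Key ID, 64-bit sequence number, keyed digest) follows RFC 2747; the window semantics, the toy common header and SESSION object, the key bytes and the class names are assumptions made for this example.

```python
"""Added example: a toy RSVP INTEGRITY object (RFC 2747) signer and verifier.
Not the router's implementation; object layout per RFC 2747, window logic assumed."""
import hashlib
import hmac
import struct

# RSVP object header (RFC 2205): Length(2) Class-Num(1) C-Type(1). INTEGRITY is Class-Num 4, C-Type 1.
INTEGRITY_CLASS = 4
INTEGRITY_CTYPE = 1
COMMON_HEADER_LEN = 8
# The two algorithms offered by "ip rsvp authentication type {md5 | sha-1}".
DIGESTS = {"md5": hashlib.md5, "sha-1": hashlib.sha1}


def integrity_object(key_id: bytes, seq: int, digest: bytes) -> bytes:
    """INTEGRITY body per RFC 2747: Flags(1) Reserved(1) KeyID(6) SeqNum(8) KeyedMessageDigest."""
    if len(key_id) != 6:
        raise ValueError("Key ID is 48 bits")
    body = struct.pack("!BB6sQ", 0, 0, key_id, seq) + digest
    return struct.pack("!HBB", 4 + len(body), INTEGRITY_CLASS, INTEGRITY_CTYPE) + body


def sign_message(common_header: bytes, objects: bytes, key: bytes, key_id: bytes,
                 seq: int, algo: str = "md5") -> bytes:
    """Insert an INTEGRITY object right after the common header. The keyed digest is an HMAC
    (RFC 2104) over the entire message with the digest field zeroed, as RFC 2747 specifies."""
    h = DIGESTS[algo]
    zero_digest = b"\x00" * h().digest_size
    draft = common_header + integrity_object(key_id, seq, zero_digest) + objects
    mac = hmac.new(key, draft, h).digest()
    return common_header + integrity_object(key_id, seq, mac) + objects


def parse_integrity(message: bytes):
    """Return (key_id, seq, digest, digest_offset) for the INTEGRITY object after the common header."""
    length, cls, ctype = struct.unpack("!HBB", message[COMMON_HEADER_LEN:COMMON_HEADER_LEN + 4])
    if cls != INTEGRITY_CLASS or ctype != INTEGRITY_CTYPE:
        raise ValueError("no INTEGRITY object after the common header")
    fixed = COMMON_HEADER_LEN + 4
    _, _, key_id, seq = struct.unpack("!BB6sQ", message[fixed:fixed + 16])
    digest_off = fixed + 16
    return key_id, seq, message[digest_off:COMMON_HEADER_LEN + length], digest_off


class ReceiveAssociation:
    """Receive-side security association for one neighbor: key, algorithm and anti-replay window.
    Window semantics are an assumed simplification of the page's window-size knob: a sequence
    number above the highest seen is accepted and slides the window; one within the last `window`
    numbers is accepted once; anything older or already seen is dropped (window=1 means strictly
    increasing)."""

    def __init__(self, key: bytes, algo: str = "md5", window: int = 1):
        self.key, self.algo, self.window = key, algo, window
        self.highest = None
        self.seen = set()

    def verify(self, message: bytes) -> bool:
        key_id, seq, digest, off = parse_integrity(message)
        h = DIGESTS[self.algo]
        if len(digest) != h().digest_size:
            return False
        zeroed = message[:off] + b"\x00" * len(digest) + message[off + len(digest):]
        expected = hmac.new(self.key, zeroed, h).digest()
        if not hmac.compare_digest(expected, digest):      # constant-time comparison
            return False
        if self.highest is None or seq > self.highest:
            self.highest = seq
        elif seq <= self.highest - self.window or seq in self.seen:
            return False                                    # replay or too old for the window
        self.seen.add(seq)
        self.seen = {s for s in self.seen if s > self.highest - self.window}
        return True


def demo():
    """Run the sender/receiver exchange on constructed data and return the verification results."""
    key = b"11223344"                          # constructed; same style as the page's example key
    key_id = bytes.fromhex("62d0b1140000")     # Key ID value shown in the page's sample output
    header = bytes([0x10, 0x01, 0x00, 0x00, 0xFF, 0x00, 0x00, 0x00])   # constructed toy common header
    session = bytes.fromhex("000c0101" "0a000001" "11001f90")          # constructed toy SESSION object
    rx = ReceiveAssociation(key, "sha-1", window=2)
    # seq 1,2,4 arrive in order; 3 is one message out of order (inside window 2); 3 again is a
    # replay; 1 is older than the window.
    ordered = [rx.verify(sign_message(header, session, key, key_id, s, "sha-1"))
               for s in (1, 2, 4, 3, 3, 1)]
    tampered = bytearray(sign_message(header, session, key, key_id, 9, "sha-1"))
    tampered[-1] ^= 0x01                        # flip one bit of the SESSION object
    wrong_key = ReceiveAssociation(b"not-the-shared-key", "sha-1").verify(
        sign_message(header, session, key, key_id, 1, "sha-1"))
    return ordered, rx.verify(bytes(tampered)), wrong_key


if __name__ == "__main__":
    print(demo())
```

With window=2 the receiver accepts sequence numbers 1, 2, 4 and then 3 (one message out of order), rejects the repeated 3 and the stale 1, and rejects both the bit-flipped message and a message checked against a different key, which is the behaviour the window-size, key and type settings above control on the router.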


Verifying RSVP Message Authentication

Perform this task to verify that the RSVP Message Authentication feature is functioning.

SUMMARY STEPS

1. enable

2. show ip rsvp interface [interface-type interface-number] [detail]

3. show ip rsvp authentication [detail] [ip-address | hostname]

4. show ip rsvp counters [interface interface_unit | summary | neighbor]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

show ip rsvp interface [interface-type interface-number] [detail]

Example:

Router# show ip rsvp interface detail

Displays information about interfaces on which RSVP is enabled, including the current allocation budget and maximum available bandwidth.

The optional detail keyword displays the bandwidth, signaling, and authentication parameters.

Step 3 

show ip rsvp authentication [detail] [ip-address | hostname]

Example:

Router# show ip rsvp authentication detail

Displays the security associations that RSVP has established with other RSVP neighbors.

The optional detail keyword displays state information that includes IP addresses, interfaces enabled, and configured cryptographic authentication parameters about security associations that RSVP has established with neighbors.

Step 4 

show ip rsvp counters [interface interface_unit | summary | neighbor]

Example:

Router# show ip rsvp counters summary

(Optional) Displays the number of RSVP messages that were sent and received on each interface. The error counter increments whenever an RSVP message is received on an interface with RSVP authentication enabled but the authentication checks on that message fail.

Note The error counter can also increment when an error not related to authentication is received.

The optional summary keyword shows the cumulative number of RSVP messages sent and received by the platform.

Examples

This section provides the following example output:

Sample Output for the show ip rsvp authentication detail Command

Sample Output for the show ip rsvp interface detail Command

Sample Output for the show ip rsvp authentication detail Command

In this example, the show ip rsvp authentication detail command displays information, including IP addresses, interfaces enabled, and configured cryptographic authentication parameters about security associations that RSVP has established with neighbors.

Router# show ip rsvp authentication detail

Neighbor: 192.168.101.2  Key ID (hex): 62d0b1140000
 Interface: Ethernet0/0  Key type:   Static
 Direction: Send         Expiration: 000d 00h 29m 39s
 Last seq # sent: 
  13851245224380071944

Neighbor: 192.168.101.2  Key ID (hex): 62d164fc00000
 Interface: Ethernet0/0  Key type:   Static
 Direction: Receive      Expiration: 000d 00h 29m 39s
 Last valid seq # rcvd:  Challenge:  Not configured
  13851246177862811649 

Sample Output for the show ip rsvp interface detail Command

In this example, the show ip rsvp interface detail command displays detailed information, including the cryptographic authentication parameters, for all RSVP-configured interfaces on a router.


Note The authentication key in the following example appears encrypted (<encrypted>). That is because the key config-key 1 string command was issued prior to the show ip rsvp interface detail command.


Router# show ip rsvp interface detail

 Et0/0:
   Bandwidth:
    Curr allocated: 0 bits/sec
    Max. allowed (total): 7500K bits/sec
    Max. allowed (per flow): 7500K bits/sec
    Max. allowed for LSP tunnels using sub-pools: 0 bits/sec
    Set aside by policy (total):0 bits/sec
   Neighbors:
    Using IP encap: 0.  Using UDP encap: 0
   Signalling:
    Refresh reduction: disabled
   Authentication: enabled
    Key:           <encrypted>
    Type:          sha-1
    Window size:   2
    Challenge:     enabled
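The two outputs above are what an operator reads to confirm that authentication is active, which algorithm and window size are in force, and whether the key is stored encrypted. The script below is an added example, not Cisco tooling: it parses the show ip rsvp interface detail layout shown above into a per-interface dictionary and flags interfaces whose settings fall short of the stronger choices this page describes (sha-1 rather than md5, an encrypted key, challenge enabled). The sample text is constructed: the Et0/0 entry abridges the page's output, while the Et0/1 and Et1/0 entries and the "Authentication: disabled" wording are assumptions made for the example.

```python
"""Added example: parse 'show ip rsvp interface detail' output and audit the authentication settings."""
import re

# Constructed sample modelled on the page's output. Et0/0 abridges the page; Et0/1, Et1/0 and the
# "Authentication: disabled" wording are assumptions made for this example.
SAMPLE_OUTPUT = """\
 Et0/0:
   Bandwidth:
    Curr allocated: 0 bits/sec
    Max. allowed (total): 7500K bits/sec
   Neighbors:
    Using IP encap: 0.  Using UDP encap: 0
   Signalling:
    Refresh reduction: disabled
   Authentication: enabled
    Key:           <encrypted>
    Type:          sha-1
    Window size:   2
    Challenge:     enabled
 Et0/1:
   Bandwidth:
    Curr allocated: 0 bits/sec
   Authentication: enabled
    Key:           11223344
    Type:          md5
    Window size:   1
    Challenge:     disabled
 Et1/0:
   Bandwidth:
    Curr allocated: 0 bits/sec
   Authentication: disabled
"""

# Interface names sit at indent 0 or 1 (" Et0/0:"); nested headings such as "   Bandwidth:" do not match.
INTERFACE_RE = re.compile(r"^ ?(\S+):\s*$")
FIELD_RE = re.compile(r"^\s+(Authentication|Key|Type|Window size|Challenge):\s*(\S.*?)\s*$")


def parse_rsvp_interface_detail(text: str) -> dict:
    """Map each interface name to the authentication-related fields printed under it."""
    interfaces, current = {}, None
    for line in text.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = interfaces.setdefault(m.group(1), {})
            continue
        m = FIELD_RE.match(line) if current is not None else None
        if m:
            current[m.group(1)] = m.group(2)
    return interfaces


def audit_authentication(interfaces: dict) -> list:
    """Return (interface, finding) pairs for settings weaker than the page's stronger options."""
    findings = []
    for name, fields in sorted(interfaces.items()):
        if fields.get("Authentication") != "enabled":
            findings.append((name, "RSVP authentication not enabled"))
            continue
        if fields.get("Type") == "md5":
            findings.append((name, "md5 in use; sha-1 is the newer, more secure option"))
        if fields.get("Key") != "<encrypted>":
            findings.append((name, "key displayed in clear text; key config-key 1 not in effect"))
        if fields.get("Challenge") != "enabled":
            findings.append((name, "challenge-response handshake not enabled"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit_authentication(parse_rsvp_interface_detail(SAMPLE_OUTPUT)):
        print(f"{iface}: {finding}")
```

Run against the sample, Et0/0 produces no findings, Et0/1 is flagged three times (md5, clear-text key, no challenge) and Et1/0 once for having authentication off; feed the script the real command output collected from each router to get the same per-interface report.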

Troubleshooting Tips

To troubleshoot the RSVP Message Authentication feature, use the following commands in privileged EXEC mode:

Command
Purpose
Router# debug ip rsvp authentication

Displays output related to RSVP authentication.

Router# debug ip rsvp dump signalling

Displays brief information about signaling (Path and Resv) messages.


Configuration Examples for RSVP Message Authentication

This section provides the following configuration example:

RSVP Message Authentication Example

RSVP Message Authentication Example

In the following output, the cryptographic authentication parameters, including type, key, challenge, lifetime, window size, are configured; and authentication is activated:

Router# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)# interface e0/0

Router(config-if)# ip rsvp bandwidth 7500 7500

Router(config-if)# ip rsvp authentication type sha-1

Router(config-if)# ip rsvp authentication key 11223344

Router(config-if)# ip rsvp authentication challenge

Router(config-if)# ip rsvp authentication lifetime 00:30:05

Router(config-if)# ip rsvp authentication window-size 2

Router(config-if)# ip rsvp authentication

In the following output from the show ip rsvp interface detail command, notice the cryptographic authentication parameters that you configured for the Ethernet0/0 interface:

Router# show ip rsvp interface detail

Et0/0:
   Bandwidth:
     Curr allocated: 0 bits/sec
     Max. allowed (total): 7500K bits/sec
     Max. allowed (per flow): 7500K bits/sec
     Max. allowed for LSP tunnels using sub-pools: 0 bits/sec
     Set aside by policy (total): 0 bits/sec
   Neighbors:
     Using IP encap: 0.  Using UDP encap: 0
   Signalling:
     Refresh reduction: disabled
   Authentication: enabled
     Key:         11223344
     Type:        sha-1
     Window size: 2
     Challenge:   enabled 

In the preceding example, the authentication key appears in clear text. If you enter the key config-key 1 string command, the key appears encrypted, as in the following example:

Router# show ip rsvp interface detail

 Et0/0:
   Bandwidth:
     Curr allocated: 0 bits/sec
Max. allowed (total): 7500K bits/sec
     Max. allowed (per flow): 7500K bits/sec
     Max. allowed for LSP tunnels using sub-pools: 0 bits/sec
     Set aside by policy (total): 0 bits/sec
   Neighbors:
     Using IP encap: 0.  Using UDP encap: 0
   Signalling:
     Refresh reduction: disabled
   Authentication: enabled
     Key:         <encrypted>
     Type:        sha-1
     Window size: 2
     Challenge:   enabled

In the following output, notice the authentication key changes from encrypted to clear text after the no key config-key 1 command is issued:

Router# show run int e0/0

Building configuration...

Current configuration :247 bytes
!
interface Ethernet0/0
 ip address 192.168.101.2 255.255.255.0
 no ip directed-broadcast
 ip pim dense-mode
 no ip mroute-cache
 no cdp enable
 ip rsvp bandwidth 7500 7500
 ip rsvp authentication key 7>70>9:7<872>?74
 ip rsvp authentication
end
Router# configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)# no key config-key 1 

Router(config)# end
Router# show run
*Jan 30  08:02:09.559:%SYS-5-CONFIG_I:Configured from console by console
int e0/0
Building configuration...

Current configuration :239 bytes
!
interface Ethernet0/0
 ip address 192.168.101.2 255.255.255.0
 no ip directed-broadcast
 ip pim dense-mode
 no ip mroute-cache
 no cdp enable
 ip rsvp bandwidth 7500 7500
 ip rsvp authentication key 11223344
 ip rsvp authentication
end

Additional References

For additional information related to the RSVP Message Authentication feature, refer to the following references:

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Related Documents

Related Topic
Document Title

RSVP commands: complete command syntax, command mode, defaults, usage guidelines, and examples

Cisco IOS Release 12.0 Quality of Service Solutions Command Reference

QoS features including signaling, classification, and congestion management

Cisco IOS Release 12.0 Quality of Service Solutions Configuration Guide

Error messages

Cisco IOS Software System Error Messages


Standards

Standards
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.


MIBs

MIBs
MIBs Link

No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFCs (1)
Title

RFC 1321

The MD5 Message Digest Algorithm

RFC 2104

HMAC: Keyed-Hashing for Message Authentication

RFC 2205

Resource Reservation Protocol

RFC 2209

RSVP—Version 1 Message Processing Rules

RFC 2401

Security Architecture for the Internet Protocol

RFC 2747

RSVP Cryptographic Authentication

RFC 3174

US Secure Hash Algorithm 1 (SHA1)

(1) Not all supported RFCs are listed.


Technical Assistance

Description
Link

Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/public/support/tac/home.shtml


Command Reference

There are no new or modified commands for this feature in this release. All the commands used with this feature are documented in the Cisco IOS Release 12.0 command reference publications.

Glossary

admission control—The process in which an RSVP reservation is accepted or rejected based on end-to-end available network resources.

bandwidth—The difference between the highest and lowest frequencies available for network signals. The term also is used to describe the rated throughput capacity of a given network medium or protocol.

DMZ—demilitarized zone. The neutral zone between public and corporate networks.

flow—A stream of data traveling between two endpoints across a network (for example, from one LAN station to another). Multiple flows can be transmitted on a single circuit.

key—A data string that is combined with source data according to an algorithm to produce output that is unreadable until decrypted.

QoS—quality of service. A measure of performance for a transmission system that reflects its transmission quality and service availability.

router—A network layer device that uses one or more metrics to determine the optimal path along which network traffic should be forwarded. Routers forward packets from one network to another based on network layer information.

RSVP—Resource Reservation Protocol. A protocol that supports the reservation of resources across an IP network. Applications running on IP end systems can use RSVP to indicate to other nodes the nature (bandwidth, jitter, maximum burst, and so on) of the packet streams they want to receive.

security association—A block of memory used to hold all the information RSVP needs to authenticate RSVP signaling messages from a specific RSVP neighbor.

spoofing—The act of a packet illegally claiming to be from an address from which it was not actually sent. Spoofing is designed to foil network security mechanisms, such as filters and access lists.

trusted neighbor—A router with authorized access to information.

VoIP—Voice over IP. The ability to carry normal telephony-style voice over an IP-based Internet maintaining telephone-like functionality, reliability, and voice quality.


Note Refer to Internetworking Terms and Acronyms for terms not included in this glossary.