Usage Guidelines
If you omit the optional keywords, the ip rsvp authentication neighbor command enables RSVP cryptographic authentication for a neighbor. Using the optional keywords inherits the global defaults.
In order to enable per-neighbor authentication, you must issue the ip rsvp authentication neighbor command (or the no ip rsvp authentication neighbor command to disable authentication). If you issue the ip rsvp authentication command without neighbor, then this command enables authentication for all neighbors and interfaces, regardless of whether there are any per-neighbor or per-interface keys defined. If you issue the ip rsvp authentication neighbor command, then authentication is enabled only for that neighbor.
Access Control Lists
A single ACL can describe all the physical and logical interfaces that one neighbor can use to receive RSVP messages from
a router; this can be useful when multiple routes exist between two neighbors. One ACL could also specify a number of different
neighbors who, along with your router, will share the same key(s); however, this is generally not considered to be good network
security practice.
If numbered, the ACL must be in the 1 to 99 range or the 1300 to 1999 range, giving a total of 798 numbered ACLs that can
be used to configure neighbor keys (assuming some of them are not being used for other purposes). There is no enforced limit
on the number of standard named IP ACLs. The IP addresses used in the ACL should contain at least the neighbor’s physical
interface addresses; router ID addresses can be added if necessary, especially when using Multi-Protocol Label Switching (MPLS)
Traffic Engineering (TE).
The existing ip access-list standard command must be used for creating named or numbered standard IP ACLs for RSVP neighbors because standard ACLs deal with just source or destination addresses while extended ACLs deal with five tuples and are more complex to configure. The RSVP CLI returns an error message if any type of ACL other than standard is specified:
Router(config)# ip rsvp authentication neighbor access-list 10 key-chain wednesday
% Invalid access list name.
RSVP error: unable to find/create ACL
Named standard IP ACLs are also recommended because you can include the neighbor router’s hostname as part of the ACL name,
thereby making it easy to identify the per-neighbor ACLs in your router configuration.
The RSVP CLI displays an error message if a valid named or numbered ACL is specified but the key chain associated with it does not exist or is invalid, since the lack of a key chain could cause RSVP messages to or from that neighbor to be dropped:
Router(config)# ip rsvp authentication neighbor access-list myneighbor key-chain xyz
RSVP error: Invalid argument(s)
Key Chains
In the key-chain parameter, the keys are used in order of ascending expiration deadlines. The only restriction on the name
is that it cannot contain spaces. The key-chain parameter is optional; that is, you could omit it if you were trying to change
other optional authentication parameters for the RSVP neighbor. However, when searching for a key, RSVP ignores any ip rsvp authentication neighbor access-list command that does not include a key-chain parameter that refers to a valid key chain with at least one unexpired key.
Error and Warning Conditions
The RSVP CLI returns an error if any of the key IDs in the chain are duplicates of key IDs in any other chains already assigned to RSVP; for example:
Router(config)# ip rsvp authentication neighbor access-list myneighbor key-chain abc
RSVP error: key chains abc and xyz contain duplicate key ID 1
RSVP error: Invalid argument(s)
The RSVP CLI returns an error if the specified key chain does not exist or does not contain at least one unexpired key.
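As an added example (not from the Cisco documentation or from IOS itself), the following Python script models the checks described above so a proposed set of neighbor bindings can be audited offline before it is pushed to a router: the standard ACL number ranges, at least one unexpired key per chain, no duplicate key IDs across chains bound to RSVP, and keys ordered by ascending expiration deadline. All chain names, key strings and dates are constructed.

```python
from collections import namedtuple
from datetime import datetime, timezone
from typing import Dict, List

# expires is a datetime, or None when the key never expires
Key = namedtuple("Key", "key_id key_string expires")

def acl_is_standard(name: str) -> bool:
    """Standard ACLs: numbered 1-99 or 1300-1999 (the ranges on this page), or named without spaces."""
    if name.isdigit():
        return 1 <= int(name) <= 99 or 1300 <= int(name) <= 1999
    return bool(name) and " " not in name

def unexpired_keys(chain: List[Key], now: datetime) -> List[Key]:
    """Usable keys in ascending order of expiration deadline (the order RSVP uses); never-expiring keys last."""
    live = [k for k in chain if k.expires is None or k.expires > now]
    return sorted(live, key=lambda k: (k.expires is None, k.expires or now))

def audit(bindings: Dict[str, str], chains: Dict[str, List[Key]], now: datetime) -> List[str]:
    """Return the errors RSVP would raise for ACL -> key-chain bindings, mirroring the page's CLI checks."""
    errors: List[str] = []
    seen: Dict[int, str] = {}  # key ID -> first RSVP-bound chain that carries it
    for acl, chain_name in bindings.items():
        if not acl_is_standard(acl):
            errors.append(f"{acl}: unable to find/create ACL (not a standard ACL)")
            continue
        chain = chains.get(chain_name)
        if chain is None or not unexpired_keys(chain, now):
            errors.append(f"{acl}: key chain {chain_name} missing or has no unexpired key")
            continue
        for k in chain:
            first = seen.setdefault(k.key_id, chain_name)
            if first != chain_name:
                errors.append(f"key chains {first} and {chain_name} contain duplicate key ID {k.key_id}")
    return errors

# Constructed sample (hypothetical chain names and dates, not the page's own configuration).
UTC = timezone.utc
NOW = datetime(2024, 6, 1, tzinfo=UTC)
CHAINS = {
    "neighbor_V": [Key(1, "v-old", datetime(2024, 1, 1, tzinfo=UTC)), Key(2, "v-new", datetime(2025, 1, 1, tzinfo=UTC))],
    "neighbor_Y": [Key(3, "y-key", None)],
    "abc": [Key(1, "dup", None)],  # reuses key ID 1 already bound via neighbor_V
    "stale": [Key(9, "old", datetime(2023, 1, 1, tzinfo=UTC))],
}
BINDINGS = {"neighbor_V": "neighbor_V", "neighbor_Y": "neighbor_Y", "100": "neighbor_Y",
            "myneighbor": "abc", "neighbor_Z": "stale"}

def run_sample() -> List[str]:
    return audit(BINDINGS, CHAINS, NOW)
```

Running run_sample() on the constructed data reports the non-standard ACL 100, the duplicate key ID shared by neighbor_V and abc, and the chain with no unexpired key, the same three conditions the RSVP CLI rejects.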
If a key chain is properly defined and RSVP later tries to send a message to that neighbor, but cannot find a valid, unexpired
per-neighbor or per-interface key, RSVP generates the RSVP_AUTH_NO_KEYS_LEFT system message indicating that a key could not
be obtained for that neighbor.
If the key chain contains keys with finite expiration times, RSVP generates the RSVP_AUTH_ONE_KEY_EXPIRED message to indicate
when each key has expired.
If RSVP receives a message from a neighbor with the wrong digest type, it generates the RSVP_MSG_AUTH_TYPE_MISMATCH system
message indicating that there is a digest type mismatch with that neighbor.
If RSVP receives a message that is a duplicate of a message already in the window or is outside the window, RSVP logs the
BAD_RSVP_MSG_RCVD_AUTH_DUP or the BAD_RSVP_MSG_RCVD_AUTH_WIN error message indicating that the message sequence number is
invalid.
If a challenge of a neighbor fails or times out, RSVP generates the BAD_RSVP_MSG_RCVD_AUTH_COOKIE system message or the RSVP_MSG_AUTH_CHALLENGE_TIMEOUT
message, indicating that the specified neighbor failed to respond successfully to a challenge.
Examples
The following example shows how to create an access list and a key chain for neighbors V, Y, and Z and enable authentication globally, using inheritance for all other authentication parameters:
Router# configure terminal
Router(config)# ip access-list standard neighbor_V
Router(config-std-nacl)# permit 10.0.0.2
Router(config-std-nacl)# permit 10.1.16.1
Router(config-std-nacl)# exit
Router(config)# ip access-list standard neighbor_Y
Router(config-std-nacl)# permit 10.0.1.2
Router(config-std-nacl)# permit 10.16.0.1
Router(config-std-nacl)# exit
Router(config)# ip access-list standard neighbor_Z
Router(config-std-nacl)# permit 10.16.0.2
Router(config-std-nacl)# permit 10.1.0.2
Router(config-std-nacl)# permit 10.0.1.2
Router(config-std-nacl)# exit
Router(config)# ip rsvp authentication neighbor access-list neighbor_V key-chain neighbor_V
Router(config)# ip rsvp authentication neighbor access-list neighbor_Y key-chain neighbor_Y
Router(config)# ip rsvp authentication neighbor access-list neighbor_Z key-chain neighbor_Z
Router(config)# ip rsvp authentication
Router(config)# end
The following example shows how to create an access list and a key chain for neighbors V, Y, and Z and enable authentication explicitly for each neighbor:
Router(config)# ip rsvp authentication neighbor access-list neighbor_V key-chain neighbor_V
Router(config)# ip rsvp authentication neighbor access-list neighbor_V
Router(config)# ip rsvp authentication neighbor access-list neighbor_Y key-chain neighbor_Y
Router(config)# ip rsvp authentication neighbor access-list neighbor_Y
Router(config)# ip rsvp authentication neighbor access-list neighbor_Z key-chain neighbor_Z
Router(config)# ip rsvp authentication neighbor access-list neighbor_Z
Router(config)# end