Nokia 7705 SAR-W Series Manual page 395

Service aggregation router, mpls

MPLS Guide
When TCP MD5 authentication is enabled on a session, every TCP segment exchanged with the peer includes a TCP option (19) containing a 16-byte MD5 digest of the segment (more specifically the TCP/IP pseudo-header, TCP header, and TCP data). The MD5 digest is generated and validated using an authentication key that must be known to both sides. If the received digest value is different from the locally computed one, the TCP segment is dropped, thereby protecting the router from a spoofed TCP segment.

The TCP Enhanced Authentication Option, as specified in draft-bonica-tcpauth-05.txt, Authentication for TCP-based Routing and Management Protocols, is a TCP extension that enhances security for LDP, BGP, and other TCP-based protocols. It extends the MD5 authentication option to include the ability to change keys in an LDP or BGP session seamlessly without tearing down the session, and allows for stronger authentication algorithms to be used. It is intended for applications where secure administrative access to both endpoints of the TCP connection is normally available.

TCP peers can use this extension to authenticate messages passed between one another. This strategy improves upon the practice described in RFC 2385, Protection of BGP Sessions via the TCP MD5 Signature Option. Using this new strategy, TCP peers can update authentication keys during the lifetime of a TCP connection. TCP peers can also use stronger authentication algorithms to authenticate routing messages.

TCP enhanced authentication uses keychains that are associated with every protected TCP connection.

Keychains are configured in the config>system>security>keychain context. For more information about configuring keychains, refer to the 7705 SAR System Management Guide, "TCP Enhanced Authentication and Keychain Authentication".
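
The TCP MD5 check described at the start of this section, written out as an added Python example (not Nokia's code and not part of the original manual). It follows the RFC 2385 digest input order (pseudo-header, base TCP header with the checksum hashed as zero, segment data, then the key); the function names, addresses, ports, and key are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

MD5SIG_KIND, MD5SIG_LEN = 19, 18  # TCP option 19: kind + length + 16-byte digest

def md5_digest(src, dst, header, payload, key):
    """RFC 2385 input order: pseudo-header, base TCP header, data, then the key."""
    base = bytearray(header[:20])   # TCP options are left out of the digest
    base[16:18] = b"\x00\x00"       # checksum field is hashed as zero
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack(
        "!BBH", 0, 6, len(header) + len(payload))  # zero, protocol 6 (TCP), length
    return hashlib.md5(pseudo + bytes(base) + payload + key).digest()

def sign_segment(src, dst, sport, dport, seq, ack, flags, payload, key):
    """Sender: 20-byte header + NOP, NOP, option 19 + payload (40-byte TCP header)."""
    base = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (10 << 12) | flags, 65535, 0, 0)  # TCP checksum not computed here
    digest = md5_digest(src, dst, base + bytes(20), payload, key)
    return base + bytes([1, 1, MD5SIG_KIND, MD5SIG_LEN]) + digest + payload

def verify_segment(src, dst, segment, key):
    """Receiver: True to accept; False means the segment must be dropped."""
    if len(segment) < 20:
        return False
    hdr_len = (segment[12] >> 4) * 4
    if hdr_len < 20 or hdr_len > len(segment):
        return False
    header, payload = segment[:hdr_len], segment[hdr_len:]
    received, i = None, 20
    while i < hdr_len and header[i] != 0:        # kind 0 ends the option list
        if header[i] == 1:                       # kind 1 is a one-byte NOP
            i += 1
            continue
        if i + 1 >= hdr_len or header[i + 1] < 2 or i + header[i + 1] > hdr_len:
            return False                         # malformed option list
        if header[i] == MD5SIG_KIND and header[i + 1] == MD5SIG_LEN:
            received = header[i + 2:i + 18]
        i += header[i + 1]
    if received is None:
        return False                             # unsigned segment on a protected session
    return hmac.compare_digest(received, md5_digest(src, dst, header, payload, key))

if __name__ == "__main__":
    key = b"constructed-example-key"             # constructed values throughout
    seg = sign_segment("192.0.2.1", "192.0.2.2", 49152, 646, 1000, 2000, 0x18, b"ldp-pdu", key)
    print("genuine:", verify_segment("192.0.2.1", "192.0.2.2", seg, key))
    print("spoofed source:", verify_segment("192.0.2.99", "192.0.2.2", seg, key))
```

Because the source and destination addresses enter the digest through the pseudo-header, a segment replayed from a different address fails the comparison even when its TCP header and data are unchanged.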
3HE 18686 AAAB TQZZA
© 2022 Nokia.
Use subject to Terms available at: www.nokia.com
Label Distribution Protocol