Beginning with JUNOS Release
9.6, you can configure authentication for BFD sessions running over
RIP. Only three steps are needed to configure authentication on a
BFD session:
Specify the BFD authentication algorithm for the RIP protocol.
Associate the authentication keychain with the RIP protocol.
Configure the related security authentication keychain.
The following sections provide instructions for configuring
and viewing BFD authentication on RIP:
BFD authentication can be configured for the
entire RIP protocol, or a specific RIP group, neighbor, or routing
instance.
To configure BFD authentication:
Specify the algorithm (keyed-md5, keyed-sha-1, meticulous-keyed-md5, meticulous-keyed-sha-1, or simple-password) to use.
[edit]
user@host# set protocols rip bfd-liveness-detection
authentication algorithm keyed-sha-1
user@host# set protocols rip group rip-gr2
bfd-liveness-detection authentication algorithm keyed-sha-1
user@host# set protocols rip group rip-gr2
neighbor 10.10.32.7 bfd-liveness-detection authentication algorithm
keyed-sha-1
Note:
Nonstop active routing (NSR) is not supported with meticulous-keyed-md5
and meticulous-keyed-sha-1 authentication algorithms. BFD sessions
using these algortihms may go down after a switchover.
Specify the keychain
to be used to associate BFD sessions on RIP with the unique security
authentication keychain attributes. The keychain you specify must
match a keychain name configured at the [edit security authentication
key-chains] hierarchy level.
[edit]
user@host# set protocols rip bfd-liveness-detection
authentication keychain bfd-rip
user@host# set protocols rip group rip-gr2
bfd-liveness-detection authentication keychain bfd-rip
user@host# set protocols rip group rip-gr2
neighbor 10.10.32.7 bfd-liveness-detection authentication keychain
bfd-rip
Note:
The algorithm and keychain must be configured on both
ends of the BFD session, and they must match. Any mismatch in configuration
prevents the BFD session from being created.
Specify the unique security authentication information
for BFD sessions:
The matching key-chain-name as specified
in Step Step 2.
At least one key, a unique integer
between 0 and 63. Creating multiple keys allows
multiple clients to use the BFD session.
The secret-data used to allow access
to the session.
The time at which the authentication key becomes active, yyyy-mm-dd.hh:mm:ss.
(Optional) Specify loose authentication
checking if you are transitioning from nonauthenticated sessions to
authenticated sessions.
[edit]
user@host> set protocols rip bfd-liveness-detection
authentication loose-check
user@host> set protocols rip group rip-gr2
bfd-liveness-detection authentication loose-check
user@host> set protocols rip group rip-gr2
neighbor 10.10.32.7 bfd-liveness-detection authentication loose-check
(Optional) View your configuration using
the show bfd session detail or show bfd session extensive command.
Repeat these steps to configure the other end of
the BFD session.
Note:
BFD authentication is only supported in the domestic image
and is not available in the export image.
Viewing Authentication Information for BFD Sessions
You can view the existing BFD authentication configuration
using the show bfd session detail and show bfd session
extensive commands.
The following example shows BFD authentication configured for
the rip-gr2 BGP group. It specifies the keyed SHA-1 authentication
algorithm and a keychain name of bfd-rip. The authentication
keychain is configured with two keys. Key 1 contains the
secret data “$9$ggaJDmPQ6/tJgF/AtREVsyPsnCtUHm”
and a start time of June 1, 2009 at 9:46:02 AM PST. Key 2 contains the secret data “$9$a5jiKW9l.reP38ny.TszF2/9” and a start time of June 1, 2009 at 3:29:20 PM PST.
[edit protocols rip]
group rip-gr2 {
bfd-liveness-detection {
authentication {
algorithm keyed-sha-1;
key-chain bfd-rip;
}
}
}
[edit security]
authentication key-chains {
key-chain bfd-rip {
key 1 {
secret “$9$ggaJDmPQ6/tJgF/AtREVsyPsnCtUHm”;
start-time “2009-6-1.09:46:02 -0700”;
}
key 2 {
secret “$9$a5jiKW9l.reP38ny.TszF2/9”;
start-time “2009-6-1.15:29:20 -0700”;
}
}
}
If you commit these updates to your configuration,
you would see output similar to the following. In the output for the show bfd sessions detail command, Authenticate is displayed
to indicate that BFD authentication is configured. For more information
about the configuration, use the show bfd sessions extensive command. The output for this command provides the keychain name,
the authentication algorithm and mode for each client in the session,
and the overall BFD authentication configuration status, keychain
name, and authentication algorithm and mode.
show bfd sessions detail
user@host# show bfd session detail
Detect Transmit
Address State Interface Time Interval Multiplier
50.0.0.2 Up ge-0/1/5.0 0.900 0.300 3
Client RIP, TX interval 0.300, RX interval 0.300, Authenticate
Session up time 3d 00:34
Local diagnostic None, remote diagnostic NbrSignal
Remote state Up, version 1
Replicated
show bfd sessions extensive
user@host# show bfd session extensive
Detect Transmit
Address State Interface Time Interval Multiplier
50.0.0.2 Up ge-0/1/5.0 0.900 0.300 3
Client RIP, TX interval 0.300, RX interval 0.300, Authenticatekeychain bfd-rip, algo keyed-sha-1, mode strict
Session up time 00:04:42
Local diagnostic None, remote diagnostic NbrSignal
Remote state Up, version 1
Replicated
Min async interval 0.300, min slow interval 1.000
Adaptive async TX interval 0.300, RX interval 0.300
Local min TX interval 0.300, minimum RX interval 0.300, multiplier 3
Remote min TX interval 0.300, min RX interval 0.300, multiplier 3
Local discriminator 2, remote discriminator 2
Echo mode disabled/inactive
Authentication enabled/active, keychain bfd-rip, algo keyed-sha-1, mode strict
