[Contents] [Prev] [Next] [Index] [Report an Error]

Configuring the MSDP Authentication Key

By default, multicast routers accept and process any properly formatted MSDP messages from the configured peer address. This default behavior might violate the security policies in many organizations because MSDP messages by definition come from another routing domain beyond the control of the security practices of the multicast router's organization.

The router can authenticate MSDP messages using the TCP MD5 signature option (RFC 2385) on the MSDP peering session. Every TCP segment of the session then carries a 16-byte MD5 digest computed over the segment and a shared secret key; the receiving peer recomputes the digest with its own copy of the key and silently discards any segment whose digest does not match. This protects the session against spoofed segments being injected into the MSDP peering session by a third party who does not know the key. The two peers (normally two different organizations, since MSDP peers sit in different routing domains) must agree on a key and configure the identical key on both sides. This key is included in the MD5 signature computation for each MSDP segment sent between the two peers.
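The signature computation described above, as an added example that is not Junos code and not part of the original page: an RFC 2385 TCP MD5 signature is computed by the sender and verified by the receiver over a constructed MSDP keepalive segment. The addresses, ports, sequence numbers and payload are sample values chosen here; the two keys reuse those from the configuration example on this page. The example also shows the three failure cases a practitioner cares about: a peer with a different key, a tampered payload, and a forged source address.

```python
"""RFC 2385 TCP MD5 signature option, as used to authenticate MSDP sessions.
Added example, not Junos code; all sample values below are constructed."""
import hashlib
import hmac
import socket
import struct

MSDP_PORT = 639      # MSDP runs over TCP port 639 (RFC 3618)
TCP_OPT_NOP = 1
TCP_OPT_MD5 = 19     # TCP option kind for the MD5 signature (RFC 2385)
MD5_OPT_LEN = 18     # kind (1) + length (1) + digest (16)
FLAG_PSH, FLAG_ACK = 0x08, 0x10


def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """RFC 2385 section 2: MD5 over the TCP pseudo-header, the 20-byte fixed
    TCP header with its checksum taken as zero (options are NOT covered),
    the segment data, and finally the shared key."""
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad TCP data offset")
    fixed = bytearray(segment[:20])
    fixed[16:18] = b"\x00\x00"                        # checksum assumed zero
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    md5 = hashlib.md5(pseudo)
    md5.update(bytes(fixed))
    md5.update(segment[data_offset:])                 # TCP payload
    md5.update(key)
    return md5.digest()


def build_signed_segment(src_ip, dst_ip, src_port, dst_port, seq, ack, payload, key):
    """Sender side: 20-byte fixed header, two NOPs for alignment, the 18-byte
    MD5 option, then the payload (40-byte header in total). The real TCP
    checksum is filled in after signing; it stays zero here since the digest
    excludes it and nothing is put on the wire."""
    header_words = 10                                 # 40 bytes / 4
    offset_flags = (header_words << 12) | FLAG_PSH | FLAG_ACK
    fixed = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                        offset_flags, 65535, 0, 0)
    placeholder = bytes([TCP_OPT_NOP, TCP_OPT_NOP, TCP_OPT_MD5, MD5_OPT_LEN]) + bytes(16)
    digest = tcp_md5_digest(src_ip, dst_ip, fixed + placeholder + payload, key)
    return fixed + placeholder[:4] + digest + payload


def find_md5_option(segment):
    """Walk the TCP option list and return the 16-byte digest, or None."""
    data_offset = (segment[12] >> 4) * 4
    opts = segment[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                  # end of option list
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                                      # malformed: treat as absent
        if kind == TCP_OPT_MD5 and length == MD5_OPT_LEN:
            return bytes(opts[i + 2:i + length])
        i += length
    return None


def verify_signed_segment(src_ip, dst_ip, segment, key):
    """Receiver side: a segment without the option, or whose digest does not
    match the local key, is dropped (RFC 2385 section 4.1)."""
    received = find_md5_option(segment)
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, segment, key)
    return hmac.compare_digest(received, expected)


def demo():
    """Constructed sample: an MSDP Keepalive TLV (type 4, length 3) sent from
    10.100.0.2 to peer 192.168.0.1 and signed with the key phoenix5."""
    src, dst = "10.100.0.2", "192.168.0.1"
    keepalive = struct.pack("!BH", 4, 3)
    key = b"phoenix5"
    seg = build_signed_segment(src, dst, 51000, MSDP_PORT, 1000, 2000, keepalive, key)
    same_key = verify_signed_segment(src, dst, seg, key)
    wrong_key = verify_signed_segment(src, dst, seg, b"grandmother")      # peer misconfigured
    tampered = seg[:-3] + struct.pack("!BH", 1, 3)                        # payload altered in flight
    tampered_ok = verify_signed_segment(src, dst, tampered, key)
    spoofed_src = verify_signed_segment("10.100.0.9", dst, seg, key)      # forged source IP
    return same_key, wrong_key, tampered_ok, spoofed_src


if __name__ == "__main__":
    print(demo())
```

The pseudo-header is what makes a forged source address fail even when the attacker replays a genuine segment, and the constant-time comparison avoids leaking the expected digest through timing on the verifying side.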

You configure an MSDP authentication key on a per-peer basis, whether the MSDP peer is defined in a group or individually. If you configure different authentication keys for the same peer at the [edit protocols msdp] and [edit protocols msdp group] hierarchy levels, the authentication key configured at the [edit protocols msdp] hierarchy level is used.

To configure MSDP authentication keys on the router, include the authentication-key statement:

authentication-key peer-key;

For a list of the hierarchy levels at which you can include this statement, see the statement summary section for this statement.

The peer key is a text string up to 16 characters long. It can include any ASCII characters except the parentheses ( and ), the ampersand &, and the left bracket [. If the key includes spaces, enclose the whole key in double quotation marks (" "). The key is a shared secret: anyone who captures a signed segment can test candidate keys against its digest offline, so use the full 16 characters and a random value rather than a dictionary word.

The following example configures the MSDP authentication key grandmother for the individually defined MSDP peer 10.0.0.1, and the MSDP authentication keys New York and phoenix5 for peers 172.16.0.1 and 192.168.0.1 in MSDP group msdp-one:

msdp {
    peer 10.0.0.1 {
        authentication-key grandmother;
        local-address 10.100.0.2;
    }
    group msdp-one {
        peer 172.16.0.1 {
            authentication-key "New York";
            local-address 10.100.0.2;
        }
        peer 192.168.0.1 {
            authentication-key phoenix5;
            local-address 10.100.0.2;
        }
    }
}

Adding, removing, or changing an MSDP authentication key on a peering session resets the existing MSDP session and establishes a new session between the affected MSDP peers. Because segments that fail the MD5 check are silently discarded, a mismatched key would otherwise look like a dead peer: the sender would retransmit until the hold timer expired. The immediate session termination avoids those retransmissions and the eventual session timeout. Plan a key change so that both peers are updated together, and expect the session to flap once.

