Technical Documentation

Configuring BFD Authentication for RIP

Beginning with JUNOS Release 9.6, you can configure authentication for BFD sessions running over RIP. Only three steps are needed to configure authentication on a BFD session:

  1. Specify the BFD authentication algorithm for the RIP protocol.
  2. Associate the authentication keychain with the RIP protocol.
  3. Configure the related security authentication keychain.

The following sections provide instructions for configuring and viewing BFD authentication on RIP:

Configuring BFD Authentication Parameters

BFD authentication can be configured for the entire RIP protocol, or a specific RIP group, neighbor, or routing instance.

To configure BFD authentication:

  1. Specify the algorithm (keyed-md5, keyed-sha-1, meticulous-keyed-md5, meticulous-keyed-sha-1, or simple-password) to use.
    [edit]
    user@host# set protocols rip bfd-liveness-detection authentication algorithm keyed-sha-1
    user@host# set protocols rip group rip-gr2 bfd-liveness-detection authentication algorithm keyed-sha-1
    user@host# set protocols rip group rip-gr2 neighbor 10.10.32.7 bfd-liveness-detection authentication algorithm keyed-sha-1

    Note: Nonstop active routing (NSR) is not supported with meticulous-keyed-md5 and meticulous-keyed-sha-1 authentication algorithms. BFD sessions using these algorithms may go down after a switchover.

  2. Specify the keychain to be used to associate BFD sessions on RIP with the unique security authentication keychain attributes. The keychain you specify must match a keychain name configured at the [edit security authentication-key-chains] hierarchy level.
    [edit]
    user@host# set protocols rip bfd-liveness-detection authentication key-chain bfd-rip
    user@host# set protocols rip group rip-gr2 bfd-liveness-detection authentication key-chain bfd-rip
    user@host# set protocols rip group rip-gr2 neighbor 10.10.32.7 bfd-liveness-detection authentication key-chain bfd-rip

    Note: The algorithm and keychain must be configured on both ends of the BFD session, and they must match. Any mismatch in configuration prevents the BFD session from being created.

  3. Specify the unique security authentication information for BFD sessions:
    • The matching key-chain-name as specified in Step 2.
    • At least one key, a unique integer between 0 and 63. Creating multiple keys allows multiple clients to use the BFD session.
    • The secret-data used to allow access to the session.
    • The time at which the authentication key becomes active, yyyy-mm-dd.hh:mm:ss.
    [edit security]
    user@host# set authentication-key-chains key-chain bfd-rip key 53 secret $9$ggaJDmPQ6/tJgF/AtREVsyPsnCtUHm start-time 2009-06-14.10:00:00
  4. (Optional) Specify loose authentication checking if you are transitioning from nonauthenticated sessions to authenticated sessions.
    [edit]
    user@host# set protocols rip bfd-liveness-detection authentication loose-check
    user@host# set protocols rip group rip-gr2 bfd-liveness-detection authentication loose-check
    user@host# set protocols rip group rip-gr2 neighbor 10.10.32.7 bfd-liveness-detection authentication loose-check
  5. (Optional) View your configuration using the show bfd session detail or show bfd session extensive command.
  6. Repeat these steps to configure the other end of the BFD session.

Note: BFD authentication is only supported in the domestic image and is not available in the export image.
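The checks implied by the steps above (algorithm and keychain both present, the keychain name resolving to a defined key chain, key IDs within 0 to 63, loose checking not left enabled after a migration) can be run over set-format configuration text. The following is an added example, not Juniper code: the audit function, its finding strings and the sample lines are constructed for illustration, and it assumes the statement names used in the hierarchy listing on this page and input in the form produced by show configuration | display set.

```python
import re

# Statement names follow the hierarchy listing on this page; input is set-format text.
BFD_AUTH = re.compile(
    r"^set protocols rip (?P<scope>.*?) ?bfd-liveness-detection authentication "
    r"(?P<stmt>algorithm|key-chain|loose-check)(?: (?P<value>\S+))?$")
KEY = re.compile(
    r"^set security authentication-key-chains key-chain (?P<name>\S+) key (?P<id>\d+) ")

def audit(config_text):
    """Return sorted (scope, finding) pairs for RIP BFD authentication."""
    scopes, chains = {}, {}
    for line in map(str.strip, config_text.splitlines()):
        if m := BFD_AUTH.match(line):
            scope = m["scope"] or "global"
            scopes.setdefault(scope, {})[m["stmt"]] = m["value"] or True
        elif m := KEY.match(line):
            chains.setdefault(m["name"], set()).add(int(m["id"]))
    findings = []
    for scope, s in scopes.items():
        algo, chain = s.get("algorithm"), s.get("key-chain")
        if algo is None or chain is None:
            findings.append((scope, "algorithm and key-chain must both be configured"))
        if algo == "simple-password":
            findings.append((scope, "simple-password sends the password in clear text"))
        if chain is not None and chain not in chains:
            findings.append((scope, f"key-chain {chain} is not defined"))
        if s.get("loose-check"):  # intended only for the migration window
            findings.append((scope, "loose-check still enabled"))
    for name, ids in chains.items():
        findings += [(f"key-chain {name}", f"key {i} outside 0-63")
                     for i in sorted(ids) if not 0 <= i <= 63]
    return sorted(findings)

# Constructed sample, not taken from a device; secrets are placeholders.
SAMPLE = """\
set protocols rip bfd-liveness-detection authentication algorithm keyed-sha-1
set protocols rip bfd-liveness-detection authentication key-chain bfd-rip
set protocols rip group rip-gr2 bfd-liveness-detection authentication algorithm simple-password
set protocols rip group rip-gr2 bfd-liveness-detection authentication key-chain bfd-bgp
set protocols rip group rip-gr2 bfd-liveness-detection authentication loose-check
set protocols rip group rip-gr2 neighbor 10.10.32.7 bfd-liveness-detection authentication algorithm keyed-md5
set security authentication-key-chains key-chain bfd-rip key 53 secret PLACEHOLDER start-time 2009-06-14.10:00:00
set security authentication-key-chains key-chain bfd-rip key 64 secret PLACEHOLDER start-time 2009-06-14.10:00:00
"""

if __name__ == "__main__":
    for scope, finding in audit(SAMPLE):
        print(f"{scope}: {finding}")
```

Running the same audit against the configuration of both ends of a session shows whether the algorithm and keychain settings match before the session is expected to come up.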

Viewing Authentication Information for BFD Sessions

You can view the existing BFD authentication configuration using the show bfd session detail and show bfd session extensive commands.

The following example shows BFD authentication configured for the rip-gr2 BGP group. It specifies the keyed SHA-1 authentication algorithm and a keychain name of bfd-rip. The authentication keychain is configured with two keys. Key 1 contains the secret data “$9$ggaJDmPQ6/tJgF/AtREVsyPsnCtUHm” and a start time of June 1, 2009 at 9:46:02 AM PST. Key 2 contains the secret data “$9$a5jiKW9l.reP38ny.TszF2/9” and a start time of June 1, 2009 at 3:29:20 PM PST.

[edit protocols rip]
group rip-gr2 {
    bfd-liveness-detection {
        authentication {
            algorithm keyed-sha-1;
            key-chain bfd-rip;
        }
    }
}
[edit security]
authentication-key-chains {
    key-chain bfd-rip {
        key 1 {
            secret "$9$ggaJDmPQ6/tJgF/AtREVsyPsnCtUHm";
            start-time "2009-6-1.09:46:02 -0700";
        }
        key 2 {
            secret "$9$a5jiKW9l.reP38ny.TszF2/9";
            start-time "2009-6-1.15:29:20 -0700";
        }
    }
}

If you commit these updates to your configuration, you see output similar to the following. In the output for the show bfd session detail command, Authenticate is displayed to indicate that BFD authentication is configured. For more information about the configuration, use the show bfd session extensive command. The output for this command provides the keychain name, the authentication algorithm, and the mode for each client in the session, as well as the overall BFD authentication configuration status, keychain name, authentication algorithm, and mode.

show bfd session detail

user@host> show bfd session detail

                                                  Detect   Transmit
Address                  State     Interface      Time     Interval  Multiplier
50.0.0.2                 Up        ge-0/1/5.0     0.900     0.300        3   
 Client RIP, TX interval 0.300, RX interval 0.300, Authenticate 
 Session up time 3d 00:34
 Local diagnostic None, remote diagnostic NbrSignal
 Remote state Up, version 1
 Replicated 

show bfd session extensive

user@host> show bfd session extensive
                                                  Detect   Transmit
Address                  State     Interface      Time     Interval  Multiplier
50.0.0.2                 Up        ge-0/1/5.0     0.900     0.300        3   
 Client RIP, TX interval 0.300, RX interval 0.300, Authenticate   
        keychain bfd-rip, algo keyed-sha-1, mode strict   
 Session up time 00:04:42
 Local diagnostic None, remote diagnostic NbrSignal
 Remote state Up, version 1
 Replicated 
 Min async interval 0.300, min slow interval 1.000
 Adaptive async TX interval 0.300, RX interval 0.300
 Local min TX interval 0.300, minimum RX interval 0.300, multiplier 3
 Remote min TX interval 0.300, min RX interval 0.300, multiplier 3
 Local discriminator 2, remote discriminator 2
 Echo mode disabled/inactive
 Authentication enabled/active, keychain bfd-rip, algo keyed-sha-1, mode strict  
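
To confirm that every session is actually running authenticated, the per-session summary line in the extensive output can be checked by script. The following is an added example, not Juniper code: the function names and the sample text are constructed, the sample reuses the line formats shown above, and it assumes that a session without authentication has no "Authentication ..." summary line and that a session under loose checking reports a mode other than strict (the literal "loose" in the sample is an assumption).

```python
import re

# Session header row: address, state, interface (IPv4 only, as in the output above).
SESSION = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)")
# Per-session summary line, as printed last in each session block above.
AUTH = re.compile(
    r"^\s+Authentication ([^,]+), keychain ([^,]+), algo ([^,]+), mode (\S+)")

def parse_sessions(output):
    """Return one dict per session found in 'show bfd session extensive' text."""
    sessions = []
    for line in output.splitlines():
        if m := SESSION.match(line):
            sessions.append({"address": m[1], "state": m[2],
                             "interface": m[3], "auth": None})
        elif sessions and (m := AUTH.match(line)):
            fields = ("status", "keychain", "algo", "mode")
            sessions[-1]["auth"] = dict(zip(fields, m.groups()))
    return sessions

def non_compliant(output, keychain, algo):
    """Return (address, reason) for sessions not authenticated as expected."""
    problems = []
    for s in parse_sessions(output):
        auth = s["auth"]
        if auth is None:
            problems.append((s["address"], "no authentication summary line"))
        elif auth["status"] != "enabled/active":
            problems.append((s["address"], f"authentication {auth['status']}"))
        elif (auth["keychain"], auth["algo"]) != (keychain, algo):
            problems.append((s["address"],
                             f"unexpected {auth['keychain']}/{auth['algo']}"))
        elif auth["mode"] != "strict":
            problems.append((s["address"], f"mode {auth['mode']}, expected strict"))
    return problems

# Constructed sample: addresses and the "mode loose" literal are not from a device.
SAMPLE = """\
Address                  State     Interface      Time     Interval  Multiplier
192.0.2.2                Up        ge-0/1/5.0     0.900     0.300        3
 Client RIP, TX interval 0.300, RX interval 0.300, Authenticate
        keychain bfd-rip, algo keyed-sha-1, mode strict
 Authentication enabled/active, keychain bfd-rip, algo keyed-sha-1, mode strict
192.0.2.6                Up        ge-0/1/6.0     0.900     0.300        3
 Client RIP, TX interval 0.300, RX interval 0.300
192.0.2.10               Up        ge-0/1/7.0     0.900     0.300        3
 Client RIP, TX interval 0.300, RX interval 0.300, Authenticate
 Authentication enabled/active, keychain bfd-rip, algo keyed-sha-1, mode loose
"""

if __name__ == "__main__":
    for address, reason in non_compliant(SAMPLE, "bfd-rip", "keyed-sha-1"):
        print(f"{address}: {reason}")
```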

Published: 2010-04-14