Configuring PIM and the Bidirectional Forwarding Detection (BFD) Protocol
Understanding Bidirectional Forwarding Detection Authentication for PIM
Bidirectional Forwarding Detection (BFD) enables rapid detection of communication failures between adjacent systems. By default, authentication for BFD sessions is disabled. However, when you run BFD over Network Layer protocols, the risk of service attacks can be significant. We strongly recommend using authentication if you are running BFD over multiple hops or through insecure tunnels.
Beginning with Junos OS Release 9.6, Junos OS supports authentication for BFD sessions running over PIM. BFD authentication is only supported in the Canada and United States version of the Junos OS image and is not available in the export version.
You authenticate BFD sessions by specifying an authentication algorithm and keychain, and then associating that configuration information with a security authentication keychain using the keychain name.
The following sections describe the supported authentication algorithms, security keychains, and level of authentication that can be configured:
BFD Authentication Algorithms
Junos OS supports the following algorithms for BFD authentication:
simple-password—Plain-text password. One to 16 bytes of plain text are used to authenticate the BFD session. One or more passwords can be configured. This method is the least secure and should be used only when BFD sessions are not subject to packet interception.
keyed-md5—Keyed Message Digest 5 hash algorithm for sessions with transmit and receive intervals greater than 100 ms. To authenticate the BFD session, keyed MD5 uses one or more secret keys (generated by the algorithm) and a sequence number that is updated periodically. With this method, packets are accepted at the receiving end of the session if one of the keys matches and the sequence number is greater than or equal to the last sequence number received. Although more secure than a simple password, this method is vulnerable to replay attacks. Increasing the rate at which the sequence number is updated can reduce this risk.
meticulous-keyed-md5—Meticulous keyed Message Digest 5 hash algorithm. This method works in the same manner as keyed MD5, but the sequence number is updated with every packet. Although more secure than keyed MD5 and simple passwords, this method might take additional time to authenticate the session.
keyed-sha-1—Keyed Secure Hash Algorithm I for sessions with transmit and receive intervals greater than 100 ms. To authenticate the BFD session, keyed SHA uses one or more secret keys (generated by the algorithm) and a sequence number that is updated periodically. The key is not carried within the packets. With this method, packets are accepted at the receiving end of the session if one of the keys matches and the sequence number is greater than the last sequence number received.
meticulous-keyed-sha-1—Meticulous keyed Secure Hash Algorithm I. This method works in the same manner as keyed SHA, but the sequence number is updated with every packet. Although more secure than keyed SHA and simple passwords, this method might take additional time to authenticate the session.
Nonstop active routing (NSR) is not supported with meticulous-keyed-md5 and meticulous-keyed-sha-1 authentication algorithms. BFD sessions using these algorithms might go down after a switchover.
Security Authentication Keychains
The security authentication keychain defines the authentication attributes used for authentication key updates. When the security authentication keychain is configured and associated with a protocol through the keychain name, authentication key updates can occur without interrupting routing and signaling protocols.
The authentication keychain contains one or more keychains. Each keychain contains one or more keys. Each key holds the secret data and the time at which the key becomes valid. The algorithm and keychain must be configured on both ends of the BFD session, and they must match. Any mismatch in configuration prevents the BFD session from being created.
BFD allows multiple clients per session, and each client can have its own keychain and algorithm defined. To avoid confusion, we recommend specifying only one security authentication keychain.
Security Authentication Keychain is not supported on SRX Series Firewalls.
Strict Versus Loose Authentication
By default, strict authentication is enabled, and authentication is checked at both ends of each BFD session. Optionally, to smooth migration from nonauthenticated sessions to authenticated sessions, you can configure loose checking. When loose checking is configured, packets are accepted without authentication being checked at each end of the session. This feature is intended for transitional periods only.
See Also
Configuring BFD for PIM
The Bidirectional Forwarding Detection (BFD) Protocol is a simple hello mechanism that detects failures in a network. BFD works with a wide variety of network environments and topologies. A pair of routing devices exchanges BFD packets. Hello packets are sent at a specified, regular interval. A neighbor failure is detected when the routing device stops receiving a reply after a specified interval. The BFD failure detection timers have shorter time limits than the Protocol Independent Multicast (PIM) hello hold time, so they provide faster detection.
The BFD failure detection timers are adaptive
and can be adjusted to be faster or slower. The lower the BFD failure
detection timer value, the faster the failure detection and vice versa.
For example, the timers can adapt to a higher value if the adjacency
fails (that is, the timer detects failures more slowly). Or a neighbor
can negotiate a higher value for a timer than the configured value.
The timers adapt to a higher value when a BFD session flap occurs
more than three times in a span of 15 seconds. A back-off algorithm
increases the receive (Rx) interval by two if the local BFD instance
is the reason for the session flap. The transmission (Tx) interval
is increased by two if the remote BFD instance is the reason for the
session flap. You can use the clear bfd adaptation command
to return BFD interval timers to their configured values. The clear bfd adaptation command is hitless, meaning that the command
does not affect traffic flow on the routing device.
You must specify the minimum transmit and minimum receive intervals to enable BFD on PIM.
To enable failure detection:
See Also
Configuring BFD Authentication for PIM
Specify the BFD authentication algorithm for the PIM protocol.
Associate the authentication keychain with the PIM protocol.
Configure the related security authentication keychain.
Beginning with Junos OS Release 9.6, you can configure authentication for Bidirectional Forwarding Detection (BFD) sessions running over Protocol Independent Multicast (PIM). Routing instances are also supported.
The following sections provide instructions for configuring and viewing BFD authentication on PIM:
Configuring BFD Authentication Parameters
BFD authentication is only supported in the Canada and United States version of the Junos OS image and is not available in the export version.
To configure BFD authentication:
Viewing Authentication Information for BFD Sessions
You can view the existing BFD authentication configuration by
using the show bfd session detail and show bfd session
extensive commands.
The following example shows BFD authentication configured for the ge-0/1/5 interface. It specifies the keyed SHA-1 authentication algorithm and a keychain name of bfd-pim. The authentication keychain is configured with two keys. Key 1 contains the secret data “$ABC123/” and a start time of June 1, 2009, at 9:46:02 AM PST. Key 2 contains the secret data “$ABC123/” and a start time of June 1, 2009, at 3:29:20 PM PST.
[edit protocols pim]
interface ge-0/1/5 {
family inet {
bfd-liveness-detection {
authentication {
key-chain bfd-pim;
algorithm keyed-sha-1;
}
}
}
}
[edit security]
authentication key-chains {
key-chain bfd-pim {
key 1 {
secret “$ABC123/”;
start-time “2009-6-1.09:46:02 -0700”;
}
key 2 {
secret “$ABC123/”;
start-time “2009-6-1.15:29:20 -0700”;
}
}
}
If you commit these updates to your configuration, you see output
similar to the following example. In the output for the show
bfd session detail command, Authenticate is displayed
to indicate that BFD authentication is configured. For more information
about the configuration, use the show bfd session extensive command. The output for this command provides the keychain name,
the authentication algorithm and mode for each client in the session,
and the overall BFD authentication configuration status, keychain
name, and authentication algorithm and mode.
show bfd session detail
user@host# show bfd session detail
Detect Transmit
Address State Interface Time Interval Multiplier
192.0.2.2 Up ge-0/1/5.0 0.900 0.300 3
Client PIM, TX interval 0.300, RX interval 0.300, Authenticate
Session up time 3d 00:34
Local diagnostic None, remote diagnostic NbrSignal
Remote state Up, version 1
Replicated
show bfd session extensive
user@host# show bfd session extensive
Detect Transmit
Address State Interface Time Interval Multiplier
192.0.2.2 Up ge-0/1/5.0 0.900 0.300 3
Client PIM, TX interval 0.300, RX interval 0.300, Authenticate
keychain bfd-pim, algo keyed-sha-1, mode strict
Session up time 00:04:42
Local diagnostic None, remote diagnostic NbrSignal
Remote state Up, version 1
Replicated
Min async interval 0.300, min slow interval 1.000
Adaptive async TX interval 0.300, RX interval 0.300
Local min TX interval 0.300, minimum RX interval 0.300, multiplier 3
Remote min TX interval 0.300, min RX interval 0.300, multiplier 3
Local discriminator 2, remote discriminator 2
Echo mode disabled/inactive
Authentication enabled/active, keychain bfd-pim, algo keyed-sha-1, mode strict
Example: Configuring BFD Liveness Detection for PIM IPv6
This example shows how to configure Bidirectional Forwarding Detection (BFD) liveness detection for IPv6 interfaces configured for the Protocol Independent Multicast (PIM) topology. BFD is a simple hello mechanism that detects failures in a network.
The following steps are needed to configure BFD liveness detection:
Configure the interface.
Configure the related security authentication keychain.
Specify the BFD authentication algorithm for the PIM protocol.
Configure PIM, associating the authentication keychain with the desired protocol.
Configure BFD authentication for the routing instance.
You must perform these steps on both ends of the BFD session.
Requirements
This example uses the following hardware and software components:
Two peer routers.
Junos OS 12.2 or later.
Overview
In this example. Device R1 and Device R2 are peers. Each router runs PIM, connected over a common medium.
Topology
Figure 1 shows the topology used in this example.
Assume that the routers initialize. No BFD session is yet established. For each router, PIM informs the BFD process to monitor the IPv6 address of the neighbor that is configured in the routing protocol. Addresses are not learned dynamically and must be configured.
Configure the IPv6 address and BFD liveness detection at the [edit protocols pim] hierarchy level for each router.
[edit protocols pim] user@host# set interface interface-name family inet6 bfd-liveness-detection
Configure BFD liveness detection for the routing instance at the [edit routing-instancesinstance-name protocols pim interface all family inet6] hierarchy level (here, the instance-name is instance1:
[edit routing-instances instance1 protocols pim] user@host# set bfd-liveness-detection
You will also configure the authentication algorithm and authentication keychain values for BFD.
In a BFD-configured network, when a client launches a BFD session with a peer, BFD begins sending slow, periodic BFD control packets that contain the interval values that you specified when you configured the BFD peers. This is known as the initialization state. BFD does not generate any up or down notifications in this state. When another BFD interface acknowledges the BFD control packets, the session moves into an up state and begins to more rapidly send periodic control packets. If a data path failure occurs and BFD does not receive a control packet within the configured amount of time, the data path is declared down and BFD notifies the BFD client. The BFD client can then perform the necessary actions to reroute traffic. This process can be different for different BFD clients.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Device R1
set interfaces ge-0/1/5 unit 0 description toRouter2 set interfaces ge-0/1/5 unit 0 family inet6 set interfaces ge-0/1/5 unit 0 family inet6 address e80::21b:c0ff:fed5:e4dd set protocols pim interface ge-0/1/5 family inet6 bfd-liveness-detection authentication algorithm keyed-sha-1 set protocols pim interface ge-0/1/5 family inet6 bfd-liveness-detection authentication key-chain bfd-pim set routing-instances instance1 protocols pim interface all family inet6 bfd-liveness-detection authentication algorithm keyed-sha-1 set routing-instances instance1 protocols pim interface all family inet6 bfd-liveness-detection authentication key-chain bfd-pim set security authentication key-chain bfd-pim key 1 secret "v" set security authentication key-chain bfd-pim key 1 start-time "2012-01-01.09:46:02 -0700" set security authentication key-chain bfd-pim key 2 secret "$ABC123abc123" set security authentication key-chain bfd-pim key 2 start-time "2012-01-01.15:29:20 -0700"
Device R2
set interfaces ge-1/1/0 unit 0 description toRouter1 set interfaces ge-1/1/0 unit 0 family inet6 address e80::21b:c0ff:fed5:e5dd set protocols pim interface ge-1/1/0 family inet6 bfd-liveness-detection authentication algorithm keyed-sha-1 set protocols pim interface ge-1/1/0 family inet6 bfd-liveness-detection authentication key-chain bfd-pim set routing-instances instance1 protocols pim interface all family inet6 bfd-liveness-detection authentication algorithm keyed-sha-1 set routing-instances instance1 protocols pim interface all family inet6 bfd-liveness-detection authentication key-chain bfd-pim set security authentication key-chain bfd-pim key 1 secret "$ABC123abc123" set security authentication key-chain bfd-pim key 1 start-time "2012-01-01.09:46:02 -0700" set security authentication key-chain bfd-pim key 2 secret "$ABC123abc123" set security authentication key-chain bfd-pim key 2 start-time "2012-01-01.15:29:20 -0700"
Procedure
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure BFD liveness detection for PIM IPv6 interfaces on Device R1:
This procedure is for Device R1. Repeat this procedure for Device R2, after modifying the appropriate interface names, addresses, and any other parameters.
Configure the interface, using the
inet6statement to specify that this is an IPv6 address.[edit interfaces] user@R1# set ge-0/1/5 unit 0 description toRouter2 user@R1# set ge-0/1/5 unit 0 family inet6 address e80::21b:c0ff:fed5:e4dd
Specify the BFD authentication algorithm and keychain for the PIM protocol.
The keychain is used to associate BFD sessions on the specified PIM route or routing instance with the unique security authentication keychain attributes. This keychain name should match the keychain name configured at the
[edit security authentication]hierarchy level.[edit protocols] user@R1# set pim interface ge-0/1/5.0 family inet6 bfd-liveness-detection authentication algorithm keyed-sha-1 user@R1# set pim interface ge-0/1/5 family inet6 bfd-liveness-detection authentication key-chain bfd-pim
Note:The algorithm and keychain must be configured on both ends of the BFD session, and they must match. Any mismatch in configuration prevents the BFD session from being created.
Configure a routing instance (here, instance1), specifying BFD authentication and associating the security authentication algorithm and keychain.
[edit routing-instances] user@R1# set instance1 protocols pim interface all family inet6 bfd-liveness-detection authentication algorithm keyed-sha-1 user@R1# set instance1 protocols pim interface all family inet6 bfd-liveness-detection authentication key-chain bfd-pim
Specify the unique security authentication information for BFD sessions:
The matching keychain name as specified in Step 2.
At least one key, a unique integer between 0 and 63. Creating multiple keys allows multiple clients to use the BFD session.
The secret data used to allow access to the session.
The time at which the authentication key becomes active, in the format YYYY-MM-DD.hh:mm:ss.
[edit security authentication] user@R1# set key-chain bfd-pim key 1 secret "$ABC123abc123" user@R1# set key-chain bfd-pim key 1 start-time "2012-01-01.09:46:02 -0700" user@R1# set key-chain bfd-pim key 2 secret "$ABC123abc123" user@R1# set key-chain bfd-pim key 2 start-time "2012-01-01.15:29:20 -0700"
Results
Confirm your configuration by issuing the show
interfaces, show protocols, show routing-instances, and show security commands. If the output does not display
the intended configuration, repeat the instructions in this example
to correct the configuration.
user@R1# show interfaces
ge-0/1/5 {
unit 0 {
description toRouter2;
family inet6 {
address e80::21b:c0ff:fed5:e4dd {
}
}
}
}
user@R1# show protocols
pim {
interface ge-0/1/5.0 {
family inet6;
bfd-liveness-detection {
authentication {
algorithm keyed-sha-1;
key-chain bfd-pim;
}
}
}
}
user@R1# show routing-instances
instance1 {
protocols {
pim {
interface all {
family inet6 {
bfd-liveness-detection {
authentication {
algorithm keyed-sha-1;
key-chain bfd-pim;
}
}
}
}
}
}
}
user@R1# show security
authentication {
key-chain bfd-pim {
key 1 {
secret “$ABC123abc123”;
start-time “2012-01-01.09:46:02 -0700”;
}
key 2 {
secret “$ABC123abc123”;
start-time “2012-01-01.15:29:20 -0700”;
}
}
}
Verification
Confirm that the configuration is working properly.
Verifying the BFD Session
Purpose
Verify that BFD liveness detection is enabled.
Action
user@R1# run show pim neighbors detail
Instance: PIM.master
Interface: ge-0/1/5.0
Address: fe80::21b:c0ff:fed5:e4dd, IPv6, PIM v2, Mode: Sparse, sg Join Count: 0, tsg Join Count: 0
Hello Option Holdtime: 65535 seconds
Hello Option DR Priority: 1
Hello Option Generation ID: 1417610277
Hello Option LAN Prune Delay: delay 500 ms override 2000 ms
Join Suppression supported
Address: fe80::21b:c0ff:fedc:28dd, IPv6, PIM v2, sg Join Count: 0, tsg Join Count: 0
Secondary address: beef::2
BFD: Enabled, Operational state: Up
Hello Option Holdtime: 105 seconds 80 remaining
Hello Option DR Priority: 1
Hello Option Generation ID: 1648636754
Hello Option LAN Prune Delay: delay 500 ms override 2000 ms
Join Suppression supportedMeaning
The display from the show pim neighbors detail command shows BFD: Enabled, Operational state: Up, indicating
that BFD is operating between the two PIM neighbors. For additional
information about the BFD session (including the session ID number),
use the show bfd session extensive command.