Example: Configuring BFD Authentication for IS-IS
Understanding BFD Authentication for IS-IS
Bidirectional Forwarding Detection (BFD) enables rapid detection of communication failures between adjacent systems. By default, authentication for BFD sessions is disabled. However, when running BFD over Network Layer protocols, the risk of service attacks can be significant. We strongly recommend using authentication if you are running BFD over multiple hops or through insecure tunnels. Beginning with Junos OS Release 9.6, Junos OS supports authentication for BFD sessions running over IS-IS. BFD authentication is only supported in the domestic image and is not available in the export image.
You authenticate BFD sessions by specifying an authentication algorithm and keychain, and then associating that configuration information with a security authentication keychain using the keychain name.
The following sections describe the supported authentication algorithms, security keychains, and level of authentication that can be configured:
BFD Authentication Algorithms
Junos OS supports the following algorithms for BFD authentication:
- simple-password—Plain-text password. One to 16 bytes of plain text are used to authenticate the BFD session. One or more passwords might be configured. This method is the least secure and should be used only when BFD sessions are not subject to packet interception.
- keyed-md5—Keyed Message Digest 5 hash algorithm for sessions with transmit and receive intervals greater than 100 ms. To authenticate the BFD session, keyed MD5 uses one or more secret keys (generated by the algorithm) and a sequence number that is updated periodically. With this method, packets are accepted at the receiving end of the session if one of the keys matches and the sequence number is greater than or equal to the last sequence number received. Although more secure than a simple password, this method is vulnerable to replay attacks. Increasing the rate at which the sequence number is updated can reduce this risk.
- meticulous-keyed-md5—Meticulous keyed Message Digest 5 hash algorithm. This method works in the same manner as keyed MD5, but the sequence number is updated with every packet. Although more secure than keyed MD5 and simple passwords, this method might take additional time to authenticate the session.
- keyed-sha-1—Keyed Secure Hash Algorithm I for sessions with transmit and receive intervals greater than 100 ms. To authenticate the BFD session, keyed SHA uses one or more secret keys (generated by the algorithm) and a sequence number that is updated periodically. The key is not carried within the packets. With this method, packets are accepted at the receiving end of the session if one of the keys matches and the sequence number is greater than the last sequence number received.
- meticulous-keyed-sha-1—Meticulous keyed Secure Hash Algorithm I. This method works in the same manner as keyed SHA, but the sequence number is updated with every packet. Although more secure than keyed SHA and simple passwords, this method might take additional time to authenticate the session.
Note: Nonstop active routing (NSR) is not supported with the meticulous-keyed-md5 and meticulous-keyed-sha-1 authentication algorithms. BFD sessions using these algorithms might go down after a switchover.
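The sequence-number rules described above are what separate the keyed and meticulous modes in practice. The following is an added example, not Junos OS code or anything from this page: it builds and verifies the BFD authentication section for keyed SHA-1 and meticulous keyed SHA-1 using the wire layout of RFC 5880 (24-byte control header followed by Auth Type, Auth Len, Auth Key ID, Reserved, Sequence Number and a 20-byte hash computed over the packet with the zero-padded secret in place of the hash). The receiver applies the RFC 5880 acceptance window: keyed mode accepts a sequence number equal to or above the last one seen, meticulous mode requires a strictly larger one, and both cap the jump at 3 times the Detect Mult. Key IDs, secrets, discriminators and intervals are constructed sample values.

```python
import hashlib
import hmac
import struct

# Auth Type values and field sizes from RFC 5880, sections 4.2 and 4.4.
AUTH_KEYED_SHA1 = 4
AUTH_METICULOUS_KEYED_SHA1 = 5
HEADER_LEN = 24        # mandatory BFD control packet section
AUTH_HDR_LEN = 8       # Auth Type, Auth Len, Auth Key ID, Reserved, Sequence Number
SHA1_AUTH_LEN = 28     # AUTH_HDR_LEN + 20-byte SHA-1 hash
MOD32 = 1 << 32


def build_header(my_disc, your_disc, detect_mult):
    # Version 1, diag 0; state Up (3) with the A (Authentication Present) bit set.
    # Interval values are constructed (100 ms, expressed in microseconds).
    vers_diag = (1 << 5) | 0
    flags = (3 << 6) | 0x04
    length = HEADER_LEN + SHA1_AUTH_LEN
    return struct.pack("!BBBBIIIII", vers_diag, flags, detect_mult, length,
                       my_disc, your_disc, 100_000, 100_000, 0)


def _padded(secret):
    # The shared secret is zero-padded (or truncated) to the 20-byte hash field.
    return secret.ljust(20, b"\x00")[:20]


def sign(header, auth_type, key_id, seq, secret):
    # SHA-1 over the whole packet, with the padded secret occupying the hash field.
    auth_hdr = struct.pack("!BBBBI", auth_type, SHA1_AUTH_LEN, key_id, 0, seq % MOD32)
    digest = hashlib.sha1(header + auth_hdr + _padded(secret)).digest()
    return header + auth_hdr + digest


class Receiver:
    def __init__(self, keychain):
        self.keychain = keychain      # Auth Key ID -> secret bytes
        self.seq_known = False        # bfd.AuthSeqKnown
        self.rcv_seq = 0              # bfd.RcvAuthSeq

    def verify(self, pkt):
        if len(pkt) != HEADER_LEN + SHA1_AUTH_LEN or pkt[3] != len(pkt):
            return False, "bad length"
        detect_mult = pkt[2]
        auth_type, auth_len, key_id, _, seq = struct.unpack(
            "!BBBBI", pkt[HEADER_LEN:HEADER_LEN + AUTH_HDR_LEN])
        if auth_type not in (AUTH_KEYED_SHA1, AUTH_METICULOUS_KEYED_SHA1) or auth_len != SHA1_AUTH_LEN:
            return False, "unsupported auth type or length"
        secret = self.keychain.get(key_id)
        if secret is None:
            return False, "unknown key id"
        if self.seq_known:
            # Keyed: diff in [0, 3*mult]; meticulous: diff in [1, 3*mult] (modulo 2^32).
            diff = (seq - self.rcv_seq) % MOD32
            low = 1 if auth_type == AUTH_METICULOUS_KEYED_SHA1 else 0
            if not low <= diff <= 3 * detect_mult:
                return False, "sequence number out of window"
        expected = hashlib.sha1(pkt[:HEADER_LEN + AUTH_HDR_LEN] + _padded(secret)).digest()
        if not hmac.compare_digest(expected, pkt[HEADER_LEN + AUTH_HDR_LEN:]):
            return False, "digest mismatch"
        self.seq_known = True
        self.rcv_seq = seq
        return True, "ok"


def demo():
    keychain = {53: b"constructed-secret"}          # constructed key ID and secret
    hdr = build_header(my_disc=2, your_disc=2, detect_mult=3)
    meticulous = Receiver(keychain)
    keyed = Receiver(keychain)
    results = []
    p1 = sign(hdr, AUTH_METICULOUS_KEYED_SHA1, 53, 1000, keychain[53])
    results.append(meticulous.verify(p1)[1])        # first copy accepted
    results.append(meticulous.verify(p1)[1])        # same sequence again: rejected in meticulous mode
    p2 = sign(hdr, AUTH_KEYED_SHA1, 53, 500, keychain[53])
    results.append(keyed.verify(p2)[1])             # keyed mode accepts ...
    results.append(keyed.verify(p2)[1])             # ... and accepts an identical sequence number
    p3 = bytearray(sign(hdr, AUTH_METICULOUS_KEYED_SHA1, 53, 1001, keychain[53]))
    p3[4] ^= 0x01                                   # alter My Discriminator after signing
    results.append(meticulous.verify(bytes(p3))[1])  # digest covers the header, so it fails
    p4 = sign(hdr, AUTH_METICULOUS_KEYED_SHA1, 7, 1001, keychain[53])
    results.append(meticulous.verify(p4)[1])        # key ID not in the keychain
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The two receivers show the trade-off the text describes: in keyed mode a packet carrying an already-seen sequence number is still accepted until the sender moves the counter on, while meticulous mode rejects it immediately because every packet must advance the counter.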
Security Authentication Keychains
The security authentication keychain defines the authentication attributes used for authentication key updates. When the security authentication keychain is configured and associated with a protocol through the keychain name, authentication key updates can occur without interrupting routing and signaling protocols.
The authentication keychain contains one or more keychains. Each keychain contains one or more keys. Each key holds the secret data and the time at which the key becomes valid. The algorithm and keychain must be configured on both ends of the BFD session, and they must match. Any mismatch in configuration prevents the BFD session from being created.
BFD allows multiple clients per session, and each client can have its own keychain and algorithm defined. To avoid confusion, we recommend specifying only one security authentication keychain.
Strict Versus Loose Authentication
By default, strict authentication is enabled and authentication is checked at both ends of each BFD session. Optionally, to smooth migration from nonauthenticated sessions to authenticated sessions, you can configure loose checking. When loose checking is configured, packets are accepted without authentication being checked at each end of the session. This feature is intended for transitional periods only.
Configuring BFD Authentication for IS-IS
Beginning with Junos OS Release 9.6, you can configure authentication for BFD sessions running over IS-IS. Routing instances are also supported. Only three steps are needed to configure authentication on a BFD session:
- Specify the BFD authentication algorithm for the IS-IS protocol.
- Associate the authentication keychain with the IS-IS protocol.
- Configure the related security authentication keychain.
The following sections provide instructions for configuring and viewing BFD authentication on IS-IS:
Configuring BFD Authentication Parameters
To configure BFD authentication:
- Specify the algorithm (keyed-md5, keyed-sha-1, meticulous-keyed-md5, meticulous-keyed-sha-1, or simple-password) to use for BFD authentication on an IS-IS route or routing instance.
[edit]
user@host# set protocols isis interface if1-isis bfd-liveness-detection authentication algorithm keyed-sha-1
Note: Nonstop active routing (NSR) is not supported with the meticulous-keyed-md5 and meticulous-keyed-sha-1 authentication algorithms. BFD sessions using these algorithms might go down after a switchover.
- Specify the keychain to be used to associate BFD sessions on the specified IS-IS route or routing instance with the unique security authentication keychain attributes. This should match the keychain name configured at the [edit security authentication-key-chains] hierarchy level.
[edit]
user@host# set protocols isis interface if1-isis bfd-liveness-detection authentication key-chain bfd-isis
Note: The algorithm and keychain must be configured on both ends of the BFD session, and they must match. Any mismatch in configuration prevents the BFD session from being created.
- Specify the unique security authentication information for BFD sessions:
  - The matching keychain name as specified in Step 2.
  - At least one key, a unique integer between 0 and 63. Creating multiple keys allows multiple clients to use the BFD session.
  - The secret data used to allow access to the session.
  - The time at which the authentication key becomes active, yyyy-mm-dd.hh:mm:ss.
[edit security]
user@host# set authentication-key-chains key-chain bfd-isis key 53 secret $9$ggaJDmPQ6/tJgF/AtREVsyPsnCtUHm start-time 2009-06-14.10:00:00
- (Optional) Specify loose authentication checking if you are transitioning from nonauthenticated sessions to authenticated sessions.
[edit]
user@host# set protocols isis interface if1-isis bfd-liveness-detection authentication loose-check
- (Optional) View your configuration using the show bfd session detail or show bfd session extensive command.
- Repeat these steps to configure the other end of the BFD session.
Note: BFD authentication is only supported in the domestic image and is not available in the export image.
Viewing Authentication Information for BFD Sessions
You can view the existing BFD authentication configuration using the show bfd session detail and show bfd session extensive commands.
The following example shows BFD authentication configured for the if1-isis interface. It specifies the keyed SHA-1 authentication algorithm and a keychain name of bfd-isis. The authentication keychain is configured with two keys. Key 1 contains the secret data “$9$ggaJDmPQ6/tJgF/AtREVsyPsnCtUHm” and a start time of June 1, 2009, at 9:46:02 AM PST. Key 2 contains the secret data “$9$a5jiKW9l.reP38ny.TszF2/9” and a start time of June 1, 2009, at 3:29:20 PM PST.
If you commit these updates to your configuration, you see output similar to the following. In the output for the show bfd session detail command, Authenticate is displayed to indicate that BFD authentication is configured. For more information about the configuration, use the show bfd session extensive command. The output for this command provides the keychain name, the authentication algorithm and mode for each client in the session, and the overall BFD authentication configuration status, keychain name, and authentication algorithm and mode.
show bfd session detail
user@host> show bfd session detail
                                                  Detect   Transmit
Address                  State     Interface      Time     Interval  Multiplier
10.9.1.29                Up        ge-4/0/0.0     0.600     0.200        3
 Client ISIS L2, TX interval 0.200, RX interval 0.200, multiplier 3, Authenticate
 Session up time 3d 00:34, previous down time 00:00:01
 Local diagnostic NbrSignal, remote diagnostic AdminDown
 Remote state Up, version 1

1 sessions, 1 clients
Cumulative transmit rate 10.0 pps, cumulative receive rate 10.0 pps
show bfd session extensive
user@host> show bfd session extensive
                                                  Detect   Transmit
Address                  State     Interface      Time     Interval  Multiplier
10.9.1.29                Up        ge-4/0/0.0     0.600     0.200        3
 Client ISIS L2, TX interval 0.200, RX interval 0.200, multiplier 3, Authenticate
  keychain bfd-isis, algo keyed-sha-1, mode strict
 Session up time 00:04:42
 Local diagnostic None, remote diagnostic NbrSignal
 Remote state Up, version 1
 Replicated
 Min async interval 0.300, min slow interval 1.000
 Adaptive async TX interval 0.300, RX interval 0.300
 Local min TX interval 0.300, minimum RX interval 0.300, multiplier 3
 Remote min TX interval 0.300, min RX interval 0.300, multiplier 3
 Local discriminator 2, remote discriminator 2
 Echo mode disabled/inactive
 Authentication enabled/active, keychain bfd-isis, algo keyed-sha-1, mode strict

1 sessions, 1 clients
Cumulative transmit rate 10.0 pps, cumulative receive rate 10.0 pps
Example: Configuring BFD Authentication for IS-IS
This example shows how to configure BFD authentication for IS-IS.
Requirements
Before you begin, configure IS-IS on both routers. See Example: Configuring IS-IS for information about the required IS-IS configuration.
Overview
In this example, a BFD authentication keychain is configured with meticulous keyed MD5 authentication.
Figure 1 shows the topology used in this example.
Figure 1: IS-IS BFD Authentication Topology

CLI Quick Configuration shows the configuration for both of the devices in Figure 1. The section Step-by-Step Procedure describes the steps on Device R1.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Device R1
Device R2
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure IS-IS BFD authentication:
- Configure the authentication keychain.
[edit security authentication-key-chains key-chain secret123]
user@R1# set description for-isis-bfd
user@R1# set key 1 secret "$9$cW-yrv"
user@R1# set key 1 start-time "2012-5-31.13:00:00 -0700"
user@R1# set key 2 secret "$9$m5T3"
user@R1# set key 2 start-time "2013-5-31.13:00:00 -0700"
user@R1# set key 3 secret "$9$mTQn"
user@R1# set key 3 start-time "2014-5-31.13:00:00 -0700"
- Enable BFD.
[edit protocols isis interface ge-1/2/0.0 bfd-liveness-detection]
user@R1# set minimum-interval 100
- Apply the authentication keychain.
[edit protocols isis interface ge-1/2/0.0 bfd-liveness-detection]
user@R1# set authentication key-chain secret123
- Set the authentication type.
[edit protocols isis interface ge-1/2/0.0 bfd-liveness-detection]
user@R1# set authentication algorithm meticulous-keyed-md5
Results
From configuration mode, confirm your configuration by entering the show protocols and show security commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Verifying IS-IS BFD Authentication
Purpose
Verify the status of IS-IS BFD authentication.
Action
From operational mode, enter the show bfd session extensive command.
user@R1> show bfd session extensive
                                                  Detect   Transmit
Address                  State     Interface      Time     Interval  Multiplier
10.0.0.2                 Down      ge-1/2/0.0     0.300     1.000        3
 Client ISIS L1, TX interval 0.100, RX interval 0.100, Authenticate
  keychain secret123, algo meticulous-keyed-md5, mode strict
 Client ISIS L2, TX interval 0.100, RX interval 0.100, Authenticate
  keychain secret123, algo meticulous-keyed-md5, mode strict
 Session down time 00:35:13, previous up time 00:12:17
 Local diagnostic None, remote diagnostic None
 Remote state Up, version 1
 Logical system 2, routing table index 85
 Min async interval 0.100, min slow interval 1.000
 Adaptive async TX interval 0.100, RX interval 0.100
 Local min TX interval 1.000, minimum RX interval 0.100, multiplier 3
 Remote min TX interval 0.100, min RX interval 0.100, multiplier 3
 Local discriminator 2, remote discriminator 1
 Echo mode disabled/inactive, no-absorb, no-refresh
 Authentication enabled/active, keychain secret123, algo meticulous-keyed-md5, mode strict
 Session ID: 0x100101

1 sessions, 2 clients
Cumulative transmit rate 1.0 pps, cumulative receive rate 10.0 pps
Meaning
The output shows that BFD authentication is enabled on IS-IS Level 1 and Level 2.