BFD Session Authentication
TNSR supports authentication for BFD sessions. When authentication is enabled, a secret key is used to create a hash of the outgoing packets. The key itself is not sent in the packets, only the hash and the ID of the key. A sequence number is used to help avoid replay attacks.
The receiving peer will check for a key matching the given ID and then compare a hash of the BFD payload against the hash sent by the peer. If it matches and the sequence number is valid, the packet is accepted.
Define BFD Keys
Before a BFD key can be used in a session, it must be defined in the configuration. This is done from config mode using the following command:
- bfd conf-key-id <conf-key-id>:
  Defines an internal configuration key identifier and starts configuration of the key. This identifier is an unsigned 32-bit integer for an internal unique key in TNSR. This command enters config-bfd-key mode.
  Note
  Neither the key itself nor this ID are ever communicated to peers.
The following commands are available in config-bfd-key mode:
- authentication type (keyed-sha1|meticulous-keyed-sha1):
  Configures the type of authentication TNSR will use with this key. Both available types are based on SHA1; the difference is in how sequence numbers are handled.
  - keyed-sha1:
    The sequence number for the session is incremented occasionally.
  - meticulous-keyed-sha1:
    The sequence number for the session is incremented with every packet.
- secret < (<hex-pair>)[1-20] >:
  The secret component of this key. Specified as a group of 1 to 20 hex pair values, such as 4a40369b4df32ed0652b548400. This value must be generated outside of TNSR.
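The receiver-side checks described in the overview (look up the key by the ID carried in the packet, recompute the hash, validate the sequence number) together with the two sequence-number behaviours listed under authentication type, as an added Python illustration. This is not TNSR code and not part of the original page; it follows the RFC 5880 layout of the BFD authentication section (Auth Type 4 and 5, a 28-byte section, SHA1 computed over the packet with the zero-padded secret placed in the hash field). The key store, the session-to-key binding, the second secret and a Detect Mult of 3 are constructed assumptions for the example.

```python
"""Receiver-side verification of BFD Keyed SHA1 / Meticulous Keyed SHA1
authentication.  Constructed illustration following the RFC 5880
authentication-section layout; it is not TNSR code.  The key store, session
binding and secrets below are made up for the example."""
import hashlib
import hmac
import struct

HDR_LEN = 24   # mandatory BFD Control header (RFC 5880 section 4.1)
AUTH_LEN = 28  # SHA1 auth section: type, len, key id, reserved, 32-bit seq, 20-byte hash
AUTH_TYPE = {"keyed-sha1": 4, "meticulous-keyed-sha1": 5}  # RFC 5880 Auth Type values

# Constructed key store: internal conf-key-id -> (authentication type, secret).
# As in TNSR, neither the conf-key-id nor the secret ever appears on the wire.
KEYS = {
    123456789: ("meticulous-keyed-sha1", bytes.fromhex("4a40369b4df32ed0652b548400")),
    234567890: ("keyed-sha1", bytes.fromhex("00112233445566778899")),  # constructed secret
}

# Constructed per-session binding: public bfd-key-id (0-255, carried in the
# packet) -> internal conf-key-id.
SESSION_KEY_MAP = {123: 123456789, 124: 234567890}


def _digest(packet_without_hash: bytes, secret: bytes) -> bytes:
    # RFC 5880 section 6.7.4: SHA1 over the whole packet with the Auth Key/Hash
    # field holding the secret, zero-padded on the right to 20 bytes.
    return hashlib.sha1(packet_without_hash + secret.ljust(20, b"\x00")).digest()


def build_packet(auth_type: str, bfd_key_id: int, seq: int, secret: bytes,
                 detect_mult: int = 3, my_disc: int = 1, your_disc: int = 2) -> bytes:
    """Sender side: BFD Control packet in state Up with the A bit set plus an auth section."""
    # Byte 0: version 1 in the top 3 bits, diag 0.  Byte 1: state Up (3) in the
    # top 2 bits and the A (Authentication Present) flag (0x04).
    hdr = struct.pack("!BBBBIIIII", 1 << 5, (3 << 6) | 0x04, detect_mult,
                      HDR_LEN + AUTH_LEN, my_disc, your_disc,
                      1_000_000, 1_000_000, 0)
    auth_hdr = struct.pack("!BBBBI", AUTH_TYPE[auth_type], AUTH_LEN, bfd_key_id, 0, seq)
    return hdr + auth_hdr + _digest(hdr + auth_hdr, secret)


def verify_packet(pkt: bytes, session: dict) -> tuple:
    """Receiver side.  session['rcv_seq'] holds the last accepted sequence number
    (None until the first authenticated packet).  Returns (accepted, reason)."""
    if len(pkt) != HDR_LEN + AUTH_LEN or pkt[3] != len(pkt) or not pkt[1] & 0x04:
        return False, "no authentication section"
    auth_type, auth_len, key_id, _, seq = struct.unpack("!BBBBI", pkt[HDR_LEN:HDR_LEN + 8])
    # 1. Resolve the public key ID carried in the packet to a locally stored key.
    conf_key_id = SESSION_KEY_MAP.get(key_id)
    if conf_key_id not in KEYS:
        return False, "unknown bfd-key-id"
    key_type, secret = KEYS[conf_key_id]
    if auth_type != AUTH_TYPE[key_type] or auth_len != AUTH_LEN:
        return False, "authentication type mismatch"
    # 2. Sequence window: keyed-sha1 may repeat the last number (delta 0), while
    #    meticulous-keyed-sha1 must advance (delta >= 1).  Both are bounded by
    #    3 * Detect Mult, evaluated in the 32-bit circular number space.
    if session["rcv_seq"] is not None:
        lowest = 1 if key_type == "meticulous-keyed-sha1" else 0
        delta = (seq - session["rcv_seq"]) & 0xFFFFFFFF
        if not lowest <= delta <= 3 * pkt[2]:
            return False, "sequence number out of window (replay?)"
    # 3. Recompute the hash with the local secret and compare in constant time.
    if not hmac.compare_digest(_digest(pkt[:HDR_LEN + 8], secret), pkt[HDR_LEN + 8:]):
        return False, "hash mismatch"
    session["rcv_seq"] = seq
    return True, "accepted"
```

The sequence window is checked before the hash so that a replayed or stale packet is discarded without spending a SHA1 computation on it; the hash check is what ties the sequence number and the rest of the packet to the secret.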
To define a new configuration key ID:
tnsr(config)# bfd conf-key-id <conf-key-id>
tnsr(config-bfd-key)# authentication type (keyed-sha1|meticulous-keyed-sha1)
tnsr(config-bfd-key)# secret < (<hex-pair>)[1-20] >
For example:
tnsr(config)# bfd conf-key-id 123456789
tnsr(config-bfd-key)# authentication type meticulous-keyed-sha1
tnsr(config-bfd-key)# secret 4a40369b4df32ed0652b548400
Setup BFD Authentication
Configure Session BFD Keys
There are two keys defined for each BFD session: the internal configuration key defined in Define BFD Keys and the public key identifier sent to the peer. These values are set within config-bfd mode.
- conf-key-id <conf-key-id>:
  Tells BFD which internal configuration key to use with this session. Keys are created as described in the previous section, Define BFD Keys.
- bfd-key-id <bfd-key-id>:
  The public BFD key ID. An unsigned 8-bit integer (0-255) which is the key ID carried in BFD packets, used by the peers to verify authentication.
Warning
Both conf-key-id and bfd-key-id must be specified, or neither can be present. Authentication will only be active if both bfd-key-id and conf-key-id are defined for a BFD session.
Delayed Session Authentication
An additional delayed keyword is also supported for BFD sessions. It tells BFD to hold off any authentication action when receiving BFD messages until a peer attempts to authenticate or uses new credentials.
Warning
Only one host can have the delayed option enabled; otherwise credentials will never update, as both peers will be waiting on the other one to act first.
Warning
BFD implementations vary, so authentication changes may disrupt live BFD sessions. The best practice for avoiding disruption when operating with third party BFD implementations is to set delayed on the TNSR side.
When adding authentication to an existing BFD session or changing active authentication settings, make the changes first on the node with delayed set, then configure the peer to match.
Example
To activate authentication, add the chosen identifiers to a BFD session:
tnsr(config)# bfd session <bfd-session>
tnsr(config-bfd)# bfd-key-id <bfd-key-id>
tnsr(config-bfd)# conf-key-id <conf-key-id>
tnsr(config-bfd)# delayed (true|false)
tnsr(config-bfd)# exit
For example:
tnsr(config)# bfd session otherrouter
tnsr(config-bfd)# bfd-key-id 123
tnsr(config-bfd)# conf-key-id 123456789
tnsr(config-bfd)# delayed false
tnsr(config-bfd)# exit
View BFD Keys
To view a list of keys and their types, use the show bfd keys command:
tnsr# show bfd keys
Conf Key Type Use Count
--------- --------------------- ----------
123456789 meticulous-keyed-sha1 1
234567890 keyed-sha1 0
To view only one specific key, pass its ID to the same command:
tnsr# show bfd keys conf-key-id 123456789
Conf Key Type Use Count
--------- --------------------- ----------
123456789 meticulous-keyed-sha1 1