What is TCP enhanced authentication?

Overview
CAUTION

Service Disruption

It is recommended that you use only the NFM-P to create keys and key chains. Do not create a key or key chain directly on a managed NE using another interface, for example, a CLI. The NFM-P cannot obtain a TCP key secret value from an NE during resynchronization, so it cannot specify the key for use on another NE.

If a local NE key chain and the associated global NFM-P key chain differ after a resynchronization, the NFM-P raises an alarm.

This topic describes the NFM-P support of TCP enhanced authentication for NEs, based on the TCP MD5 Signature Option described in RFC 2385 and the TCP Authentication Option (TCP-AO) defined in RFC 5925 and RFC 5926. RFC 2385 is not an encryption mechanism: it appends a keyed MD5 digest computed over each segment and a shared secret, and the secret itself is never transmitted. TCP-AO replaces MD5 with stronger message authentication codes (HMAC-SHA-1-96 and AES-128-CMAC-96, as defined in RFC 5926) and adds in-connection key rollover. NFM-P TCP enhanced authentication allows these algorithms to be used to authenticate the TCP segments that carry routing protocol messages.

The NFM-P uses these TCP extensions to enhance BGP and LDP security: each segment carries an authentication code derived from a shared secret, so a host that does not hold the secret cannot inject segments into, or spoof, the session between two peers. TCP peers can update authentication keys during the lifetime of a connection.

An NFM-P operator with administrative privileges can create, delete, modify, and distribute TCP enhanced authentication components, and can perform an audit of a local key chain to compare it with the associated global key chain or other local key chains. The NFM-P TCP enhanced authentication components are called keys and key chains.

Global key chains are created in Draft mode. This allows operators to verify that the key chain is correctly configured before distribution to NEs. When the key chain is approved for distribution, you can change the global key chain to Released mode, which also distributes the key chain to existing local definitions. The NFM-P saves the latest released version of the global key chain.

TCP keys and key chains

A key is a data structure that is used to authenticate TCP segments. One or more keys can be associated with a TCP connection. Each key contains an identifier, a shared secret, an algorithm identifier, and information that specifies when the key is valid for authenticating the inbound and outbound segments.

A key chain is a list of up to 64 keys that is associated with a TCP connection. Each key within a key chain contains an identifier that is unique within the key chain. You can use the NFM-P to distribute a global key chain to multiple NEs and assign a key to multiple BGP or LDP instances.

The NFM-P treats global and local key chain management as it does policy management; depending on the distribution mode configuration of a local key chain, when you modify a global key chain using the NFM-P, all local instances can be updated to ensure that all instances of the key chain in the network are synchronized. See “Policies overview” in the NSP NFM-P User Guide for information about global and local policy instances, policy distribution and distribution modes, and local policy audits.

When the NFM-P attempts to synchronize the keys in a global key chain with the keys on an NE, the NE does not return the secret key value. After a key chain is deployed to an NE, the shared secret and the authentication algorithm of a key cannot be modified; a new secret or algorithm requires a new key. You can delete a key chain or key only when it is not in use by a protocol.

You can specify whether an NE uses a TCP key for sending packets, receiving packets, or both. Configuring keys for both directions (send-receive) is generally good practice: if a key is configured as send-only on one NE while its peer uses that key to authenticate segments it sends, the first NE drops those segments and the session fails, whereas a send-receive key cannot be broken by a direction mismatch.

There are two classes of TCP keys:

Active keys

A key chain contains exactly one active key: the key that TCP uses to generate authentication information for outbound segments. You cannot delete the active key in a key chain.

Eligible keys

A key chain contains zero or more eligible keys. An eligible key is a key that TCP uses to authenticate inbound segments; during a key rollover the previous key typically remains eligible for receiving after it has stopped being active for sending, so that in-flight segments are still accepted.
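The following is an added example, not NFM-P or router code, that models the key-chain rules described above (one active key for outbound segments, eligible keys for inbound segments, per-key send and receive validity) and the send/receive mismatch warned about earlier in this topic. The MAC is HMAC-SHA-1 truncated to 96 bits, the HMAC-SHA-1-96 algorithm of RFC 5926, but it is computed here over only a key identifier and a payload; a real TCP-AO implementation also covers the IP pseudo-header and TCP header and first derives a per-connection traffic key. The rule that the most recently started send-valid key is the active key, the key windows and the message bytes are assumptions constructed for the scenario.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Added example (not NFM-P or NE code): key-chain selection and verification
# rules for a TCP-AO style option, with a simplified HMAC-SHA-1-96 MAC.
MAC_LEN = 12                                  # 96-bit truncated MAC
MAX_KEYS = 64                                 # key-chain limit stated on the page
Window = Optional[tuple[int, Optional[int]]]  # (begin, end); None = direction unused


def _in_window(window: Window, now: int) -> bool:
    """True if the key may be used in that direction at time `now`."""
    if window is None:
        return False
    begin, end = window
    return begin <= now and (end is None or now < end)


@dataclass(frozen=True)
class Key:
    key_id: int      # unique within the chain; carried in the option as KeyID
    secret: bytes    # shared secret; an NE never returns it on resynchronization
    send: Window     # when this key may generate MACs for outbound segments
    receive: Window  # when this key may verify MACs on inbound segments


def compute_mac(secret: bytes, key_id: int, payload: bytes) -> bytes:
    """Simplified MAC: HMAC-SHA-1 over KeyID || payload, truncated to 96 bits."""
    return hmac.new(secret, bytes([key_id]) + payload, hashlib.sha1).digest()[:MAC_LEN]


class KeyChain:
    def __init__(self, keys: list[Key]) -> None:
        if len(keys) > MAX_KEYS:
            raise ValueError("a key chain holds at most 64 keys")
        self.keys = {k.key_id: k for k in keys}
        if len(self.keys) != len(keys):
            raise ValueError("key IDs must be unique within a key chain")

    def active_key(self, now: int) -> Key:
        """The one key used for outbound segments. Assumption: among keys whose
        send window is open, the one that started most recently is active."""
        candidates = [k for k in self.keys.values() if _in_window(k.send, now)]
        if not candidates:
            raise LookupError("no send-valid key: outbound segments cannot be authenticated")
        return max(candidates, key=lambda k: k.send[0])

    def eligible_keys(self, now: int) -> list[int]:
        """IDs of the keys that may currently authenticate inbound segments."""
        return sorted(k.key_id for k in self.keys.values() if _in_window(k.receive, now))

    def protect(self, payload: bytes, now: int) -> bytes:
        """Outbound segment: KeyID || payload || MAC, using the active key."""
        key = self.active_key(now)
        return bytes([key.key_id]) + payload + compute_mac(key.secret, key.key_id, payload)

    def verify(self, segment: bytes, now: int) -> Optional[bytes]:
        """Inbound segment: look up the key named by KeyID, require it to be
        receive-valid, compare MACs in constant time. Returns payload or None (drop)."""
        if len(segment) < 1 + MAC_LEN:
            return None
        key_id, payload, tag = segment[0], segment[1:-MAC_LEN], segment[-MAC_LEN:]
        key = self.keys.get(key_id)
        if key is None or not _in_window(key.receive, now):
            return None
        if not hmac.compare_digest(compute_mac(key.secret, key_id, payload), tag):
            return None
        return payload


def rollover_demo() -> dict:
    """Constructed scenario: key 1 rolls over to key 2 at t=200. Receive windows
    overlap the send windows so segments in flight at the cutover survive."""
    shared = [
        Key(1, b"old-secret", send=(0, 200), receive=(0, 300)),
        Key(2, b"new-secret", send=(200, None), receive=(150, None)),
    ]
    peer_a, peer_b = KeyChain(shared), KeyChain(shared)
    # Peer C received key 2 as a send-only key: the wrong key type for an NE
    # that must also accept segments authenticated with it.
    peer_c = KeyChain([shared[0], Key(2, b"new-secret", send=(200, None), receive=None)])
    msg = b"BGP KEEPALIVE"                          # constructed payload
    seg_100 = peer_a.protect(msg, 100)              # authenticated with key 1
    seg_250 = peer_a.protect(msg, 250)              # authenticated with key 2
    forged = bytes([2]) + msg + bytes(MAC_LEN)      # attacker without the secret
    return {
        "t100_key": seg_100[0],
        "t100_ok": peer_b.verify(seg_100, 100),
        "t250_key": seg_250[0],
        "t250_ok": peer_b.verify(seg_250, 250),
        "eligible_t250": peer_b.eligible_keys(250),   # old key still eligible
        "eligible_t350": peer_b.eligible_keys(350),   # old key expired
        "forged_dropped": peer_b.verify(forged, 250),
        "wrong_type_dropped": peer_c.verify(seg_250, 250),
    }


if __name__ == "__main__":
    for name, value in rollover_demo().items():
        print(f"{name}: {value!r}")
```

Peer B accepts both segments because key 2 becomes eligible for receiving (t=150) before it becomes active for sending (t=200), and key 1 stays eligible until t=300; peer C, whose key 2 is send-only, drops the same valid segment, which is the failure mode that makes send-receive keys the safer default.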