R0106-HP MSR Router Series MPLS Command Reference(V7)
RSVP commands
authentication challenge
Use authentication challenge to enable the RSVP challenge-response handshake function globally or for
a specific RSVP neighbor.
Use undo authentication challenge to disable the challenge-response handshake function globally or for
a specific RSVP neighbor.
Syntax
authentication challenge
undo authentication challenge
Default
The RSVP challenge-response handshake function is disabled.
Views
RSVP view, RSVP neighbor view
Predefined user roles
network-admin
Usage guidelines
To prevent packet replay attacks, RSVP requires received authentication messages to carry incremental
sequence numbers. To verify the subsequent messages, RSVP saves the sequence number of the last valid
message in a receive-type security association.
However, when RSVP creates a new receive-type security association, it cannot obtain the sequence
number of the sender. To successfully establish the receive-type security association, RSVP sets the receive
sequence number to 0 by default, so the association can receive a message with any sequence number
from the peer. Because this introduces a vulnerability to replay attacks, you should execute the
authentication challenge command. When RSVP creates a receive-type security association, it will
perform a challenge-response handshake to obtain the sequence number of the sender.
RSVP challenge-response handshake can be configured in the following views:
• RSVP view—Configuration applies to all RSVP security associations.
• RSVP neighbor view—Configuration applies only to RSVP security associations with the specified
neighbor.
• Interface view—Configuration applies only to RSVP security associations established on the current
interface.
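The following Python model is an added example, not HP's implementation or code from this reference. It shows why a new receive-type security association that starts at sequence number 0 accepts a replayed message, and how learning the sender's current sequence number through a challenge-response exchange closes that gap. The class names, the sample key, the message payloads and the use of HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac
import os

KEY = b"constructed-demo-key"  # constructed sample key, assumed pre-shared

def mac(seq, data):
    # HMAC-SHA256 is an assumption; the page does not name the algorithm.
    return hmac.new(KEY, seq.to_bytes(8, "big") + data, hashlib.sha256).digest()

class Sender:
    def __init__(self, seq):
        self.seq = seq
    def send(self, payload):
        self.seq += 1  # every authenticated message carries a larger number
        return self.seq, payload, mac(self.seq, payload)
    def respond(self, cookie):
        # Handshake reply: echo the cookie and report the current sequence number.
        return cookie, self.seq, mac(self.seq, cookie)

class ReceiveSA:
    def __init__(self, challenge_peer=None):
        self.last_seq = 0  # default: any sequence number is acceptable
        if challenge_peer is not None:
            cookie = os.urandom(16)  # fresh value, so an old reply cannot be reused
            echoed, seq, tag = challenge_peer.respond(cookie)
            if echoed != cookie or not hmac.compare_digest(tag, mac(seq, cookie)):
                raise ValueError("challenge response rejected")
            self.last_seq = seq
    def accept(self, msg):
        seq, payload, tag = msg
        if not hmac.compare_digest(tag, mac(seq, payload)) or seq <= self.last_seq:
            return False
        self.last_seq = seq  # remember the last valid message
        return True

def demo():
    sender = Sender(seq=1000)
    sa = ReceiveSA()
    captured = sender.send(b"PATH tunnel-1")       # seq 1001, constructed sample
    out = {"original": sa.accept(captured), "replay_same_sa": sa.accept(captured)}
    sender.send(b"PATH tunnel-1 refresh")          # sender is now at seq 1002
    out["replay_new_sa_default"] = ReceiveSA().accept(captured)
    challenged = ReceiveSA(challenge_peer=sender)  # learns 1002 from the peer
    out["replay_new_sa_challenge"] = challenged.accept(captured)
    out["fresh_after_challenge"] = challenged.accept(sender.send(b"PATH tunnel-1"))
    return out

if __name__ == "__main__":
    print(demo())
```

The replayed message is rejected by the existing association and by the association created with the handshake, but accepted by the association created with the default sequence number 0.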
Examples
# Enable RSVP challenge-response handshake globally.
<Sysname> system-view
[Sysname] rsvp
[Sysname-rsvp] authentication challenge
# Enable challenge-response handshake for RSVP neighbor 1.1.1.9.










