HP MSR2000/3000/4000 Router Series MPLS Command Reference

RSVP commands
authentication challenge
Use authentication challenge to enable the RSVP challenge-response handshake function globally or for
a specific RSVP neighbor.
Use undo authentication challenge to disable the challenge-response handshake function globally or for
a specific RSVP neighbor.
Syntax
authentication challenge
undo authentication challenge
Default
The RSVP challenge-response handshake function is disabled.
Views
RSVP view, RSVP neighbor view
Predefined user roles
network-admin
Usage guidelines
To prevent packet replay attacks, RSVP requires received authentication messages to carry incremental
sequence numbers. To verify the subsequent messages, RSVP saves the sequence number of the last valid
message in a receive-type security association.
However, when RSVP creates a new receive-type security association, it cannot obtain the sequence
number of the sender. To successfully establish the receive-type security association, RSVP sets the receive
sequence number to 0 by default, so the association can receive a message with any sequence number
from the peer. Because this introduces a vulnerability to replay attacks, you should execute the
authentication challenge command. When RSVP creates a receive-type security association, it will
perform a challenge-response handshake to obtain the sequence number of the sender.
RSVP challenge-response handshake can be configured in the following views:
RSVP view—Configuration in this view applies to all RSVP messages.
RSVP neighbor view—Configuration in this view applies only to RSVP messages received from and
sent to the specified neighbor.
Interface view—Configuration in this view applies only to RSVP messages received and sent by the
interface.
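The effect of the default receive sequence number of 0 compared with one learned through the handshake, as an added example (a simplified Python model, not HP code and not the RSVP wire format). HMAC-SHA256, the key, the class and function names, and the sequence values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

KEY = b"constructed-sample-key"  # constructed value; both peers share it

def mac(seq, body):
    # HMAC-SHA256 is an assumption; the page does not name the algorithm.
    return hmac.new(KEY, seq.to_bytes(8, "big") + body, hashlib.sha256).digest()

class Sender:
    def __init__(self, seq):
        self.seq = seq
    def send(self, body):
        self.seq += 1  # every authenticated message carries a higher number
        return self.seq, body, mac(self.seq, body)
    def respond(self, cookie):
        # Response echoes the challenge and reports the current sequence number.
        return self.seq, cookie, mac(self.seq, cookie)

class ReceiveSA:
    # Hypothetical model of a receive-type security association.
    def __init__(self, challenge):
        self.last_seq = 0            # default described in the usage guidelines
        self.ready = not challenge   # with the handshake on, wait for a response
    def handshake(self, sender):
        cookie = os.urandom(16)      # fresh value, so an old response cannot be reused
        seq, echoed, tag = sender.respond(cookie)
        if echoed == cookie and hmac.compare_digest(tag, mac(seq, cookie)):
            self.last_seq, self.ready = seq, True
        return self.ready
    def accept(self, msg):
        seq, body, tag = msg
        if not self.ready or not hmac.compare_digest(tag, mac(seq, body)):
            return False
        if seq <= self.last_seq:     # not newer than the last valid message
            return False
        self.last_seq = seq
        return True

def old_message_accepted(challenge):
    sender = Sender(seq=1000)              # constructed starting value
    old = sender.send(b"Path refresh")     # validly signed, seen earlier (1001)
    sender.send(b"Path refresh")           # sender has since moved on (1002)
    sa = ReceiveSA(challenge)              # association is created anew
    if challenge:
        sa.handshake(sender)
    return sa.accept(old)
```

old_message_accepted(False) returns True because any sequence number is greater than 0; old_message_accepted(True) returns False because the handshake has already set the receive sequence number to the sender's current value.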
Examples
# Enable RSVP challenge-response handshake globally.
<Sysname> system-view
[Sysname] rsvp
[Sysname-rsvp] authentication challenge
# Enable challenge-response handshake for RSVP neighbor 1.1.1.9.