authentication challenge
Use authentication challenge to enable the RSVP challenge-response handshake feature globally or for an RSVP neighbor.
Use undo authentication challenge to disable the challenge-response handshake feature globally or for an RSVP neighbor.
Syntax
authentication challenge
undo authentication challenge
Default
The RSVP challenge-response handshake feature is disabled.
Views
RSVP view
RSVP neighbor view
Predefined user roles
network-admin
Usage guidelines
To prevent packet replay attacks, RSVP requires received authentication messages to carry increasing sequence numbers. To verify subsequent messages, RSVP saves the sequence number of the last valid message in a receive-type security association.
However, when RSVP creates a new receive-type security association, it cannot obtain the sequence number of the sender. To successfully establish the receive-type security association, RSVP sets the receive sequence number to 0 by default. Then, the association can receive a message with any sequence number from the peer. Because this introduces a vulnerability to replay attacks, you should execute the authentication challenge command. When RSVP creates a receive-type security association, it will perform a challenge-response handshake to obtain the sequence number of the sender.
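The replay window described above, as an added Python model (not vendor code or device output): a receive-type security association that starts at sequence number 0 accepts a captured message, while one that first learns the sender's sequence number through a challenge rejects it. The class and function names, the constructed key, the use of HMAC-SHA256 and the message layout are assumptions of this model.

```python
import hashlib, hmac, os

KEY = b"constructed-shared-key"  # constructed sample key, not a real credential

def digest(seq, body, key=KEY):
    # Keyed digest over sequence number and body (HMAC-SHA256 is an assumption).
    return hmac.new(key, seq.to_bytes(8, "big") + body, hashlib.sha256).digest()

class Sender:
    def __init__(self, start_seq):
        self.seq = start_seq

    def send(self, body):
        self.seq += 1  # every authenticated message carries a higher number
        return (self.seq, body, digest(self.seq, body))

    def respond(self, cookie):
        # Challenge response: echo the cookie and disclose the current sequence number.
        return (self.seq, cookie, digest(self.seq, cookie))

class ReceiveSA:
    """Simplified receive-type security association."""
    def __init__(self, sender=None, challenge=False):
        self.last_seq = 0  # default: the sender's sequence number is unknown
        if challenge:
            cookie = os.urandom(16)  # fresh value, so an old response cannot be reused
            seq, echoed, mac = sender.respond(cookie)
            if echoed != cookie or not hmac.compare_digest(mac, digest(seq, cookie)):
                raise ValueError("challenge response rejected")
            self.last_seq = seq

    def accept(self, msg):
        seq, body, mac = msg
        if not hmac.compare_digest(mac, digest(seq, body)):
            return False  # wrong key or tampered message
        if seq <= self.last_seq:
            return False  # not newer than the last valid message: replay
        self.last_seq = seq
        return True

def replayed_message_accepted(challenge):
    """True if a captured message is accepted by a newly created receive-type SA."""
    sender = Sender(start_seq=1000)
    captured = sender.send(b"Path refresh")  # seq 1001, assumed recorded on the wire
    for _ in range(5):
        sender.send(b"Path refresh")         # sender moves on to seq 1006
    sa = ReceiveSA(sender, challenge)        # association is created anew
    return sa.accept(captured)

if __name__ == "__main__":
    print("no challenge:", replayed_message_accepted(False))
    print("challenge:   ", replayed_message_accepted(True))
```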
RSVP challenge-response handshake can be configured in the following views:
RSVP view—Configuration applies to all RSVP security associations.
RSVP neighbor view—Configuration applies only to RSVP security associations with the specified neighbor.
Interface view—Configuration applies only to RSVP security associations established on the current interface.
The execution of this command affects only security associations established after the execution. To apply the setting to existing security associations, you must execute the reset rsvp authentication command to delete and then re-establish the security associations.
Examples
# Enable RSVP challenge-response handshake globally.
<Sysname> system-view
[Sysname] rsvp
[Sysname-rsvp] authentication challenge
# Enable challenge-response handshake for RSVP neighbor 1.1.1.9.
<Sysname> system-view
[Sysname] rsvp
[Sysname-rsvp] peer 1.1.1.9
[Sysname-rsvp-peer-1.1.1.9] authentication challenge
Related commands
authentication key
authentication lifetime
authentication window-size
display rsvp authentication
reset rsvp authentication
rsvp authentication challenge
rsvp authentication key
rsvp authentication lifetime
rsvp authentication window-size