authentication challenge

Use authentication challenge to enable the RSVP challenge-response handshake feature globally or for an RSVP neighbor.

Use undo authentication challenge to disable the challenge-response handshake feature globally or for an RSVP neighbor.

Syntax

authentication challenge

undo authentication challenge

Default

The RSVP challenge-response handshake feature is disabled.

Views

RSVP view

RSVP neighbor view

Predefined user roles

network-admin

Usage guidelines

To prevent packet replay attacks, RSVP requires received authentication messages to carry incremental sequence numbers. To verify the subsequent messages, RSVP saves the sequence number of the last valid message in a receive-type security association.

However, when RSVP creates a new receive-type security association, it does not know the sender's current sequence number. So that the association can still be established, RSVP sets the receive sequence number to 0 by default, and the association then accepts a message with any sequence number from the peer. Because this leaves the association open to replay attacks, you should execute the authentication challenge command. With the command configured, RSVP performs a challenge-response handshake when it creates a receive-type security association, to obtain the sender's sequence number.

RSVP challenge-response handshake can be configured in the following views:

The execution of this command affects only security associations established after the execution. To apply the setting to existing security associations, you must execute the reset rsvp authentication command to delete and then re-establish the security associations.
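
The difference between starting a new receive-type security association at sequence number 0 and learning the sender's number through a handshake, as an added Python model (not device or vendor code). The message layout, the use of HMAC-SHA256, the 16-byte cookie, and all class and function names are assumptions made for illustration; the key and payloads are constructed.

```python
import hashlib, hmac, os

KEY = b"constructed-demo-key"  # constructed sample key (assumption)

def u64(n):
    return n.to_bytes(8, "big")

def tag(kind, *fields):  # fixed-length fields come first, so joining is unambiguous
    return hmac.new(KEY, kind + b"".join(fields), hashlib.sha256).digest()

class Sender:
    def __init__(self):
        self.seq = 0
    def send(self, payload):
        self.seq += 1
        return self.seq, payload, tag(b"MSG", u64(self.seq), payload)
    def respond(self, cookie):
        # Echo the receiver's cookie together with the current sequence number.
        return cookie, self.seq, tag(b"RSP", cookie, u64(self.seq))

class ReceiveSA:
    def __init__(self, challenge):
        # Without the handshake, a new association starts at 0 and accepts any number.
        self.last_seq = None if challenge else 0
        self.cookie = None
    def start_challenge(self):
        self.cookie = os.urandom(16)  # fresh per handshake, so old responses fail
        return self.cookie
    def finish_challenge(self, response):
        cookie, seq, mac = response
        ok = (self.cookie is not None and hmac.compare_digest(cookie, self.cookie)
              and hmac.compare_digest(mac, tag(b"RSP", cookie, u64(seq))))
        if ok:
            self.last_seq, self.cookie = seq, None
        return ok
    def accept(self, msg):
        seq, payload, mac = msg
        fresh = self.last_seq is not None and seq > self.last_seq
        if not (fresh and hmac.compare_digest(mac, tag(b"MSG", u64(seq), payload))):
            return False
        self.last_seq = seq
        return True

def replay_accepted(challenge):
    sender = Sender()
    captured = sender.send(b"PATH lsp-1")  # constructed message, recorded earlier
    sa = ReceiveSA(challenge)              # new receive-type security association
    if challenge and not sa.finish_challenge(sender.respond(sa.start_challenge())):
        raise RuntimeError("handshake failed")
    return sa.accept(captured)             # the recorded message is replayed
```

In this model the replayed message carries a valid digest in both cases; only the sequence number learned through the handshake causes it to be rejected.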

Examples

# Enable RSVP challenge-response handshake globally.

<Sysname> system-view
[Sysname] rsvp
[Sysname-rsvp] authentication challenge

# Enable challenge-response handshake for RSVP neighbor 1.1.1.9.

<Sysname> system-view
[Sysname] rsvp
[Sysname-rsvp] peer 1.1.1.9
[Sysname-rsvp-peer-1.1.1.9] authentication challenge

Related commands

authentication key

authentication lifetime

authentication window-size

display rsvp authentication

reset rsvp authentication

rsvp authentication challenge

rsvp authentication key

rsvp authentication lifetime

rsvp authentication window-size