authentication window-size
Use authentication window-size in RSVP view to set the global RSVP authentication window size, which is the maximum number of authenticated RSVP messages that can be received out of sequence.
Use authentication window-size in RSVP neighbor view to set the RSVP authentication window size for an RSVP neighbor.
Use undo authentication window-size to restore the default.
Syntax
authentication window-size number
undo authentication window-size
Default
Only one authenticated RSVP message can be received out of sequence.
Views
RSVP view
RSVP neighbor view
Predefined user roles
network-admin
Parameters
number: Specifies the maximum number of authenticated RSVP messages that can be received out of sequence, in the range of 1 to 64.
Usage guidelines
To protect against replay attacks, the sender places a unique sequence number in each RSVP message that contains authentication information. The sender increases the value of the sequence number by one each time it sends an RSVP message. If the sequence number of a received message is in the specified authentication window size, the receiver accepts the message. If it is not in the specified authentication window size, the receiver discards the message.
When the receiver receives an RSVP message, it compares the sequence number of the last accepted RSVP message with the sequence number of the newly received RSVP message.
If the new sequence number is greater than the last sequence number, RSVP accepts the message and updates the last sequence number with the new sequence number.
If the new sequence number equals the last sequence number, RSVP regards the message a replay message and discards the message.
If the new sequence number is smaller than the last sequence number but greater than the last sequence number minus the window size, and has never been received before, RSVP accepts the message. If the new sequence number has been received before, RSVP regards the message a replay message and discards the message.
If the new sequence number is smaller than or equal to the last sequence number minus the window size, RSVP regards the message invalid and discards the message.
By default, the authentication window size is 1. If the sequence number of a newly received RSVP message is smaller than that of the last accepted message, the device discards the message. However, if the sender sends multiple RSVP messages in a short time, these messages might arrive at the neighbor out of sequence. If you use the default window size, the out-of-sequence messages will be discarded. To solve this problem, you can use the authentication window-size command to configure a correct window size.
A security association established by using the authentication key configured in a view uses the window size configured in that view.
A modification to the window size affects only security associations established after the modification. To apply the new setting to existing security associations, you must execute the reset rsvp authentication command to delete and then re-establish the security associations.
Examples
# In RSVP view, set the maximum number of out-of-sequence authenticated RSVP messages that can be received to 10.
<Sysname> system-view [Sysname] rsvp [Sysname-rsvp] authentication window-size 10
# In RSVP neighbor view, set the maximum number of out-of-sequence authenticated RSVP messages that can be received from RSVP neighbor 1.1.1.9 to 10.
<Sysname> system-view [Sysname] rsvp [Sysname-rsvp] peer 1.1.1.9 [Sysname-rsvp-peer-1.1.1.9] authentication window-size 10
Related commands
authentication challenge
authentication key
authentication lifetime
display rsvp authentication
reset rsvp authentication
rsvp authentication challenge
rsvp authentication key
rsvp authentication lifetime
rsvp authentication window-size