Riverstone Networks RS Switch Router User Guide Release 8.0 18-7

Routing Policy Configuration

Configuring Simple Routing Policies

Authentication Methods

There are two main authentication methods:

Simple Password

In this method, an authentication key of up to 8 characters is included in the packet. If this does
not match what is expected, the packet is discarded. This method provides little security, as it is
possible to learn the authentication key by watching the protocol packets.

MD5

This method uses the MD5 algorithm to create a crypto-checksum of the protocol packet and an
authentication key of up to 16 characters. The transmitted packet does not contain the
authentication key itself; instead, it contains a crypto-checksum, called the digest. The receiving
router performs the same calculation using the correct authentication key and discards the packet if the
digest does not match. In addition, a sequence number is maintained to prevent the replay of
older packets. This method provides a much stronger assurance that routing data originated
from a router with a valid authentication key.

Many protocols allow the specification of two authentication keys per interface. Packets are always sent using the
primary key, but received packets are checked against both the primary and secondary keys before being discarded.

Authentication Keys and Key Management

An authentication key permits the generation and verification of the authentication field in protocol packets. In many
situations, the same primary and secondary keys are used on several interfaces of a router. To make key management
easier, the concept of a key-chain was introduced. Each key-chain has an identifier and can contain up to two keys.
One key is the primary key and the other is the secondary key. Outgoing packets use the primary authentication key, but
incoming packets may match either the primary or secondary authentication key. In Configure mode, instead of
specifying the key for each interface (which can be up to 16 characters long), you can specify a key-chain identifier.

The RS supports the MD5 authentication specification of OSPF (RFC 2178), which uses the MD5 algorithm and an authentication key of
up to 16 characters. Thus there are now three authentication schemes available per interface: none, simple and RFC
2178 OSPF MD5 authentication. It is possible to configure different authentication schemes on different interfaces.

RFC 2178 allows multiple MD5 keys per interface. Each key has two time periods associated with it:

A time period during which the key is used to generate digests

A time period during which the key is accepted on received packets

The RS only allows one MD5 key per interface. Also, there are no options provided to specify the time periods during
which the key is generated and accepted; the specified MD5 key is always generated and accepted. Both of these
limitations will be removed in a future release.

18.2 CONFIGURING SIMPLE ROUTING POLICIES

Simple routing policies provide an efficient way for routing information to be exchanged between routing protocols.
The redistribute command can be used to redistribute routes from one routing domain into another routing
domain. Redistribution of routes between routing domains is based on route policies. A route policy is a set of
conditions based on which routes are redistributed. While the redistribute command may fulfill the export policy
requirement for most users, complex export policies may require the use of the commands listed under Export Policies.
