
Alcatel-Lucent 5620 Service Aware Manager (5620 SAM) System Administrator Guide
4 — TCP enhanced authentication
4.1 TCP enhanced authentication overview
This chapter describes 5620 SAM support for TCP enhanced authentication on NEs, which
is based on the TCP MD5 signature option described in RFC 2385. MD5 is used here as a
keyed hash, not for encryption: each TCP segment carries a digest computed over the
segment and a secret shared by the two peers, so the receiver can verify that the
segment came from a holder of the secret and was not altered in transit. 5620 SAM TCP
enhanced authentication lets you manage the keys and authentication algorithms used to
authenticate routing-protocol messages.
The 5620 SAM uses this TCP extension to enhance BGP and LDP security. TCP enhanced
authentication is intended for applications in which both ends of a TCP connection must
authenticate each other, such as BGP and LDP peering sessions. TCP peers can change to
a new authentication key during the lifetime of a connection without tearing the
session down.
A 5620 SAM operator with administrative privileges can create, delete, modify, and
distribute TCP enhanced authentication components, and can perform an audit of a
local key chain to compare it with the associated global key chain or other local key
chains. The 5620 SAM TCP enhanced authentication components are called keys
and key chains.
Global key chains are created in Draft mode. This allows operators to verify that the
key chain is correctly configured before they distribute it to the network elements.
When the key chain is approved for distribution, you can change the global key chain
to Released mode, which also distributes the key chain to existing local definitions.
The 5620 SAM saves the latest released version of the global key chain.
TCP keys and key chains
A key is a data structure that is used to authenticate TCP segments. One or more keys
can be associated with a TCP connection. Each key contains an identifier, a shared
secret, an algorithm identifier, and information that specifies when the key is valid
for authenticating the inbound and outbound segments.
A key chain is a list of up to 64 keys that is associated with a TCP connection. Each
key within a key chain has an identifier that is unique within that key chain. You can
use the 5620 SAM to distribute a global key chain to multiple NEs and to assign a key
chain to multiple BGP or LDP instances.
The 5620 SAM treats global and local key chain management as it does policy
management; depending on the distribution mode configuration of a local key chain,
when you modify a global key chain using the 5620 SAM, all local instances can be
updated to ensure that all instances of the key chain in the network are synchronized.
See “Policies overview” in the 5620 SAM User Guide for information about global
and local policy instances, policy distribution and distribution modes, and local
policy audits.
Caution — Alcatel-Lucent recommends that you use only the
5620 SAM to create keys and key chains. Do not create a key or key
chain directly on a managed NE using another interface, for example,
a CLI. The 5620 SAM cannot read a TCP key secret value back from an
NE during resynchronization, so it cannot redistribute a key that was
created on the NE for use on another NE.
If a local NE key chain and the associated global 5620 SAM key chain
differ after a resynchronization, the 5620 SAM generates an alarm.
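The following Python is an added illustration and is not 5620 SAM, SR OS or Alcatel-Lucent code. It models the key and key chain structure described above (identifier, secret, algorithm, validity window, identifiers unique within the chain, at most 64 keys), shows how a peer picks a send key and accepts inbound segments while two keys overlap during a rollover, computes the RFC 2385 MD5 digest over a constructed BGP KEEPALIVE segment, and runs the kind of local-versus-global comparison the audit performs, where the local copy carries no secret because, as the caution above states, a secret cannot be read back from an NE. The class and function names, the send-key selection rule (newest valid key sends, any valid key is accepted on receipt), the audit's field list, and the sample addresses, secrets and times are all assumptions made for the example.

```python
import hashlib, hmac, socket, struct
from dataclasses import dataclass
from typing import List, Optional

# Illustrative model (not 5620 SAM/SR OS code); names and selection rules are assumptions.
@dataclass(frozen=True)
class TcpKey:
    key_id: int                # unique within the key chain
    secret: Optional[bytes]    # None when read back from an NE: the secret is not retrievable
    algorithm: str             # only "message-digest-20" (RFC 2385 keyed MD5) is implemented here
    begin: int                 # epoch seconds from which the key may be used
    end: Optional[int] = None  # None: no end time

    def valid_at(self, t: int) -> bool:
        return self.begin <= t and (self.end is None or t < self.end)

class KeyChain:
    MAX_KEYS = 64

    def __init__(self, name: str, keys: List[TcpKey]):
        ids = [k.key_id for k in keys]
        if len(keys) > self.MAX_KEYS:
            raise ValueError("a key chain holds at most 64 keys")
        if len(set(ids)) != len(ids):
            raise ValueError("key identifiers must be unique within a key chain")
        self.name = name
        self.keys = {k.key_id: k for k in keys}

    def send_key(self, t: int) -> TcpKey:
        """Assumed rule: outbound segments use the newest key that is valid at t."""
        valid = [k for k in self.keys.values() if k.valid_at(t)]
        if not valid:
            raise LookupError(f"no key in {self.name} is valid at t={t}")
        return max(valid, key=lambda k: k.begin)

    def receive_keys(self, t: int) -> List[TcpKey]:
        """Every key valid at t is acceptable inbound; overlapping windows allow rollover."""
        return [k for k in self.keys.values() if k.valid_at(t)]

def tcp_md5_digest(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
                   options_len, data, secret):
    """RFC 2385 section 2: MD5 over (1) the TCP pseudo-header, (2) the fixed TCP header
    with the checksum zeroed (options are excluded from the digest but counted in the
    data offset and segment length), (3) the segment data and (4) the shared secret."""
    if options_len % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    header_len = 20 + options_len
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, header_len + len(data)))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                          (header_len // 4) << 4, flags, window, 0, 0)
    return hashlib.md5(pseudo + tcp_hdr + data + secret).digest()

def sign_segment(chain, t, **seg):
    key = chain.send_key(t)
    if key.secret is None:
        raise ValueError("cannot sign with a key whose secret is unknown")
    return key.key_id, tcp_md5_digest(secret=key.secret, **seg)

def verify_segment(chain, t, digest, **seg):
    """Return the matching key_id or None. The RFC 2385 option carries no key identifier,
    so the receiver tries each key that is valid at t."""
    for key in chain.receive_keys(t):
        if key.secret is not None and hmac.compare_digest(
                digest, tcp_md5_digest(secret=key.secret, **seg)):
            return key.key_id
    return None

def audit(global_chain, local_chain):
    """Compare a local chain (resynchronized from an NE, secrets unavailable) with the
    global definition; a non-empty result is the condition that would raise an alarm."""
    diffs = []
    for kid in sorted(set(global_chain.keys) | set(local_chain.keys)):
        g, l = global_chain.keys.get(kid), local_chain.keys.get(kid)
        if g is None or l is None:
            diffs.append(f"key {kid} present only in {'global' if g else 'local'} chain")
            continue
        for f in ("algorithm", "begin", "end"):
            if getattr(g, f) != getattr(l, f):
                diffs.append(f"key {kid}: {f} global={getattr(g, f)} local={getattr(l, f)}")
    return diffs

# Constructed sample data: a BGP KEEPALIVE (16-byte marker, length 19, type 4);
# options_len=20 stands for the 18-byte MD5 option plus 2 bytes of padding.
SEG = dict(src_ip="10.0.0.1", dst_ip="10.0.0.2", sport=179, dport=40000, seq=1000, ack=2000,
           flags=0x18, window=65535, options_len=20, data=b"\xff" * 16 + b"\x00\x13\x04")
GLOBAL = KeyChain("bgp-peers", [
    TcpKey(1, b"old-secret", "message-digest-20", begin=0, end=1000),
    TcpKey(2, b"new-secret", "message-digest-20", begin=900),
])

def demo():
    kid, digest = sign_segment(GLOBAL, 950, **SEG)         # key 2: newest valid key
    accepted = verify_segment(GLOBAL, 950, digest, **SEG)  # 2
    old = tcp_md5_digest(secret=b"old-secret", **SEG)      # a peer still sending with key 1
    still_ok = verify_segment(GLOBAL, 950, old, **SEG)     # 1: accepted during the overlap
    expired = verify_segment(GLOBAL, 1000, old, **SEG)     # None: key 1 ended at t=1000
    local = KeyChain("bgp-peers", [TcpKey(1, None, "message-digest-20", begin=0, end=1000)])
    return kid, accepted, still_ok, expired, audit(GLOBAL, local)
```

Running `demo()` returns `(2, 2, 1, None, ['key 2 present only in global chain'])`: at t=950 the sender has moved to key 2, a peer that still signs with key 1 is accepted because both keys are valid, and at t=1000 key 1 is rejected. The audit flags that the NE has not yet received key 2 even though it cannot compare secrets, which is the situation the caution describes.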
Release 12.0 R6 | November 2014 | 3HE 08861 AAAF TQZZA Edition 01