OcNOS-RON : Layer 3 Guide : Bidirectional Forwarding Detection Configuration Guide : BFD Authentication
BFD Authentication
This chapter provides BFD authentication configuration examples.
Overview
Bidirectional Forwarding Detection (BFD) is a protocol intended to detect faults in the bidirectional path between two forwarding engines, including physical interfaces, sub-interfaces, and data links. It operates independently of media, data protocols, and routing protocols. A session is created between the two ends of a link. If an attacker can inject or tamper with BFD control packets, the link may be falsely declared down, or falsely declared up. To protect against this, enable authentication on BFD sessions; a receiver then discards packets that fail the authentication check, which mitigates such attacks.
OcNOS supports the following authentication types:
Simple password
Meticulous-Keyed-SHA1
Keyed-SHA1
Among these types, Meticulous-Keyed-SHA1 is the strongest.
Authentication on BFD sessions is optional. It is disabled by default and is enabled through the CLI. When authentication is enabled, BFD control packets are exchanged with an authentication section (built according to the configured authentication type). The receiving system examines the authentication section of each packet; if the check succeeds, the packet is accepted, otherwise it is discarded.
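The receive-side check described above, worked through as an added example (this is not OcNOS code): it builds a BFD control packet carrying the Keyed-SHA1 authentication section defined in RFC 5880 section 6.7.4, signs it with the key-id 2 / key "ocnos" used later on this page, and shows the receiver discarding a packet whose state field was altered, a packet signed with a different key, and a packet with a stale sequence number. The discriminators and timers are taken from the validation output further down; everything else is constructed.

```python
import hashlib
import hmac
import struct

AUTH_KEYED_SHA1 = 4   # RFC 5880 Auth Type value for Keyed SHA1
AUTH_LEN = 28         # fixed Auth Len for Keyed / Meticulous Keyed SHA1
STATE_UP, STATE_DOWN = 3, 1

def build_control(state, detect_mult, my_disc, your_disc, tx_us, rx_us):
    """Mandatory 24-byte BFD Control section, version 1, A (auth present) bit set."""
    vers_diag = (1 << 5) | 0                 # Vers=1, Diag=0 (None)
    flags = (state << 6) | (1 << 2)          # Sta in the top two bits, A bit = 0x04
    return struct.pack("!BBBBIIIII", vers_diag, flags, detect_mult, 24 + AUTH_LEN,
                       my_disc, your_disc, tx_us, rx_us, 0)

def sign_keyed_sha1(control, key_id, seq, key):
    """Append the Keyed SHA1 auth section (RFC 5880 6.7.4): the digest is SHA1 over
    the whole packet with the zero-padded key sitting in the Auth Key/Hash field."""
    header = struct.pack("!BBBBI", AUTH_KEYED_SHA1, AUTH_LEN, key_id, 0, seq)
    digest = hashlib.sha1(control + header + key.ljust(20, b"\x00")).digest()
    return control + header + digest

def verify_keyed_sha1(packet, keys, rcv_seq, detect_mult):
    """Receiver-side checks in RFC order; returns (accepted, reason)."""
    if len(packet) != 24 + AUTH_LEN or not packet[1] & 0x04:
        return False, "bad length or A bit clear"
    auth_type, auth_len, key_id, _rsvd, seq = struct.unpack("!BBBBI", packet[24:32])
    if auth_type != AUTH_KEYED_SHA1 or auth_len != AUTH_LEN:
        return False, "unexpected auth type or length"
    if key_id not in keys:
        return False, "unknown key-id"
    # Keyed SHA1 replay window: seq must lie in [rcv_seq, rcv_seq + 3*DetectMult] mod 2^32
    if rcv_seq is not None and ((seq - rcv_seq) & 0xFFFFFFFF) > 3 * detect_mult:
        return False, "sequence number outside replay window"
    expected = hashlib.sha1(packet[:32] + keys[key_id].ljust(20, b"\x00")).digest()
    if not hmac.compare_digest(expected, packet[32:]):
        return False, "digest mismatch"
    return True, "accepted"

def demo():
    """Constructed sample: R1's session to 20.1.1.2 with key-id 2 / key 'ocnos'."""
    keys = {2: b"ocnos"}
    ctrl = build_control(STATE_UP, 3, 1001, 1001, 250_000, 250_000)
    good = sign_keyed_sha1(ctrl, 2, 100, b"ocnos")
    forged = bytearray(good)                     # state rewritten to Down, digest untouched
    forged[1] = (STATE_DOWN << 6) | 0x04
    wrong_key = sign_keyed_sha1(ctrl, 2, 101, b"guess")
    replay = sign_keyed_sha1(ctrl, 2, 90, b"ocnos")   # older than the receiver's rcv_seq=95
    return {name: verify_keyed_sha1(p, keys, 95, 3)[1]
            for name, p in [("good", good), ("forged", bytes(forged)),
                            ("wrong_key", wrong_key), ("replay", replay)]}
```

Meticulous-Keyed-SHA1 uses the same digest; it differs only in that the sequence number must increase on every packet, which is why the page calls it the strongest of the three.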
Enabling BFD Authentication for Multihop for IPv4, Using Key-ID
In this example, a BFD multihop session is configured between R1 and R3 using a single key, identified by its key-ID. Once the BFD session is up, authentication is enabled on both routers with the authentication type Keyed-SHA1. Authentication can be enabled on a BFD session using any of the authentication types listed above, provided the same type is configured on both sides.
Note: BFD authentication is not supported for single-hop BFD sessions.
Topology
Basic Topology of Three Routers
Router 1 (R1)
 
R1#configure terminal
Enter the Configure mode.
R1(config)#interface lo
Enter the Loopback Interface configuration mode.
R1(config-if)#ip address 1.1.1.1/32 secondary
Assign IP address for interface
R1(config-if)#commit
Commit the candidate configuration to the running configuration.
R1(config-if)#exit
Exit from interface mode.
R1(config)#interface xe9
Enter Interface Mode.
R1(config-if)#ip address 10.1.1.1/24
Assign IP address for interface
R1(config-if)#bfd session 10.1.1.1 20.1.1.2 multihop
Enabling BFD Multihop session
R1(config-if)#commit
Commit the candidate configuration to the running configuration.
R1(config-if)#exit
Exit from interface mode.
R1(config)#router ospf 1
Enter router OSPF mode
R1(config-router)#redistribute connected
Redistribute connected routes into OSPF.
R1(config-router)#network 10.1.1.0/24 area 0
Advertise the network to area 0
R1(config-router)#commit
Commit the candidate configuration to the running configuration.
R1(config-router)#exit
Exit router OSPF mode
R1(config)#bfd multihop-peer 20.1.1.2 auth type keyed-sha1 key-id 2 0 key ocnos
Enabling Authentication for Multihop session
Router 2 (R2)
 
R2#configure terminal
Enter the Configure mode.
R2(config)#interface lo
Enter the Loopback Interface configuration mode.
R2(config-if)#ip address 2.2.2.2/32 secondary
Assign IP address for interface
R2(config-if)#commit
Commit the candidate configuration to the running configuration.
R2(config-if)#exit
Exit from interface mode.
R2(config)#interface xe9
Enter Interface Mode.
R2(config-if)#ip address 10.1.1.2/24
Assign IP address for interface
R2(config-if)#exit
Exit from interface mode.
R2(config)#interface xe2
Enter Interface Mode.
R2(config-if)#ip address 20.1.1.1/24
Assign IP address for interface
R2(config-if)#commit
Commit the candidate configuration to the running configuration.
R2(config-if)#exit
Exit from interface mode.
R2(config)#router ospf 1
Enter router OSPF mode
R2(config-router)#redistribute connected
Redistribute connected routes into OSPF.
R2(config-router)#network 10.1.1.0/24 area 0
Advertise the network to area 0
R2(config-router)#network 20.1.1.0/24 area 0
Advertise the network to area 0
R2(config-router)#commit
Commit the candidate configuration to the running configuration.
R2(config-router)#exit
Exit router OSPF mode
Router 3 (R3)
 
R3#configure terminal
Enter the Configure mode.
R3(config)#interface lo
Enter the Loopback Interface configuration mode.
R3(config-if)#ip address 3.3.3.3/32 secondary
Assign IP address for interface
R3(config-if)#commit
Commit the candidate configuration to the running configuration.
R3(config-if)#exit
Exit from interface mode.
R3(config)#interface xe2
Enter Interface Mode.
R3(config-if)#ip address 20.1.1.2/24
Assign IP address for interface
R3(config-if)#bfd session 20.1.1.2 10.1.1.1 multihop
Enabling BFD Multihop session
R3(config-if)#commit
Commit the candidate configuration to the running configuration.
R3(config-if)#exit
Exit from interface mode.
R3(config)#router ospf 1
Enter router OSPF mode
R3(config-router)#redistribute connected
Redistribute connected routes into OSPF.
R3(config-router)#network 20.1.1.0/24 area 0
Advertise the network to area 0
R3(config-router)#exit
Exit router OSPF mode
R3(config)#bfd multihop-peer 10.1.1.1 auth type keyed-sha1 key-id 2 0 key ocnos
Enabling Authentication for Multihop session
R3(config)#commit
Commit the candidate configuration to the running configuration.
Validation
Check that the multihop session is up between R1 and R3 and that the configured authentication type is shown.
R1#show ip ospf neighbor
 
Total number of full neighbors: 1
OSPF process 1 VRF(default):
Neighbor ID    Pri   State      Dead Time   Address     Interface   Instance ID
2.2.2.2        1     Full/DR    00:00:33    10.1.1.2    xe9         0
 
R1#sh bfd session
 
BFD process for VRF: (DEFAULT VRF)
=====================================================================================
Sess-Idx   Remote-Disc   Lower-Layer   Sess-Type   Sess-State   UP-Time    Interface   Down-Reason   Remote-Addr
1001       1001          IPv4          Multi-Hop   Up           00:34:32   NA          NA            20.1.1.2/32
Number of Sessions: 1
 
R1#sh bfd session detail
 
BFD process for VRF: (DEFAULT VRF)
====================================================================================
 
Session Interface Index : 0 Session Index : 1001
Lower Layer : IPv4 Version : 1
Session Type : Multihop Arbit Path Session State : Up
Local Discriminator : 1001 Local Address : 10.1.1.1/32
Remote Discriminator : 1001 Remote Address : 20.1.1.2/32
Local Port : 49152 Remote Port : 4784
Options :
 
Diagnostics : None
 
Timers in Milliseconds :
Min Tx: 250 Min Rx: 250 Multiplier: 3
Neg Tx: 250 Neg Rx: 250 Neg detect mult: 3
Min echo Tx: 1000 Min echo Rx: 1000 Neg echo intrvl: 0
Storage type : 2
Sess down time : 00:00:00
Sess Down Reason : NA
Bfd GTSM Disabled
Bfd Authentication Enabled
Authentication type : keyed-sha1
Authentication Key-id : 2
 
Counters values:
Pkt In : 00000000000000027907 Pkt Out : 00000000000000028347
Pkts Drop : 00000000000000000000 Auth Pkts Drop : 00000000000000000000
Echo Out : 00000000000000000000 IPv6 Echo Out : 00000000000000000000
IPv6 Pkt In : 00000000000000000000 IPv6 Pkt Out : 00000000000000000000
UP Count : 12 UPTIME : 00:34:34
 
Protocol Client Info:
BFD-> Client ID: 28 Flags: 4
----------------------------------------------------------
Number of Sessions: 1
 
R3#show ip ospf neighbor
 
Total number of full neighbors: 1
OSPF process 1 VRF(default):
Neighbor ID    Pri   State         Dead Time   Address     Interface   Instance ID
2.2.2.2        1     Full/Backup   00:00:32    20.1.1.1    xe2         0
 
R3#sh bfd session
 
BFD process for VRF: (DEFAULT VRF)
=====================================================================================
Sess-Idx   Remote-Disc   Lower-Layer   Sess-Type   Sess-State   UP-Time    Interface   Down-Reason   Remote-Addr
1001       1001          IPv4          Multi-Hop   Up           00:36:27   NA          NA            10.1.1.1/32
Number of Sessions: 1
R3#sh bfd session detail
 
BFD process for VRF: (DEFAULT VRF)
====================================================================================
 
Session Interface Index : 0 Session Index : 1001
Lower Layer : IPv4 Version : 1
Session Type : Multihop Arbit Path Session State : Up
Local Discriminator : 1001 Local Address : 20.1.1.2/32
Remote Discriminator : 1001 Remote Address : 10.1.1.1/32
Local Port : 49152 Remote Port : 4784
Options :
 
Diagnostics : None
 
Timers in Milliseconds :
Min Tx: 250 Min Rx: 250 Multiplier: 3
Neg Tx: 250 Neg Rx: 250 Neg detect mult: 3
Min echo Tx: 1000 Min echo Rx: 1000 Neg echo intrvl: 0
Storage type : 2
Sess down time : 00:00:00
Sess Down Reason : NA
Bfd GTSM Disabled
Bfd Authentication Enabled
Authentication type : keyed-sha1
Authentication Key-id : 2
 
Counters values:
Pkt In : 00000000000000028428 Pkt Out : 00000000000000028715
Pkts Drop : 00000000000000000000 Auth Pkts Drop : 00000000000000000000
Echo Out : 00000000000000000000 IPv6 Echo Out : 00000000000000000000
IPv6 Pkt In : 00000000000000000000 IPv6 Pkt Out : 00000000000000000000
UP Count : 12 UPTIME : 00:36:29
 
Protocol Client Info:
BFD-> Client ID: 28 Flags: 4
----------------------------------------------------------
Number of Sessions: 1
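A defender-side check over the validation output, added here as an example and not part of OcNOS: it parses the "show bfd session detail" layout shown above and flags sessions with authentication disabled, an authentication type weaker than the required minimum, or a nonzero Auth Pkts Drop counter. Assumptions: the sample is constructed from the R1 output plus an invented second session; the type strings "simple" and "meticulous-keyed-sha1" are assumed labels (only "keyed-sha1" appears on the page); and Auth Pkts Drop is taken to count packets discarded for failing authentication.

```python
import re

# Constructed excerpt in the layout of OcNOS "show bfd session detail"; session 1001 is
# copied from the R1 output on this page, session 1002 is invented as a weak/failing case.
SAMPLE_OUTPUT = """\
Session Interface Index : 0 Session Index : 1001
Local Discriminator : 1001 Local Address : 10.1.1.1/32
Remote Discriminator : 1001 Remote Address : 20.1.1.2/32
Bfd GTSM Disabled
Bfd Authentication Enabled
Authentication type : keyed-sha1
Authentication Key-id : 2
Pkts Drop : 00000000000000000000 Auth Pkts Drop : 00000000000000000000
----------------------------------------------------------
Session Interface Index : 0 Session Index : 1002
Local Discriminator : 1002 Local Address : 10.1.1.1/32
Remote Discriminator : 1002 Remote Address : 20.1.1.3/32
Bfd GTSM Disabled
Bfd Authentication Enabled
Authentication type : simple
Authentication Key-id : 1
Pkts Drop : 00000000000000000000 Auth Pkts Drop : 00000000000000000007
----------------------------------------------------------
"""

# Relative strength as ranked on this page; "simple" and "meticulous-keyed-sha1" are assumed labels.
STRENGTH = {"meticulous-keyed-sha1": 3, "keyed-sha1": 2, "simple": 1}

def parse_sessions(text):
    """Split the output on the per-session dashed separator and pull out the auth fields."""
    sessions = []
    for block in re.split(r"-{10,}", text):
        idx = re.search(r"Session Index : (\d+)", block)
        if not idx:
            continue                      # trailing fragment without a session
        auth_type = re.search(r"Authentication type : (\S+)", block)
        drops = re.search(r"Auth Pkts Drop : (\d+)", block)
        sessions.append({
            "index": int(idx.group(1)),
            "remote": re.search(r"Remote Address : (\S+)", block).group(1),
            "auth_enabled": "Bfd Authentication Enabled" in block,
            "auth_type": auth_type.group(1) if auth_type else None,
            "auth_drops": int(drops.group(1)) if drops else 0,
        })
    return sessions

def audit(sessions, minimum="keyed-sha1"):
    """Return one finding per policy violation; an empty list means every session passes."""
    findings = []
    for s in sessions:
        tag = f"session {s['index']} -> {s['remote']}"
        if not s["auth_enabled"]:
            findings.append(f"{tag}: authentication disabled")
        elif STRENGTH.get(s["auth_type"], 0) < STRENGTH[minimum]:
            findings.append(f"{tag}: auth type {s['auth_type']} weaker than {minimum}")
        if s["auth_drops"] > 0:           # the peer or a third party sent packets that failed auth
            findings.append(f"{tag}: {s['auth_drops']} packets failed authentication")
    return findings
```

Running audit(parse_sessions(SAMPLE_OUTPUT)) returns no finding for session 1001 and two for session 1002; a rising Auth Pkts Drop on a session that was previously clean is worth an alert in the same way a flapping OSPF neighbor would be.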