How MSDP MD5 Password Authentication Works
Developed in accordance with RFC 2385, the MSDP MD5 password authentication feature is used to verify
each segment sent on the TCP connection between MSDP peers. The ip msdp password peer command is
used to enable MD5 authentication for TCP connections between two MSDP peers. When MD5 authentication
is enabled between two MSDP peers, each segment sent on the TCP connection between the peers is verified.
MD5 authentication must be configured with the same password on both MSDP peers; otherwise, the connection
between them will not be made. Configuring MD5 authentication causes the Cisco IOS software to generate
and verify the MD5 digest of every segment sent on the TCP connection.
Benefits of MSDP MD5 Password Authentication
•
Protects MSDP against the threat of spoofed TCP segments being introduced into the TCP connection
stream.
•
Uses the industry-standard MD5 algorithm for improved reliability and security.
SA Message Limits
The ip msdp sa-limit command is used to limit the overall number of SA messages that a device can accept
from specified MSDP peers. When the ip msdp sa-limit command is configured, the device maintains a
per-peer count of SA messages stored in the SA cache and will ignore new messages from a peer if the
configured SA message limit for that peer has been reached.
The ip msdp sa-limit command was introduced as a means to protect an MSDP-enabled device from denial
of service (DoS) attacks. We recommended that you configure SA message limits for all MSDP peerings on
the device. An appropriately low SA limit should be configured on peerings with a stub MSDP region (for
example, a peer that may have some further downstream peers but that will not act as a transit for SA messages
across the rest of the Internet). A high SA limit should be configured for all MSDP peerings that act as transits
for SA messages across the Internet.
MSDP Keepalive and Hold-Time Intervals
The ip msdp keepalive command is used to adjust the interval at which an MSDP peer will send keepalive
messages and the interval at which the MSDP peer will wait for keepalive messages from other peers before
declaring them down.
Once an MSDP peering session is established, each side of the connection sends a keepalive message and
sets a keepalive timer. If the keepalive timer expires, the local MSDP peer sends a keepalive message and
restarts its keepalive timer; this interval is referred to as the keepalive interval. The keepalive-intervalargument
is used to adjust the interval for which keepalive messages will be sent. The keepalive timer is set to the value
specified for the keepalive-intervalargument when the peer comes up. The keepalive timer is reset to the value
of the keepalive-interval argument whenever an MSDP keepalive message is sent to the peer and reset when
the timer expires. The keepalive timer is deleted when an MSDP peering session is closed. By default, the
keepalive timer is set to 60 seconds.
IP Multicast Routing Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3650 Switches)
178 OL-29890-01
Configuring MSDP
SA Message Limits
To Next Page
Loading...
Need help?
General