The 7705 SAR supports non-keychain MD5 authentication for OSPF, IS-IS, and RSVP-TE and TCP MD5 authentication for BGP and LDP. In previous releases, only a single authentication key or pre-hashed MD5 digest could be defined at a time using the authentication-key command. If this key was changed, the adjacency was reset, causing both the local and remote router to reconverge based on the lost adjacency. When a new key or digest was added, the adjacency was re-established, causing another reconvergence event within the network.
The 7705 SAR also supports the TCP Enhanced Authentication Option, as specified in draft-bonica-tcpauth-05.txt, Authentication for TCP-based Routing and Management Protocols. The TCP Enhanced Authentication option is a TCP extension that enhances security for BGP, LDP, and other TCP-based protocols. It extends the MD5 authentication option to include the ability to change keys in a BGP or LDP session seamlessly without tearing down the session, and allows for stronger authentication algorithms to be used. It is intended for applications where secure administrative access to both endpoints of the TCP connection is normally available.
TCP peers can use this extension to authenticate messages passed between one another. This strategy improves upon the practice described in RFC 2385, Protection of BGP Sessions via the TCP MD5 Signature Option. Using this new strategy, TCP peers can update authentication keys during the lifetime of a TCP connection. TCP peers can also use stronger authentication algorithms to authenticate routing messages.