HMAC keys

It is possible to associate an HMAC key ID with an SRH through the hmac KEYID keyword of the ip route command that creates the SR route. The KEYID is an integer ranging from 1 to 255. Once the key ID is mapped to a secret password, an HMAC is computed over the SRH so that receiving nodes can check the authenticity and integrity of the SRH. Suppose you have set up a route with an HMAC key ID of 42. To associate this key ID with a password, run:

# ip sr hmac set 42

You will be prompted for the password. Note that current iproute2 releases also expect the hash algorithm after the key ID, i.e. ip sr hmac set 42 sha256, with sha1 and sha256 as the supported algorithms. You can display all the mappings with the following command:

# ip sr hmac show

Note that the same key ID and password must be configured on each node that will validate HMAC-enabled packets: a node that is asked to validate a packet whose key ID it does not know cannot compute the expected HMAC and drops the packet.

Per-interface HMAC policy

The behavior with respect to HMAC can be configured through the per-interface sysctl variable seg6_require_hmac (net.ipv6.conf.IFACE.seg6_require_hmac), which applies to SR packets received on that interface. The following values are possible:

  • -1: ignore the HMAC field: accept all SR packets, with or without an HMAC, and do not validate any HMAC present (typically set on core routers)
  • 0: accept SR packets without an HMAC; packets that carry an HMAC are validated and dropped if it is invalid (the default)
  • 1: drop SR packets without an HMAC; packets that carry one are validated and dropped if it is invalid (typically set on edge routers)
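The following is an added example, not code from this page nor from the Linux seg6 implementation. It models both parts above in one place: the node-local key table that ip sr hmac set fills in, the HMAC computed over the SRH at the ingress node, and the receive-side decision for each of the three seg6_require_hmac values. The layout of the bytes that the HMAC covers (IPv6 source address, Last Entry, Flags, a 4-byte Key ID, then the segment list) and the fixed 32-byte HMAC field with zero padding of shorter digests are taken from RFC 8754 section 2.1.2.1 and are an assumption here; the 2016 prototype this page documents may differ in detail. The addresses, key IDs and secrets are constructed sample values.

```python
"""Added example: model of SRv6 SRH HMAC keys and the seg6_require_hmac
policy.  Not the Linux implementation; HMAC text layout per RFC 8754
section 2.1.2.1 (assumption), sample values are constructed."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

HMAC_FIELD_LEN = 32          # size of the HMAC field in the SRH HMAC TLV
ALGORITHMS = ("sha1", "sha256")


@dataclass
class SRH:
    """The parts of a Segment Routing Header that matter here.
    segments[] is stored in reverse order: segments[0] is the final
    destination and segments[last_entry] is the first segment."""
    segments: List[str]
    segments_left: int
    flags: int = 0
    hmac_keyid: int = 0      # 0 means the packet carries no HMAC TLV
    hmac: bytes = b""

    @property
    def last_entry(self) -> int:
        return len(self.segments) - 1


# keyid -> (algorithm, secret): the node-local table that
# `ip sr hmac set KEYID` fills in and `ip sr hmac show` lists.
KeyTable = Dict[int, Tuple[str, bytes]]


def hmac_set(table: KeyTable, keyid: int, algo: str, secret: bytes) -> None:
    """Model of `ip sr hmac set`: KEYID must be 1..255, algo sha1 or sha256."""
    if not 1 <= keyid <= 255:
        raise ValueError("key id must be between 1 and 255")
    if algo not in ALGORITHMS:
        raise ValueError("unsupported HMAC algorithm")
    table[keyid] = (algo, secret)


def hmac_text(src: str, srh: SRH) -> bytes:
    """Bytes the HMAC is computed over (assumed layout, RFC 8754 2.1.2.1).
    Segments Left is deliberately absent: it changes at every segment
    endpoint, so a value fixed at ingress cannot cover it.  The payload
    is not covered either; the HMAC protects the routing header only."""
    text = ipaddress.IPv6Address(src).packed            # 16 bytes
    text += bytes([srh.last_entry, srh.flags])          # 1 + 1 bytes
    text += struct.pack("!I", srh.hmac_keyid)           # 4 bytes
    for seg in srh.segments:                            # n * 16 bytes
        text += ipaddress.IPv6Address(seg).packed
    return text


def compute_hmac(table: KeyTable, src: str, srh: SRH) -> bytes:
    """Return the 32-byte HMAC field: digest truncated to 32 bytes, or
    zero-padded when the hash is shorter (SHA-1 yields 20 bytes)."""
    algo, secret = table[srh.hmac_keyid]
    digest = hmac.new(secret, hmac_text(src, srh), algo).digest()
    return digest[:HMAC_FIELD_LEN].ljust(HMAC_FIELD_LEN, b"\x00")


def sign(table: KeyTable, src: str, srh: SRH, keyid: int) -> SRH:
    """Ingress side: attach the key id and the HMAC to the SRH."""
    srh.hmac_keyid = keyid
    srh.hmac = compute_hmac(table, src, srh)
    return srh


def accept(table: KeyTable, require_hmac: int, src: str, srh: SRH) -> bool:
    """Receiving side, following the three seg6_require_hmac values:
      -1  ignore the HMAC field entirely
       0  accept packets with no HMAC, validate those that carry one
       1  drop packets with no HMAC, validate those that carry one"""
    if require_hmac < 0:
        return True
    if srh.hmac_keyid == 0:
        return require_hmac == 0
    if srh.hmac_keyid not in table:
        return False         # key id unknown on this node: cannot validate
    expected = compute_hmac(table, src, srh)
    return hmac.compare_digest(expected, srh.hmac)


if __name__ == "__main__":
    keys: KeyTable = {}
    hmac_set(keys, 42, "sha256", b"constructed-shared-secret")
    pkt = sign(keys, "fc00:1::1",
               SRH(["fc00:3::1", "fc00:2::1"], segments_left=1), 42)
    print("edge (require_hmac=1) accepts:", accept(keys, 1, "fc00:1::1", pkt))
    pkt.segments[0] = "fc00:9::1"    # rewrite the final segment in transit
    print("after tampering:", accept(keys, 1, "fc00:1::1", pkt))
```

Two points the model makes visible: a core router with seg6_require_hmac set to -1 forwards a packet with a bad HMAC unchanged, so the check only happens where the value is 0 or 1; and a segment endpoint decrementing Segments Left does not invalidate the HMAC, because that field is outside the covered bytes, whereas rewriting a segment or spoofing the source address does. The comparison uses hmac.compare_digest so the verification time does not depend on where the first differing byte sits.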

Page last modified on March 02, 2016, at 01:15 PM