It is possible to associate an HMAC key ID with an SRH through the hmac KEYID keyword in the iproute command. The KEYID is an integer value ranging from 1 to 255. When the key ID is mapped to a secret password, an HMAC is computed over the SRH to ensure its authenticity and integrity. Suppose you have set up a route with an HMAC key ID of 42. To associate this key with a password, run:
# ip sr hmac set 42
You will be prompted for a password. You can display all the mappings with the following command:
# ip sr hmac show
Note that the password must be configured on each node that will process the HMAC-enabled packet.
The behavior with respect to HMAC can be configured through a per-interface sysctl variable seg6_require_hmac. The following values are possible:
-1: accept all SR packets, with or without a valid HMAC (typically set on core routers)
0: accept SR packets without HMAC or with a valid HMAC
1: accept only SR packets with a valid HMAC (typically set on edge routers)
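
The following added example (not part of the original page, and not the kernel's code) models how a receiving node decides under each seg6_require_hmac value. It assumes HMAC-SHA-256 over the input fields listed in RFC 8754 section 2.1.2.1; the secret, the addresses and all function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed secret; key ID 42 matches the example above.
KEYS = {42: b"constructed-secret"}  # key ID -> password set with `ip sr hmac set`

def srh_hmac(secret, src, last_entry, flags, key_id, segments):
    """HMAC-SHA-256 over the fields RFC 8754 section 2.1.2.1 lists (assumption)."""
    text = ipaddress.IPv6Address(src).packed
    text += struct.pack("!BBI", last_entry, flags, key_id)
    for seg in segments:
        text += ipaddress.IPv6Address(seg).packed
    return hmac.new(secret, text, hashlib.sha256).digest()

def accept(require_hmac, pkt, keys=KEYS):
    """Model of the receiver decision for seg6_require_hmac = -1, 0 or 1."""
    if require_hmac == -1:
        return True                   # HMAC is not checked at all
    tlv = pkt.get("hmac")             # None when the SRH carries no HMAC
    if tlv is None:
        return require_hmac == 0      # 0 tolerates a missing HMAC, 1 does not
    secret = keys.get(pkt["key_id"])
    if secret is None:
        return False                  # key ID has no password on this node
    expected = srh_hmac(secret, pkt["src"], pkt["last_entry"], pkt["flags"],
                        pkt["key_id"], pkt["segments"])
    return hmac.compare_digest(expected, tlv)  # constant-time comparison

def make_packet(src, segments, key_id=None, secret=None):
    """Build a hypothetical SRH as a dict, signed when a key ID is given."""
    pkt = {"src": src, "segments": list(segments), "flags": 0,
           "last_entry": len(segments) - 1, "key_id": key_id, "hmac": None}
    if key_id is not None:
        pkt["hmac"] = srh_hmac(secret, src, pkt["last_entry"], 0, key_id, segments)
    return pkt

def decision_table():
    """Per mode: (valid HMAC, segment list changed after signing, no HMAC)."""
    segs = ["2001:db8::a", "2001:db8::b"]
    signed = make_packet("2001:db8::1", segs, 42, KEYS[42])
    altered = dict(signed, segments=["2001:db8::a", "2001:db8::c"])
    bare = make_packet("2001:db8::1", segs)
    return {mode: (accept(mode, signed), accept(mode, altered), accept(mode, bare))
            for mode in (-1, 0, 1)}

if __name__ == "__main__":
    for mode, row in decision_table().items():
        print(mode, row)
```

The table shows that only the value 1 rejects an SRH that carries no HMAC, and that a node without the password for key ID 42 rejects even a correctly signed SRH under 0 and 1.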