The authentication key-chain command enables Label Distribution Protocol (LDP) keychain authentication.
The undo authentication key-chain command disables Label Distribution Protocol (LDP) keychain authentication.
By default, LDP keychain authentication is disabled.
authentication key-chain peer peer-id name keychain-name
undo authentication key-chain peer peer-id
Parameter | Description | Value |
---|---|---|
peer peer-id | Specifies the LSR ID of the LDP peer for which keychain authentication is enabled. This is the value the peer configures with the mpls lsr-id command. | The value is in dotted decimal notation. |
name keychain-name | Specifies the name of the keychain to apply to the peer. The keychain must already have been created with the keychain command. | The value is an existing keychain name. |
Usage Scenario
Information spoofing may occur during an LDP session. To enhance security of an LDP session, configure keychain authentication for a TCP connection over which an LDP session is created.
During keychain authentication, a group of passwords is defined to form a password string. Each password is associated with an encryption and decryption algorithm, such as MD5 or SHA-1, and with a validity period. When sending or receiving a packet, the system selects a valid password based on the user's configuration. Within the password's validity period, the system uses the encryption algorithm matching the password to encrypt a packet before sending it, or the decryption algorithm matching the password to decrypt a packet after receiving it. In addition, the system automatically switches to a new password after the previous one expires, reducing the risk of a password being cracked.
The keychain authentication password, the encryption and decryption algorithms, and password validity period that construct a keychain configuration node are configured using different commands. A keychain configuration node requires at least one password along with encryption and decryption algorithms.
To reference a keychain configuration node, specify the required peer and the node name in the MPLS-LDP view. In this manner, an LDP session is encrypted. Different peers can reference the same keychain configuration node.
Keychain authentication involves a set of passwords. It uses a new password when the previous one expires. Keychain authentication is complex to configure and is therefore recommended only for networks requiring high security.
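To make the password-selection behaviour described above concrete, here is an added example (not from the original page or the device's implementation) that models a keychain as a list of keys, each with its own algorithm and separate send and receive validity windows; packet protection is modelled as a keyed digest (HMAC) that the receiver recomputes, which corresponds to what the page calls encrypting and decrypting the packet. The key IDs, secrets, window values and packet bytes are constructed for illustration.

```python
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    key_id: int
    algorithm: str   # hashlib digest name, e.g. "sha256" or "md5"
    secret: bytes
    send_start: int  # validity windows as epoch seconds, [start, end)
    send_end: int
    recv_start: int
    recv_end: int


def send_key(chain, now):
    """Pick the key whose send window covers `now`; lowest key-id wins on overlap."""
    valid = [k for k in chain if k.send_start <= now < k.send_end]
    return min(valid, key=lambda k: k.key_id) if valid else None


def protect(chain, packet, now):
    """Return (key_id, digest) for an outgoing packet, or None if no key is valid."""
    k = send_key(chain, now)
    if k is None:
        return None
    return k.key_id, hmac.new(k.secret, packet, k.algorithm).digest()


def verify(chain, packet, key_id, digest, now):
    """Accept only if the named key exists, its receive window covers `now`, and the digest matches."""
    for k in chain:
        if k.key_id == key_id and k.recv_start <= now < k.recv_end:
            expected = hmac.new(k.secret, packet, k.algorithm).digest()
            return hmac.compare_digest(expected, digest)
    return False


# Constructed sample keychain: key 1 sends for the first 1000 s, key 2 afterwards.
# The receive windows overlap by 200 s so packets sent just before the
# switch are still accepted; the overlap is a design choice, not from the page.
CHAIN = [
    Key(1, "sha256", b"KEY1-PLACEHOLDER", 0, 1000, 0, 1100),
    Key(2, "sha256", b"KEY2-PLACEHOLDER", 1000, 2000, 900, 2000),
]
PACKET = b"LDP Hello from 10.0.0.1"  # constructed stand-in for a real LDP PDU


def rollover_demo():
    """(key used at t=999, key used at t=1000, old-key packet accepted at t=1050, rejected at t=1200)."""
    kid_before, d_before = protect(CHAIN, PACKET, 999)
    kid_after, _ = protect(CHAIN, PACKET, 1000)
    return (kid_before, kid_after,
            verify(CHAIN, PACKET, kid_before, d_before, 1050),
            verify(CHAIN, PACKET, kid_before, d_before, 1200))
```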
Prerequisites
You have performed the following operations:
1. Enable MPLS LDP globally using the mpls ldp (system view) command.
2. Configure keychain authentication globally using the keychain command.
Precautions
MD5 authentication and keychain authentication cannot be configured together on one peer.
Configuring LDP keychain authentication leads to reestablishment of an LDP session and deletes the Label Switched Path (LSP) associated with the LDP session.