The authentication key-chain all command enables keychain authentication in a batch for all LDP peers.
The undo authentication key-chain all command disables keychain authentication in a batch for all LDP peers.
By default, keychain authentication in a batch is disabled for all LDP peers. LDP keychain authentication is recommended to ensure security.
Parameter | Description | Value |
---|---|---|
name keychain-name | Specifies a keychain name. The keychain name is configured using the keychain command. | The value is a string of 1 to 47 case-insensitive characters. The string does not contain question marks or spaces. The string can contain spaces if it is enclosed with double quotation marks ("). |
Usage Scenario
To improve LDP session security, keychain authentication can be configured for a TCP connection over which an LDP session has been established. If a great number of LDP peers are configured, run the authentication key-chain all command to enable keychain authentication in a batch for all LDP peers.
Prerequisites
A keychain has been configured using the keychain command.
Precautions
LDP authentication configurations are prioritized in descending order: for a single peer, for a specified peer group, for all peers. Keychain and MD5 configurations of the same priority are mutually exclusive. Keychain authentication and MD5 authentication can be configured simultaneously for a specified LDP peer, for this LDP peer in a specified peer group, and for all LDP peers. The configuration with a higher priority takes effect. For example, if MD5 authentication is configured for Peer1 and then keychain authentication is configured for all LDP peers, MD5 authentication takes effect on Peer1. Keychain authentication takes effect on other peers.
Configuring LDP keychain authentication causes the reestablishment of LDP sessions.
After the authentication key-chain all command is run, the referenced keychain is applied to all LDP peers. If keychain authentication fails, an LDP session fails to be established.
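The precedence rule above can be checked mechanically when auditing which peers end up on MD5 rather than keychain authentication. The following is an added example, not Huawei code: the `Auth` record, the peer IDs and the group name `grp-a` are constructed for illustration and are not CLI syntax, and taking the first matching group entry for a peer in several groups is an assumption.

```python
# Added illustration of the precedence rule in Precautions; the data layout,
# peer IDs and group names are constructed here and are not Huawei CLI syntax.
from typing import NamedTuple, Optional

class Auth(NamedTuple):
    method: str   # "keychain" or "md5"
    scope: str    # "peer", "peer-group" or "all"
    target: str   # peer ID, group name, or "" for scope "all"

PRIORITY = ("peer", "peer-group", "all")  # descending priority

def check_exclusive(config):
    """Reject keychain and MD5 configured at the same priority for one target."""
    seen = {}
    for a in config:
        if seen.setdefault((a.scope, a.target), a.method) != a.method:
            raise ValueError(f"keychain and MD5 both set for {a.scope} {a.target!r}")

def applies(a, peer, groups):
    """True if entry `a` covers `peer` (groups maps group name -> peer IDs)."""
    if a.scope == "peer":
        return a.target == peer
    if a.scope == "peer-group":
        return peer in groups.get(a.target, ())
    return True  # scope "all"

def effective_auth(peer, groups, config) -> Optional[Auth]:
    """Return the entry that takes effect on `peer`, or None if unauthenticated."""
    check_exclusive(config)
    for scope in PRIORITY:
        for a in config:  # assumption: first matching entry wins within a scope
            if a.scope == scope and applies(a, peer, groups):
                return a
    return None

def audit(peers, groups, config):
    """Map each peer to the method in effect: "keychain", "md5" or "none"."""
    found = {p: effective_auth(p, groups, config) for p in peers}
    return {p: (a.method if a else "none") for p, a in found.items()}

# Constructed sample: the Peer1 case from the text, plus a peer-group entry.
PEERS = ["1.1.1.1", "2.2.2.2", "3.3.3.3"]
GROUPS = {"grp-a": {"2.2.2.2"}}
CONFIG = [Auth("md5", "peer", "1.1.1.1"),
          Auth("keychain", "all", ""),
          Auth("md5", "peer-group", "grp-a")]

if __name__ == "__main__":
    for peer, method in audit(PEERS, GROUPS, CONFIG).items():
        print(peer, method)
```

Peers reported as `md5` or `none` are the ones where the batch keychain setting is not what protects the session.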
# Configure LDP keychain authentication for all LDP peers and use the keychain named kc1.
```
<HUAWEI> system-view
[HUAWEI] keychain kc1 mode absolute
[HUAWEI-keychain-kc1] key-id 1
[HUAWEI-keychain-kc1-keyid-1] algorithm sha-256
[HUAWEI-keychain-kc1-keyid-1] key-string abcDEF-13579
[HUAWEI-keychain-kc1-keyid-1] send-time 14:30 2016-10-10 to 14:50 2016-10-10
[HUAWEI-keychain-kc1-keyid-1] receive-time 14:40 2016-10-10 to 14:50 2016-10-10
[HUAWEI-keychain-kc1-keyid-1] default send-key-id
[HUAWEI-keychain-kc1-keyid-1] quit
[HUAWEI-keychain-kc1] quit
[HUAWEI] mpls ldp
[HUAWEI-mpls-ldp] authentication key-chain all name kc1
```