The authentication key-chain peer-group command enables keychain authentication in a batch for a specified LDP peer group.
The undo authentication key-chain peer-group command disables keychain authentication in a batch for a specified LDP peer group.
By default, keychain authentication in a batch is disabled for all peer groups. LDP keychain authentication is recommended to ensure security.
authentication key-chain peer-group ip-prefix-name name keychain-name
undo authentication key-chain peer-group
Parameter | Description | Value
---|---|---
ip-prefix-name | Specifies the name of an IP prefix list. The IP prefix list is configured using the ip ip-prefix command; the LDP peers whose addresses match the list form the peer group. | The value is a string of 1 to 169 case-sensitive characters. Spaces are not supported unless the string is enclosed in double quotation marks (").
name keychain-name | Specifies a keychain name. The keychain is configured using the keychain command. | The value is a string of 1 to 47 case-insensitive characters. Question marks are not supported. Spaces are not supported unless the string is enclosed in double quotation marks (").
Usage Scenario
To improve LDP session security, keychain authentication can be configured for the TCP connection over which an LDP session is established. If many LDP peers are configured, run the authentication key-chain peer-group command to enable keychain authentication in a batch for all LDP peers in a specified peer group. The peer group is defined by an IP prefix list: every LDP peer whose address matches the list belongs to the group.
Prerequisites
The following steps have been performed:
An IP prefix list has been configured using the ip ip-prefix command.
A keychain has been configured using the keychain command.
Precautions
LDP authentication configurations take effect in descending order of priority: configuration for a single peer, configuration for a specified peer group, configuration for all peers. At any one of these levels, keychain authentication and MD5 authentication are mutually exclusive. Across levels they can coexist: keychain or MD5 authentication can be configured simultaneously for a specified LDP peer, for the peer group containing that peer, and for all LDP peers, and the configuration with the higher priority takes effect. For example, if MD5 authentication is configured for Peer1 and keychain authentication is then configured for all LDP peers, MD5 authentication still takes effect on Peer1.
Configuring LDP keychain authentication causes existing LDP sessions to be reestablished.
After the authentication key-chain peer-group command is run, the referenced keychain is applied to every LDP peer whose address matches the specified IP prefix list. If keychain authentication fails, the LDP session cannot be established.
Create the peer group (the IP prefix list) before referencing it. By default, a nonexistent peer group cannot be specified in this command. If the route-policy nonexistent-config-check disable command has been run in the system view and a nonexistent peer group is specified in this command, the local device applies keychain authentication to the LDP session with each LDP peer.
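The precedence rules above are easy to misread when per-peer, peer-group and all-peer settings overlap. The following Python model is an added example, not Huawei code: it resolves which authentication setting takes effect for a given peer address using the three priority levels stated in the Precautions, rejects a keychain/MD5 conflict at the same level, and matches peer addresses against IP prefix list entries. Standard prefix-list matching (exact mask length unless greater-equal or less-equal is given), the "first matching peer group wins" rule and the rejection of same-level conflicts are assumptions of the model, since the page does not specify device behaviour in those cases. The peer addresses and keychain names are constructed for the example.

```python
"""Added example (not Huawei code): a model of LDP authentication precedence.

Assumed from the page's Precautions: per-peer > peer-group > all-peers, and
keychain and MD5 are mutually exclusive at one level. Assumed here (not
stated on the page): standard prefix-list length semantics, first matching
peer group wins, same-level conflicts are rejected.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Auth = Tuple[str, str]  # (method, name), e.g. ("keychain", "kc1") or ("md5", "<cipher>")


class PrefixEntry:
    """One `ip ip-prefix NAME permit ADDR MASKLEN [greater-equal GE] [less-equal LE]` entry."""

    def __init__(self, prefix: str, ge: Optional[int] = None, le: Optional[int] = None):
        self.network = ipaddress.ip_network(prefix, strict=False)
        masklen = self.network.prefixlen
        # Assumed standard semantics: with no bound the length must equal MASKLEN;
        # greater-equal alone means [GE, max], less-equal alone means [MASKLEN, LE].
        self.lo = ge if ge is not None else masklen
        self.hi = le if le is not None else (self.network.max_prefixlen if ge is not None else masklen)

    def matches_host(self, addr: str) -> bool:
        # An LDP peer address is a single host, i.e. a /32 (IPv4) or /128 (IPv6) route.
        ip = ipaddress.ip_address(addr)
        return ip in self.network and self.lo <= ip.max_prefixlen <= self.hi


class LdpAuthConfig:
    """Collects the three levels of LDP authentication configuration."""

    def __init__(self) -> None:
        self.per_peer: Dict[str, Auth] = {}
        self.peer_groups: List[Tuple[str, List[PrefixEntry], Auth]] = []  # in configuration order
        self.all_peers: Optional[Auth] = None

    @staticmethod
    def _check_exclusive(existing: Optional[Auth], new: Auth, where: str) -> None:
        # Keychain and MD5 at the same level are mutually exclusive; the page does not
        # say what the device does on conflict, so this model simply rejects it.
        if existing is not None and existing[0] != new[0]:
            raise ValueError(f"{existing[0]} already configured {where}; remove it before configuring {new[0]}")

    def set_peer(self, peer: str, method: str, name: str) -> None:
        new = (method, name)
        self._check_exclusive(self.per_peer.get(peer), new, f"for peer {peer}")
        self.per_peer[peer] = new

    def set_peer_group(self, prefix_list: str, entries: List[PrefixEntry], method: str, name: str) -> None:
        new = (method, name)
        for i, (pl, _, auth) in enumerate(self.peer_groups):
            if pl == prefix_list:
                self._check_exclusive(auth, new, f"for peer group {prefix_list}")
                self.peer_groups[i] = (pl, entries, new)
                return
        self.peer_groups.append((prefix_list, entries, new))

    def set_all_peers(self, method: str, name: str) -> None:
        new = (method, name)
        self._check_exclusive(self.all_peers, new, "for all peers")
        self.all_peers = new

    def effective_auth(self, peer: str) -> Optional[Auth]:
        """Return the (method, name) that takes effect for `peer`, or None if unauthenticated."""
        if peer in self.per_peer:                      # highest priority: single peer
            return self.per_peer[peer]
        for _, entries, auth in self.peer_groups:      # next: first matching peer group (assumed)
            if any(e.matches_host(peer) for e in entries):
                return auth
        return self.all_peers                          # lowest priority: all peers


def worked_example() -> Dict[str, Optional[Auth]]:
    """The page's Peer1 scenario plus a peer group, on constructed addresses and names."""
    cfg = LdpAuthConfig()
    cfg.set_peer("10.1.1.1", "md5", "peer1-md5")        # MD5 configured for Peer1 first
    cfg.set_all_peers("keychain", "kc-all")             # then keychain for all LDP peers
    # Peer group list1: every host in 10.1.1.0/24 (greater-equal 32 admits /32 peer addresses)
    cfg.set_peer_group("list1", [PrefixEntry("10.1.1.0/24", ge=32)], "keychain", "kc1")
    return {p: cfg.effective_auth(p) for p in ("10.1.1.1", "10.1.1.2", "10.2.0.1")}


def conflict_rejected() -> bool:
    """True if configuring MD5 and keychain at the same level is refused by the model."""
    cfg = LdpAuthConfig()
    cfg.set_all_peers("keychain", "kc-all")
    try:
        cfg.set_all_peers("md5", "all-md5")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for peer, auth in worked_example().items():
        print(peer, "->", auth)
```

In the worked example, Peer1 (10.1.1.1) keeps MD5 even though it also matches list1 and the all-peer keychain, 10.1.1.2 gets kc1 from the peer group, and 10.2.0.1 falls through to kc-all. Note that the page's own example uses `permit 10.1.1.1 32`, which matches exactly one host; a `permit 10.1.1.0 24` entry without greater-equal would match no /32 peer address under standard prefix-list semantics.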
# Enable LDP keychain authentication for LDP peers with IP addresses matching the IP prefix list named list1 in a specified peer group and use a keychain named kc1.
```
<HUAWEI> system-view
[HUAWEI] keychain kc1 mode absolute
[HUAWEI-keychain-kc1] key-id 1
[HUAWEI-keychain-kc1-keyid-1] algorithm sha-256
[HUAWEI-keychain-kc1-keyid-1] key-string abcDEF-13579
[HUAWEI-keychain-kc1-keyid-1] send-time 14:30 2016-10-10 to 14:50 2016-10-10
[HUAWEI-keychain-kc1-keyid-1] receive-time 14:40 2016-10-10 to 14:50 2016-10-10
[HUAWEI-keychain-kc1-keyid-1] default send-key-id
[HUAWEI-keychain-kc1-keyid-1] quit
[HUAWEI-keychain-kc1] quit
[HUAWEI] ip ip-prefix list1 permit 10.1.1.1 32
[HUAWEI] mpls ldp
[HUAWEI-mpls-ldp] authentication key-chain peer-group list1 name kc1
```