Configuring PIM IPSec

Context

On a multicast network, if multicast devices are attacked by forged PIM messages, multicast data forwarding between multicast devices will be interrupted. To protect multicast devices against such attacks, configure PIM IPSec on the multicast devices to encrypt and authenticate PIM protocol messages they send and receive.

When a Huawei device connects to a non-Huawei device that can only encrypt and authenticate PIM Hello messages, configure the Huawei device to encrypt and authenticate only PIM Hello messages.

A device running PIM IPSec processes PIM protocol messages as follows:

Encapsulates PIM protocol messages with an IPSec header before sending the messages.
Drops PIM protocol messages that are not protected by IPSec or fail the authentication.

If PIM IPSec is not configured on a device, the device drops PIM protocol messages that are protected by IPSec.

PIM IPSec can be configured in the PIM view or interface view. The configuration made in the PIM view takes effect globally, and the configuration made in the interface view takes effect only on that interface. If PIM IPSec is configured in both the PIM view and interface view, the configuration in the interface view takes precedence. If PIM IPSec is not configured on an interface, the interface uses the configuration made in the PIM view.
To ensure normal multicast service forwarding, configure PIM IPSec on all PIM devices.
After PIM IPSec is enabled on a switch, all PIM packets sent from the switch are encrypted. The intermediate devices, including those running IGMP snooping, cannot interpret these PIM packets.

Procedure

Configure PIM IPSec globally.
1. Run system-view
  The system view is displayed.
2. Run pim [ vpn-instance vpn-instance-name | all-instance ]
  The PIM view is displayed.
3. Configure authentication for PIM messages.
  You can configure the switch to authenticate all PIM unicast and multicast messages or to authenticate only PIM Hello messages. Two IPSec peers must be configured with the same authentication behavior for PIM messages.
  - Run the ipsec [ unicast-message ] sa sa-name command to authenticate PIM messages sent and received by the device based on a specified SA.
    
    If you specify the unicast-message keyword in the command, the switch authenticates only PIM unicast messages. If you do not specify this keyword, the switch authenticates only PIM multicast messages.
  - Run the hello ipsec sa sa-name command to authenticate PIM Hello messages sent and received in a specified SA.
  If the ipsec sa sa-name and hello ipsec sa sa-name commands are both configured, the command configured later overrides the earlier configuration.
Configure PIM IPSec on an interface.
1. Run system-view
  The system view is displayed.
2. Run interface interface-type interface-number
  The interface view is displayed.
3. (Optional) On an Ethernet interface, run undo portswitch
  The interface is switched to Layer 3 mode.
  
  By default, an Ethernet interface works in Layer 2 mode.
  
  Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support switching between Layer 2 and Layer 3 modes.
4. Configure authentication for PIM messages.
  You can configure authentication for all the PIM messages or only PIM Hello messages on an interface. Two IPSec peers must be configured with the same authentication behavior for PIM messages.
  - Run the pim ipsec sa sa-name command to authenticate PIM messages sent and received on the interface based on a specified SA.
  - Run the pim hello ipsec sa sa-name command to authenticate PIM Hello messages sent and received in a specified SA.
  If the pim ipsec sa sa-name and pim hello ipsec sa sa-name commands are both configured, the command configured later overrides the command configured earlier.