The dldp authentication-mode command configures a DLDP authentication mode.
The undo dldp authentication-mode command restores the default DLDP authentication mode.
By default, DLDP packets are not authenticated.
dldp authentication-mode { md5 md5-password | simple simple-password | sha sha-password | none }
undo dldp authentication-mode [ md5 md5-password | simple simple-password | sha sha-password | none ]
Parameter | Description | Value
---|---|---
md5 md5-password | Uses MD5 to authenticate DLDP packets exchanged between the interfaces on the local and neighbor devices. md5-password specifies the MD5 authentication password. NOTE: The password is saved in the configuration file in cipher text for security. | The value is a string of 6 to 16 case-sensitive characters in plain text and consists of at least two of the following: lowercase letters, uppercase letters, digits, and special characters excluding question marks (?) and spaces. NOTE: Ciphertext passwords with various lengths configured in an earlier version are also supported in the existing version.
simple simple-password | Uses the plain text to authenticate DLDP packets exchanged between the interfaces on the local and neighbor devices. simple-password specifies the plain-text authentication password. NOTE: The password is saved in the configuration file in cipher text for security. | The value is a string of 6 to 16 case-sensitive characters in plain text and consists of at least two of the following: lowercase letters, uppercase letters, digits, and special characters excluding question marks (?) and spaces. NOTE: Ciphertext passwords with various lengths configured in an earlier version are also supported in the existing version.
none | Performs no authentication on DLDP packets exchanged between the interfaces on the local and neighbor devices. | -
sha sha-password | Uses SHA2-256 mode to authenticate DLDP packets exchanged between the interfaces on the local and neighbor devices. sha-password specifies the SHA2-256 authentication password. NOTE: The password is saved in the configuration file in cipher text for security. | The value is a string of 6 to 16 case-sensitive characters in plain text and consists of at least two of the following: lowercase letters, uppercase letters, digits, and special characters excluding question marks (?) and spaces. NOTE: Ciphertext passwords with various lengths configured in an earlier version are also supported in the existing version.
For security purposes, you are advised to use SHA as the authentication algorithm of DLDP.
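The password rules in the Value column (6 to 16 characters, at least two of the four character classes, no question marks or spaces) are easy to get wrong when passwords are generated or pushed by automation. The following checker is an added example written for this page, not code from the vendor documentation; it applies those rules as stated above so a password can be validated before it is sent to the device. Treating any non-alphanumeric ASCII character as a "special character" is an assumption, since the page does not enumerate them.

```python
import string

# Rules taken from the Value column of the parameter table above.
MIN_LEN, MAX_LEN = 6, 16
FORBIDDEN = "? "          # question marks and spaces are not allowed


def dldp_password_violations(password: str) -> list:
    """Return the rules the password breaks; an empty list means it
    satisfies every rule the table states."""
    violations = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        violations.append("length must be 6 to 16 characters")
    if any(c in FORBIDDEN for c in password):
        violations.append("question marks and spaces are not allowed")

    has_lower = any(c in string.ascii_lowercase for c in password)
    has_upper = any(c in string.ascii_uppercase for c in password)
    has_digit = any(c in string.digits for c in password)
    # Assumption: any other character counts as a special character.
    has_special = any(c not in string.ascii_letters + string.digits for c in password)
    if sum([has_lower, has_upper, has_digit, has_special]) < 2:
        violations.append("at least two character classes are required")
    return violations


def is_valid_dldp_password(password: str) -> bool:
    return not dldp_password_violations(password)


if __name__ == "__main__":
    # Constructed sample passwords, not values from the page.
    for candidate in ["Dldp#Key1", "abc", "secret?1", "12345678"]:
        print(candidate, dldp_password_violations(candidate) or "ok")
```

Run the checker against a candidate before configuring it; a non-empty list names every rule the device is expected to reject it for.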
Usage Scenario
To ensure packet validity on an insecure network, users can configure one of the following authentication modes for DLDP packets:
- None: The sender sets the authentication key of the DLDP packets to all 0s and the authentication type field to 0. The receiver compares the authentication key and authentication type with those set on the local end. If the settings on the two ends are different, the receiver discards the DLDP packets.
- Plain text: The sender sets the authentication key of the DLDP packets to the plain-text password set on the local end and the authentication type field to 1. The receiver compares the authentication key and authentication type with those set on the local end. If the settings on the two ends are different, the receiver discards the DLDP packets.
- MD5: The sender sets the authentication key of the DLDP packets to the digest of the cipher text obtained from the password set on the local end using the MD5 algorithm, and sets the authentication type field to 2. The receiver compares the authentication key and authentication type with the digest of the cipher text obtained on the local end using the MD5 algorithm. If the settings on the two ends are different, the receiver discards the DLDP packets.
- SHA2-256 authentication: The sender sets the authenticator field of the DLDP packets to the digest of the cipher text obtained from the password set on the local end using the SHA2-256 algorithm, and sets the authentication type field to 3. The receiver compares the authenticator and authentication type with the digest of the cipher text obtained on the local end using the SHA2-256 algorithm. If the settings on the two ends are different, the receiver discards the DLDP packets.
When the device that uses MD5 authentication is upgraded from V200R001 or V200R002 to V200R008 or later, to ensure compatibility, upgrade the DLDP authentication mode to MD5-compatible. You can run the undo dldp authentication-mode md5-compatible command to cancel MD5-compatible authentication.
Prerequisites
DLDP has been enabled globally using the dldp enable command.
Precautions
If the dldp authentication-mode command is executed while DLDP is running, the local device deletes information about the DLDP neighbor device and triggers the neighbor device to clear information about the local device. In this way, the negotiation can be re-performed.
If the DLDP authentication mode is set, ensure that the local and neighbor devices are configured with the same DLDP authentication mode and password. If they use different DLDP authentication modes or passwords, DLDP packets cannot be authenticated. DLDP can work properly only when the two interfaces are authenticated.
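The four modes in the Usage Scenario and the matching requirement in the Precautions can be modelled end to end. The code below is an added example written for this page, not the vendor's implementation: it builds the (authentication type, authentication key) pair a sender would carry for each mode, lets a receiver recompute the pair from its own configuration and compare both fields, and checks that a link is accepted in both directions only when mode and password match on both ends. The exact packet layout is not given on the page, so a 16-byte all-zero key for mode none, hashing the UTF-8 password bytes on their own, and the constant-time comparison are all assumptions made here.

```python
import hashlib
import hmac

# Authentication type field values as listed in the usage scenario.
AUTH_TYPE = {"none": 0, "simple": 1, "md5": 2, "sha": 3}

# Width of the all-zero key for mode "none" (assumed; not stated on the page).
ZERO_KEY_LEN = 16


def build_authenticator(mode, password=None):
    """Sender side: return the (auth_type, auth_key) pair carried in a packet.
    Hashing the bare password bytes is an assumption; the page only says the
    key is a digest derived from the configured password."""
    auth_type = AUTH_TYPE[mode]
    if mode == "none":
        return auth_type, bytes(ZERO_KEY_LEN)
    secret = password.encode("utf-8")
    if mode == "simple":
        return auth_type, secret                       # password sent as-is
    if mode == "md5":
        return auth_type, hashlib.md5(secret).digest()
    return auth_type, hashlib.sha256(secret).digest()  # "sha" is SHA2-256


def receiver_accepts(packet, local_mode, local_password=None):
    """Receiver side: recompute the expected pair from the local configuration
    and accept the packet only if both the type and the key match."""
    expected_type, expected_key = build_authenticator(local_mode, local_password)
    received_type, received_key = packet
    if received_type != expected_type:
        return False                 # type mismatch: packet is discarded
    # Constant-time comparison is a choice made here, not stated on the page.
    return hmac.compare_digest(received_key, expected_key)


def link_authenticated(a_mode, a_password, b_mode, b_password):
    """DLDP works only when each interface accepts the other's packets."""
    a_to_b = receiver_accepts(build_authenticator(a_mode, a_password), b_mode, b_password)
    b_to_a = receiver_accepts(build_authenticator(b_mode, b_password), a_mode, a_password)
    return a_to_b and b_to_a


def key_reveals_password(packet, password):
    """True when the on-wire key is the configured password itself, which is
    the weakness of plain-text mode that the SHA recommendation addresses."""
    return hmac.compare_digest(packet[1], password.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample configuration, not values from the page.
    print("sha/sha same password  :", link_authenticated("sha", "Dldp#Key1", "sha", "Dldp#Key1"))
    print("sha/md5 same password  :", link_authenticated("sha", "Dldp#Key1", "md5", "Dldp#Key1"))
    print("sha/sha other password :", link_authenticated("sha", "Dldp#Key1", "sha", "Other#Key2"))
    print("simple key on the wire :", key_reveals_password(build_authenticator("simple", "Dldp#Key1"), "Dldp#Key1"))
```

The mode mismatch case shows why a one-sided change breaks the link: the receiver rejects on the type field before the key is even compared, which matches the precaution that both ends must be reconfigured together.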