The md5-password peer-group command enables LDP MD5 authentication in a batch for a specified LDP peer group.
The undo md5-password peer-group command disables LDP MD5 authentication in a batch for a specified LDP peer group.
By default, MD5 authentication in a batch is disabled for all peer groups.
md5-password { plain | cipher } peer-group ip-prefix-name password
undo md5-password peer-group
| Parameter | Description | Value |
|---|---|---|
| plain |
Indicates a simple text password. A simple text password is saved in simple text in a configuration file. This format poses risks. A ciphertext password is recommended. To improve device security, periodically modify the password. |
- |
| cipher | Indicates a ciphertext password. | - |
| ip-prefix-name |
Specifies the name of an IP prefix list. The IP prefix list name is configured using the ip ip-prefix command. |
The value is a string of 1 to 169 case-sensitive characters, spaces not supported. The string can contain spaces if it is enclosed with double quotation marks ("). |
| password |
Specifies an authentication password. |
A password must not contain spaces. A simple text password is a string of 1 to 255 characters. A ciphertext password is a string of 1 to 255 characters. An MD5 ciphertext password is 20 bits to 392 bits long. The string can contain spaces if it is enclosed with double quotation marks ("). |
Usage Scenario
MD5 authentication can be configured for a TCP connection over which an LDP session is established, improving security. LDP MD5 authentication generates a unique digest for an information segment to prevent LDP packets from being modified. LDP MD5 authentication is stricter than common checksum verification for TCP connections.
If a great number of LDP peers are configured, run the md5-password peer-group command to enable MD5 authentication in a batch for LDP peers in a specified peer group. An IP prefix list can be specified to define the range of IP addresses in a group.
Prerequisites
An IP prefix list has been configured using the ip ip-prefix command.
Precautions
LDP authentication configurations are prioritized in descending order: for a single peer, for a specified peer group, for all peers. Keychain and MD5 configurations of the same priority are mutually exclusive. Keychain authentication and MD5 authentication can be configured simultaneously for a specified LDP peer, for this LDP peer in a specified peer group, and for all LDP peers. The configuration with a higher priority takes effect. For example, if MD5 authentication is configured for Peer1 and then keychain authentication is configured for all LDP peers, MD5 authentication takes effect on Peer1.
The session is not re-established if the passwords on both ends are the same. If the interval between password settings on both ends exceeds the session Keepalive time and the passwords become different, the session is disconnected due to a timeout, causing an LSP to be deleted.
Note that the peers of an LDP session can be configured with different authentication modes (simple text or ciphertext), but must be configured with a single password.
After the md5-password peer-group command is run, MD5 authentication takes effect on a specified LDP peer group. If MD5 authentication fails, an LDP session fails to be established.
MD5 encryption algorithm cannot ensure security. Keychain authentication is recommended.
Before a peer group is referenced, create it. By default, a nonexistent peer group cannot be specified in this command. If the route-policy nonexistent-config-check disable command is run in the system view and a nonexistent peer group is specified in this command, a local device performs MD5 authentication for each LDP session connected to each LDP peer.