md5-password peer-group

Function

The md5-password peer-group command enables LDP MD5 authentication in a batch for a specified LDP peer group.

The undo md5-password peer-group command disables LDP MD5 authentication in a batch for a specified LDP peer group.

By default, MD5 authentication in a batch is disabled for all peer groups.

Format

md5-password plain peer-group ip-prefix-name password

md5-password cipher peer-group ip-prefix-name password-cipher

undo md5-password peer-group

Parameters

Parameter: ip-prefix-name
Description: Specifies the name of an IP prefix list. The IP prefix list name is configured using the ip ip-prefix command.
Value: The value is a string of 1 to 169 case-sensitive characters. It cannot contain spaces. The string can contain spaces if it is enclosed with double quotation marks (").

Parameter: password
Description: Specifies an authentication password.

  • The new password is at least eight characters long and contains at least two of the following types: upper-case letters, lower-case letters, digits, and special characters.
  • For security purposes, you are advised to configure a password in ciphertext mode. To further improve device security, periodically change the password.

Value: A password must not contain spaces. A simple text password is a string of 1 to 255 characters. A ciphertext password is a string of 1 to 255 characters. An MD5 ciphertext password is 20 bits to 432 bits long. The string can contain spaces if it is enclosed with double quotation marks (").

Parameter: cipher
Description: Indicates a ciphertext password.
Value: -

Parameter: password-cipher
Description: Specifies an authentication password.
Value: A password must not contain spaces. The string can contain spaces if it is enclosed with double quotation marks (").

Parameter: plain
Description: Indicates a simple text password. A simple text password is saved in simple text in a configuration file. This format poses risks. A ciphertext password is recommended. To improve device security, periodically modify the password.
Value: -

Views

MPLS-LDP-VPN instance view, MPLS-LDP view

Default Level

2: Configuration level

Task Name and Operations

Task Name: mpls-ldp
Operations: write

Usage Guidelines

Usage Scenario

MD5 authentication can be configured for a TCP connection over which an LDP session is established, improving security. LDP MD5 authentication generates a unique digest for an information segment to prevent LDP packets from being modified. LDP MD5 authentication is stricter than common checksum verification for TCP connections.

If a great number of LDP peers are configured, run the md5-password peer-group command to enable MD5 authentication in a batch for LDP peers in a specified peer group. An IP prefix list can be specified to define the range of IP addresses in a group.

Prerequisites

An IP prefix list has been configured using the ip ip-prefix command.

Configuration Impact

After the md5-password peer-group command is run, MD5 authentication takes effect on a specified LDP peer group. If MD5 authentication fails, an LDP session fails to be established.

Precautions

  • LDP authentication configurations are prioritized in descending order: for a single peer, for a specified peer group, for all peers. Keychain and MD5 configurations of the same priority are mutually exclusive. Keychain authentication and MD5 authentication can be configured simultaneously for a specified LDP peer, for this LDP peer in a specified peer group, and for all LDP peers. The configuration with a higher priority takes effect. For example, if MD5 authentication is configured for Peer1 and then keychain authentication is configured for all LDP peers, MD5 authentication takes effect on Peer1.
  • The session is not re-established if the passwords on both ends are the same. If the interval between password settings on both ends exceeds the session Keepalive time and the passwords become different, the sessions are disconnected due to a timeout, causing an LSP to be deleted.
  • The peers of an LDP session can be configured with different authentication modes (simple text or ciphertext), but must be configured with the same password.
  • The MD5 algorithm provides low security, which may pose security risks. Using more secure authentication is recommended.

Example

# Enable LDP MD5 authentication for LDP peers with IP addresses matching the IP prefix list named list1.
<HUAWEI> system-view
[~HUAWEI] ip ip-prefix list1 permit 4.4.4.4 32
[*HUAWEI] mpls
[*HUAWEI-mpls] quit
[*HUAWEI] mpls ldp
[*HUAWEI-mpls-ldp] md5-password cipher peer-group list1 Huawei-123
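
The following Python script is an added example, not Huawei code. It audits a saved configuration for the points this page raises: a peer-group password stored in simple text, a simple text password that misses the complexity rule in the Parameters section, a peer group that references an IP prefix list that was never configured, and LDP peers that no peer-group MD5 line covers. The function names, the sample configuration and the peer list are constructed; the script assumes unquoted names and passwords, evaluates only 32-bit permit entries like the one in the example above, and does not look at per-peer or all-peer authentication.

```python
import re

# Constructed sample of a saved configuration, using only command forms shown
# on this page. The peer-group line references list2, which is never defined.
SAMPLE_CONFIG = """\
ip ip-prefix list1 permit 4.4.4.4 32
mpls ldp
 md5-password plain peer-group list2 ldpsecret
"""

PREFIX_RE = re.compile(r"^ip ip-prefix (\S+) permit (\S+) (\d+)$")
MD5_RE = re.compile(r"^md5-password (plain|cipher) peer-group (\S+) (\S+)$")


def char_types(password):
    """Count the character types present: upper, lower, digit, special."""
    tests = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return sum(any(test(c) for c in password) for test in tests)


def audit(config, peers):
    """Return (findings, peers not covered by any peer-group MD5 line)."""
    hosts, groups, findings = {}, [], []
    for line in map(str.strip, config.splitlines()):
        if m := PREFIX_RE.match(line):
            entries = hosts.setdefault(m[1], set())
            if m[3] == "32":  # assumption: only host entries are evaluated
                entries.add(m[2])
        elif m := MD5_RE.match(line):
            groups.append(m.groups())
    covered = set()
    for mode, name, password in groups:
        if name not in hosts:
            findings.append(f"{name}: IP prefix list is not configured")
        covered |= hosts.get(name, set())
        if mode == "plain":
            findings.append(f"{name}: password saved in simple text")
            # Rule from the Parameters section: 8+ characters, 2+ types.
            if len(password) < 8 or char_types(password) < 2:
                findings.append(f"{name}: password fails the complexity rule")
    return findings, [p for p in peers if p not in covered]


if __name__ == "__main__":
    results, uncovered = audit(SAMPLE_CONFIG, ["4.4.4.4", "5.5.5.5"])
    print("\n".join(results))
    print("peers without peer-group MD5:", uncovered)
```
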
Copyright © Huawei Technologies Co., Ltd.