authentication tcp-ao

Function

The authentication tcp-ao command enables Label Distribution Protocol (LDP) TCP-AO authentication.

The undo authentication tcp-ao command disables LDP TCP-AO authentication.

By default, LDP TCP-AO authentication is not enabled. Configuring LDP TCP-AO authentication is recommended to improve device security.

Format

authentication tcp-ao peer peer-id name tcpao-name

undo authentication tcp-ao peer peer-id

Parameters

Parameter Description Value
name tcpao-name

Specifies the name of the referenced TCP-AO node. The TCP-AO node is created using the tcp ao command.

The value is a string of 1 to 47 characters. It cannot contain spaces.

peer peer-id

Specifies the ID of the peer that uses LDP TCP-AO authentication. The LDP peer ID is the peer's LSR ID, which is specified using the mpls lsr-id command.

The value is in dotted decimal notation.

Views

MPLS-LDP-VPN instance view, MPLS-LDP view

Default Level

2: Configuration level

Task Name and Operations

Task Name Operations
mpls-ldp write

Usage Guidelines

Usage Scenario

TCP-AO (the TCP Authentication Option) authenticates the segments sent and received during TCP session establishment and data exchange. Each segment carries a message authentication code, so tampered and replayed TCP segments are detected and discarded.

After configuring the TCP-AO node, specify in the MPLS LDP view the peer and the name of the TCP-AO node to be referenced. LDP sessions to that peer are then authenticated. Note that TCP-AO provides authentication and integrity protection only; it does not encrypt the LDP session. Different peers can reference the same TCP-AO node.

TCP-AO uses the keys configured in the keychain bound to the TCP-AO node, so keys can be rotated automatically according to the configured send and receive time windows. The configuration is more involved than MD5 authentication and is intended for networks with strict security requirements.

Before configuring LDP TCP-AO authentication, configure the TCP-AO node globally (tcp ao command) and bind a keychain to it.

Configuration Impact

After the authentication tcp-ao command is run, the referenced TCP-AO applies to a specified peer.

Precautions

  • For the same peer, the TCP-AO, MD5, and keychain authentication mechanisms are mutually exclusive. MD5 is a weak hash algorithm, and LDP MD5 authentication may bring security risks. Using a more secure mechanism such as TCP-AO is recommended.
  • Configuring LDP TCP-AO authentication may cause LDP session reestablishment.
  • When you run the authentication tcp-ao command, ensure that the specified TCP-AO exists.

Example

# Configure TCP-AO authentication for the peer with LSR ID 2.2.2.2, referencing the TCP-AO node named ao1.
<HUAWEI> system
[~HUAWEI] keychain kc1 mode absolute
[*HUAWEI-keychain-kc1] receive-tolerance 600
[*HUAWEI-keychain-kc1] key-id 1
[*HUAWEI-keychain-kc1-keyid-1] algorithm sha-256
[*HUAWEI-keychain-kc1-keyid-1] key-string cipher abc1
[*HUAWEI-keychain-kc1-keyid-1] send-time 00:00 2021-1-1 to 23:59 2022-2-1
[*HUAWEI-keychain-kc1-keyid-1] receive-time 00:00 2021-1-1 to 23:59 2022-2-1
[*HUAWEI-keychain-kc1-keyid-1] quit
[*HUAWEI-keychain-kc1] tcp ao ao1
[*HUAWEI-tcp-ao-ao1] binding keychain kc1
[*HUAWEI-tcp-ao-ao1] key-id 1
[*HUAWEI-tcp-ao-ao1-key-1] send-id 1 receive-id 1
[*HUAWEI-tcp-ao-ao1-key-1] quit
[*HUAWEI-tcp-ao-ao1] quit
[*HUAWEI] mpls
[*HUAWEI-mpls] mpls ldp
[*HUAWEI-mpls-ldp] authentication tcp-ao peer 2.2.2.2 name ao1
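The precautions above (the referenced TCP-AO node must exist, MD5 is weak, keys rotate on their send and receive windows) are easy to check against an exported configuration. The following script is an added example and is not Huawei code. It assumes the indented view layout of a configuration export; the peers, keychain and key values in SAMPLE_CONFIG are constructed for the example, and the check time is passed in so the result is deterministic.

```python
# Added example (not Huawei code): audit an exported configuration for the
# LDP TCP-AO precautions on this page. The indented view layout and all
# peers, keychain and key values below are constructed for the example.
import re
from datetime import datetime

SAMPLE_CONFIG = """\
keychain kc1 mode absolute
 receive-tolerance 600
 key-id 1
  algorithm sha-256
  key-string cipher abc1
  send-time 00:00 2021-1-1 to 23:59 2022-2-1
  receive-time 00:00 2021-1-1 to 23:59 2022-2-1
 key-id 2
  algorithm md5
  key-string cipher abc2
  send-time 00:00 2022-2-1 to 23:59 2030-1-1
  receive-time 00:00 2022-2-1 to 23:59 2030-1-1
tcp ao ao1
 binding keychain kc1
 key-id 1
  send-id 1 receive-id 1
 key-id 2
  send-id 2 receive-id 2
tcp ao ao2
mpls
mpls ldp
 authentication tcp-ao peer 2.2.2.2 name ao1
 authentication tcp-ao peer 3.3.3.3 name ao2
 authentication tcp-ao peer 4.4.4.4 name ao-missing
"""

TIME_RE = re.compile(r"(send|receive)-time (\d\d:\d\d) (\S+) to (\d\d:\d\d) (\S+)$")
WEAK_ALGORITHMS = {"md5"}  # flagged per the precaution on this page


def _ts(hhmm, ymd):
    return datetime.strptime(f"{ymd} {hhmm}", "%Y-%m-%d %H:%M")


def parse_config(text):
    """Return (keychains, tcp_ao_nodes, ldp_peers) parsed from the config text."""
    keychains, ao_nodes, peers = {}, {}, {}
    view, key = None, None  # current config view and current key-id entry
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"keychain (\S+) mode (\S+)$", line):
            keychains[m[1]] = {"mode": m[2], "keys": {}}
            view, key = ("keychain", keychains[m[1]]), None
        elif m := re.match(r"tcp ao (\S+)$", line):
            ao_nodes[m[1]] = {"keychain": None, "keys": {}}
            view, key = ("ao", ao_nodes[m[1]]), None
        elif line == "mpls ldp":
            view, key = ("ldp", peers), None
        elif view is None:
            continue
        elif view[0] != "ldp" and (m := re.match(r"key-id (\d+)$", line)):
            key = view[1]["keys"].setdefault(int(m[1]), {})
        elif view[0] == "keychain":
            if key is not None and (m := re.match(r"algorithm (\S+)$", line)):
                key["algorithm"] = m[1]
            elif key is not None and (m := TIME_RE.match(line)):
                key[m[1]] = (_ts(m[2], m[3]), _ts(m[4], m[5]))
        elif view[0] == "ao":
            if m := re.match(r"binding keychain (\S+)$", line):
                view[1]["keychain"] = m[1]
            elif key is not None and (m := re.match(r"send-id (\d+) receive-id (\d+)$", line)):
                key["send_id"], key["receive_id"] = int(m[1]), int(m[2])
        elif m := re.match(r"authentication tcp-ao peer (\S+) name (\S+)$", line):
            view[1][m[1]] = m[2]
    return keychains, ao_nodes, peers


def audit(text, now):
    """Return a list of (peer, finding) pairs; now is a datetime or ISO 8601 string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    keychains, ao_nodes, peers = parse_config(text)
    findings = []
    for peer, ao_name in sorted(peers.items()):
        ao = ao_nodes.get(ao_name)
        if ao is None:  # precaution: the referenced TCP-AO node must exist
            findings.append((peer, f"TCP-AO node {ao_name} does not exist"))
            continue
        kc = keychains.get(ao["keychain"] or "")
        if kc is None:  # the node carries no keys until a keychain is bound
            findings.append((peer, f"TCP-AO node {ao_name} has no bound keychain"))
            continue
        active = False
        for kid in sorted(ao["keys"]):
            k = kc["keys"].get(kid)
            if k is None:
                findings.append((peer, f"key-id {kid} of {ao_name} is not in keychain {ao['keychain']}"))
                continue
            if k.get("algorithm") in WEAK_ALGORITHMS:
                findings.append((peer, f"key-id {kid} uses weak algorithm {k['algorithm']}"))
            send, recv = k.get("send"), k.get("receive")
            # a key is usable only while both its send and receive windows are open
            if send and recv and send[0] <= now <= send[1] and recv[0] <= now <= recv[1]:
                active = True
        if not active:  # every key has expired or none has started: the session will fail
            findings.append((peer, f"no key of {ao_name} is active at {now:%Y-%m-%d %H:%M}"))
    return findings


if __name__ == "__main__":
    for peer, finding in audit(SAMPLE_CONFIG, datetime.now()):
        print(f"{peer}: {finding}")
```

Run it against the output of your configuration export with the current time to catch a dangling name reference before the LDP session is torn down, and with a date near the end of the newest key's send-time window to see which peers will lose authentication when that key expires.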
Copyright © Huawei Technologies Co., Ltd.