peer tcp-ao

Function

The peer tcp-ao command applies a TCP Authentication Option (TCP-AO) policy to a Multicast Source Discovery Protocol (MSDP) peer, so that TCP-AO authenticates both the TCP connection setup with that peer and every MSDP message exchanged over the connection.

The undo peer tcp-ao command cancels TCP-AO authentication for an MSDP peer.

By default, TCP-AO authentication is not configured for an MSDP peer. Configuring TCP-AO authentication is recommended to improve system security.

Format

peer peer-address tcp-ao tcpAoName

undo peer peer-address tcp-ao [ tcpAoName ]

Parameters

Parameter Description Value
peer-address

Specifies the address of an MSDP peer.

The value is in dotted decimal notation.

tcpAoName

Specifies the name of the TCP-AO policy to apply to the peer.

The value must be the tcpAoName of a policy already created with the tcp ao command. The value is a string of 1 to 47 characters.

Views

VPN instance MSDP view, MSDP view of a public network instance

Default Level

2: Configuration level

Task Name and Operations

Task Name Operations
msdp write

Usage Guidelines

Usage Scenario

To improve system security, run the peer tcp-ao command to apply a TCP-AO policy to an MSDP peer, so that TCP-AO authenticates TCP connection setup and MSDP message exchange with that peer. TCP-AO (RFC 5925) provides stronger peer authentication than the legacy TCP MD5 signature option (RFC 2385): it supports modern MAC algorithms and key rollover through key IDs instead of a single static MD5 password.

Prerequisites

  • The multicast routing function has been enabled using the multicast routing-enable command in the public network instance view or VPN instance view.
  • MSDP peers have been configured.
  • A TCP-AO policy with the name referenced in this command has been created using the tcp ao command and bound to a keychain. Otherwise, a TCP connection cannot be set up.

Configuration Impact

If the peer tcp-ao command is run more than once, the latest configuration overrides the previous one.

Precautions

  • To use TCP-AO authentication, you must configure it on both MSDP peers with matching settings: the same authentication algorithm and key-string in the keychains bound to the two TCP-AO policies, and key IDs that cross-match (the send-id on one peer must equal the receive-id on the other). Otherwise, the MAC cannot be verified, a TCP connection cannot be set up, and MSDP messages cannot be transmitted.

  • MSDP MD5 authentication, MSDP keychain authentication and MSDP TCP-AO authentication are mutually exclusive on a peer. MD5 is a weak authentication algorithm and has known security risks. You are advised to use TCP-AO authentication instead.
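The following script is an added example and is not part of Huawei's documentation or software. It decodes the TCP option field of a segment captured from the MSDP peer (for example, from a packet capture on the connect interface) and reports whether the peer authenticates with TCP-AO (option kind 29, RFC 5925) or still with the legacy TCP MD5 option (kind 19, RFC 2385), and whether the TCP-AO KeyID and RNextKeyID correspond to the local receive-id and send-id configured under the tcp ao policy. The option bytes below are constructed for the example; the MAC length shown is a placeholder, since the real length depends on the algorithm bound to the key. The script checks identifiers only and does not recompute the MAC.

```python
"""Decode the TCP option field of a captured MSDP segment and check that the
peer authenticates it with TCP-AO (option kind 29, RFC 5925) rather than
TCP-MD5 (kind 19, RFC 2385), and that the AO key identifiers match the
send-id / receive-id configured under 'tcp ao'.  Added example; not Huawei
code.  All sample bytes below are constructed."""
import struct

TCP_OPT_EOL = 0   # end of option list
TCP_OPT_NOP = 1   # padding
TCP_OPT_MSS = 2
TCP_OPT_MD5 = 19  # RFC 2385 TCP MD5 signature option
TCP_OPT_AO = 29   # RFC 5925 TCP Authentication Option


def parse_tcp_options(options: bytes) -> list:
    """Walk a TCP options field and return [(kind, payload), ...].

    EOL and NOP are single-byte options without a payload; every other option
    is 'kind, length, payload', where length covers the two header bytes.
    Malformed lengths raise instead of being skipped, because a truncated or
    oversized option is exactly what a broken or hostile peer would send."""
    parsed = []
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option header truncated")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError(f"bad length {length} for option kind {kind}")
        parsed.append((kind, bytes(options[i + 2:i + length])))
        i += length
    return parsed


def decode_ao(payload: bytes) -> dict:
    """Split a TCP-AO payload into KeyID, RNextKeyID and the MAC bytes.
    The MAC length depends on the algorithm bound to the key, so it is
    whatever remains after the two one-byte identifiers."""
    if len(payload) < 2:
        raise ValueError("TCP-AO option shorter than KeyID + RNextKeyID")
    return {"key_id": payload[0], "rnext_key_id": payload[1], "mac": payload[2:]}


def check_inbound_segment(options: bytes, send_id: int, receive_id: int) -> dict:
    """Verdict for a segment RECEIVED from the MSDP peer.

    send_id / receive_id are the local 'send-id' / 'receive-id' values of the
    key-id under 'tcp ao'.  The peer's KeyID (the key it signed with) must
    equal our receive-id, and its RNextKeyID (the key it wants us to sign
    with) must equal our send-id; otherwise the MAC can never verify and the
    TCP session will not come up.  Identifiers only; the MAC is not recomputed
    (that needs the traffic key and the TCP pseudo-header)."""
    parsed = parse_tcp_options(options)
    kinds = {k for k, _ in parsed}
    verdict = {"ao": TCP_OPT_AO in kinds, "md5": TCP_OPT_MD5 in kinds, "problems": []}
    if verdict["ao"] and verdict["md5"]:
        verdict["problems"].append("both TCP-AO and TCP-MD5 present; they are mutually exclusive")
    elif verdict["md5"]:
        verdict["problems"].append("peer still uses TCP-MD5, not TCP-AO")
    elif not verdict["ao"]:
        verdict["problems"].append("segment carries no TCP authentication option")
    for kind, payload in parsed:
        if kind == TCP_OPT_AO:
            ao = decode_ao(payload)
            verdict["key_id"] = ao["key_id"]
            verdict["rnext_key_id"] = ao["rnext_key_id"]
            verdict["mac_len"] = len(ao["mac"])
            if ao["key_id"] != receive_id:
                verdict["problems"].append(
                    f"peer signed with KeyID {ao['key_id']} but local receive-id is {receive_id}")
            if ao["rnext_key_id"] != send_id:
                verdict["problems"].append(
                    f"peer expects KeyID {ao['rnext_key_id']} but local send-id is {send_id}")
    return verdict


def _opt(kind: int, payload: bytes) -> bytes:
    """Encode one 'kind, length, payload' TCP option."""
    return bytes([kind, 2 + len(payload)]) + payload


# Constructed sample option fields: MSS 1460, NOP padding, one auth option.
# The 12-byte MAC value is a placeholder; its real length is algorithm-dependent.
SAMPLE_AO_OPTIONS = (_opt(TCP_OPT_MSS, struct.pack("!H", 1460)) + b"\x01\x01"
                     + _opt(TCP_OPT_AO, bytes([1, 1]) + bytes(range(12))) + b"\x01\x01")
SAMPLE_MD5_OPTIONS = (_opt(TCP_OPT_MSS, struct.pack("!H", 1460)) + b"\x01\x01"
                      + _opt(TCP_OPT_MD5, bytes(16)))

if __name__ == "__main__":
    # Matches the configuration example on this page: key-id 1, send-id 1, receive-id 1.
    print(check_inbound_segment(SAMPLE_AO_OPTIONS, send_id=1, receive_id=1))
    print(check_inbound_segment(SAMPLE_MD5_OPTIONS, send_id=1, receive_id=1))
```

Feed the script the raw options bytes from the TCP header of a SYN or data segment received from the peer. An empty problems list with ao set confirms that the peer has actually switched to TCP-AO with cross-matching key IDs; a KeyID mismatch or a lingering MD5 option explains a TCP session that never reaches Established after the peer tcp-ao command is applied on only one side.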

Example

# In the public network instance, apply the TCP-AO policy named Huawei to the MSDP peer 1.1.1.2.
<HUAWEI> system-view
[~HUAWEI] keychain aaa mode absolute
[*HUAWEI-keychain-aaa] receive-tolerance 100
[*HUAWEI-keychain-aaa] key-id 1
[*HUAWEI-keychain-aaa-keyid-1] algorithm sha-256
[*HUAWEI-keychain-aaa-keyid-1] key-string cipher Huawei-13579
[*HUAWEI-keychain-aaa-keyid-1] send-time 01:00 2021-02-22 to 23:00 2022-02-23
[*HUAWEI-keychain-aaa-keyid-1] receive-time 01:00 2021-02-22 to 23:00 2022-02-23
[*HUAWEI-keychain-aaa-keyid-1] default send-key-id
[*HUAWEI-keychain-aaa-keyid-1] quit
[*HUAWEI-keychain-aaa] quit
[*HUAWEI] tcp ao Huawei
[*HUAWEI-tcp-ao-Huawei] binding keychain aaa
[*HUAWEI-tcp-ao-Huawei] key-id 1
[*HUAWEI-tcp-ao-Huawei-key-1] send-id 1 receive-id 1
[*HUAWEI-tcp-ao-Huawei-key-1] quit
[*HUAWEI-tcp-ao-Huawei] quit
[*HUAWEI] interface loopback1
[*HUAWEI-LoopBack1] quit
[*HUAWEI] multicast routing-enable
[*HUAWEI] msdp
[*HUAWEI-msdp] peer 1.1.1.2 connect-interface LoopBack 1
[*HUAWEI-msdp] peer 1.1.1.2 tcp-ao Huawei
[*HUAWEI-msdp] commit
Copyright © Huawei Technologies Co., Ltd.