authentication key-chain (MPLS LDP)

Function

The authentication key-chain all command enables keychain authentication in a batch for all LDP peers.

The undo authentication key-chain all command disables keychain authentication in a batch for all LDP peers.

The authentication key-chain peer-group command enables keychain authentication in a batch for a specified LDP peer group.

The undo authentication key-chain peer-group command disables keychain authentication in a batch for a specified LDP peer group.

By default, LDP keychain authentication is not enabled. Configuring LDP keychain authentication is recommended to improve device security.

Format

authentication key-chain { all | peer-group ip-prefix-name } name keychain-name

undo authentication key-chain { all | peer-group }

Parameters

Parameter: ip-prefix-name
Description: Specifies the name of an IP prefix list that defines the range of peer IP addresses in the group. The IP prefix list is configured using the ip ip-prefix command.
Value: A string of 1 to 169 case-sensitive characters. It cannot contain spaces unless the whole string is enclosed in double quotation marks (").

Parameter: name keychain-name
Description: Specifies the name of the keychain to apply. The keychain is configured using the keychain command.
Value: A string of 1 to 47 case-insensitive characters. It cannot contain question marks, and it cannot contain spaces unless the whole string is enclosed in double quotation marks (").

Views

MPLS-LDP-VPN instance view, MPLS-LDP view

Default Level

2: Configuration level

Task Name and Operations

Task Name Operations
mpls-ldp write

Usage Guidelines

Usage Scenario

To help improve LDP session security, keychain authentication can be configured for the TCP connection over which an LDP session is established. If a large number of LDP peers are configured, run the authentication key-chain peer-group command to enable keychain authentication in a batch for the LDP peers in a specified peer group; the IP prefix list named in the command defines the range of peer IP addresses that belong to the group. Alternatively, run the authentication key-chain all command to enable keychain authentication in a batch for all LDP peers.

Prerequisites

The following steps have been performed:

  • A keychain has been configured using the keychain command.
  • For the peer-group form: an IP prefix list has been configured using the ip ip-prefix command, and the peer group has been created using the peer group command.

Configuration Impact

After the authentication key-chain peer-group command is run, the referenced keychain authentication is applied to every peer whose IP address matches the specified IP prefix list; after the authentication key-chain all command is run, it is applied to all LDP peers. If keychain authentication fails with a peer, the LDP session with that peer cannot be established.

Precautions

  • LDP authentication configurations are prioritized in descending order: configuration for a single peer takes precedence over configuration for a peer group, which takes precedence over configuration for all peers.
  • Configuring or changing LDP keychain authentication causes the affected LDP sessions to be re-established.
  • When you run the authentication key-chain all command, the specified keychain must already exist. If a keychain that is referenced by this command is later deleted, the established sessions may be interrupted. Therefore, exercise caution when running this command.

Example

# Configure LDP keychain authentication for all LDP peers and use the keychain named kc1.
<HUAWEI> system-view
[~HUAWEI] keychain kc1 mode absolute
[*HUAWEI-keychain-kc1] key-id 1
[*HUAWEI-keychain-kc1-keyid-1] algorithm sha-1
[*HUAWEI-keychain-kc1-keyid-1] key-string abcDEF-13579
[*HUAWEI-keychain-kc1-keyid-1] send-time 14:30 2008-10-10 to 14:50 2008-10-10
[*HUAWEI-keychain-kc1-keyid-1] receive-time 14:40 2008-10-10 to 14:50 2008-10-10
[*HUAWEI-keychain-kc1-keyid-1] default send-key-id
[*HUAWEI-keychain-kc1-keyid-1] quit
[*HUAWEI-keychain-kc1] quit
[*HUAWEI] mpls ldp
[*HUAWEI-mpls-ldp] authentication key-chain all name kc1
# Enable LDP keychain authentication for LDP peers with IP addresses matching the IP prefix list named list1 in a specified peer group and use a keychain named kc1.
<HUAWEI> system-view
[~HUAWEI] keychain kc1 mode absolute
[*HUAWEI-keychain-kc1] key-id 1
[*HUAWEI-keychain-kc1-keyid-1] algorithm sha-1
[*HUAWEI-keychain-kc1-keyid-1] key-string abcDEF-13579
[*HUAWEI-keychain-kc1-keyid-1] send-time 14:30 2008-10-10 to 14:50 2008-10-10
[*HUAWEI-keychain-kc1-keyid-1] receive-time 14:40 2008-10-10 to 14:50 2008-10-10
[*HUAWEI-keychain-kc1-keyid-1] default send-key-id
[*HUAWEI-keychain-kc1-keyid-1] quit
[*HUAWEI-keychain-kc1] quit
[*HUAWEI] ip ip-prefix list1 permit 4.4.4.4 32
[*HUAWEI] mpls
[*HUAWEI-mpls] quit
[*HUAWEI] mpls ldp
[*HUAWEI-mpls-ldp] authentication key-chain peer-group list1 name kc1
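The keychain in the examples above has a send window of 14:30 to 14:50 but a receive window of only 14:40 to 14:50. If the same keychain is loaded on both ends of a session, packets signed with key-id 1 between 14:30 and 14:40 arrive before the receiver's window opens, and the session cannot be established (see Configuration Impact). The following script is an added example, not Huawei code: it models absolute-mode send-time and receive-time windows and reports every interval in which the sender would sign with a key the receiver does not accept. It assumes that a key is used for sending only inside its send window, accepted only inside its receive window, and that when several keys are sendable the one whose send window started most recently is used; those are modelling assumptions, not a statement of the device's implementation. The key data below is constructed from the windows on this page plus a two-key rollover variant.

```python
"""Check that keychain send/receive windows line up between two LDP peers,
so that a key rollover leaves no interval in which the sender signs with a
key the receiver will not accept. Added example, not Huawei code.
Assumptions: a key is sent only inside its send window and accepted only
inside its receive window (absolute mode); when several keys are sendable
the one whose send window started most recently is used."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

FMT = "%H:%M %Y-%m-%d"  # the "14:30 2008-10-10" form used in the CLI example
Window = Tuple[datetime, datetime]  # (start, end), both inclusive


@dataclass(frozen=True)
class Key:
    key_id: int
    send: Window  # send-time window
    recv: Window  # receive-time window


def window(spec: str) -> Window:
    """Parse 'HH:MM YYYY-MM-DD to HH:MM YYYY-MM-DD' into a datetime pair."""
    start, end = (datetime.strptime(s.strip(), FMT) for s in spec.split(" to "))
    if end < start:
        raise ValueError(f"window ends before it starts: {spec}")
    return start, end


def _within(win: Window, t: datetime) -> bool:
    return win[0] <= t <= win[1]


def send_key(keys: List[Key], t: datetime) -> Optional[Key]:
    """Key the sender signs with at time t (assumption: newest sendable key)."""
    sendable = [k for k in keys if _within(k.send, t)]
    return max(sendable, key=lambda k: k.send[0]) if sendable else None


def accepted(keys: List[Key], key_id: int, t: datetime) -> bool:
    """True if the receiver accepts key_id at time t."""
    return any(k.key_id == key_id and _within(k.recv, t) for k in keys)


def find_gaps(sender: List[Key], receiver: List[Key], start: datetime,
              end: datetime, step: timedelta = timedelta(minutes=1)):
    """Sample every `step` in [start, end]; return [(first_bad, last_bad), ...]
    intervals where no key is sendable or the sent key is not accepted."""
    gaps: List[Tuple[datetime, datetime]] = []
    t = start
    while t <= end:
        k = send_key(sender, t)
        if k is None or not accepted(receiver, k.key_id, t):
            if gaps and gaps[-1][1] == t - step:      # extend the open interval
                gaps[-1] = (gaps[-1][0], t)
            else:
                gaps.append((t, t))
        t += step
    return gaps


def check_symmetric(keys: List[Key], start_spec: str, end_spec: str):
    """Gaps when the same keychain is loaded on both peers (the usual case)."""
    return find_gaps(keys, keys, datetime.strptime(start_spec, FMT),
                     datetime.strptime(end_spec, FMT))


# Constructed sample 1: the kc1 windows from this page's CLI example.
PAGE_KC1 = [Key(1, window("14:30 2008-10-10 to 14:50 2008-10-10"),
                window("14:40 2008-10-10 to 14:50 2008-10-10"))]

# Constructed sample 2: two-key rollover. Each receive window overlaps the
# neighbouring key's send window, so clock skew between peers is tolerated.
ROLLOVER = [
    Key(1, window("14:30 2008-10-10 to 14:50 2008-10-10"),
           window("14:30 2008-10-10 to 14:55 2008-10-10")),
    Key(2, window("14:50 2008-10-10 to 15:10 2008-10-10"),
           window("14:45 2008-10-10 to 15:10 2008-10-10")),
]

if __name__ == "__main__":
    for name, keys, span in (("page kc1", PAGE_KC1, ("14:30 2008-10-10", "14:50 2008-10-10")),
                             ("rollover", ROLLOVER, ("14:30 2008-10-10", "15:10 2008-10-10"))):
        gaps = check_symmetric(keys, *span)
        print(name, "OK" if not gaps else [(a.strftime("%H:%M"), b.strftime("%H:%M")) for a, b in gaps])
```

Run it before pushing a keychain change to both ends of an LDP session: a non-empty gap list means the session will fail for that interval (or flap, given that a keychain change already re-establishes sessions). The rollover sample shows the shape that avoids this: the receive window of each key starts before, and ends after, the send window of the key it replaces or is replaced by.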
Copyright © Huawei Technologies Co., Ltd.