dhcp server database authentication-mode

Function

The dhcp server database authentication-mode command configures the integrity authentication mode for the lease.txt and conflict.txt files.

The undo dhcp server database authentication-mode command restores the integrity authentication mode of the lease.txt and conflict.txt files to check.

By default, the file integrity authentication mode is check.

Format

dhcp server database authentication-mode { check | no-check | force-check }

undo dhcp server database authentication-mode [ check | no-check | force-check ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| check | Indicates that the authentication mode is check. If the file is a historical version file that does not carry the file integrity authentication code, the data is directly restored. If the file is a new version file that carries the file integrity authentication code, the file integrity authentication is performed before the data is restored. | - |
| no-check | Indicates that the file integrity authentication is not performed and data is directly restored. | - |
| force-check | Indicates that the authentication mode is force-check. If the file is a historical version file that does not carry the file integrity authentication code, the data is not restored. If the file is a new version file that carries the file integrity authentication code, the file integrity authentication is performed before the data is restored. | - |

Views

System view

Default Level

2: Configuration level

Task Name and Operations

| Task Name | Operations |
|---|---|
| dhcp | write |

Usage Guidelines

Usage Scenario

To prevent data loss caused by device faults, you can enable the DHCPv4 address pool data saving and restoration functions. The system generates the lease.txt and conflict.txt files in the dhcp folder to save normal address lease information and address conflict information, respectively. To prevent the lease.txt and conflict.txt files from being tampered with, an encrypted file integrity authentication code is added to each file.

After the device is restarted, the system decrypts the file integrity authentication code and uses it to verify the integrity of each file before restoring the address lease information and address conflict information from it. If the verification is successful, the data is restored. If the verification fails, the data is discarded and a log is recorded.

  • If you need to manually modify the file content, run the dhcp server database authentication-mode no-check command to set the file integrity authentication mode to no-check before the restart.
  • The root keys for decrypting and encrypting the file integrity authentication code must be the same. If the root keys are different, the decryption fails. The root keys of different devices are different. If you need to use the backup files generated on other devices to restore data, run the dhcp server database authentication-mode no-check command to set the file integrity authentication mode to no-check before the restart.
  • For compatibility with earlier versions, a device that is restarted can restore data from a historical version file that does not carry the file integrity authentication code. To prevent data tampering based on historical version files, you can run the dhcp server database authentication-mode force-check command to set the file integrity authentication mode to force-check before the restart.

Precautions

  • After the dhcp server database authentication-mode force-check command is run, historical version files that do not carry the file integrity authentication code cannot be restored. Therefore, exercise caution when running this command.
  • If the lease.txt file fails to be verified, it is renamed lease.txt.fail and saved.
  • If the conflict.txt file fails to be verified, it is renamed conflict.txt.fail and saved.
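
The restore decision for the three modes, modeled as an added example (not Huawei code and not the device's file format). It assumes an HMAC-SHA256 trailer line in place of the encrypted authentication code; `seal`, `split_tag`, `restore_decision`, the `#integrity:` prefix, the key and the lease record are all hypothetical.

```python
import hashlib
import hmac

# Assumption: a trailing "#integrity:<hex>" line stands in for the device's
# encrypted authentication code; the real lease.txt layout is not documented here.
TAG_PREFIX = b"#integrity:"
ROOT_KEY = b"constructed-root-key-device-A"            # constructed sample key
LEASES = b"10.0.0.5 00e0-fc12-3456 86400\n"            # constructed sample record


def _mac(body: bytes, key: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).hexdigest().encode()


def seal(body: bytes, key: bytes) -> bytes:
    """Append the integrity line, as a new-version file would carry it."""
    return body + TAG_PREFIX + _mac(body, key) + b"\n"


def split_tag(data: bytes):
    """Return (body, tag); tag is None for a historical file without a code."""
    head, sep, last = data.rstrip(b"\n").rpartition(b"\n")
    if last.startswith(TAG_PREFIX):
        return head + sep, last[len(TAG_PREFIX):]
    return data, None


def restore_decision(mode: str, data: bytes, key: bytes) -> str:
    """Return 'restore' or 'discard' for check, no-check and force-check."""
    if mode not in ("check", "no-check", "force-check"):
        raise ValueError(f"unknown mode: {mode}")
    if mode == "no-check":
        return "restore"                    # data restored without verification
    body, tag = split_tag(data)
    if tag is None:                         # historical file: no code to verify
        return "restore" if mode == "check" else "discard"
    # Code present: verify first; on failure the device discards the data,
    # records a log and renames the file to <name>.fail.
    return "restore" if hmac.compare_digest(tag, _mac(body, key)) else "discard"


if __name__ == "__main__":
    sealed = seal(LEASES, ROOT_KEY)
    cases = {"intact": sealed, "edited": sealed.replace(b"10.0.0.5", b"10.0.0.9"),
             "code removed": LEASES}
    for name, data in cases.items():
        for mode in ("check", "no-check", "force-check"):
            print(f"{name:13} {mode:12} {restore_decision(mode, data, ROOT_KEY)}")
```

The "code removed" rows show the difference between check and force-check: a file without a code is restored as a historical version file under check and is not restored under force-check.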

Example

# Set the file integrity authentication mode to no-check.
<HUAWEI> system-view
[~HUAWEI] dhcp server database authentication-mode no-check
Copyright © Huawei Technologies Co., Ltd.