The ipsec sa command globally specifies a security association (SA) using which interfaces authenticate sent and received Multicast Listener Discovery (MLD) messages, including MLD Report, MLD Done, and MLD Query messages, to implement IP Security (IPsec) authentication.
The undo ipsec sa command restores the default configuration.
By default, no SA is specified globally, so that interfaces do not authenticate sent or received MLD messages.
| Parameter | Description | Value |
|---|---|---|
| sa-name |
Specifies the name of an SA. |
It is a string of 1 to 15 case-sensitive characters, spaces not supported. The characters can be letters or numbers, hyphens (-) not supported. When double quotation marks are used around the string, spaces are allowed in the string. |
Usage Scenario
On a multicast network, forged MLD messages may be used to attack devices, causing devices unable to forward multicast traffic. To protect a device against attacks launched using forged MLD messages, run the ipsec sa command to configure the device to authenticate the sent and received MLD messages based on a specified SA.
Prerequisites
Precautions
If the query ipsec sa command is run more than once, the latest configuration overrides the previous one. If the query ipsec sa and ipsec sa commands are both configured, the command configured later overrides the command configured earlier.
The function of this command is the same as that of the mld ipsec sa command used in the interface view. The configuration in the MLD view is used only when the configuration in the interface view is not available.