The ipsec unicast-message sa command globally specifies the security association (SA) that interfaces use to authenticate sent and received IPv4/IPv6 PIM unicast messages, implementing IPv4/IPv6 PIM IPsec authentication.
The undo ipsec unicast-message sa command restores the default configuration.
By default, no SA is specified globally, so interfaces do not authenticate sent or received IPv4/IPv6 PIM unicast messages.
Parameter | Description | Value |
---|---|---|
sa-name | Specifies the name of an SA. | The value is a string of 1 to 15 case-sensitive characters and cannot contain spaces. The characters can be letters or numbers; hyphens (-) are not supported. When double quotation marks are used around the string, spaces are allowed in the string. |
Usage Scenario
On a multicast network, forged IPv6 PIM messages may be used to attack devices, leaving them unable to forward multicast traffic. To protect a device against attacks that use forged IPv6 PIM messages, run the ipsec sa command to configure the device to authenticate sent and received IPv6 PIM messages based on a specified SA.
On a multicast network, forged IPv4 PIM messages may be used to attack devices, leaving them unable to forward multicast traffic. To protect a device against attacks that use forged IPv4 PIM messages, run the ipsec sa command to configure the device to authenticate sent and received IPv4 PIM messages based on a specified SA.
Prerequisites
Basic IPsec functions have been configured.
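An audit check for the default described above (no SA specified, so unicast PIM messages go unauthenticated), as an added example that is not part of the original command reference. It assumes a saved configuration in which `pim` and `pim-ipv6` open the IPv4 and IPv6 PIM views, view commands are indented, and `#` separates views; the sample configuration is constructed.

```python
import re

# Assumption: these unindented header lines open the IPv4 / IPv6 PIM views.
PIM_VIEWS = {"pim": "IPv4", "pim-ipv6": "IPv6"}
CMD = re.compile(r'^ipsec unicast-message sa (?:"([^"]*)"|(\S+))$')


def valid_sa_name(name, quoted):
    """Apply the sa-name rule from the parameter table.

    Assumption: the 1-15 length is counted without the surrounding quotes.
    """
    if not 1 <= len(name) <= 15:
        return False
    allowed = r"[A-Za-z0-9 ]+" if quoted else r"[A-Za-z0-9]+"
    return re.fullmatch(allowed, name) is not None


def audit(config):
    """Return {address family: finding} for every PIM view in the config text."""
    findings, view = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("#"):
            view = None           # blank line or '#' separator closes the view
            continue
        if not raw[0].isspace():  # unindented line opens a new view
            view = PIM_VIEWS.get(raw.strip())
            if view:
                findings[view] = "no SA: unicast PIM messages unauthenticated"
            continue
        m = CMD.match(raw.strip())
        if view and m:
            quoted = m.group(1) is not None
            name = m.group(1) if quoted else m.group(2)
            ok = valid_sa_name(name, quoted)
            findings[view] = f"SA {name!r}" if ok else f"invalid sa-name {name!r}"
    return findings


# Constructed sample configuration (not taken from a real device).
SAMPLE = "#\npim\n ipsec unicast-message sa sa1\n#\npim-ipv6\n#\n"

if __name__ == "__main__":
    for family, finding in audit(SAMPLE).items():
        print(f"{family} PIM: {finding}")
```

A PIM view reported with "no SA" is one where forged unicast PIM messages would be accepted without authentication.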