The ipsec sa command globally specifies the security association (SA) that interfaces use to authenticate sent and received IPv6 PIM messages, implementing IPv6 PIM IP Security (IPsec) authentication.
The undo ipsec sa command restores the default configuration.
By default, no SA is specified globally, so interfaces do not authenticate sent or received IPv6 PIM messages.
Parameter | Description | Value |
---|---|---|
sa-name | Specifies the name of an SA. | It is a string of 1 to 15 case-sensitive characters, spaces not supported. The characters can be letters or numbers, hyphens (-) not supported. When double quotation marks are used around the string, spaces are allowed in the string. |
Usage Scenario
On a multicast network, forged IPv6 PIM messages may be used to attack devices, leaving them unable to forward multicast traffic. To protect a device against attacks launched using forged IPv6 PIM messages, run the ipsec sa command to configure the device to authenticate sent and received IPv6 PIM messages based on a specified SA.
Prerequisites
Precautions
If the ipsec sa command is run more than once, the latest configuration overrides the previous one. If the ipsec sa and hello ipsec sa commands are both configured, the command configured later overrides the command configured earlier.