The hello ipsec sa command globally specifies the security association (SA) that interfaces use to authenticate sent and received IPv6 PIM Hello messages with IP Security (IPsec).
The undo hello ipsec sa command restores the default configuration.
By default, no SA is specified globally, so a device does not authenticate sent or received IPv6 PIM Hello messages.
Parameter | Description | Value |
---|---|---|
sa-name | Specifies the name of an SA. | The value is a string of 1 to 15 case-sensitive characters without spaces. The characters can be letters or numbers; hyphens (-) are not supported. If the string is enclosed in double quotation marks, it can contain spaces. |
Usage Scenario
On a multicast network, forged IPv6 PIM Hello messages may be used to attack devices, leaving them unable to forward multicast traffic. To protect a device against attacks launched using forged IPv6 PIM Hello messages, run the hello ipsec sa command to configure the device to authenticate sent and received IPv6 PIM Hello messages based on a specified SA.
Some non-Huawei devices can encrypt and authenticate only IPv6 PIM Hello messages. Therefore, the hello ipsec sa command configuration allows a Huawei device to perform IPsec authentication only for IPv6 PIM Hello messages.
Prerequisites
Precautions
If the hello ipsec sa command is run more than once, the latest configuration overrides the previous one. If the hello ipsec sa and ipsec sa commands are both configured, the command configured later overrides the command configured earlier.
The function of this command is the same as the function of the pim ipv6 hello ipsec sa command in the interface view. The configuration in the interface view takes precedence over the configuration in the IPv6 PIM view. The configuration in the IPv6 PIM view is used only when the configuration in the interface view is not available.
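The override and precedence rules in the Precautions above, worked through as an added audit sketch (not Huawei code): given the commands in the order they were entered, it reports which SA each interface ends up using for Hello authentication and which interfaces are left at the unauthenticated default. The `pim-ipv6` view label, the interface names and the SA names are constructed for the example, and undo commands are not modelled.

```python
PIM_VIEW = "pim-ipv6"  # label used here for the IPv6 PIM view (assumption)

def split_sa(line, prefix):
    """Return the SA name if line is '<prefix> <sa-name>', else None."""
    if line.startswith(prefix + " "):
        return line[len(prefix) + 1:].strip().strip('"') or None
    return None

def resolve_hello_sa(commands, interfaces):
    """Map each interface to (sa_name, source) after applying commands in order."""
    global_cfg = None  # last SA command entered in the IPv6 PIM view
    local_cfg = {}     # interface name -> SA set in that interface view
    for view, line in commands:
        line = " ".join(line.split())  # normalise whitespace
        if view == PIM_VIEW:
            # hello ipsec sa and ipsec sa override each other: the later one wins.
            for cmd in ("hello ipsec sa", "ipsec sa"):
                sa = split_sa(line, cmd)
                if sa:
                    global_cfg = (sa, "IPv6 PIM view: " + cmd)
                    break
        else:
            sa = split_sa(line, "pim ipv6 hello ipsec sa")
            if sa:
                local_cfg[view] = (sa, "interface view")  # rerun overrides earlier
    default = (None, "default: Hello messages not authenticated")
    # The interface view takes precedence; the IPv6 PIM view is the fallback.
    return {i: local_cfg.get(i) or global_cfg or default for i in interfaces}

def unauthenticated(resolved):
    """Interfaces that would send and accept unauthenticated Hello messages."""
    return sorted(i for i, (sa, _) in resolved.items() if sa is None)

# Constructed sample: commands in the order an operator entered them.
SAMPLE_COMMANDS = [
    (PIM_VIEW, "ipsec sa sa1"),
    (PIM_VIEW, "hello ipsec sa sa2"),            # overrides ipsec sa sa1
    ("GE0/1/0", "pim ipv6 hello ipsec sa sa3"),  # interface-level setting
    (PIM_VIEW, "hello ipsec sa sa4"),            # overrides hello ipsec sa sa2
]
SAMPLE_INTERFACES = ["GE0/1/0", "GE0/1/1"]

if __name__ == "__main__":
    for name, (sa, source) in resolve_hello_sa(SAMPLE_COMMANDS, SAMPLE_INTERFACES).items():
        print(name, sa, source)
```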