ipsec unicast-message sa

Function

The ipsec unicast-message sa command globally specifies the security association (SA) that interfaces use to authenticate sent and received unicast IPv6 PIM messages, implementing IPv6 PIM IP Security (IPsec) authentication.

The undo ipsec unicast-message sa command restores the default configuration.

By default, no SA is specified globally, so interfaces do not authenticate sent or received IPv6 PIM messages.

Format

ipsec unicast-message sa sa-name

undo ipsec unicast-message sa

Parameters

Parameter: sa-name

Description: Specifies the name of an SA.

Value: The value is a string of 1 to 15 case-sensitive characters without spaces. The characters can be letters or numbers; hyphens (-) are not supported. When double quotation marks are used around the string, spaces are allowed in the string.

Views

IPv6 PIM view, VPN instance IPv6 PIM view

Default Level

2: Configuration level

Task Name and Operations

Task Name: pim
Operations: write

Usage Guidelines

Usage Scenario

On a multicast network, forged IPv6 PIM messages may be used to attack devices, leaving them unable to forward multicast traffic. To protect a device against attacks launched using forged IPv6 PIM messages, run the ipsec sa command to configure the device to authenticate sent and received IPv6 PIM messages based on a specified SA.

Prerequisites

  • Multicast has been enabled using the multicast ipv6 routing-enable command.
  • Basic IPsec functions have been configured.

Example

# Globally configure interfaces to authenticate sent and received IPv6 PIM messages based on the SA named sa1.
<HUAWEI> system-view
[~HUAWEI] multicast ipv6 routing-enable
[*HUAWEI] ipsec sa sa1
[*HUAWEI-ipsec-sa-sa1] quit
[*HUAWEI] pim-ipv6
[*HUAWEI-pim6] ipsec unicast-message sa sa1
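
The following offline audit is an added example, not Huawei code: it checks a configuration text for the prerequisites and the SA reference described above. The function name, the sample configurations (including the `pim-ipv6 vpn-instance vpn1` header) and the assumed layout (top-level commands unindented, view commands indented) are constructed for illustration.

```python
import re

# sa-name rule from the Parameters section: 1 to 15 letters or numbers.
# The double-quoted form that allows spaces is not handled here.
SA_NAME = re.compile(r"[A-Za-z0-9]{1,15}")
CMD = "ipsec unicast-message sa"

def audit_pim6_unicast_ipsec(config):
    """Return a list of findings for one configuration text (empty = pass)."""
    has_mcast, defined_sas, pim_views, view = False, set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():            # top-level command closes any open view
            view = None
            if line == "multicast ipv6 routing-enable":
                has_mcast = True
            elif m := re.fullmatch(r"ipsec sa (\S+)", line):
                defined_sas.add(m.group(1))
            elif line.startswith("pim-ipv6"):
                view = line                 # public or VPN instance IPv6 PIM view
                pim_views[view] = None
        elif view and line.startswith(CMD):
            pim_views[view] = line[len(CMD):].strip()

    findings = []
    if not has_mcast:
        findings.append("prerequisite missing: multicast ipv6 routing-enable")
    for name, sa in pim_views.items():
        if sa is None:
            findings.append(f"{name}: no SA specified, unicast IPv6 PIM messages are not authenticated")
        elif not SA_NAME.fullmatch(sa):
            findings.append(f"{name}: missing or invalid sa-name {sa!r}")
        elif sa not in defined_sas:
            findings.append(f"{name}: SA {sa!r} has no matching 'ipsec sa' definition")
    return findings

# Constructed sample configurations (not taken from a real device).
GOOD = "multicast ipv6 routing-enable\n#\nipsec sa sa1\n#\npim-ipv6\n ipsec unicast-message sa sa1\n#\n"
BAD = ("ipsec sa sa1\n#\npim-ipv6\n ipsec unicast-message sa\n#\n"
       "pim-ipv6 vpn-instance vpn1\n ipsec unicast-message sa sa2\n#\n")

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_pim6_unicast_ipsec(cfg) or "pass")
```
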
Copyright © Huawei Technologies Co., Ltd.