Layer 3 Multicast

Security Policy Introduction

  • PIM neighbor filtering

    ACL rules can be configured on interfaces to filter received Hello packets. Neighbor relationships can be established only after the Hello packets pass the filtering.

    If a large number of malicious Hello packets exist, configure rules on interfaces so that the interfaces allow only specified Hello packets to pass through and discard malicious Hello packets.

  • PIM Join message filtering

    ACL rules can be configured on interfaces to filter received Join messages. This can prevent attacks initiated using malicious Join messages.

    If a large number of malicious Join messages exist, configure rules on interfaces so that the interfaces allow only specified Join messages to pass through and discard malicious Join messages.

  • IPv4/IPv6 PIM IPsec authentication

    IPsec authentication can be configured on interfaces to authenticate IPv4/IPv6 PIM messages. With IPv4/IPv6 PIM IPsec configured, the IPv4/IPv6 PIM messages that are not protected by IPsec or fail to be authenticated are discarded.

  • MSDP whitelist

    MSDP whitelisting is built in and needs no separate configuration. Once MSDP establishes a stable link with a peer, it forms a tuple from the peer's remote address, the local interface address, the remote port number, the local port number, and the IP protocol number (TCP). Through the call component interface, MSDP instructs the underlying layer to transmit messages matching this tuple preferentially (the priority policy depends on the implementation of the underlying layer). When the MSDP neighbor relationship is torn down, the call component interface instructs the underlying layer to delete the policy that preferentially transmits messages matching these conditions.

    The malicious messages that do not match the whitelist are discarded. This effectively prevents attacks that are conducted through malicious messages.

  • MSDP MD5 authentication

    MD5 authentication can be configured on MSDP peers to provide security protection. Make sure that MD5 authentication is enabled and the same authentication password is configured on both MSDP peers. After this function is enabled, the transmit peer sends an MD5-encrypted MSDP message, which is transferred to the receive peer over a TCP connection. The receive peer decrypts the MSDP message by following the uniform MD5 encryption rules and the key contained in the message. After decrypting the message successfully, the receive peer reports the message to the MSDP module for processing. Only the MSDP messages passing MD5 authentication are processed. This effectively prevents attacks that are conducted using malicious messages.

    MD5 authentication is insecure. Keychain authentication is recommended.

  • MSDP keychain authentication

    Multicast MSDP supports keychains. Keychains and new TCP extension options can be used to configure a group of passwords for each TCP connection. Each password can be configured with different encryption algorithms and validity periods. Passwords can be changed at any time, which greatly improves the security of encrypted messages. Only the messages that are authenticated using a keychain are processed. This effectively prevents attacks conducted using malicious messages.

  • TCP-AO authentication

    Configuring TCP-AO authentication enhances the security of the TCP connections between MSDP peers. Compared with MD5 authentication, MSDP TCP-AO authentication is better suited to networks that require high security.

  • Source address-based IGMP/MLD message filtering

    ACL rules can be configured on interfaces to filter received IGMP/MLD messages. This can prevent attacks initiated using malicious IGMP/MLD messages.

    If a large number of malicious IGMP/MLD messages exist, configure rules on interfaces so that the interfaces allow only the IGMP/MLD messages with specified source IP addresses to pass through and discard malicious IGMP/MLD messages.

  • IGMP/MLD IPsec authentication

    IPsec authentication can be configured on interfaces to authenticate IGMP/MLD messages. With IGMP/MLD IPsec configured, the IGMP/MLD messages that are not protected by IPsec or fail to be authenticated are discarded.

Attack Methods

Attacks can be initiated through malicious IGMP/MLD messages. To configure a device to discard such malicious messages, you can configure source address-based IGMP/MLD message filtering. The possible attack methods are as follows:

  • Attackers send malicious Report messages of an earlier protocol version to join a multicast group, forcing the group to work in the mode compatible with that earlier version. In this mode, the Leave messages sent when hosts leave the group are not processed. As a result, traffic for the multicast group continues to be sent until the group times out, even though it has no members.
  • Attackers send Leave messages or IGMPv3 state-change Report messages. Routers and all multicast group members then respond to source-specific or source-and-group-specific queries, but services of the multicast group or (S, G) are not interrupted.
  • Attackers send IGMP Query messages with a lower IP address than the legitimate querier. The legitimate querier then loses querier status and no longer handles prompt leave for multicast group members. As a result, traffic of the multicast group is forwarded for one more membership timer period even if the group has no members.
  • After learning the multicast group members by intercepting General Query messages, attackers send a large number of source-and-group-specific Query messages that carry long source lists and a long query response delay. Hosts keep processing these queries during the response delay, which consumes large amounts of CPU and memory resources.

Procedure

  • PIM neighbor filtering
    1. Run system-view

      The system view is displayed.

    2. Configure a basic numbered ACL or a naming ACL as needed.

      • Configure a basic numbered ACL.

        1. Run acl [ number ] basic-acl-number [ match-order { auto | config } ]

          A basic numbered ACL is created, and the basic numbered ACL view is displayed.

        2. Run rule [ rule-id ] [ name rule-name ] { deny | permit } source { source-ip-address { source-wildcard | 0 } | any }

          Rules are configured for the basic numbered ACL.

      • Configure a naming ACL.

        1. Run acl name acl-name basic [ match-order { auto | config } ]

          A naming ACL is created, and the naming ACL view is displayed.

        2. Run rule [ rule-id ] [ name rule-name ] { deny | permit } source { source-ip-address { source-wildcard | 0 } | any }

          Rules are configured for the naming ACL.

    3. Run quit

      Return to the system view.

    4. Run interface interface-type interface-number

      The PIM interface view is displayed.

    5. Run pim neighbor-policy { basic-acl-number | acl-name acl-name }

      A neighbor filtering policy is configured.

      The neighbor filtering policy defines the range of valid neighbor addresses. The router discards Hello messages received from the routers that are not in this address range.

      • If a peer matches an ACL and the action is permit, the local router sets up a neighbor relationship with this peer.
      • If a peer matches an ACL and the action is deny, the local router does not set up a neighbor relationship with this peer.
      • If a peer does not match any ACL rule, the local router does not set up a neighbor relationship with this peer.
      • If a specified ACL does not exist or does not contain rules, the local router does not set up neighbor relationships with any peers.

    6. Run commit

      The configuration is committed.
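    The following configuration works through the procedure above end to end. It is an added example, not taken from the product documentation, and its addresses (10.1.1.2 and 10.1.1.3 as the only legitimate PIM neighbors), the interface name GigabitEthernet0/1/0 and the ACL number 2001 are all constructed values.

```text
# Added example with constructed addresses and interface name; not from the original page.
system-view
# Basic numbered ACL 2001: permit Hello messages from the two known neighbors only.
acl number 2001
 rule 5 permit source 10.1.1.2 0
 rule 10 permit source 10.1.1.3 0
 # No explicit deny rule is needed: a Hello whose source matches no rule
 # never forms a neighbor relationship (fail-closed behaviour).
 quit
# Bind the policy to the PIM interface that faces the neighbors.
interface GigabitEthernet0/1/0
 pim neighbor-policy 2001
 commit
```

    Because an absent or empty ACL blocks all neighbors, create and populate the ACL before binding it; binding an ACL number that does not yet exist silently isolates the interface from every PIM peer. To confirm that only the permitted peers formed adjacencies, check the PIM neighbor table on the interface (on VRP, display pim neighbor; this display command is an assumption and is not listed on this page).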

  • PIM Join message filtering
    1. Run system-view

      The system view is displayed.

    2. Configure a basic or an advanced ACL as needed.

      • Configure a basic ACL.

        1. Run acl [ number ] basic-acl-number [ match-order { auto | config } ]

          A basic ACL is created, and the basic ACL view is displayed.

        2. Run rule [ rule-id ] [ name rule-name ] { deny | permit } source { source-ip-address { source-wildcard | 0 } | any }

          Rules are configured for the basic ACL.

      • Configure an advanced ACL.

        1. Run acl { name advance-acl-name [ advance | [ advance ] number advance-acl-number ] | [ number ] advance-acl-number } [ match-order { config | auto } ]

          An advanced ACL is created, and the advanced ACL view is displayed.

        2. Run rule [ rule-id ] [ name rule-name ] { deny | permit } ip [ destination { destination-ip-address { destination-wildcard | 0 } | any } | source { source-ip-address { source-wildcard | 0 } | any } ] *

          Rules are configured for the advanced ACL.

    3. Run quit

      Return to the system view.

    4. Run interface interface-type interface-number

      The PIM interface view is displayed.

    5. Run pim join-policy { { advanced-acl-number | acl-name acl-name } | asm { basic-acl-number | acl-name acl-name } | ssm { advanced-acl-number | acl-name acl-name } }

      A policy is created for filtering join information in Join/Prune messages.

      The router filters join information in Join/Prune messages based on source addresses or both source and group addresses.

      If asm is specified, run the rule command in the basic ACL view and set the source parameter to the multicast group address range of join information.

      If ssm is specified, run the rule command in the advanced ACL view, set the source parameter to the multicast source address range of join information, and set the destination parameter to the multicast group address range of join information.

      • If a Join message's join information matches an ACL rule and the action is permit, the device permits this message.
      • If a Join message's join information matches an ACL rule and the action is deny, the device denies this message.
      • If a Join message's join information does not match any ACL rule, the device denies this message.
      • If a specified ACL does not exist or does not contain rules, the device denies all Join messages that contain join information.

    6. Run commit

      The configuration is committed.
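    A worked configuration for Join filtering in both ASM and SSM mode, added here as an example and not taken from the product documentation. It assumes receivers may join only ASM groups in 239.1.0.0/16 and only SSM channels whose source lies in 10.2.0.0/16 and whose group lies in 232.1.1.0/24 (constructed ranges), uses ACL numbers 2002 and 3001 and the interface GigabitEthernet0/1/1 (constructed), and assumes the asm and ssm policies may be bound on the same interface at once.

```text
# Added example with constructed address ranges and interface name; not from the original page.
system-view
# Basic ACL 2002 for ASM: source = the group address range receivers may join.
acl number 2002
 rule 5 permit source 239.1.0.0 0.0.255.255
 quit
# Advanced ACL 3001 for SSM: source = multicast source range, destination = group range.
acl number 3001
 rule 5 permit ip source 10.2.0.0 0.0.255.255 destination 232.1.1.0 0.0.0.255
 quit
interface GigabitEthernet0/1/1
 # Join information outside these ranges, or matching no rule, is denied.
 pim join-policy asm 2002
 pim join-policy ssm 3001
 commit
```

    Keep the two ACL types straight: the asm policy is evaluated against a basic ACL whose source field carries the group address, while the ssm policy needs an advanced ACL so that both the multicast source and the group can be matched. A basic ACL bound with ssm, or an advanced ACL bound with asm, would not express the intended (S, G) constraint.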

  • Configure IPv4 PIM IPsec in the PIM view.
    • Configure IPsec authentication for IPv4 PIM messages.

    1. Run system-view

      The system view is displayed.

    2. Run pim [ vpn-instance vpn-instance-name ]

      The PIM view is displayed.

    3. Run ipsec [ unicast-message ] sa sa-name

      IPv4 PIM IPsec is configured globally, enabling the device to authenticate the sent and received IPv4 PIM messages based on the specified SA.

      If you specify unicast-message in the command, the device authenticates only the sent and received IPv4 PIM unicast messages based on the specified SA.

    4. Run commit

      The configuration is committed.

    • Configure IPsec authentication for IPv4 PIM Hello messages.

    1. Run system-view

      The system view is displayed.

    2. Run pim [ vpn-instance vpn-instance-name ]

      The PIM view is displayed.

    3. Run hello ipsec sa sa-name

      IPv4 PIM IPsec is configured globally, enabling the device to authenticate the sent and received IPv4 PIM Hello messages based on the specified SA.

    4. Run commit

      The configuration is committed.

    If the ipsec sa and hello ipsec sa commands are both configured, the command configured later overrides the command configured earlier.

  • Configure IPv4 PIM IPsec in the interface view.
    • Configure IPsec authentication for IPv4 PIM messages.

    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run pim ipsec sa sa-name

      IPv4 PIM IPsec is configured on the interface, enabling the interface to authenticate the sent and received IPv4 PIM messages based on the specified SA.

    4. Run commit

      The configuration is committed.

    • Configure IPsec authentication for IPv4 PIM Hello messages.

    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run pim hello ipsec sa sa-name

      IPv4 PIM IPsec is configured on the interface, enabling the interface to authenticate the sent and received IPv4 PIM Hello messages based on the specified SA.

    4. Run commit

      The configuration is committed.

    If the pim ipsec sa and pim hello ipsec sa commands are both configured, the command configured later overrides the command configured earlier.

  • Configure IPv6 PIM IPsec in the IPv6 PIM view.
    • Configure IPsec authentication for IPv6 PIM messages.

    1. Run system-view

      The system view is displayed.

    2. Run pim-ipv6

      The IPv6 PIM view is displayed.

    3. Run ipsec [ unicast-message ] sa sa-name

      IPv6 PIM IPsec is configured globally, enabling the device to authenticate the sent and received IPv6 PIM messages based on the specified SA policy. If you specify unicast-message in the command, the device authenticates only the sent and received IPv6 PIM unicast messages based on the specified SA policy.

    4. Run commit

      The configuration is committed.

    • Configure IPsec authentication for IPv6 PIM Hello messages.

    1. Run system-view

      The system view is displayed.

    2. Run pim-ipv6

      The IPv6 PIM view is displayed.

    3. Run hello ipsec sa sa-name

      IPv6 PIM IPsec is configured globally, enabling the device to authenticate the sent and received IPv6 PIM Hello messages based on the specified SA policy.

    4. Run commit

      The configuration is committed.

    If the ipsec sa and hello ipsec sa commands are both configured, the command configured later overrides the command configured earlier.

  • Configure IPv6 PIM IPsec in the interface view.
    • Configure IPsec authentication for IPv6 PIM messages.

    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run pim ipv6 ipsec sa sa-name

      IPv6 PIM IPsec is configured on the interface, enabling the interface to authenticate the sent and received IPv6 PIM messages based on the specified SA policy.

    4. Run commit

      The configuration is committed.

    • Configure IPsec authentication for IPv6 PIM Hello messages.

    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run pim ipv6 hello ipsec sa sa-name

      IPv6 PIM IPsec is configured on the interface, enabling the interface to authenticate the sent and received IPv6 PIM Hello messages based on the specified SA policy.

    4. Run commit

      The configuration is committed.

    If the pim ipv6 ipsec sa and pim ipv6 hello ipsec sa commands are both configured, the command configured later overrides the command configured earlier.

  • MSDP whitelist

    No configuration is required. MSDP establishes a stable link with the peer and then installs the whitelist policy automatically; it is removed when the neighbor relationship is torn down.

  • Configure MSDP MD5 authentication.
    1. Run system-view

      The system view is displayed.

    2. Run msdp [ vpn-instance vpn-instance-name ]

      The MSDP view is displayed.

    3. Run peer peer-address password { cipher cipher-password | simple simple-password }

      MSDP MD5 authentication is configured.

      • The password must be at least eight characters long and contain at least two of the following character types: upper-case letters, lower-case letters, digits, and special characters other than the question mark (?) and space.

      • For security purposes, you are advised to configure a password in ciphertext mode. To further improve device security, periodically change the password.

      MD5 authentication can be configured on MSDP peers to provide security protection. Make sure that MD5 authentication is enabled and the same authentication password is configured on both MSDP peers. After this function is enabled, the transmit peer sends an MD5-encrypted MSDP message, which is transferred to the receive peer over a TCP connection. The receive peer decrypts the MSDP message by following the uniform MD5 encryption rules and the key contained in the message. After decrypting the message successfully, the receive peer reports the message to the MSDP module for processing. Only the MSDP messages passing MD5 authentication are processed. This effectively prevents attacks that are conducted using malicious messages.

    4. Run commit

      The configuration is committed.

  • Configure MSDP keychain authentication.
    1. Run system-view

      The system view is displayed.

    2. Run msdp [ vpn-instance vpn-instance-name ]

      The MSDP view is displayed.

    3. Run peer peer-address keychain keychain-name

      MSDP keychain authentication is configured.

      Keychain and new TCP extension options enable each TCP connection to be configured with a password. You can set different encryption algorithms and validity periods for passwords. In addition, passwords can be changed at any time. This significantly improves security of encrypted packets. Only MSDP messages that are authenticated using a keychain are processed. This effectively prevents attacks conducted using malicious messages.

      To implement keychain authentication, you must also configure keychain authentication on the MSDP peer. The encryption algorithms and passwords configured for keychain authentication on both peers must be the same; otherwise, the TCP connection cannot be set up between the MSDP peers and MSDP messages cannot be transmitted.

      Before configuring MSDP keychain authentication, configure a keychain based on the configured keychain-name parameter; otherwise, the TCP connection cannot be set up.

      MSDP MD5 authentication and MSDP keychain authentication cannot be both configured on the same device.

      The encryption algorithm used for MD5 authentication poses security risks. Therefore, you are advised to use an authentication mode based on a more secure encryption algorithm.

  • TCP-AO authentication
    1. Run system-view

      The system view is displayed.

    2. Run msdp [ vpn-instance vpn-instance-name ]

      The MSDP view is displayed.

    3. Run peer peer-address tcp-ao tcpAoName

      MSDP TCP-AO authentication is configured.

      The tcp ao command must be run to configure a TCP-AO name before you configure MSDP TCP-AO authentication; otherwise, no TCP connection can be set up. TCP-AO authentication must be configured at both ends of MSDP peers and the encryption algorithms and passwords configured for TCP-AO on both peers must be the same; otherwise, no TCP connection can be set up between the MSDP peers and MSDP messages cannot be exchanged.

      TCP-AO, MD5, and keychain authentication modes are mutually exclusive.
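    The following fragment shows keychain authentication configured on both ends of an MSDP peering, as the keychain procedure above requires. It is an added example, not taken from the product documentation; the peer addresses 10.1.1.1 and 10.1.1.2 and the keychain name KC-MSDP are constructed, and the example assumes a keychain with that name, identical algorithms and identical keys already exists on both routers (keychain definition itself is outside this page).

```text
# Added example with constructed addresses and keychain name; not from the original page.
# Assumes keychain KC-MSDP already exists on both routers with matching algorithms and keys.
# --- Router A (10.1.1.1) ---
system-view
msdp
 peer 10.1.1.2 keychain KC-MSDP
 commit
# --- Router B (10.1.1.2) ---
system-view
msdp
 peer 10.1.1.1 keychain KC-MSDP
 commit
# The three authentication modes are mutually exclusive on one device, so
# neither of these may be added for the same peer alongside the keychain:
#  peer 10.1.1.2 password cipher <password>   (MD5)
#  peer 10.1.1.2 tcp-ao <tcpAoName>           (TCP-AO)
```

    A mismatch in the keychain name, algorithm or key on either side shows up as an MSDP peering that never leaves the connection-setup stage, because the TCP connection is rejected before any MSDP message is exchanged; that is the first place to look when a peering stays down after enabling authentication.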

  • Configure source address-based IGMP Report or Leave message filtering
    1. Run system-view

      The system view is displayed.

    2. Configure a basic numbered ACL or a naming ACL as needed.

      • Configure a basic numbered ACL.

        1. Run acl [ number ] basic-acl-number [ match-order { auto | config } ]

          A basic numbered ACL is created, and the basic numbered ACL view is displayed.

        2. Run rule [ rule-id ] [ name rule-name ] { deny | permit } source { source-ip-address { source-wildcard | 0 } | any }

          Rules are configured for the basic numbered ACL.

      • Configure a naming ACL.

        1. Run acl name acl-name basic [ match-order { auto | config } ]

          A naming ACL is created, and the naming ACL view is displayed.

        2. Run rule [ rule-id ] [ name rule-name ] { deny | permit } source { source-ip-address { source-wildcard | 0 } | any }

          Rules are configured for the naming ACL.

    3. Run quit

      Return to the system view.

    4. Run interface interface-type interface-number

      The interface view is displayed.

    5. Run igmp ip-source-policy [ basic-acl-number | acl-name acl-name ]

      Source address-based IGMP Report or Leave message filtering is configured.

      • If no ACL is specified in this command, the device permits an IGMP Report or Leave message whose source address is 0.0.0.0 or is on the same network segment as the address of the receiving interface, and discards a message whose source address is on a different network segment from that interface address.
      • If an ACL is configured on an interface, the interface uses configured ACL rules to filter source addresses in IGMP Report or Leave messages.
        • If an IGMP Report or Leave message matches an ACL rule and the action is permit, the interface permits this message.
        • If an IGMP Report or Leave message matches an ACL rule and the action is deny, the interface denies this message.
        • If an IGMP Report or Leave message does not match any ACL rule, the interface denies this message.
        • If a specified ACL does not exist or does not contain rules, the interface denies all IGMP Report and Leave messages.

    6. Run commit

      The configuration is committed.

  • Configure source address-based IGMP Query message filtering
    1. Run system-view

      The system view is displayed.

    2. Configure a basic numbered ACL or a naming ACL as needed.

      • Configure a basic numbered ACL.

        1. Run acl [ number ] basic-acl-number [ match-order { auto | config } ]

          A basic numbered ACL is created, and the basic numbered ACL view is displayed.

        2. Run rule [ rule-id ] [ name rule-name ] { deny | permit } source { source-ip-address { source-wildcard | 0 } | any }

          Rules are configured for the basic numbered ACL.

      • Configure a naming ACL.

        1. Run acl name acl-name basic [ match-order { auto | config } ]

          A naming ACL is created, and the naming ACL view is displayed.

        2. Run rule [ rule-id ] [ name rule-name ] { deny | permit } source { source-ip-address { source-wildcard | 0 } | any }

          Rules are configured for the naming ACL.

    3. Run quit

      Return to the system view.

    4. Run interface interface-type interface-number

      The interface view is displayed.

    5. Run igmp query ip-source-policy { basic-acl-number | acl-name acl-name }

      Source address-based IGMP Query message filtering is configured to control querier election.

      • If an IGMP Query message matches an ACL rule and the action is permit, the interface permits this message.
      • If an IGMP Query message matches an ACL rule and the action is deny, the interface denies this message.
      • If an IGMP Query message does not match any ACL rule, the interface denies this message.
      • If a specified ACL does not exist or does not contain rules, the interface denies all IGMP Query messages.

    6. Run commit

      The configuration is committed.

  • Configure source address-based MLD Report or Done message filtering.
    1. Run system-view

      The system view is displayed.

    2. Configure a basic numbered ACL6 or a naming ACL6 as needed.

      • Configure a basic numbered ACL6.

        1. Run acl ipv6 [ number ] basic-acl6-number [ match-order { auto | config } ]

          A basic numbered ACL6 is created, and the basic numbered ACL6 view is displayed.

        2. Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } ] *

          Rules are configured for the basic numbered ACL6.

      • Configure a naming ACL6.

        1. Run acl ipv6 name acl6-name basic [ match-order { auto | config } ]

          A naming ACL6 is created, and the naming ACL6 view is displayed.

        2. Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } ] *

          Rules are configured for the naming ACL6.

    3. Run quit

      Return to the system view.

    4. Run interface interface-type interface-number

      The interface view is displayed.

    5. Run mld ip-source-policy { basic-acl6-number | acl6-name acl6-name }

      Source address-based MLD Report or Done message filtering is configured.

      • If an MLD Report or Done message matches an ACL rule and the action is permit, the interface permits this message.
      • If an MLD Report or Done message matches an ACL rule and the action is deny, the interface denies this message.
      • If an MLD Report or Done message does not match any ACL rule, the interface denies this message.
      • If a specified ACL does not exist or does not contain rules, the interface denies all MLD Report and Done messages.

    6. Run commit

      The configuration is committed.

  • Configure source address-based MLD Query message filtering.
    1. Run system-view

      The system view is displayed.

    2. Configure a basic numbered ACL6 or a naming ACL6 as needed.

      • Configure a basic numbered ACL6.

        1. Run acl ipv6 [ number ] basic-acl6-number [ match-order { auto | config } ]

          A basic numbered ACL6 is created, and the basic numbered ACL6 view is displayed.

        2. Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } ] *

          Rules are configured for the basic numbered ACL6.

      • Configure a naming ACL6.

        1. Run acl ipv6 name acl6-name basic [ match-order { auto | config } ]

          A naming ACL6 is created, and the naming ACL6 view is displayed.

        2. Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } ] *

          Rules are configured for the naming ACL6.

    3. Run quit

      Return to the system view.

    4. Run interface interface-type interface-number

      The interface view is displayed.

    5. Run mld query ip-source-policy { basic-acl6-number | acl6-name acl6-name }

      Source address-based MLD Query message filtering is configured to control querier election.

      • If an MLD Query message matches an ACL rule and the action is permit, the interface permits this message.
      • If an MLD Query message matches an ACL rule and the action is deny, the interface denies this message.
      • If an MLD Query message does not match any ACL rule, the interface denies this message.
      • If a specified ACL does not exist or does not contain rules, the interface denies all MLD Query messages.

    6. Run commit

      The configuration is committed.
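    The following configuration applies the four source-address filtering procedures above (IGMP Report/Leave, IGMP Query, MLD Report/Done and MLD Query) on one receiver-facing interface. It is an added example, not taken from the product documentation. It assumes receivers sit in 192.168.10.0/24 and 2001:DB8:10::/64, that the only other legitimate querier on the segment is 192.168.10.1 / 2001:DB8:10::1, and uses the interface GigabitEthernet0/1/2 and ACL numbers 2003 to 2006; all of these are constructed values.

```text
# Added example with constructed addresses, prefixes and interface name; not from the original page.
system-view
# IGMP Report/Leave: accept only from the receiver subnet.
acl number 2003
 rule 5 permit source 192.168.10.0 0.0.0.255
 quit
# IGMP Query: accept only from the known backup querier, so a forged Query
# with a lower source address from any other host cannot win querier election.
acl number 2004
 rule 5 permit source 192.168.10.1 0
 quit
interface GigabitEthernet0/1/2
 igmp ip-source-policy 2003
 igmp query ip-source-policy 2004
 quit
# MLD: the same two policies for IPv6, expressed with basic ACL6s.
acl ipv6 number 2005
 rule 5 permit source 2001:DB8:10::/64
 quit
acl ipv6 number 2006
 rule 5 permit source 2001:DB8:10::1/128
 quit
interface GigabitEthernet0/1/2
 mld ip-source-policy 2005
 mld query ip-source-policy 2006
 commit
```

    Both policies fail closed: a message that matches no rule, or an ACL that is missing or empty, causes the interface to drop every message of that type, so the query policy in particular must list every legitimate querier on the segment or the interface will ignore all received Queries.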

  • Configure IGMP IPsec in the IGMP view.
    • Configure IPsec authentication for IGMP messages.
    1. Run system-view

      The system view is displayed.

    2. Run igmp [ vpn-instance vpn-instance-name ]

      The IGMP view is displayed.

    3. Run ipsec sa sa-name

      IGMP IPsec is configured globally, enabling the device to authenticate the sent and received IGMP messages based on the specified SA.

    4. Run commit

      The configuration is committed.

    • Configure IPsec authentication for IGMP Query messages.
    1. Run system-view

      The system view is displayed.

    2. Run igmp [ vpn-instance vpn-instance-name ]

      The IGMP view is displayed.

    3. Run query ipsec sa sa-name

      IGMP IPsec is configured globally, enabling the device to authenticate the sent and received IGMP Query messages based on the specified SA.

    4. Run commit

      The configuration is committed.

    If the ipsec sa and query ipsec sa commands are both configured, the command configured later overrides the command configured earlier.

  • Configure IGMP IPsec in the interface view.
    • Configure IPsec authentication for IGMP messages.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run igmp ipsec sa sa-name

      IGMP IPsec is configured on an interface, enabling the interface to authenticate the sent and received IGMP messages based on the specified SA.

    4. Run commit

      The configuration is committed.

    • Configure IPsec authentication for IGMP Query messages.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run igmp query ipsec sa sa-name

      IGMP IPsec is configured on an interface, enabling the interface to authenticate the sent and received IGMP Query messages based on the specified SA.

    4. Run commit

      The configuration is committed.

    If the igmp ipsec sa and igmp query ipsec sa commands are both configured, the command configured later overrides the command configured earlier.

  • Configure MLD IPsec in the MLD view.
    • Configure IPsec authentication for MLD messages.
    1. Run system-view

      The system view is displayed.

    2. Run mld

      The MLD view is displayed.

    3. Run ipsec sa sa-name

      MLD IPsec is configured globally, enabling the device to authenticate the sent and received MLD messages based on the specified SA policy.

    4. Run commit

      The configuration is committed.

    • Configure IPsec authentication for MLD Query messages.
    1. Run system-view

      The system view is displayed.

    2. Run mld

      The MLD view is displayed.

    3. Run query ipsec sa sa-name

      MLD IPsec is configured globally, enabling the device to authenticate the sent and received MLD Query messages based on the specified SA policy.

    4. Run commit

      The configuration is committed.

    If the ipsec sa and query ipsec sa commands are both configured, the command configured later overrides the command configured earlier.

  • Configure MLD IPsec in the interface view.
    • Configure IPsec authentication for MLD messages.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run mld ipsec sa sa-name

      MLD IPsec is configured on an interface, enabling the interface to authenticate the sent and received MLD messages based on the specified SA policy.

    4. Run commit

      The configuration is committed.

    • Configure IPsec authentication for MLD Query messages.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run mld query ipsec sa sa-name

      MLD IPsec is configured on an interface, enabling the interface to authenticate the sent and received MLD Query messages based on the specified SA policy.

    4. Run commit

      The configuration is committed.

    If the mld ipsec sa and mld query ipsec sa commands are both configured, the command configured later overrides the command configured earlier.

Configuration and Maintenance Suggestions

None

Copyright © Huawei Technologies Co., Ltd.