
Configuring LDP Keychain Authentication

LDP keychain authentication can be configured to improve the security of a connection used by an LDP session. LDP authentication is configured on LSRs at both ends of an LDP session.

Context

To help improve LDP session security, keychain authentication can be configured for a TCP connection over which an LDP session has been established.

During keychain authentication, a group of keys is defined. Each key is a password string that is assigned an authentication algorithm such as MD5 or secure hash algorithm-1 (SHA-1) and a validity period. When sending or receiving a packet, the system selects a key that is valid at that moment: within the key's validity period, the system uses the key's algorithm to generate the authentication digest carried by an outgoing packet, and to verify the digest of an incoming packet before accepting it (the algorithm authenticates the packet; it does not encrypt its contents). When a key expires, the system automatically switches to the next valid key, so a single leaked or cracked key is useful to an attacker only for a bounded time. Because key validity is evaluated against the local clock, the two LSRs must keep their clocks synchronized and the receive windows of consecutive keys should overlap; otherwise the session can fail at each key rollover.

You can configure either LDP MD5 authentication or LDP keychain authentication, depending on their characteristics:

  • MD5 authentication is simple to configure: it uses a single password that can be changed only manually. It suits networks where one key protecting the session for a limited period, with manual rotation, is acceptable.
  • Keychain authentication uses a set of keys and switches to a new key when the previous one expires. It is more complex to configure and suits networks that require high security. Where the platform supports an algorithm stronger than MD5 or SHA-1, choose it for the keychain.

Keychain authentication and MD5 authentication cannot both be configured for the same LDP peer.

Procedure

  1. Access the system view.

    system-view

  2. Access the MPLS-LDP view.

    mpls ldp

  3. Enable LDP keychain authentication for a peer and specify the keychain to use.

    authentication key-chain peer peer-id name keychain-name

    peer-id is the LSR ID of the LDP peer, and keychain-name is the name of a keychain that already exists on the device. By default, LDP keychain authentication is not performed between LDP peers.

    Configuring LDP keychain authentication re-establishes the LDP session and deletes the LSPs associated with it, so apply the configuration during a maintenance window and on both LSRs of the session; a mismatch between the two ends leaves the session down.
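The following is an added example, not a configuration from this page or from Huawei: a constructed configuration for an LSR with LSR ID 10.1.1.1 that peers with an LSR whose LSR ID is 10.1.1.2. The keychain-view commands (keychain, key-id, algorithm, key-string, send-time, receive-time) are an assumption about the platform's keychain syntax and must be checked against the device's keychain configuration guide; only the system-view, mpls ldp and authentication key-chain commands come from this page. The keychain name ldp-kc, the dates, and the placeholder key strings are constructed.

```text
# Added example (not from this page); LSR-A, LSR ID 10.1.1.1.
# Keychain-view syntax is assumed; verify against the platform guide.
system-view
keychain ldp-kc mode absolute
 key-id 1
  algorithm hmac-sha-256
  key-string cipher <key-1-string>
  send-time 00:00 2024-01-01 to 23:59 2024-06-30
  # Receive window extends past the send window to tolerate clock skew at rollover.
  receive-time 00:00 2024-01-01 to 01:00 2024-07-01
 quit
 key-id 2
  algorithm hmac-sha-256
  key-string cipher <key-2-string>
  send-time 00:00 2024-07-01 to 23:59 2024-12-31
  # Receive window starts before the send window for the same reason.
  receive-time 23:00 2024-06-30 to 23:59 2024-12-31
 quit
quit
mpls ldp
 # From this page: bind the keychain to the peer identified by its LSR ID.
 authentication key-chain peer 10.1.1.2 name ldp-kc
quit
```

Apply the mirror configuration on LSR-B (same keychain contents, peer 10.1.1.1). Both LSRs should take time from the same NTP source so that key selection agrees at every rollover. After the session is re-established, check it with display mpls ldp session; a session that stays in a non-operational state after the change usually means the keychain name, key strings or validity windows differ between the two ends.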

Copyright © Huawei Technologies Co., Ltd.