The authentication key-chain command enables Label Distribution Protocol (LDP) keychain authentication.
The undo authentication key-chain command restores the default setting.
authentication key-chain peer peer-id name keychain-name
undo authentication key-chain peer peer-id
| Parameter | Description | Value |
|---|---|---|
| peer peer-id | Specifies the ID of the LDP peer for which keychain authentication is enabled. | The value is in dotted decimal notation. |
| name keychain-name | Specifies the keychain name. The keychain is created using the keychain command. | The value is a string of 1 to 47 characters. |
By default, LDP keychain authentication is disabled. Enabling LDP keychain authentication is recommended to ensure system security.
Usage Scenario
To enhance the security of an LDP session, you can configure keychain authentication for a TCP connection over which the LDP session has been established.
During keychain authentication, a group of passwords is defined to form a password string. Each password is specified with encryption and decryption algorithms, such as Message Digest Algorithm 5 (MD5) and Secure Hash Algorithm 1 (SHA-1), and is configured with a validity period. When sending or receiving a packet, the system selects a valid password based on the user's configuration. Within the validity period of a password, the system uses the encryption algorithm matching that password to encrypt a packet before sending it, or the decryption algorithm matching that password to decrypt a packet before accepting it. When a password expires, the system automatically switches to the next one, which prevents the password from being decrypted.
The keychain authentication password, the encryption and decryption algorithms, and the password validity period that make up a keychain configuration node are configured using separate commands. A keychain configuration node requires at least one password together with its encryption and decryption algorithms.
To reference a keychain configuration node, specify the required peer and the name of the node in the MPLS-LDP view. In this manner, an LDP session is encrypted. Different peers can reference the same keychain configuration node.
Keychain authentication uses a set of passwords and switches to a new password when the old one expires. It is complex to configure and is therefore recommended only on networks requiring high security.
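The time-based password selection described above (a valid password is chosen on the sending side, the matching password is looked up on the receiving side, and the next password takes over when the previous one expires) is modelled below in Python. This is an added example, not the device's implementation and not code from this page: the algorithm names in the ALGORITHMS table, the rule that the lowest key-id wins when several passwords are valid, the one-hour overlap of receive windows, and all secrets, timestamps and the sample packet are assumptions constructed for the example. The overlap shows the caveat a practitioner cares about at rollover: a peer whose clock lags the local clock only keeps the session up if the new password is already accepted on receive before it is used on send.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Digest functions for the two algorithms the page names (MD5 and SHA-1).
# The device's own algorithm identifiers are not on this page; this mapping
# is an assumption of the example.
ALGORITHMS = {"md5": hashlib.md5, "sha-1": hashlib.sha1}


@dataclass(frozen=True)
class KeychainKey:
    """One password of a keychain: algorithm, secret and validity windows."""
    key_id: int
    algorithm: str
    secret: bytes
    send_start: datetime      # packets are signed with this key in [send_start, send_end)
    send_end: datetime
    receive_start: datetime   # packets signed with this key are accepted in [receive_start, receive_end)
    receive_end: datetime

    def valid_for_send(self, now: datetime) -> bool:
        return self.send_start <= now < self.send_end

    def valid_for_receive(self, now: datetime) -> bool:
        return self.receive_start <= now < self.receive_end

    def mac(self, packet: bytes) -> bytes:
        return hmac.new(self.secret, packet, ALGORITHMS[self.algorithm]).digest()


class Keychain:
    """Selects the active password by time on the sending and the receiving side."""

    def __init__(self, name: str, keys: list[KeychainKey]) -> None:
        self.name = name
        self.keys = sorted(keys, key=lambda k: k.key_id)

    def send_key(self, now: datetime) -> Optional[KeychainKey]:
        # Assumption: when several keys are valid for sending, the lowest key-id is used.
        return next((k for k in self.keys if k.valid_for_send(now)), None)

    def sign(self, packet: bytes, now: datetime) -> bytes:
        key = self.send_key(now)
        if key is None:
            raise RuntimeError(f"keychain {self.name}: no password valid for sending at {now}")
        return key.mac(packet)

    def verify(self, packet: bytes, mac: bytes, now: datetime) -> Optional[int]:
        # The MAC carries no key identifier, so every key whose receive window
        # covers 'now' is tried; returns the accepting key-id, or None if rejected.
        for key in self.keys:
            if key.valid_for_receive(now) and hmac.compare_digest(key.mac(packet), mac):
                return key.key_id
        return None


def build_demo_keychain(overlap: timedelta = timedelta(hours=1)) -> Keychain:
    """Constructed two-password keychain; key 2 is accepted 'overlap' before it is sent."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    rollover = datetime(2024, 2, 1, tzinfo=timezone.utc)
    far = datetime(2030, 1, 1, tzinfo=timezone.utc)
    return Keychain("ldp-kc", [
        KeychainKey(1, "md5", b"constructed-secret-1", t0, rollover, t0, rollover + overlap),
        KeychainKey(2, "sha-1", b"constructed-secret-2", rollover, far, rollover - overlap, far),
    ])


def rollover_demo() -> dict:
    """Walk one constructed LDP keepalive through the rollover from key 1 to key 2."""
    local, peer = build_demo_keychain(), build_demo_keychain()   # both ends reference the same node
    packet = b"LDP keepalive (constructed sample)"
    results = {}
    # Well inside key 1's window: signed and accepted with key 1.
    t = datetime(2024, 1, 15, tzinfo=timezone.utc)
    results["mid_january"] = peer.verify(packet, local.sign(packet, t), t)
    # Ten seconds after rollover the sender has switched to key 2. A peer whose
    # clock is 30 minutes behind still accepts it, because key 2's receive window
    # opened an hour early.
    t = datetime(2024, 2, 1, 0, 0, 10, tzinfo=timezone.utc)
    skewed = t - timedelta(minutes=30)
    results["skewed_peer"] = peer.verify(packet, local.sign(packet, t), skewed)
    # With no overlap (receive window == send window) the same skewed peer rejects
    # the packet: key 2 is not yet accepted and key 1 no longer matches. The session flaps.
    tight_peer = build_demo_keychain(overlap=timedelta(0))
    results["skewed_peer_no_overlap"] = tight_peer.verify(packet, local.sign(packet, t), skewed)
    # A packet still signed with the expired key 1 two hours after rollover is rejected.
    stale_mac = local.keys[0].mac(packet)
    results["stale_key"] = peer.verify(packet, stale_mac, t + timedelta(hours=2))
    return results


if __name__ == "__main__":
    print(rollover_demo())
```

The receive window is deliberately wider than the send window for each key; when both ends' clocks are synchronised (for instance via NTP) this overlap costs nothing, and when they are not it is what keeps the LDP session from being torn down at every password change.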
Prerequisite
MPLS LDP has been enabled globally using the mpls ldp command in the system view.
Keychain authentication has been enabled globally using the keychain command.
Precautions
MD5 authentication and keychain authentication cannot be configured together on one peer.
Configuring LDP keychain authentication causes the LDP session to be re-established and deletes the label switched path (LSP) associated with that session.