The authentication key-chain peer-group command enables keychain authentication in a batch for a specified LDP peer group.
The undo authentication key-chain peer-group command disables keychain authentication in a batch for a specified LDP peer group.
By default, batch keychain authentication is disabled for all peer groups. Enabling LDP keychain authentication is recommended to improve security.
authentication key-chain peer-group ip-prefix-name name keychain-name
undo authentication key-chain peer-group
| Parameter | Description | Value |
|---|---|---|
| ip-prefix-name | Specifies the name of an IP prefix list. The IP prefix list name is configured using the ip ip-prefix command. | The value is a string of 1 to 169 case-sensitive characters. Spaces are not supported unless the string is enclosed in double quotation marks ("). |
| name keychain-name | Specifies a keychain name. The keychain name is configured using the keychain command. | The value is a string of 1 to 47 case-insensitive characters. Question marks are not allowed; spaces are not supported unless the string is enclosed in double quotation marks ("). |
Usage Scenario
To improve LDP session security, keychain authentication can be configured for the TCP connection over which an LDP session is established. If a large number of LDP peers are configured, run the authentication key-chain peer-group command to enable keychain authentication in a batch for all LDP peers in a specified peer group. The peer group is defined by an IP prefix list, which specifies the range of peer IP addresses that belong to the group.
Prerequisites
The following steps have been performed:
- An IP prefix list has been configured using the ip ip-prefix command.
- A keychain has been configured using the keychain command.
Configuration Impact
After the authentication key-chain peer-group command is run, the referenced keychain authentication is applied to each LDP peer in the specified peer group. If keychain authentication fails for a peer, the LDP session with that peer cannot be established.
Precautions
LDP authentication configurations are prioritized in descending order: configuration for a single peer, then configuration for a specified peer group, then configuration for all peers. At the same priority level, keychain and MD5 configurations are mutually exclusive. Across levels, keychain authentication and MD5 authentication can be configured at the same time (for a specified LDP peer, for the peer group containing that peer, and for all LDP peers); the configuration with the higher priority takes effect. For example, if MD5 authentication is configured for Peer1 and keychain authentication is then configured for all LDP peers, MD5 authentication still takes effect on Peer1.
Create a peer group before referencing it. By default, a nonexistent peer group cannot be specified in this command. If the route-policy nonexistent-config-check disable command has been run in the system view and a nonexistent peer group is specified in this command, the local device performs keychain authentication for every LDP session with every LDP peer.
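The precedence rules and the keychain time windows above are easy to get wrong when auditing a configuration, so the following added example (not Huawei's code, and not taken from this page) models them in Python. It resolves which authentication configuration applies to a given peer IP (single peer, then peer group matched through its IP prefix list, then all peers) and checks whether a keychain has a usable send key and receive key at a given time, using the key-id 1 windows from the configuration example on this page. The names AuthConfig, PeerGroup, KeychainKey, effective_auth and session_can_authenticate are constructed for this example, and the prefix-list evaluation (top-down, first match wins, implicit deny) is an assumption of the model rather than something stated on this page.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed model of LDP authentication precedence and keychain key windows.
# Assumption (not stated on the page): an ip-prefix list is evaluated top-down,
# the first matching entry decides, and there is an implicit deny at the end.


@dataclass(frozen=True)
class AuthConfig:
    method: str  # "keychain" or "md5"; one tier holds at most one AuthConfig,
    name: str    # which expresses "mutually exclusive at the same priority"


@dataclass(frozen=True)
class PeerGroup:
    prefix_list: Tuple[Tuple[str, str], ...]  # (("permit", "4.4.4.4/32"), ...)
    auth: AuthConfig


def prefix_list_matches(prefix_list, peer_ip) -> bool:
    """First-match evaluation of an ip-prefix list against a peer address."""
    addr = ip_address(peer_ip)
    for action, net in prefix_list:
        if addr in ip_network(net, strict=False):
            return action == "permit"
    return False  # implicit deny (assumption)


def effective_auth(peer_ip, per_peer, peer_groups, global_auth):
    """Return (AuthConfig or None, tier): peer > peer-group > all peers."""
    if peer_ip in per_peer:
        return per_peer[peer_ip], "peer"
    for group in peer_groups:
        if prefix_list_matches(group.prefix_list, peer_ip):
            return group.auth, "peer-group"
    if global_auth is not None:
        return global_auth, "all"
    return None, "none"


@dataclass(frozen=True)
class KeychainKey:
    key_id: int
    algorithm: str
    send_window: Tuple[datetime, datetime]     # send-time start/end
    receive_window: Tuple[datetime, datetime]  # receive-time start/end


def _in_window(window, now) -> bool:
    start, end = window
    return start <= now <= end


def send_key_id(keys, now) -> Optional[int]:
    """The key this device signs outgoing segments with right now, if any."""
    for key in keys:
        if _in_window(key.send_window, now):
            return key.key_id
    return None


def receive_key_ids(keys, now) -> List[int]:
    """All keys this device currently accepts on incoming segments."""
    return [k.key_id for k in keys if _in_window(k.receive_window, now)]


def session_can_authenticate(local_keys, peer_keys, now) -> bool:
    """Each side's send key must be in the other side's receive set."""
    local_send = send_key_id(local_keys, now)
    peer_send = send_key_id(peer_keys, now)
    if local_send is None or peer_send is None:
        return False
    return (local_send in receive_key_ids(peer_keys, now)
            and peer_send in receive_key_ids(local_keys, now))


# Sample data mirroring the configuration example on this page (key string omitted).
KC1_KEYS = (
    KeychainKey(
        key_id=1, algorithm="md5",
        send_window=(datetime(2008, 10, 10, 14, 30), datetime(2008, 10, 10, 14, 50)),
        receive_window=(datetime(2008, 10, 10, 14, 40), datetime(2008, 10, 10, 14, 50)),
    ),
)
LIST1 = (("permit", "4.4.4.4/32"),)
GROUP_LIST1 = PeerGroup(prefix_list=LIST1, auth=AuthConfig("keychain", "kc1"))
# Constructed: Peer1 has MD5 configured directly; everyone else falls through.
PER_PEER: Dict[str, AuthConfig] = {"192.0.2.1": AuthConfig("md5", "peer1-md5")}
GLOBAL_AUTH = AuthConfig("keychain", "kc-all")

if __name__ == "__main__":
    for ip in ("192.0.2.1", "4.4.4.4", "198.51.100.7"):
        cfg, tier = effective_auth(ip, PER_PEER, [GROUP_LIST1], GLOBAL_AUTH)
        print(f"{ip}: {cfg.method} {cfg.name} (from {tier})")
    for hhmm in ((14, 35), (14, 45), (15, 0)):
        now = datetime(2008, 10, 10, *hhmm)
        print(now.time(), "session authenticates:",
              session_can_authenticate(KC1_KEYS, KC1_KEYS, now))
```

At 14:35 the send window is open but the receive window is not, so two devices sharing kc1 cannot yet authenticate each other; from 14:40 to 14:50 both windows overlap and the session comes up; after 14:50 no key is valid and the session fails, which is the failure mode described under Configuration Impact.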
# Enable LDP keychain authentication for LDP peers with IP addresses matching the IP prefix list named list1 in a specified peer group and use a keychain named kc1.
```
<sysname> system-view
[sysname] keychain kc1 mode absolute
[sysname-keychain-kc1] key-id 1
[sysname-keychain-kc1-keyid-1] algorithm md5
[sysname-keychain-kc1-keyid-1] key-string abcDEF-13579
[sysname-keychain-kc1-keyid-1] send-time 14:30 2008-10-10 to 14:50 2008-10-10
[sysname-keychain-kc1-keyid-1] receive-time 14:40 2008-10-10 to 14:50 2008-10-10
[sysname-keychain-kc1-keyid-1] default send-key-id
[sysname-keychain-kc1-keyid-1] quit
[sysname-keychain-kc1] quit
[sysname] ip ip-prefix list1 permit 4.4.4.4 32
[sysname] mpls ldp
[sysname-mpls-ldp] authentication key-chain peer-group list1 name kc1
```