peer keychain
Use peer keychain to enable keychain authentication for a BGP peer or peer group.
Use undo peer keychain to remove keychain authentication for a BGP peer or peer group.
Syntax
peer { group-name | ip-address [ mask-length ] | ipv6-address [ prefix-length ] } keychain keychain-name
undo peer { group-name | ip-address [ mask-length ] | ipv6-address [ prefix-length ] } keychain
Default
Keychain authentication is disabled.
Views
BGP instance view
BGP-VPN instance view
Predefined user roles
network-admin
Parameters
group-name: Specifies a peer group by its name, a case-sensitive string of 1 to 47 characters. The peer group must have been created.
ip-address: Specifies a peer by its IPv4 address. The peer must have been created.
mask-length: Specifies a mask length in the range of 0 to 32. You can use the ip-address and mask-length arguments together to specify a subnet. If you specify a subnet, this command enables keychain authentication for all dynamic peers in the subnet.
ipv6-address: Specifies a peer by its IPv6 address. The peer must have been created.
prefix-length: Specifies a prefix length in the range of 0 to 128. You can use the ipv6-address and prefix-length arguments together to specify a subnet. If you specify a subnet, this command enables keychain authentication for all dynamic peers in the subnet.
keychain-name: Specifies a keychain by its name, a case-sensitive string of 1 to 63 characters. The keychain must have been created.
Usage guidelines
Keychain authentication enhances the security of TCP connection establishment between BGP peers. It allows BGP peers to establish TCP connections only when the following conditions are met:
Keychain authentication is enabled on both BGP peers.
The keys used by the BGP peers have the same authentication algorithm and key string.
BGP supports the HMAC-SHA-256 and MD5 authentication algorithms. To specify an authentication algorithm for a key, use the authentication-algorithm command.
Keys used for authentication must have IDs in the range of 0 to 63. To create a key, use the key command.
The peer keychain and peer password commands are mutually exclusive.
Examples
# In BGP instance view, configure peer 10.1.1.1 to use keychain abc for authentication.
<Sysname> system-view
[Sysname] bgp 100
[Sysname-bgp-default] peer 10.1.1.1 as-number 100
[Sysname-bgp-default] peer 10.1.1.1 keychain abc
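# The page's example shows only the BGP side. The following is an added, constructed walk-through (not from the original reference) that also shows the keychain side on both peers, so that the usage-guideline conditions are met: keychain authentication enabled on both peers, the same algorithm (hmac-sha-256) and key string on each key, and key IDs within 0 to 63. Hostnames RouterA/RouterB, addresses 10.1.1.1/10.1.1.2, key strings and lifetimes are constructed values. The keychain, key-string, send-lifetime, accept-lifetime and display keychain commands are assumed to be available in the device's Security Command Reference alongside the key and authentication-algorithm commands the page cites; check your release before relying on their exact syntax.

```text
# --- Router A (constructed): keychain abc with two keys so the key can be rotated
<RouterA> system-view
[RouterA] keychain abc mode absolute
[RouterA-keychain-abc] key 1
[RouterA-keychain-abc-key-1] authentication-algorithm hmac-sha-256
[RouterA-keychain-abc-key-1] key-string plain Key1Secret
# key 1 is used for sending until 2024-07-01 ...
[RouterA-keychain-abc-key-1] send-lifetime utc 00:00:00 2024/01/01 to 00:00:00 2024/07/01
# ... but is still accepted for one extra hour to tolerate clock skew at rotation
[RouterA-keychain-abc-key-1] accept-lifetime utc 00:00:00 2024/01/01 to 01:00:00 2024/07/01
[RouterA-keychain-abc-key-1] quit
[RouterA-keychain-abc] key 2
[RouterA-keychain-abc-key-2] authentication-algorithm hmac-sha-256
[RouterA-keychain-abc-key-2] key-string plain Key2Secret
[RouterA-keychain-abc-key-2] send-lifetime utc 00:00:00 2024/07/01 to 00:00:00 2025/01/01
# key 2 is accepted one hour early for the same reason
[RouterA-keychain-abc-key-2] accept-lifetime utc 23:00:00 2024/06/30 to 00:00:00 2025/01/01
[RouterA-keychain-abc-key-2] quit
[RouterA-keychain-abc] quit
# bind the keychain to the BGP peer (this is the command documented on this page)
[RouterA] bgp 100
[RouterA-bgp-default] peer 10.1.1.2 as-number 100
[RouterA-bgp-default] peer 10.1.1.2 keychain abc
[RouterA-bgp-default] quit

# --- Router B (constructed): identical keychain, peer address mirrored
<RouterB> system-view
[RouterB] keychain abc mode absolute
[RouterB-keychain-abc] key 1
[RouterB-keychain-abc-key-1] authentication-algorithm hmac-sha-256
[RouterB-keychain-abc-key-1] key-string plain Key1Secret
[RouterB-keychain-abc-key-1] send-lifetime utc 00:00:00 2024/01/01 to 00:00:00 2024/07/01
[RouterB-keychain-abc-key-1] accept-lifetime utc 00:00:00 2024/01/01 to 01:00:00 2024/07/01
[RouterB-keychain-abc-key-1] quit
[RouterB-keychain-abc] key 2
[RouterB-keychain-abc-key-2] authentication-algorithm hmac-sha-256
[RouterB-keychain-abc-key-2] key-string plain Key2Secret
[RouterB-keychain-abc-key-2] send-lifetime utc 00:00:00 2024/07/01 to 00:00:00 2025/01/01
[RouterB-keychain-abc-key-2] accept-lifetime utc 23:00:00 2024/06/30 to 00:00:00 2025/01/01
[RouterB-keychain-abc-key-2] quit
[RouterB-keychain-abc] quit
[RouterB] bgp 100
[RouterB-bgp-default] peer 10.1.1.1 as-number 100
[RouterB-bgp-default] peer 10.1.1.1 keychain abc
[RouterB-bgp-default] quit

# --- verification (assumed display commands): confirm which key is active and that the session is Established
[RouterB] display keychain name abc
[RouterB] display bgp peer ipv4
```

Two practical points follow from the usage guidelines. First, the key ID, algorithm and key string must match on both routers; a mismatch on either side leaves the TCP connection unestablished and the BGP peer never reaches Established, which is the first thing to check when a keychain-protected session will not come up. Second, the overlap between the accept-lifetime of the outgoing key and the send-lifetime of the incoming key is what lets the session survive rotation; with non-overlapping windows and any clock skew between the two routers, segments signed with the "wrong" key are rejected and the session flaps. Note also that the page states peer keychain and peer password are mutually exclusive, so remove any existing peer password before switching a peer to keychain authentication.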
Related commands
authentication-algorithm (Security Command Reference)
key (Security Command Reference)