peer keychain

Use peer keychain to enable keychain authentication for a BGP peer or peer group.

Use undo peer keychain to remove keychain authentication for a BGP peer or peer group.

Syntax

peer { group-name | ip-address [ mask-length ] | ipv6-address [ prefix-length ] } keychain keychain-name

undo peer { group-name | ip-address [ mask-length ] | ipv6-address [ prefix-length ] } keychain

Default

Keychain authentication is disabled.

Views

BGP instance view

BGP-VPN instance view

Predefined user roles

network-admin

Parameters

group-name: Specifies a peer group by its name, a case-sensitive string of 1 to 47 characters. The peer group must have been created.

ip-address: Specifies a peer by its IPv4 address. The peer must have been created.

mask-length: Specifies a mask length in the range of 0 to 32. You can use the ip-address and mask-length arguments together to specify a subnet. If you specify a subnet, this command enables keychain authentication for all dynamic peers in the subnet.

ipv6-address: Specifies a peer by its IPv6 address. The peer must have been created.

prefix-length: Specifies a prefix length in the range of 0 to 128. You can use the ipv6-address and prefix-length arguments together to specify a subnet. If you specify a subnet, this command enables keychain authentication for all dynamic peers in the subnet.

keychain-name: Specifies a keychain by its name, a case-sensitive string of 1 to 63 characters. The keychain must have been created.

Usage guidelines

Keychain authentication enhances the security of TCP connection establishment between BGP peers. It allows BGP peers to establish TCP connections only when the following conditions are met:

BGP supports the HMAC-SHA-256 and MD5 authentication algorithms. To specify an authentication algorithm for a key, use the authentication-algorithm command.

The IDs of the keys used for authentication must be in the range of 0 to 63; keys with IDs outside this range are not used for BGP authentication. To create a key, use the key command.

The peer keychain and peer password commands are mutually exclusive.

Examples

# In BGP instance view, configure peer 10.1.1.1 to use keychain abc for authentication.

<Sysname> system-view
[Sysname] bgp 100
[Sysname-bgp-default] peer 10.1.1.1 as-number 100
[Sysname-bgp-default] peer 10.1.1.1 keychain abc
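
# Extended example, added here and not part of the original reference: create keychain abc with two keys so the shared secret can be rotated, then apply it to the peer. The keychain, key-string, send-lifetime and accept-lifetime commands are assumed from the Security Command Reference; the key IDs, key strings and lifetime dates are constructed values, and the remote peer is assumed to hold the same keychain contents.

```text
# Keychain with two keys: key 1 is used first, key 2 takes over on 2025/07/01.
# The accept lifetimes overlap for one hour on each side of the changeover so
# segments protected with either key are accepted while both routers switch.
<Sysname> system-view
[Sysname] keychain abc mode absolute
[Sysname-keychain-abc] key 1
# BGP uses only key IDs 0 to 63 and the HMAC-SHA-256 or MD5 algorithm.
[Sysname-keychain-abc-key-1] authentication-algorithm hmac-sha-256
[Sysname-keychain-abc-key-1] key-string plain Example-Key-1
[Sysname-keychain-abc-key-1] send-lifetime utc 00:00:00 2025/01/01 to 00:00:00 2025/07/01
[Sysname-keychain-abc-key-1] accept-lifetime utc 00:00:00 2025/01/01 to 01:00:00 2025/07/01
[Sysname-keychain-abc-key-1] quit
[Sysname-keychain-abc] key 2
[Sysname-keychain-abc-key-2] authentication-algorithm hmac-sha-256
[Sysname-keychain-abc-key-2] key-string plain Example-Key-2
[Sysname-keychain-abc-key-2] send-lifetime utc 00:00:00 2025/07/01 duration infinite
[Sysname-keychain-abc-key-2] accept-lifetime utc 23:00:00 2025/06/30 duration infinite
[Sysname-keychain-abc-key-2] quit
[Sysname-keychain-abc] quit
# Bind the keychain to the peer. peer keychain and peer password cannot both
# be configured for the same peer.
[Sysname] bgp 100
[Sysname-bgp-default] peer 10.1.1.1 as-number 100
[Sysname-bgp-default] peer 10.1.1.1 keychain abc
```

The same keychain name, key IDs, algorithms, key strings and lifetimes must be configured on the remote peer, otherwise the TCP connection is not established.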

Related commands

authentication-algorithm (Security Command Reference)

key (Security Command Reference)