This command specifies the password argument as the MD5 password for LDP sessions with neighbors whose LDP router IDs are permitted by an access list specified in the acl argument. This password is used if a password is not specified by the mpls ldp password option command.
When a configuration includes multiple mpls ldp password option commands, the number argument defines the order in which the command access lists are evaluated.
A configuration for a VRF can include zero, one, or multiple mpls ldp password option commands.
You can specify the passwords as unencrypted text (type 0) or in encrypted format (type 7). If you configure a type 7 password, the password is saved in encrypted form. If you configure a type 0 password, the password can be saved in unencrypted form or encrypted form, depending on the status of the service password-encryption command:
If the service password-encryption command is enabled, the type 0 password is converted and saved in encrypted form.
When you enter a show running-config command, if the service password-encryption command is enabled, a password saved in unencrypted form is converted into encrypted form, and is then displayed and saved in encrypted form.
If the service password-encryptioncommand is disabled, the type 0 password is saved in unencrypted form.
The MD5 password and the generated key chain key are limited to 25 characters. If he password and key are more than 25 characters, the encryption is performed only on the first 25 characters and the remaining characters are truncated.
The following is an example of the message displayed when the MD5 password exceeds 25 characters:
Router(config)# mpls ldp password option 7 for acl1 password123456789123456789123456789
% Unencrypted password has been truncated to 25 characters.
The following is an example of the message displayed when you configure the service password-encryption key-chain keyword to generate a password:
Router(config)# mpls ldp password option 0 for acl1 key-chain MyKeyChain
The key chain “MyKeyChain” consists of a series of keys, each with an acceptance interval:
key 1 -- text "first_key"
accept lifetime (00:00:00 GMT Jan 1 2010) - (18:58:00 GMT Dec 8 2010)
send lifetime (00:00:00 GMT Jan 1 2010) - (18:56:00 GMT Dec 8 2010)
key 10 -- text "10_key_ten_begin"
accept lifetime (18:52:00 GMT Dec 8 2010) - (960 seconds)
send lifetime (18:55:00 GMT Dec 8 2010) - (600 seconds)
key 20 -- text "20_key_20_20_20_20_20_20_20_20_20_20_20_20_20_"
accept lifetime (19:02:00 GMT Dec 8 2010) - (960 seconds)
send lifetime (19:05:00 GMT Dec 8 2010) - (600 seconds)
key 30 -- text "30_key_30_30_30_30_30_30_30_30_30_30_30_30_30_"
accept lifetime (19:12:00 GMT Dec 8 2010) - (960 seconds)
send lifetime (19:15:00 GMT Dec 8 2010) - (600 seconds)
key 40 -- text "key_forty_endgame"
accept lifetime (19:12:00 GMT Dec 8 2010) - (infinite) [valid now]
send lifetime (19:15:00 GMT Dec 8 2010) - (infinite) [valid now]
A [valid now] key is selected as the current MD5 password. If the selected key exceeds 25 characters, only the first 25 characters are used for the MD5 password. When you configure the mpls ldp password option command with the key-chain keyword, a notification is displayed to remind you that the MD5 password used may be shorter than the key string:
% Only first 25 characters of key chain keys can be used for MD5 encryption
This notification is displayed every 15 minutes. If it has been less than 15 minutes since you last entered the mpls ldp password option command with the keyword, this notification is not displayed.
Whenever LDP truncates a key from a key chain for the encrypted LDP session, a notice message of the following format is also logged:
%LDP-5-PWDKEYTRUNC: MD5 digest uses 25 chars of longer transmit/receive key(s) for peer <Routerid>
The following is an example of a log created when a key chain key exceeds 25 characters:
*Dec 17 02:45:31.831: %LDP-5-PWDKEYTRUNC: MD5 digest uses 25 chars of longer transmit/receive key(s) for peer 126.96.36.199