NE40E V800R010C00 Configuration Guide - MPLS 01

Configuring LDP Security Features

LDP security features, such as MD5 authentication, keychain authentication, and the generalized TTL security mechanism (GTSM), can be configured to meet high network security requirements. Without them, the system may be insecure. By default, no LDP security features are configured.

Usage Scenario

The following LDP security features can be configured to meet network security requirements:
  • LDP MD5 authentication

    A typical MD5 application is to calculate a message digest to prevent message spoofing. The MD5 message digest is a fixed-length value derived from the message through an irreversible transformation; if the message is modified in transit, a different digest results. When the message arrives, the receiving end computes the digest of the received message itself and compares it with the digest that was sent, which reveals any modification.

    MD5 authentication can be configured in either plaintext or ciphertext mode (this determines how the password is stored, not how the digest is computed). The two peers of an LDP session may be configured with different modes, but they must share the same password.

  • LDP keychain authentication

    Keychain authentication, an enhanced mechanism similar to MD5 authentication, calculates a message digest for each LDP message to prevent the message from being modified.

    During keychain authentication, a group of passwords is defined as a set of password strings. Each password is associated with a specific algorithm, such as MD5 or secure hash algorithm-1 (SHA-1), and is valid only within a configured validity period. Before sending or receiving a packet, the system selects a password that is currently valid: within that password's validity period, the system applies the algorithm associated with the password to protect each packet it sends, and applies the same algorithm to check each packet before accepting it. When a password expires, the system automatically switches to the next valid password, which limits how long any single password is exposed and so reduces the risk of it being cracked.

    Before configuring LDP keychain authentication, configure keychain authentication globally. If LDP keychain authentication is configured before global keychain authentication is configured, the LDP session will be disconnected.

  • LDP GTSM

    The GTSM checks TTL values to defend against attacks. An attacker forges unicast LDP messages and sends them to nodes. When an interface board on a node receives such a message and finds that it is destined for the node itself, it passes the message directly to the LDP module on the control plane without verifying it. As a result, the node spends its time processing forged messages on the control plane, leading to high CPU usage.

    To address this problem, the GTSM can be configured to check whether the TTL value in the IP header falls within a specified range. This protects the nodes from such attacks and improves system security.
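The keychain behaviour described above (a set of passwords, each tied to an algorithm and a validity period, with automatic rollover) can be illustrated with the following added example. It is not Huawei's code and not the NE40E implementation: the digest construction, the key fields and the sample keychain are all constructed assumptions that model the selection logic, not the on-the-wire TCP MD5 option format.

```python
import hashlib
import hmac
from dataclasses import dataclass

INF = float("inf")

@dataclass
class KeychainKey:
    key_id: int
    algorithm: str      # "md5" or "sha1", the algorithms named on the page
    password: bytes
    send_start: float   # send-lifetime: [send_start, send_end)
    send_end: float
    accept_start: float # accept-lifetime: [accept_start, accept_end)
    accept_end: float

def select_send_key(keys, now):
    """Return the key whose send-lifetime covers `now` (lowest key-id wins), or None."""
    for k in sorted(keys, key=lambda k: k.key_id):
        if k.send_start <= now < k.send_end:
            return k
    return None

def digest(key, message):
    # Simplified keyed digest hash(message || password); a model, not the TCP MD5 option.
    return hashlib.new(key.algorithm, message + key.password).digest()

def sign(keys, message, now):
    k = select_send_key(keys, now)
    if k is None:
        raise ValueError(f"no key valid for sending at t={now}")
    return k.algorithm, digest(k, message)

def verify(keys, message, received_digest, now):
    """Accept if any key whose accept-lifetime covers `now` reproduces the digest."""
    return any(k.accept_start <= now < k.accept_end
               and hmac.compare_digest(digest(k, message), received_digest)
               for k in keys)

# Constructed sample keychain: key 1 is retired at t=100 and key 2 takes over.
# The accept windows overlap (95..110) so packets in flight during rollover still verify.
KEYCHAIN = [
    KeychainKey(1, "md5",  b"old-password", 0,   100, 0,  110),
    KeychainKey(2, "sha1", b"new-password", 100, INF, 95, INF),
]
MSG = b"LDP message (constructed sample payload)"

def rollover_demo():
    alg_before, d_before = sign(KEYCHAIN, MSG, 50)    # signed with key 1
    alg_after, d_after = sign(KEYCHAIN, MSG, 150)     # signed with key 2
    return {"alg_before": alg_before, "alg_after": alg_after,
            "in_flight_accepted": verify(KEYCHAIN, MSG, d_before, 105),
            "stale_rejected": not verify(KEYCHAIN, MSG, d_before, 120),
            "new_key_accepted": verify(KEYCHAIN, MSG, d_after, 150)}
```

The `stale_rejected` case is the point of the validity period: a digest made with a password that has passed its accept window is refused even though the password itself is unchanged.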

Pre-configuration Tasks

Before configuring LDP security features, complete the following tasks:

  • Enable MPLS and MPLS LDP.

  • (Optional) Configure global keychain authentication.

Updated: 2018-07-12

Document ID: EDOC1100028530
