Configuring LDP Security Mechanisms
Pre-configuration Tasks
LDP security mechanisms such as LDP MD5 authentication, LDP Keychain authentication, and LDP GTSM can be configured to meet high network security requirements.
Before configuring LDP security features, configure basic functions of MPLS LDP. For details, see Configuring Basic Functions of MPLS LDP.
Configuring LDP MD5 Authentication
Context
MD5 authentication can be configured for the TCP connection over which an LDP session is established, improving security. Note that the two peers of an LDP session can be configured with different encryption modes for storing the password, but must be configured with the same password.
The MD5 algorithm is simple to configure but uses a single password that can be changed only manually. MD5 authentication is therefore suited to networks that require authentication only for a short period.
Keychain authentication and MD5 authentication cannot both be configured for the same LDP peer. Note that the MD5 algorithm cannot guarantee security; Keychain authentication is recommended.
Configuring LDP MD5 authentication may cause LDP session reestablishment, deletion of the LSPs associated with the deleted LDP session, and MPLS service interruption.
Procedure
- Run system-view
The system view is displayed.
- Run mpls ldp
The MPLS-LDP view is displayed.
- Run md5-password { plain | cipher } peer-lsr-id password
MD5 authentication is configured and a password is set.
By default, LDP MD5 authentication is not performed between LDP peers.
If plain is selected, the password is saved in the configuration file in plain text, and lower-level users can easily obtain it by viewing the configuration file, which is a security risk. Therefore, it is recommended that you select cipher so that the password is saved in cipher text.
Configuring LDP Keychain Authentication
Context
To help improve LDP session security, Keychain authentication can be configured for a TCP connection over which an LDP session has been established.
Keychain authentication involves a set of passwords and switches to a new password when the previous one expires. Keychain authentication is more complex to configure and applies to networks requiring high security.
You cannot configure Keychain authentication and MD5 authentication for the same neighbor at the same time.
Before configuring LDP Keychain authentication, configure keychain globally. For details about the keychain configuration, see the Keychain Configuration in Huawei AR Series Access Routers Configuration Guide - Security.
Configuring LDP Keychain authentication may cause LDP session reestablishment, deletion of the LSPs associated with the deleted LDP session, and MPLS service interruption.
Procedure
- Run system-view
The system view is displayed.
- Run mpls ldp
The MPLS-LDP view is displayed.
- Run authentication key-chain peer peer-id name keychain-name
LDP Keychain authentication is enabled and a keychain name is specified.
By default, LDP Keychain authentication is not performed between LDP peers.
Configuring the LDP GTSM
Context
To protect the device from attacks, the Generalized TTL Security Mechanism (GTSM) checks the TTL value of a packet to determine whether the packet is valid. To check the TTL value of LDP packets exchanged between LDP peers, enable GTSM on the LDP peers and set the TTL range. If the TTL of an LDP packet is outside the TTL range, the packet is regarded as a forged attack packet and discarded. This prevents the CPU from processing a large number of forged LDP packets and so protects the upper-layer protocols.
Procedure
- Run system-view
The system view is displayed.
- Run mpls ldp
The MPLS-LDP view is displayed.
- Run gtsm peer ip-address valid-ttl-hops hops
The LDP GTSM is configured.
By default, no LDP peer is configured with the GTSM.
hops is the maximum number of valid hops permitted by GTSM. If the TTL value carried in a received packet is within the range [255 - hops + 1, 255], the packet is accepted; if the TTL value is outside the range, the packet is discarded.
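A worked configuration that applies the procedures above on a pair of directly connected LSRs (LSR IDs 1.1.1.1 and 2.2.2.2), added here as an illustration rather than taken from this guide. The global keychain commands (keychain, key-id, algorithm, key-string, send-time, receive-time), their time format and the key and password values are assumptions, since the page defers keychain configuration to the Security guide; lines starting with # are explanatory comments.

```text
# --- LSRA (LSR ID 1.1.1.1); its peer LSRB (LSR ID 2.2.2.2) is one hop away ---
system-view
#
# Global keychain (assumed syntax): two keys whose receive windows overlap, so the
# session keeps authenticating while the peers move from key 1 to key 2.
keychain ldp-kc mode absolute
 key-id 1
  algorithm hmac-sha-256
  key-string cipher Key1-Example
  send-time 00:00 2024-01-01 to 23:59 2024-06-30
  receive-time 00:00 2024-01-01 to 23:59 2024-07-07
 key-id 2
  algorithm hmac-sha-256
  key-string cipher Key2-Example
  send-time 00:00 2024-07-01 to 23:59 2024-12-31
  receive-time 00:00 2024-06-24 to 23:59 2024-12-31
 quit
#
mpls ldp
 # Keychain and MD5 authentication are mutually exclusive for one peer, so no
 # md5-password is configured for 2.2.2.2. If MD5 had to be used instead, the
 # weak form   md5-password plain 2.2.2.2 Example-Pass
 # stores the password readable in the configuration file; the corrected form
 #             md5-password cipher 2.2.2.2 Example-Pass
 # stores it in cipher text. Both peers would need the same password.
 authentication key-chain peer 2.2.2.2 name ldp-kc
 #
 # GTSM: a directly connected peer sends LDP packets with TTL 255, so hops 1
 # gives the accepted range [255 - 1 + 1, 255] = {255}; any packet that has
 # crossed a router on the way (TTL 254 or less) is discarded before the CPU
 # processes it.
 gtsm peer 2.2.2.2 valid-ttl-hops 1
 quit
#
# --- LSRB (LSR ID 2.2.2.2): same keychain ldp-kc, peer LSR ID swapped ---
mpls ldp
 authentication key-chain peer 1.1.1.1 name ldp-kc
 gtsm peer 1.1.1.1 valid-ttl-hops 1
 quit
```

Expect the LDP session to be re-established when authentication is first applied, as the Context sections note; verify afterwards that the session returns to the Operational state on both LSRs.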