ME60 V800R010C10SPC500 Configuration Guide - Security Hardening 01

MPLS


  • RSVP

    Digests of RSVP messages are verified so that tampered or forged messages are detected, protecting the protocol against tampering and forgery attacks and enhancing network reliability and security.

  • LDP MD5 authentication

    MD5 is a digest algorithm defined in the relevant standards and is typically used to prevent message spoofing. An MD5 message digest is a fixed-length value produced by an irreversible (one-way) transformation of the input; if a message is modified during transmission, it yields a different digest. After the message arrives, the receive end recomputes the digest over the received message and compares it with the digest that was carried with the message, so any modification is detected.

    LDP MD5 authentication protects LDP packets against modification by generating a unique digest for each protected message segment. It is a stricter check than the ordinary TCP connection check.

    LDP MD5 authentication is performed before LDP messages are sent over TCP. A message digest is inserted after the TCP header. The digest is computed with the MD5 algorithm over the TCP header, the LDP message, and the user-defined password.

    When the message arrives, the receive end extracts the TCP header, the carried digest, and the LDP message. It recomputes the digest from these fields and the locally stored password, then compares the result with the digest carried in the message. If the two differ, the receive end treats the LDP message as having been tampered with.

    A password can be configured in either ciphertext or simple-text form. A simple-text password is recorded in the configuration file exactly as the user entered it. A ciphertext password is encrypted with a special algorithm before being recorded in the configuration file.

    In both cases, the characters entered by the user are what is used in the digest calculation; the encrypted form of the password is never used. The encryption and decryption algorithms are vendor-proprietary.
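The following Python model, added here as an example and not taken from the guide or from the ME60 software, walks through the LDP MD5 mechanism just described: the sender computes an MD5 digest over the TCP header, the LDP message and the user-entered password and places it after the TCP header; the receiver recomputes and compares. It also shows that the digest is computed over the characters the user typed whether the password is stored as simple text or as ciphertext. The TCP header bytes, the LDP message bytes, the password, and the use of base64 as a stand-in for the vendor's proprietary password encryption are all constructed assumptions; the exact on-wire layout of the digest option is not modelled.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample values, not taken from the guide: a 20-byte TCP header with no
# options (source port 40001, destination port 646 for LDP) and a stand-in byte
# string for an LDP message.
TCP_HEADER = struct.pack("!HHIIBBHHH", 40001, 646, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
LDP_MESSAGE = bytes.fromhex("0001001c0a000001000000010001")

DIGEST_LEN = hashlib.md5().digest_size  # 16 bytes


def store_password(password: str, ciphertext: bool) -> str:
    """Model what is recorded in the configuration file.  A simple-text password is
    stored as typed; a ciphertext password is stored encrypted.  base64 is only a
    reversible placeholder for the vendor-proprietary encryption the guide mentions."""
    if ciphertext:
        return "cipher:" + base64.b64encode(password.encode()).decode()
    return "simple:" + password


def password_for_digest(stored: str) -> str:
    """Recover the characters the user entered: the digest is always computed over
    those, never over the encrypted form stored in the configuration file."""
    kind, _, value = stored.partition(":")
    if kind == "cipher":
        return base64.b64decode(value).decode()
    return value


def ldp_md5_digest(tcp_header: bytes, ldp_message: bytes, password: str) -> bytes:
    """Digest over TCP header, LDP message and user-defined password, following the
    guide's description of the calculation (field order here is an assumption)."""
    return hashlib.md5(tcp_header + ldp_message + password.encode()).digest()


def build_segment(tcp_header: bytes, ldp_message: bytes, stored_password: str) -> bytes:
    """Sender side: the digest is placed after the TCP header, before the LDP message."""
    password = password_for_digest(stored_password)
    return tcp_header + ldp_md5_digest(tcp_header, ldp_message, password) + ldp_message


def verify_segment(segment: bytes, stored_password: str) -> tuple[bool, bytes]:
    """Receiver side: split the segment, recompute the digest with the locally stored
    password and compare in constant time.  Returns (ok, ldp_message); a segment that
    fails the check is treated as tampered with and no payload is returned."""
    tcp_header = segment[:20]
    received_digest = segment[20:20 + DIGEST_LEN]
    ldp_message = segment[20 + DIGEST_LEN:]
    expected = ldp_md5_digest(tcp_header, ldp_message, password_for_digest(stored_password))
    if not hmac.compare_digest(received_digest, expected):
        return False, b""
    return True, ldp_message


if __name__ == "__main__":
    stored = store_password("Ldp-Pa55word", ciphertext=True)
    segment = build_segment(TCP_HEADER, LDP_MESSAGE, stored)
    print("valid segment accepted:", verify_segment(segment, stored)[0])
    # Flip one bit inside the LDP message: the recomputed digest no longer matches.
    pos = 20 + DIGEST_LEN + 2
    tampered = segment[:pos] + bytes([segment[pos] ^ 0x01]) + segment[pos + 1:]
    print("tampered segment accepted:", verify_segment(tampered, stored)[0])
```

The constant-time comparison (`hmac.compare_digest`) is a deliberate choice on the verifier side; the guide does not specify how the device compares digests, but a plain byte-by-byte comparison would leak timing information to a peer probing the password.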

  • LDP keychain authentication

    Keychain authentication, an enhanced mechanism comparable to MD5 authentication, calculates a message digest for each LDP message to prevent the message from being modified.

    During keychain authentication, a group of passwords is defined to form a password string. Each password is assigned an encryption and decryption algorithm (for example, MD5 or SHA-1) and an expiration period. When sending or receiving a packet, the system selects a valid password according to the user's configuration. Within that password's validity period, the system uses the algorithm matching the password to encrypt the packet before sending it, or to decrypt the packet before accepting it. When a password expires, the system automatically switches to a new one, which prevents any single password from being cracked.

    The keychain authentication password, the encryption and decryption algorithms, and the expiration period of the password can be configured separately on a keychain configuration node. A keychain configuration node has the following minimum requirements: one password, an encryption algorithm, and a decryption algorithm.

    To reference a keychain configuration node, specify a peer IP address and a node name in the MPLS-LDP view. The keychain configuration node is then used to encrypt an LDP session. Multiple peers can reference the same keychain configuration node.

    NOTE:
    • LDP authentication configurations are prioritized in descending order: for a single peer, for a specified peer group, for all peers. Keychain and MD5 configurations of the same priority are mutually exclusive. Keychain or MD5 authentication can be configured at the same time for a specified LDP peer, for the peer group containing that peer, and for all LDP peers; the configuration with the highest priority takes effect. For example, if MD5 authentication is configured for Peer1 and then keychain authentication is configured for all LDP peers, MD5 authentication takes effect on Peer1 and keychain authentication takes effect on the other peers.

      You can configure either LDP MD5 authentication or LDP keychain authentication in a specific scenario:

      • MD5 authentication is easy to configure and uses a single password that can only be changed manually. MD5 authentication applies to networks requiring short-period encryption.

      • Keychain authentication involves a set of passwords and uses a new password each time the previous one expires. Keychain authentication is complex to configure and applies to networks requiring high security.
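The following Python model is an added example, not code from the guide or from the ME60 software, and covers both the keychain description above and the priority rule in the NOTE. A keychain holds several passwords, each paired with a digest algorithm (MD5 or SHA-1) and a validity period; the sender picks the password valid at the current time and the receiver uses the key id carried in the segment to select the same password, rejecting an expired or unknown one. `effective_auth` resolves which configuration applies to a peer in the guide's descending priority (single peer, peer group, all peers) and reproduces the Peer1 example from the NOTE. The TCP header bytes, the LDP message bytes, the passwords, the validity dates, the placement of a one-byte key id after the TCP header, and the `(scope, name)` shape of the configuration map are all constructed assumptions.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from datetime import datetime, timezone

# Digest algorithms a keychain password may be paired with (the guide names MD5 and SHA-1).
ALGORITHMS = {"md5": hashlib.md5, "sha1": hashlib.sha1}

# Constructed sample values, not from the guide: a 20-byte TCP header and an LDP message.
TCP_HEADER = struct.pack("!HHIIBBHHH", 40001, 646, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
LDP_MESSAGE = bytes.fromhex("0001001c0a000001000000010001")


@dataclass(frozen=True)
class Key:
    key_id: int            # carried in the segment so the receiver picks the same password
    secret: bytes          # the password itself
    algorithm: str         # "md5" or "sha1"
    valid_from: datetime
    valid_until: datetime  # expiration time, exclusive


def find_key(keychain, now, key_id=None):
    """Select a password valid at `now`.  With key_id given (receiver side) only that
    password qualifies.  Returns None when no password is valid."""
    for key in keychain:
        if key_id is not None and key.key_id != key_id:
            continue
        if key.valid_from <= now < key.valid_until:
            return key
    return None


def keychain_digest(key, tcp_header, ldp_message):
    """Digest with the algorithm paired to this password (field order is an assumption)."""
    return ALGORITHMS[key.algorithm](tcp_header + ldp_message + key.secret).digest()


def build_segment(keychain, now, tcp_header, ldp_message):
    """Sender side: use the currently valid password and its algorithm; the key id and
    digest go after the TCP header."""
    key = find_key(keychain, now)
    if key is None:
        raise LookupError("no valid keychain password at this time")
    digest = keychain_digest(key, tcp_header, ldp_message)
    return tcp_header + struct.pack("!B", key.key_id) + digest + ldp_message


def verify_segment(keychain, now, segment):
    """Receiver side: the key id selects the password; an expired password, an unknown
    id or a digest mismatch all reject the segment.  Returns (ok, ldp_message)."""
    tcp_header, key_id = segment[:20], segment[20]
    key = find_key(keychain, now, key_id)
    if key is None:
        return False, b""
    size = ALGORITHMS[key.algorithm]().digest_size
    received, ldp_message = segment[21:21 + size], segment[21 + size:]
    if not hmac.compare_digest(received, keychain_digest(key, tcp_header, ldp_message)):
        return False, b""
    return True, ldp_message


def effective_auth(auth_config, peer, group):
    """Resolve which configuration applies to a peer, in the guide's descending priority:
    single peer, then its peer group, then all peers.  auth_config maps (scope, name)
    to "md5" or "keychain"; the name is None for the all-peers scope."""
    for scope, name in (("peer", peer), ("peer_group", group), ("all_peers", None)):
        if (scope, name) in auth_config:
            return auth_config[(scope, name)]
    return None


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed keychain: two passwords with different algorithms and back-to-back validity.
KEYCHAIN = [
    Key(1, b"first-secret", "md5", utc(2019, 1, 1), utc(2019, 1, 8)),
    Key(2, b"second-secret", "sha1", utc(2019, 1, 8), utc(2019, 1, 15)),
]

if __name__ == "__main__":
    seg = build_segment(KEYCHAIN, utc(2019, 1, 3), TCP_HEADER, LDP_MESSAGE)
    print("key 1 segment, checked on Jan 3:", verify_segment(KEYCHAIN, utc(2019, 1, 3), seg)[0])
    print("same segment, checked on Jan 10:", verify_segment(KEYCHAIN, utc(2019, 1, 10), seg)[0])
    config = {("peer", "Peer1"): "md5", ("all_peers", None): "keychain"}
    print("Peer1:", effective_auth(config, "Peer1", "G1"), "Peer2:", effective_auth(config, "Peer2", "G1"))
```

A segment signed with key 1 on 3 January is accepted on that day but rejected on 10 January, when key 1 has expired and key 2 (SHA-1, 20-byte digest) is the only valid password; this is the automatic switch the guide describes. In a deployment the receive window is usually configured slightly wider than the send window so that clock skew between peers does not drop traffic at the changeover; this model keeps one window per key for brevity.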

  • LDP GTSM

    LDP GTSM is the application of GTSM in LDP.

    GTSM determines whether a packet is valid by checking its TTL, which protects devices from attacks. GTSM for LDP applies this check to LDP messages exchanged between adjacent devices or devices a small number of hops apart. A valid TTL range is configured on the device; LDP messages whose TTL falls outside that range are treated as attack packets and discarded.
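The following Python filter is an added example, not code from the guide or from the ME60 software, showing the LDP GTSM check described above run over a handful of constructed packets. The guide only states that a TTL range is configured; the window used here, from 255 minus the hop count plus one up to 255, is this example's own assumption (each router on the path decrements the TTL by one), as are the peer addresses, hop counts and packet values.

```python
from dataclasses import dataclass

MAX_TTL = 255  # GTSM senders originate protocol packets with the maximum TTL


@dataclass(frozen=True)
class Packet:
    src: str      # source address of the packet
    ttl: int      # TTL as seen on arrival
    is_ldp: bool  # whether this is an LDP message


def gtsm_ttl_range(hops: int) -> tuple[int, int]:
    """Valid TTL window for a peer at most `hops` hops away.  The guide only says a
    range is configured; [255 - hops + 1, 255] is this example's assumption."""
    if not 1 <= hops <= MAX_TTL:
        raise ValueError("hops must be between 1 and 255")
    return MAX_TTL - hops + 1, MAX_TTL


def gtsm_filter(packets, peers):
    """`peers` maps a configured LDP peer address to its hop count.  LDP packets from
    a configured peer are checked against the window; packets outside it are classed
    as attack packets and dropped.  Returns (accepted, dropped, unchecked) lists."""
    accepted, dropped, unchecked = [], [], []
    for pkt in packets:
        if not pkt.is_ldp or pkt.src not in peers:
            unchecked.append(pkt)  # not subject to LDP GTSM in this model
            continue
        low, high = gtsm_ttl_range(peers[pkt.src])
        (accepted if low <= pkt.ttl <= high else dropped).append(pkt)
    return accepted, dropped, unchecked


# Constructed sample data: one directly connected peer and one peer three hops away.
PEERS = {"10.0.0.2": 1, "10.0.1.9": 3}
PACKETS = [
    Packet("10.0.0.2", 255, True),   # neighbour, TTL intact: accept
    Packet("10.0.0.2", 250, True),   # claims to be the neighbour but travelled too far: drop
    Packet("10.0.1.9", 253, True),   # three-hop peer, decremented twice: accept
    Packet("10.0.1.9", 252, True),   # one hop too many: drop
    Packet("10.0.0.2", 255, False),  # not LDP: not checked here
]

if __name__ == "__main__":
    accepted, dropped, unchecked = gtsm_filter(PACKETS, PEERS)
    print("accepted:", [(p.src, p.ttl) for p in accepted])
    print("dropped:", [(p.src, p.ttl) for p in dropped])
    print("unchecked:", [(p.src, p.ttl) for p in unchecked])
```

The point of the check is that a TTL cannot be raised in transit: a packet that has crossed more routers than the configured hop count arrives with a TTL below the window no matter what value the sender chose, so a remote host cannot make its traffic look like it came from a neighbour.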

  • LDP whitelist

    The interaction module at the application layer inspects uplink packets and grants high bandwidth to packets that match the whitelist.

Updated: 2019-01-04

Document ID: EDOC1100059445
