Configuring LDP MD5 Authentication
Context
MD5 authentication can be configured for a TCP connection over which an LDP session is established, improving security. Note that the peers of an LDP session can be configured with different encryption modes, but must be configured with a single password.
The MD5 algorithm is easy to configure and generates a single password which can be changed only manually. MD5 authentication applies to the network requiring short-period encryption.
Keychain authentication and MD5 authentication cannot be both configured on a single LDP peer. Note that MD5 encryption algorithm cannot ensure security. Keychain authentication is recommended.
Configuring LDP MD5 authentication may cause LDP session reestablishment, deletion of the LSP associated with the deleted LDP session, and MPLS service interruption.
LDP authentication configurations are prioritized in descending order: for a single peer, for a specified peer group, for all peers. Keychain and MD5 configurations of the same priority are mutually exclusive. Keychain or MD5 authentication can be configured simultaneously for a specified LDP peer, for this LDP peer in a specified peer group, and for all LDP peers. The configuration with a higher priority takes effect. For example, if MD5 authentication is configured for Peer1 and then keychain authentication is configured for all LDP peers, MD5 authentication takes effect on Peer1. Keychain authentication takes effect on other peers.
Procedure
- Run system-view
The system view is displayed.
- Run mpls ldp
The MPLS-LDP view is displayed.
- Configure LDP MD5 authentication
Configure LDP MD5 authentication for a single LDP peer.
Run md5-password { plain | cipher } peer-lsr-id password
MD5 authentication is configured and a password is set.
By default, LDP MD5 authentication is not performed between LDP peers.
The password can be set in either simple text or ciphertext. A simple password is a pre-configured character string that is recorded in a configuration file as it is. A ciphertext password is a character string that is encrypted using a specified algorithm before being recorded in a configuration file.
If you configure a simple password, it will be saved in the configuration file in simple text that has a high security risk. Therefore, configuring a ciphertext password is recommended. To improve the device security, periodically change the password.
Configure LDP MD5 authentication for LDP peers in a specified LDP peer group.
Run md5-password { plain | cipher } peer-group ip-prefix-name password
MD5 authentication is enabled and a password is set for LDP peers in a specified LDP peer group.
An IP prefix list can be specified using ip-prefix-name to define the range of IP addresses in a group. Before using an IP prefix list, ensure that the IP prefix list must have been created.
(Optional) Run authentication exclude peer peer-id
The device is disabled from authenticating a specified LDP peer.
By default, after LDP MD5 authentication is enabled for a specified LDP peer group, MD5 authentication takes effect on all LDP peers in the group. To disable the device from authenticating a specified LDP peer in the group, perform this step.
Configure LDP MD5 authentication for all LDP peers.
Run md5-password { plain | cipher } all password
MD5 authentication is enabled and a password is set for all LDP peers.
(Optional) Run authentication exclude peer peer-id
The device is disabled from authenticating a specified LDP peer.
By default, after LDP MD5 authentication is enabled for all LDP peers, MD5 authentication takes effect on all LDP peers. To disable the device from authenticating a specified LDP peer, perform this step.
- Run commit
The configuration is committed.