MPLS provides three security mechanisms to ensure the security of LDP packets: LDP message digest algorithm 5 (MD5), LDP Keychain authentication, and LDP Generalized TTL Security Mechanism (GTSM).
LDP Keychain is more secure than LDP MD5 authentication, and only one of these two mechanisms can be used for a given LDP peer. LDP GTSM protects devices against attacks that use invalid LDP packets and can be combined with either LDP MD5 authentication or LDP Keychain.
MD5 is a standard message digest algorithm defined in RFC 1321. MD5 authentication calculates message digests to prevent message spoofing. An MD5 digest is a fixed-length value produced by an irreversible transformation of the input string, so if a message is modified in transit, a different digest results. On receiving a message, the receiver determines whether it has been modified by comparing the received digest with one it calculates locally.
MD5 generates a distinct digest for each information segment, which prevents LDP packets from being modified undetected. This authentication method is stricter than the standard TCP checksum.
MD5 authentication works as follows:
Before an LDP session message is sent over the TCP connection, the sender adds a digest to the TCP header. The digest is calculated with the MD5 algorithm over the TCP header, the LDP session message, and the configured password.
Upon receiving the TCP packet, the receiver extracts the TCP header, the digest, and the LDP session message, and uses MD5 to calculate its own digest over the received TCP header, the LDP session message, and the locally stored password. The receiver compares the calculated digest with the received one to check whether the packet has been modified.
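As an added illustration (not part of the original documentation), the following Python models the sender and receiver steps above using the TCP MD5 signature layout from RFC 2385: the digest is computed over the TCP pseudo-header, the TCP header with its checksum zeroed, the LDP message, and the password. The addresses, password, LDP KeepAlive PDU and TCP header are constructed sample values, and the TCP option that would carry the digest on the wire is not serialised.

```python
import hashlib
import hmac
import struct

# Constructed sample values: both LDP peers use TCP port 646 and share this password.
SHARED_PASSWORD = b"ldp-example-key"   # constructed, not a real key
SRC_IP = bytes([10, 0, 0, 1])           # constructed addresses
DST_IP = bytes([10, 0, 0, 2])

# Constructed LDP PDU (RFC 5036 layout): version 1, PDU length 14, LSR-ID 10.0.0.1,
# label space 0, followed by one KeepAlive message (type 0x0201, length 4, message ID 7).
LDP_KEEPALIVE = struct.pack("!HH4sH", 1, 14, SRC_IP, 0) + struct.pack("!HHI", 0x0201, 4, 7)

def build_tcp_header(seq, ack, checksum=0):
    """20-byte fixed TCP header: ports 646/646, data offset 5, PSH|ACK flags, window 65535."""
    return struct.pack("!HHIIBBHHH", 646, 646, seq, ack, 5 << 4, 0x18, 65535, checksum, 0)

def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, password):
    """RFC 2385 TCP MD5 signature: MD5 over pseudo-header, TCP header with the checksum
    zeroed, segment data, then the key. Assumption: the MD5 option itself is not
    serialised here, so the segment length omits the option bytes a real stack adds."""
    seg_len = len(tcp_header) + len(payload)
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, seg_len)  # zero, proto TCP, length
    hdr = bytearray(tcp_header)
    hdr[16:18] = b"\x00\x00"  # checksum field is treated as zero in the digest
    m = hashlib.md5()
    for part in (pseudo, bytes(hdr), payload, password):
        m.update(part)
    return m.digest()

def sign_segment(tcp_header, payload, password):
    """Sender side: the 16-byte digest that would be placed in the TCP MD5 option."""
    return tcp_md5_digest(SRC_IP, DST_IP, tcp_header, payload, password)

def verify_segment(tcp_header, payload, received_digest, password):
    """Receiver side: recompute with the local password and compare in constant time."""
    expected = tcp_md5_digest(SRC_IP, DST_IP, tcp_header, payload, password)
    return hmac.compare_digest(expected, received_digest)

def demo():
    """The checks a receiver relies on: intact segment, tampered payload, wrong password."""
    hdr = build_tcp_header(seq=1000, ack=2000)
    digest = sign_segment(hdr, LDP_KEEPALIVE, SHARED_PASSWORD)
    tampered = LDP_KEEPALIVE[:-1] + bytes([LDP_KEEPALIVE[-1] ^ 0x01])  # flip one message-ID bit
    return {
        "digest_len": len(digest),
        "intact": verify_segment(hdr, LDP_KEEPALIVE, digest, SHARED_PASSWORD),
        "tampered": verify_segment(hdr, tampered, digest, SHARED_PASSWORD),
        "wrong_password": verify_segment(hdr, LDP_KEEPALIVE, digest, b"other-password"),
    }

if __name__ == "__main__":
    print(demo())
```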
Passwords are set in either cipher text or plain text. Plain-text passwords are saved directly in configuration files, whereas cipher-text passwords are encrypted with special algorithms before being saved. In both cases, the character string entered by the user is what goes into the digest calculation; the stored cipher-text form never participates in the MD5 calculation. Because different vendors use proprietary password encryption algorithms, this design lets LDP MD5 authentication work regardless of how each device encrypts its stored password.
Compared with LDP MD5, LDP Keychain is an enhanced authentication mechanism that calculates message digests for the same LDP messages to prevent them from being modified.
LDP Keychain allows users to define groups of password strings, each with its own encryption/decryption algorithm and validity period. Devices select a valid password based on the configuration, encrypt packets before sending them, and decrypt received packets using the encryption or decryption algorithm (such as MD5 or SHA-1) that matches the selected password. In addition, devices switch to a new password when the previous one expires, reducing the risk of a password being cracked.
Keychain authentication passwords, encryption and decryption algorithms, and password validity periods are configured independently. A Keychain configuration node requires at least one password together with its encryption and decryption algorithms.
GTSM protects services by checking whether time-to-live (TTL) values in IP headers are within pre-defined ranges. The prerequisites for using GTSM include:
The TTL of legitimate packets exchanged between the devices is known in advance.
TTL values are difficult for an attacker to tamper with.
LDP GTSM refers to implementing GTSM over LDP.
To protect devices against attacks, GTSM verifies the TTL of incoming packets. LDP GTSM applies to LDP packets exchanged between neighbors or adjacent devices, that is, devices a fixed number of hops apart. A TTL range is preset on each device for packets arriving from other devices. With LDP GTSM enabled, an LDP-enabled device treats any received LDP packet whose TTL falls outside the configured range as invalid and discards it. In this way LDP GTSM protects the upper-layer protocols that depend on LDP.