LDP security features, such as MD5 authentication, keychain authentication, and the generalized TTL security mechanism (GTSM), can be configured to meet high network security requirements. By default, no LDP security features are configured. You are advised to configure security features as required to ensure system security.
LDP MD5 authentication
A typical MD5 application is to calculate a message digest to prevent message spoofing. The MD5 digest is a fixed-length value computed from the message by a one-way function, so the digest cannot be reversed to recover the message. If a message is modified during transmission, a different digest is generated. When the message arrives, the receiving end recomputes the digest and compares it with the digest it received; a mismatch reveals that the message was modified.
When configuring MD5 authentication, you can configure different password modes (cleartext or ciphertext) on the two peers of an LDP session. The passwords on the two peers, however, must be the same.
As MD5 is insecure, you are advised to use a more secure authentication mode.
LDP keychain authentication
Keychain authentication, an enhancement of MD5 authentication, likewise calculates a message digest for each LDP message to prevent the message from being modified.
Keychain allows users to define a group of passwords to form a password string. Each password is bound to a digest algorithm, such as MD5 or secure hash algorithm-1 (SHA-1), and to a validity period. The system selects a currently valid password before sending or receiving a packet. Within the validity period of that password, the system uses the algorithm bound to it to generate the digest of a packet before sending the packet, and to verify the digest of a received packet before accepting it. In addition, the system automatically switches to the next password when the previous one expires, which limits how long any single password is exposed.
Before configuring LDP keychain authentication, configure keychain authentication globally. If LDP keychain authentication is configured before global keychain authentication is configured, the LDP session will be disconnected.
LDP GTSM
The GTSM checks TTL values to defend against attacks. An attacker forges unicast LDP messages and sends them to nodes. After receiving these messages, an interface board on a node finds that the messages are destined for the node itself and directly sends them to the LDP module on the control plane without verifying them. As a result, the node is kept busy processing these forged messages on the control plane, leading to high CPU usage.
To address this problem, the GTSM can be configured to check whether the TTL value in the IP header is within a specified range. It protects the nodes from attacks and improves system security.
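The keychain password selection described under LDP keychain authentication and the GTSM TTL range check described above, combined in one receive-side model. This is an added example, not the vendor's implementation: the HMAC construction, the constructed clock values, the hop-count range and the sample message are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional, Sequence

MAX_TTL = 255  # a directly attached LDP peer sends with TTL 255


@dataclass(frozen=True)
class KeychainKey:
    key_id: int
    secret: bytes
    algorithm: str   # digest algorithm bound to this password: "md5" or "sha1"
    valid_from: int  # validity period on a constructed clock (seconds), inclusive
    valid_until: int  # exclusive


def active_key(keychain: Sequence[KeychainKey], now: int) -> Optional[KeychainKey]:
    """Select the password whose validity period covers the current time."""
    for key in keychain:
        if key.valid_from <= now < key.valid_until:
            return key
    return None


def digest(key: KeychainKey, message: bytes) -> bytes:
    """Keyed digest of an LDP message (HMAC is an assumed simplification)."""
    return hmac.new(key.secret, message, key.algorithm).digest()


def gtsm_accepts(ttl: int, valid_hops: int) -> bool:
    """GTSM check: accept only TTLs a peer at most valid_hops away can produce."""
    return MAX_TTL - valid_hops + 1 <= ttl <= MAX_TTL


def accept_ldp_message(keychain, message, received_digest, ttl, now, valid_hops=1):
    """Return the reason a message is dropped, or None if it is accepted."""
    if not gtsm_accepts(ttl, valid_hops):
        return "gtsm-ttl"          # dropped before any digest work is done
    key = active_key(keychain, now)
    if key is None:
        return "no-valid-key"      # every password in the keychain has expired
    if not hmac.compare_digest(digest(key, message), received_digest):
        return "bad-digest"        # wrong password, wrong algorithm, or modified message
    return None


# Constructed sample keychain: an MD5 password replaced by a SHA-1 password at t=200.
KEYCHAIN = (
    KeychainKey(1, b"old-secret", "md5", 0, 200),
    KeychainKey(2, b"new-secret", "sha1", 200, 400),
)
MESSAGE = b"LDP Hello (constructed sample payload)"
```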
When the LDP service suffers a traffic burst, bandwidth may be preempted among LDP sessions. To resolve this problem, you can configure whitelist session-CAR for LDP to isolate bandwidth resources by session.