Configuring LDP MD5 Authentication

LDP authentication can be configured to improve the security of a connection over which an LDP session is established. LDP authentication is configured on LSRs at both ends of an LDP session.

Context

MD5 authentication can be configured for the TCP connection over which an LDP session is established to improve security. The two peers of an LDP session may use different authentication modes, but the same password must be configured on both peers.

LDP MD5 authentication generates a unique digest for an information segment to prevent LDP packets from being modified. LDP MD5 authentication is stricter than common checksum verification for TCP connections.
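The digest described above is the TCP MD5 signature option of RFC 2385, which LDP (RFC 5036) relies on for this purpose: MD5 is computed over the TCP pseudo-header, the fixed TCP header with its checksum zeroed, the segment payload and the shared password, and the result is carried in a TCP option that the receiver recomputes and compares. The following Python is an added example written for this page, not Huawei code and not a model of the device's implementation; the LSR addresses, port numbers, payload and password are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed sample values (not from the page): two LSR addresses, LDP's
# well-known TCP port, and a session password of the kind set with
# md5-password. The password is a sample, not a real one.
LSR_A = "10.0.0.1"
LSR_B = "10.0.0.2"
LDP_PORT = 646
PASSWORD = b"Ldp_Example1"

TCP_PROTO = 6
MD5_OPTION_KIND = 19      # RFC 2385 option kind
MD5_OPTION_LEN = 18       # kind + length + 16-byte digest
OPTIONS_BLOCK_LEN = 20    # option plus two NOP bytes for 32-bit alignment


def tcp_md5_digest(src_ip, dst_ip, fixed_header, segment_len, payload, key):
    """RFC 2385 signature: MD5 over the TCP pseudo-header, the fixed TCP
    header with its checksum zeroed (options excluded), the payload, and
    the shared key, in that order."""
    pseudo_header = (ipaddress.IPv4Address(src_ip).packed
                     + ipaddress.IPv4Address(dst_ip).packed
                     + struct.pack("!BBH", 0, TCP_PROTO, segment_len))
    header_no_csum = fixed_header[:16] + b"\x00\x00" + fixed_header[18:20]
    return hashlib.md5(pseudo_header + header_no_csum + payload + key).digest()


def fixed_tcp_header(src_port, dst_port, seq, ack, flags, window):
    """20-byte TCP header; data offset is 10 words (20 fixed + 20 options)."""
    data_offset = (20 + OPTIONS_BLOCK_LEN) // 4
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset << 4, flags, window, 0, 0)


def sign_segment(src_ip, dst_ip, fixed_header, payload, key):
    """Sender side: attach the MD5 option (kind 19, length 18) plus two NOPs."""
    segment_len = len(fixed_header) + OPTIONS_BLOCK_LEN + len(payload)
    digest = tcp_md5_digest(src_ip, dst_ip, fixed_header, segment_len, payload, key)
    option = bytes([MD5_OPTION_KIND, MD5_OPTION_LEN]) + digest + b"\x01\x01"
    return fixed_header + option + payload


def find_md5_option(options):
    """Walk the TCP option TLVs and return the 16-byte MD5 digest, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            break
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break                # malformed option; treat as absent
        if kind == MD5_OPTION_KIND and length == MD5_OPTION_LEN:
            return options[i + 2:i + length]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver side: recompute the digest and compare in constant time.
    A segment without a valid option is rejected, as RFC 2385 requires
    once the option is in use on the connection."""
    if len(segment) < 20:
        return False
    fixed_header = segment[:20]
    data_offset = (fixed_header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        return False
    received = find_md5_option(segment[20:data_offset])
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, fixed_header, len(segment),
                              segment[data_offset:], key)
    return hmac.compare_digest(received, expected)


def sample_signed_segment():
    """One signed segment carrying a constructed LDP payload."""
    header = fixed_tcp_header(LDP_PORT, 40000, seq=1000, ack=2000,
                              flags=0x18, window=65535)
    return sign_segment(LSR_A, LSR_B, header, b"constructed LDP PDU bytes", PASSWORD)
```

Because the pseudo-header is covered, a segment signed for one address pair fails verification if it is replayed between different addresses, and any change to the payload or to the fixed header invalidates the digest; this is what makes the check stricter than the ordinary TCP checksum, which anyone can recompute.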

You can configure either LDP MD5 authentication or LDP keychain authentication in a specific scenario:
  • The MD5 algorithm is easy to configure and generates a single password that can only be changed manually. MD5 authentication applies to networks requiring short-period encryption.

  • Keychain authentication involves a set of passwords and uses a new password each time the previous one expires. Keychain authentication is complex to configure and applies to networks requiring high security.

LDP authentication configurations are prioritized in descending order: for a single peer, for a specified peer group, for all peers. Keychain and MD5 configurations of the same priority are mutually exclusive. Keychain or MD5 authentication can be configured simultaneously for a specified LDP peer, for that LDP peer in a specified peer group, and for all LDP peers; the configuration with the highest priority takes effect. For example, if MD5 authentication is configured for Peer1 and keychain authentication is then configured for all LDP peers, MD5 authentication takes effect on Peer1 and keychain authentication takes effect on the other peers.
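The precedence rules above can be checked before a change is committed. The following Python is an added example for this page, not Huawei code: it models the three scopes, rejects a keychain/MD5 conflict at the same scope, and answers which configuration applies to a given peer LSR ID. Peer groups are matched against IP prefixes as with an IP prefix list. The treatment of authentication exclude peer as overriding every scope is an assumption of this model; the page does not say how exclusion interacts with a per-peer password.

```python
import ipaddress


class LdpAuthConfig:
    """Model of the precedence rules: per-peer beats per-group beats
    all-peers, and at any one scope MD5 and keychain are mutually exclusive.
    Names and structure are this example's own, not the device CLI."""

    def __init__(self):
        self.peer = {}        # peer LSR ID -> ("md5" | "keychain", name)
        self.group = {}       # group name -> (prefix list, (mode, name))
        self.all = None       # (mode, name) or None
        self.excluded = set()

    @staticmethod
    def _check_exclusive(existing, mode):
        # Same scope, other mode: reject instead of silently overriding.
        if existing is not None and existing[0] != mode:
            raise ValueError(
                f"{existing[0]} already configured at this scope; "
                f"remove it before configuring {mode}")

    def set_peer(self, lsr_id, mode, name):
        self._check_exclusive(self.peer.get(lsr_id), mode)
        self.peer[lsr_id] = (mode, name)

    def set_group(self, group, prefixes, mode, name):
        existing = self.group.get(group)
        self._check_exclusive(existing[1] if existing else None, mode)
        nets = [ipaddress.ip_network(p) for p in prefixes]
        self.group[group] = (nets, (mode, name))

    def set_all(self, mode, name):
        self._check_exclusive(self.all, mode)
        self.all = (mode, name)

    def exclude(self, lsr_id):
        """Assumption: an excluded peer is not authenticated at any scope."""
        self.excluded.add(lsr_id)

    def effective(self, lsr_id):
        """Return (scope, (mode, name)) that applies to the peer, or None."""
        if lsr_id in self.excluded:
            return None
        if lsr_id in self.peer:
            return ("peer", self.peer[lsr_id])
        ip = ipaddress.ip_address(lsr_id)
        for nets, auth in self.group.values():
            if any(ip in net for net in nets):
                return ("group", auth)
        if self.all is not None:
            return ("all", self.all)
        return None


def page_example():
    """The page's own case: MD5 for Peer1, then keychain for all peers.
    Addresses are constructed sample values."""
    cfg = LdpAuthConfig()
    cfg.set_peer("192.168.1.1", "md5", "peer1-password")
    cfg.set_all("keychain", "keychain-all")
    return cfg.effective("192.168.1.1"), cfg.effective("192.168.1.2")
```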

MD5 is a weak algorithm, and its use poses security risks. Using a more secure authentication method is recommended.

Procedure

  • Configure LDP MD5 authentication for a single LDP peer.
    1. Run system-view

      The system view is displayed.

    2. Run mpls ldp

      The MPLS-LDP view is displayed.

    3. Run md5-password { plain | cipher } peer-lsr-id password

      MD5 authentication is configured and a password is set.

      • The new password must be at least eight characters long and contain at least two of the following character types: upper-case letters, lower-case letters, digits, and special characters. The question mark (?) and the space are not allowed.

      • For security purposes, you are advised to configure a password in ciphertext mode. To further improve device security, periodically change the password.

      The password can be set in either plain text (simple text) or ciphertext. A simple password is a character string that is recorded in the configuration file exactly as entered. A ciphertext password is a character string that is encrypted using a specified algorithm before being recorded in the configuration file.

      • If you configure a simple password, it is saved in the configuration file in plain text, which is a high security risk. Therefore, configuring a ciphertext password is recommended. To improve device security, change the password periodically.

      • Configuring LDP keychain authentication leads to reestablishment of an LDP session and deletes the LSP associated with the LDP session.

    4. Run commit

      The configurations are committed.

  • Configure LDP MD5 authentication for LDP peers in a specified LDP peer group.
    1. Run system-view

      The system view is displayed.

    2. Run mpls ldp

      The MPLS-LDP view is displayed.

    3. Run md5-password { plain | cipher } peer-group ip-prefix-name password

      MD5 authentication is enabled and a password is set for LDP peers in a specified LDP peer group.

      The IP prefix list specified by ip-prefix-name defines the range of IP addresses in the group. Ensure that the IP prefix list has been created before referencing it.

      • The new password must be at least eight characters long and contain at least two of the following character types: upper-case letters, lower-case letters, digits, and special characters. The question mark (?) and the space are not allowed.

      • For security purposes, you are advised to configure a password in ciphertext mode. To further improve device security, periodically change the password.

    4. (Optional) Run authentication exclude peer peer-id

      The device is disabled from authenticating a specified LDP peer.

    5. Run commit

      The configurations are committed.

  • Configure LDP MD5 authentication for all LDP peers.
    1. Run system-view

      The system view is displayed.

    2. Run mpls ldp

      The MPLS-LDP view is displayed.

    3. Run md5-password { plain | cipher } all password

      MD5 authentication is enabled and a password is set for all LDP peers.

      • The new password must be at least eight characters long and contain at least two of the following character types: upper-case letters, lower-case letters, digits, and special characters. The question mark (?) and the space are not allowed.

      • For security purposes, you are advised to configure a password in ciphertext mode. To further improve device security, periodically change the password.

    4. (Optional) Run authentication exclude peer peer-id

      The device is disabled from authenticating a specified LDP peer.

    5. Run commit

      The configurations are committed.
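Each of the three procedures applies the same password rule (at least eight characters, at least two of four character types, no question mark and no space). The following Python is an added example for this page, not Huawei code: a pre-commit check that reports every reason a candidate password would be rejected, so it can be run before the md5-password command is entered. Restricting passwords to printable ASCII is this example's assumption; the page does not say what the device accepts outside that range.

```python
import string

MIN_LENGTH = 8
FORBIDDEN = {"?", " "}   # the page excludes the question mark and the space

_CLASSES = {
    "upper-case letter": set(string.ascii_uppercase),
    "lower-case letter": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special character": set(string.punctuation) - FORBIDDEN,
}
_ALLOWED = set().union(*_CLASSES.values())


def check_md5_password(password):
    """Return (ok, problems) for the page's rule: at least eight characters,
    at least two of the four character types, no '?' and no space.
    Characters outside printable ASCII are reported as unsupported (an
    assumption of this example)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    bad = sorted(c for c in set(password) if c in FORBIDDEN)
    if bad:
        problems.append("contains forbidden character(s): "
                        + ", ".join(repr(c) for c in bad))
    unknown = sorted(c for c in set(password)
                     if c not in _ALLOWED and c not in FORBIDDEN)
    if unknown:
        problems.append("contains unsupported character(s): "
                        + ", ".join(repr(c) for c in unknown))
    present = [name for name, chars in _CLASSES.items()
               if any(c in chars for c in password)]
    if len(present) < 2:
        problems.append(f"only {len(present)} character type(s) used, "
                        f"need at least 2")
    return (not problems, problems)


def report(candidates):
    """Check several constructed candidates and return {password: problems}."""
    return {pw: check_md5_password(pw)[1] for pw in candidates}
```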

Copyright © Huawei Technologies Co., Ltd.