Configuring LDP Keychain Authentication

LDP keychain authentication can be configured to improve the security of a connection over which an LDP session is established. LDP authentication is configured on LSRs at both ends of an LDP session.

Context

To help improve LDP session security, keychain authentication can be configured for a TCP connection over which an LDP session has been established.

During keychain authentication, a group of passwords is defined as password strings. Each password is bound to a specified authentication algorithm, such as MD5 or Secure Hash Algorithm 1 (SHA-1), and takes effect only within its validity period. These algorithms do not encrypt the LDP traffic: the password is used as a key to compute a digest over each packet, so that the receiver can verify that the packet was sent by a peer holding the same password and was not modified in transit. Before sending a packet, the system selects the password that is currently valid and uses the matching algorithm to generate the digest; on receipt, it uses the matching algorithm to verify the digest before accepting the packet. When a password expires, the system automatically switches to the next valid password, which limits the exposure of any single password and reduces the risk of an attacker recovering it.

You can configure either LDP MD5 authentication or LDP keychain authentication:
  • MD5 authentication is easy to configure but uses a single password that can only be changed manually. It applies to networks that need authentication only for a short period.

  • Keychain authentication uses a set of passwords and switches to a new password each time the previous one expires. It is more complex to configure and applies to networks requiring high security.

LDP authentication configurations are prioritized in descending order: for a single peer, for a specified peer group, for all peers. Keychain and MD5 configurations at the same priority level are mutually exclusive. Keychain or MD5 authentication can, however, be configured simultaneously for a specified LDP peer, for the peer group containing that peer, and for all LDP peers; in that case the configuration with the higher priority takes effect. For example, if MD5 authentication is configured for Peer1 and keychain authentication is then configured for all LDP peers, MD5 authentication still takes effect on Peer1, and keychain authentication takes effect on the other peers.

MD5 is a weak algorithm and its use may bring security risks. Using a more secure authentication algorithm is recommended.

Before configuring LDP keychain authentication, configure the keychain globally. For configuration details, see HUAWEI NetEngine 8000 F Series Router Configuration Guide - Security.

Procedure

  • Configure LDP keychain authentication for a specified LDP peer.
    1. Run system-view

      The system view is displayed.

    2. Run mpls ldp

      The MPLS-LDP view is displayed.

    3. Run authentication key-chain peer peer-id name keychain-name

      LDP keychain is enabled and a keychain name is specified.

      Configuring LDP keychain authentication leads to reestablishment of an LDP session and deletes the LSP associated with the LDP session.

    4. Run commit

      The configurations are committed.

  • Configure LDP keychain authentication for LDP peers in a specified LDP peer group.
    1. Run system-view

      The system view is displayed.

    2. Run mpls ldp

      The MPLS-LDP view is displayed.

    3. Run authentication key-chain peer-group ip-prefix-name name keychain-name

      LDP keychain is enabled and a keychain name is specified for a specified LDP peer group.

      An IP prefix list specified using ip-prefix-name defines the range of IP addresses in the group. Before referencing an IP prefix list, ensure that it has been created.

    4. (Optional) Run authentication exclude peer peer-id

      The device is disabled from authenticating a specified LDP peer.

    5. Run commit

      The configurations are committed.

  • Configure LDP keychain authentication for all LDP peers.
    1. Run system-view

      The system view is displayed.

    2. Run mpls ldp

      The MPLS-LDP view is displayed.

    3. Run authentication key-chain all name keychain-name

      LDP keychain is enabled and a keychain name is specified for all LDP peers.

    4. (Optional) Run authentication exclude peer peer-id

      The device is disabled from authenticating a specified LDP peer.

    5. Run commit

      The configurations are committed.
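The following configuration is an added worked example; it is not taken from this page or from Huawei's own documentation. It applies all three procedures above on one LSR and also illustrates the priority rule described in the context (per peer over peer group over all peers). The global keychain definition (keychain, key-id, algorithm, key-string, send-time, receive-time, receive-tolerance) and the LDP MD5 and display command syntax are assumptions based on the Security configuration guide referenced above, not commands shown on this page; the LSR IDs, peer addresses, keychain name, prefix list name, dates and passwords are placeholders.

```text
#
# LSR A (LSR ID 10.0.0.1). Constructed example; all addresses, names, dates
# and passwords are placeholders.
#
system-view

# Global keychain. Syntax assumed from the Security configuration guide;
# this page itself only shows the LDP commands.
# Two keys with overlapping lifetimes, so LSR A switches from key 1 to key 2
# while the peer still accepts both. receive-time is deliberately wider than
# send-time, and receive-tolerance adds slack for clock skew between LSRs.
# The page lists MD5 and SHA-1 as examples; the algorithm keyword here is
# assumed, and the strongest algorithm both LSRs support should be chosen.
keychain ldp-kc mode absolute
 receive-tolerance 10
 key-id 1
  algorithm hmac-sha-256
  key-string cipher <password-1>
  send-time 00:00 2024-01-01 to 23:59 2024-06-30
  receive-time 00:00 2024-01-01 to 23:59 2024-07-31
  quit
 key-id 2
  algorithm hmac-sha-256
  key-string cipher <password-2>
  send-time 00:00 2024-07-01 to 23:59 2024-12-31
  receive-time 00:00 2024-06-01 to 23:59 2025-01-31
  quit
 quit

# IP prefix list defining the peer group; it must exist before it is
# referenced by the peer-group command.
ip ip-prefix ldp-core index 10 permit 10.0.0.0 24

mpls ldp
 # Lowest priority: keychain for every LDP peer.
 authentication key-chain all name ldp-kc
 # Middle priority: keychain for the peers matched by the prefix list.
 authentication key-chain peer-group ldp-core name ldp-kc
 # Highest priority: per-peer settings. Keychain for 10.0.0.2 ...
 authentication key-chain peer 10.0.0.2 name ldp-kc
 # ... and MD5 for 10.0.0.3. Per the priority rule, this per-peer MD5
 # password takes effect for 10.0.0.3 only, overriding the group and "all"
 # keychain settings for that peer. (LDP MD5 command syntax is assumed;
 # MD5 appears here to show precedence, not as a recommendation.)
 authentication md5-password cipher 10.0.0.3 <md5-password>
 # Peer 10.0.0.9 (for example a lab device) is exempted from authentication.
 authentication exclude peer 10.0.0.9
 commit
 quit

# LSR B (LSR ID 10.0.0.2) needs the same keychain (identical key-id,
# algorithm, key-string and lifetimes) and a matching LDP statement:
#   keychain ldp-kc mode absolute ... (same keys as above)
#   mpls ldp
#    authentication key-chain peer 10.0.0.1 name ldp-kc
#    commit

# Checks (display command names assumed for this platform):
#   display keychain ldp-kc      # which key-id is currently active for
#                                # sending and receiving
#   display mpls ldp session     # the session to 10.0.0.2 is reset when
#                                # authentication is applied and should
#                                # return to Operational once both ends match
```

Because the keys are defined with absolute lifetimes, both LSRs must keep their clocks synchronized (for example with NTP); otherwise one side may move to key 2 while the other still rejects it, and the receive window overlap shown above is what keeps the session up across the rollover. As the procedure notes, applying or changing the authentication configuration re-establishes the LDP session and removes its LSPs, so plan the change for a maintenance window and apply it on both ends in quick succession. Use authentication exclude sparingly: an excluded peer's session carries no authentication at all.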

Copyright © Huawei Technologies Co., Ltd.