Configuring LDP TCP-AO Authentication

This section describes how to configure LDP TCP-AO authentication to check the integrity of LDP packets and prevent TCP replay attacks.

Context

A TCP-AO is used to authenticate received and to-be sent packets during TCP session establishment and data exchange. It supports packet integrity check to prevent TCP replay attacks. After creating a TCP-AO, specify the peer that needs to reference the TCP-AO and the name of the TCP-AO in the MPLS LDP view. This enables the TCP-AO to be referenced, and the LDP session to be encrypted. You can specify multiple peers to reference the same TCP-AO.

A TCP-AO uses the passwords configured in the bound keychain, and these passwords can be automatically switched based on the configuration. However, the configuration process is complex and applies to networks with high security requirements.

Procedure

Run system-view
The system view is displayed.
Run tcp ao tcpaoname
A TCP-AO is created, and its view is displayed.
Run binding keychain kcName
The TCP-AO is bound to a keychain.

Before performing this step, complete "Configuring Keychain Authentication Globally" in Pre-configuration Tasks to create a keychain.
Run key-id keyId
A key ID is create for the TCP-AO, and the TCP-AO key ID view is displayed.
Run send-id sndId receive-id rcvId
send-id and receive-id are configured for the Key ID.
Run quit
The upper-level view is displayed.
Run quit
Return to the system view.
Run mpls ldp
The MPLS-LDP view is displayed.
Run authentication tcp-ao peer peer-id name tcpao-name
TCP-AO authentication is enabled for LDP.

The value of tcpaoname must be the same as that of the TCP-AO created in Step 2.

For the same peer, the authentication modes TCP-AO, MD5, and keychain are mutually exclusive.

Configuring LDP TCP-AO authentication may cause the reestablishment of LDP sessions.
Run commit
The configuration is committed.