LDP

Security Policy

  • LDP MD5 authentication

    MD5 is a message-digest algorithm (RFC 1321) that is used here to detect spoofed or modified messages. An MD5 digest is a fixed-length value derived from the input by an irreversible transformation, so any change to the input produces a different digest. Because the digest computed for LDP also covers a password known only to the two peers, a third party that does not know the password cannot produce a digest that the receive end accepts. After a message arrives, the receive end detects modification by recomputing the digest and comparing it with the one received.

    LDP MD5 authentication therefore detects any modification of an LDP packet in transit, since each transmitted segment carries a digest that depends on its exact contents and on the shared password. This check is stricter than the ordinary TCP checksum and sequence-number validation, which anyone on the path can satisfy.

    LDP MD5 authentication is performed before LDP messages are sent over TCP. The sender computes a digest over the TCP header, the LDP message, and the user-defined password using the MD5 algorithm, and carries the digest in a TCP option (the TCP MD5 signature option, RFC 2385) that follows the fixed TCP header.

    When receiving the segment, the receive end takes the TCP header, the carried digest, and the LDP message. It recomputes the digest from the header and message together with the locally saved password, then compares the result with the digest carried in the received segment. If they differ, the receive end treats the LDP message as having been tampered with.

    A password can be set in either simple text or ciphertext. A simple-text password is recorded in the configuration file exactly as entered. A ciphertext password is encrypted with a vendor-specific algorithm before being recorded in the configuration file.

    In both cases the characters entered by the user are what enter the digest calculation; the stored ciphertext is never hashed directly, and the device decrypts it to recover the password when it is needed. Storing the password in ciphertext therefore protects against casual reading of the configuration file, but it is reversible encryption, not hashing. The encryption and decryption algorithms are proprietary to vendors.

    MD5 is cryptographically weak, which may pose security risks. A more secure authentication method, such as keychain authentication with a stronger algorithm or TCP-AO, is recommended.
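The digest computation and check described above, as an added example that is not part of the Huawei documentation or of any device implementation. It follows the TCP MD5 Signature Option defined in RFC 2385, which is the standard form of this mechanism: the digest covers the TCP pseudo-header, the fixed TCP header with the checksum zeroed, the TCP payload (here an LDP PDU) and the shared password, and is carried in TCP option kind 19. The addresses, ports, password and KeepAlive message are constructed for the demo, and the TCP checksum is left at zero because nothing is sent on the wire.

```python
import hashlib
import hmac
import socket
import struct
from typing import Optional

TCP_PROTO = 6
TCPOPT_NOP = 1
TCPOPT_MD5SIG = 19      # TCP MD5 Signature Option kind (RFC 2385)
TCPOLEN_MD5SIG = 18     # kind (1) + length (1) + 16-byte digest


def ldp_keepalive_pdu(lsr_id: str, msg_id: int) -> bytes:
    """Constructed sample payload: an LDP PDU (version 1, label space 0)
    carrying one KeepAlive message (type 0x0201, message ID only)."""
    msg = struct.pack("!HHI", 0x0201, 4, msg_id)
    body = socket.inet_aton(lsr_id) + b"\x00\x00" + msg
    return struct.pack("!HH", 1, len(body)) + body


def tcp_md5_digest(src_ip: str, dst_ip: str, fixed_header: bytes,
                   options_len: int, payload: bytes, key: bytes) -> bytes:
    """RFC 2385 signature: MD5 over the TCP pseudo-header, the 20-byte fixed
    TCP header with its checksum zeroed, the segment data and the shared key.
    TCP options are not hashed (so the option carrying the digest is excluded),
    but the segment length in the pseudo-header does count them."""
    if len(fixed_header) != 20:
        raise ValueError("fixed TCP header must be 20 bytes")
    seg_len = len(fixed_header) + options_len + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    hdr = fixed_header[:16] + b"\x00\x00" + fixed_header[18:]
    return hashlib.md5(pseudo + hdr + payload + key).digest()


def build_signed_segment(src_ip: str, dst_ip: str, sport: int, dport: int,
                         seq: int, ack: int, payload: bytes, key: bytes) -> bytes:
    """Sender side: fixed header + [NOP, NOP, MD5SIG] + payload. The two NOPs
    pad the 18-byte option to a 4-byte boundary. The TCP checksum stays zero
    here because nothing is put on the wire; it is not covered by the digest."""
    options_len = 2 + TCPOLEN_MD5SIG
    data_offset = (20 + options_len) // 4
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        data_offset << 4, 0x18, 65535, 0, 0)      # flags PSH|ACK
    digest = tcp_md5_digest(src_ip, dst_ip, fixed, options_len, payload, key)
    options = bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_MD5SIG, TCPOLEN_MD5SIG]) + digest
    return fixed + options + payload


def extract_md5_option(options: bytes) -> Optional[bytes]:
    """Walk the TCP option list and return the 16-byte signature, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # End of Option List
            return None
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):          # truncated option
            return None
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None
        if kind == TCPOPT_MD5SIG and length == TCPOLEN_MD5SIG:
            return options[i + 2:i + length]
        i += length
    return None


def verify_signed_segment(src_ip: str, dst_ip: str, segment: bytes, key: bytes) -> bool:
    """Receiver side: recompute the digest with the local key and compare it in
    constant time with the received one. Once authentication is configured, a
    segment without the option must fail just like one with a bad digest."""
    if len(segment) < 20:
        return False
    fixed = segment[:20]
    data_offset = (fixed[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        return False
    options, payload = segment[20:data_offset], segment[data_offset:]
    received = extract_md5_option(options)
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, fixed, len(options), payload, key)
    return hmac.compare_digest(received, expected)


def demo():
    """Constructed exchange: 10.0.0.1 sends a KeepAlive to 10.0.0.2 (TCP 646)."""
    src, dst, key = "10.0.0.1", "10.0.0.2", b"Ldp-Md5-Key#1"   # assumed values
    seg = build_signed_segment(src, dst, 49152, 646, 1000, 2000,
                               ldp_keepalive_pdu(src, 7), key)
    genuine = verify_signed_segment(src, dst, seg, key)
    tampered = bytearray(seg)
    tampered[-1] ^= 0x01            # flip a bit in the LDP message ID
    resequenced = bytearray(seg)
    resequenced[4] ^= 0x01          # alter the TCP sequence number
    return (genuine,
            verify_signed_segment(src, dst, bytes(tampered), key),
            verify_signed_segment(src, dst, bytes(resequenced), key),
            verify_signed_segment(src, dst, seg, b"not-the-key"))


if __name__ == "__main__":
    print(demo())   # (True, False, False, False)
```

The two tamper cases show what the text means by covering both the TCP header and the LDP message: altering either one, or using the wrong password, produces a digest mismatch, while the digest option itself is not part of the hashed data.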

  • LDP keychain authentication

    Keychain authentication, like MD5 authentication, computes a message digest for each LDP message so that modification can be detected. A keychain is not itself an algorithm: it is a managed set of keys, each bound to a digest algorithm and a validity period.

    During keychain authentication, a group of passwords (keys) is defined. Each key is assigned an authentication algorithm, such as MD5 or SHA-1, and an expiration period. When sending or receiving a packet, the system selects a key that is valid at that time according to the configuration, and uses the algorithm bound to that key to compute the digest of an outgoing packet or to verify the digest of an incoming packet. When a key expires, the system automatically switches to the next valid key, so that no single password stays in use long enough to be recovered.

    The keychain passwords, their algorithms, and their expiration periods are configured on a keychain configuration node. A keychain configuration node must contain at least one password together with the algorithms used on the sending and receiving sides.

    To reference a keychain configuration node, specify a peer IP address and a node name in the MPLS-LDP view. The keychain configuration node is then used to authenticate the LDP session with that peer. Multiple peers can reference the same keychain configuration node.
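A model of the key-rotation behaviour just described, added here as an example; it is not Huawei's keychain implementation. Its details are assumptions made for the demo: HMAC stands in for the vendor's digest construction, each key has a send window and a slightly wider receive window so peers with skewed clocks still agree, the highest key ID wins when send windows overlap, and the key names, secrets and times are invented.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Digest algorithms a key may be bound to. MD5 and SHA-1 are the two the page
# names; SHA-256 is included to show that the choice is per key.
ALGORITHMS = {"md5": hashlib.md5, "sha-1": hashlib.sha1, "sha-256": hashlib.sha256}


@dataclass(frozen=True)
class Key:
    key_id: int
    secret: bytes
    algorithm: str
    send_start: int       # send window [send_start, send_end), in seconds
    send_end: int
    recv_start: int       # receive window, wider than the send window so a
    recv_end: int         # packet signed just before rollover is still accepted


class Keychain:
    def __init__(self, name: str, keys: List[Key]):
        if not keys:
            raise ValueError("a keychain needs at least one key")
        for k in keys:
            if k.algorithm not in ALGORITHMS:
                raise ValueError(f"unsupported algorithm {k.algorithm!r}")
        self.name = name
        self.keys: Dict[int, Key] = {k.key_id: k for k in keys}

    def active_send_key(self, now: int) -> Optional[Key]:
        """Key used for outgoing packets at time `now`. If send windows overlap,
        the highest key ID wins (an assumption; the page does not specify)."""
        live = [k for k in self.keys.values() if k.send_start <= now < k.send_end]
        return max(live, key=lambda k: k.key_id) if live else None

    def sign(self, message: bytes, now: int) -> Tuple[int, bytes]:
        key = self.active_send_key(now)
        if key is None:
            raise LookupError(f"keychain {self.name}: no key valid for sending at t={now}")
        mac = hmac.new(key.secret, message, ALGORITHMS[key.algorithm]).digest()
        return key.key_id, mac

    def verify(self, message: bytes, key_id: int, mac: bytes, now: int) -> bool:
        """Accept only if the referenced key exists, is inside its receive
        window at `now`, and its algorithm reproduces the received digest."""
        key = self.keys.get(key_id)
        if key is None or not (key.recv_start <= now < key.recv_end):
            return False
        expected = hmac.new(key.secret, message, ALGORITHMS[key.algorithm]).digest()
        return hmac.compare_digest(expected, mac)


def build_demo_keychain() -> Keychain:
    """Constructed two-key chain: key 1 (MD5) hands over to key 2 (SHA-1) at
    t=100; receive windows overlap the switch by 10 s on either side."""
    return Keychain("ldp-kc", [
        Key(1, b"first-secret#1", "md5", 0, 100, 0, 110),
        Key(2, b"second-secret#2", "sha-1", 100, 200, 90, 210),
    ])


def demo() -> dict:
    kc = build_demo_keychain()
    msg = b"LDP KeepAlive"
    kid1, mac1 = kc.sign(msg, 99)        # last second of key 1
    kid2, mac2 = kc.sign(msg, 150)       # key 2 after rollover
    return {
        "key_ids": (kid1, kid2),
        "digest_lengths": (len(mac1), len(mac2)),              # 16 (MD5), 20 (SHA-1)
        "old_mac_during_overlap": kc.verify(msg, kid1, mac1, 105),
        "old_mac_after_overlap": kc.verify(msg, kid1, mac1, 120),
        "forged_with_old_key_id": kc.verify(msg, kid1, mac2, 105),
        "modified_message": kc.verify(msg + b"!", kid2, mac2, 150),
        "no_key_after_chain_ends": kc.active_send_key(250) is None,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The receive window is the operationally important detail: without the overlap, the first packets after a rollover would be rejected by any peer whose clock is a few seconds behind, and the LDP session would flap at every key change.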

    LDP authentication configurations take effect in the following descending order of priority: configuration for a single peer, configuration for a peer group, configuration for all peers. At the same priority level, keychain and MD5 configurations are mutually exclusive. Keychain or MD5 authentication can be configured at more than one level at the same time (for a specific LDP peer, for a peer group that contains that peer, and for all LDP peers); the configuration with the higher priority takes effect. For example, if MD5 authentication is configured for Peer1 and keychain authentication is then configured for all LDP peers, MD5 authentication continues to take effect on Peer1, while keychain authentication takes effect on the other peers.

    Choose LDP MD5 authentication or LDP keychain authentication according to the scenario:

    • MD5 authentication is simple to configure but uses a single password that can only be changed manually. It suits networks where protection is needed only for a short period or where manual key rotation is acceptable.

    • Keychain authentication uses a set of passwords and switches to a new one each time the previous one expires. It is more complex to configure and suits networks that require high security.
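The precedence rule above, worked through in a small Python model. This is an added example, not device code: the scope names, the peer addresses and passwords, and the assumption that authentication exclude peer disables only the peer-group and all-peers scopes (a per-peer entry still wins) are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AuthConfig:
    mode: str        # "md5", "keychain" or "tcp-ao"
    reference: str   # password (MD5), keychain name or TCP-AO name


@dataclass
class LdpAuthPolicy:
    """Model of the three configuration scopes the page describes. Each scope
    holds at most one configuration, so MD5 and keychain cannot coexist at the
    same level. How the device reports a second configuration at the same
    scope (reject or overwrite) is not stated on the page and not modelled."""
    per_peer: Dict[str, AuthConfig] = field(default_factory=dict)
    peer_groups: List[Tuple[str, List[ipaddress.IPv4Network], AuthConfig]] = \
        field(default_factory=list)
    all_peers: Optional[AuthConfig] = None
    excluded: Set[str] = field(default_factory=set)

    def configure_peer(self, peer_id: str, cfg: AuthConfig) -> None:
        self.per_peer[peer_id] = cfg

    def configure_group(self, prefix_name: str, prefixes: List[str], cfg: AuthConfig) -> None:
        # The IP prefix list must exist before it is referenced; here it is built inline.
        nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
        self.peer_groups.append((prefix_name, nets, cfg))

    def configure_all(self, cfg: AuthConfig) -> None:
        self.all_peers = cfg

    def exclude(self, peer_id: str) -> None:
        self.excluded.add(peer_id)

    def resolve(self, peer_id: str) -> Tuple[str, Optional[AuthConfig]]:
        """Return (scope, config) that takes effect for `peer_id`.
        Priority, per the page: single peer > peer group > all peers.
        Assumption: exclusion switches off the group and all-peer scopes for
        that peer but does not cancel an explicit per-peer configuration."""
        if peer_id in self.per_peer:
            return "peer", self.per_peer[peer_id]
        if peer_id in self.excluded:
            return "excluded", None
        addr = ipaddress.ip_address(peer_id)
        for name, nets, cfg in self.peer_groups:
            if any(addr in n for n in nets):
                return f"peer-group {name}", cfg
        if self.all_peers is not None:
            return "all", self.all_peers
        return "none", None


def build_demo_policy() -> LdpAuthPolicy:
    """Constructed scenario matching the page's example: MD5 on Peer1 first,
    then keychain for all peers, plus an MD5 peer group with one excluded member."""
    p = LdpAuthPolicy()
    p.configure_peer("10.0.0.1", AuthConfig("md5", "Peer1-Pass#1"))
    p.configure_group("CORE", ["10.0.1.0/24"], AuthConfig("md5", "Core-Pass#2"))
    p.exclude("10.0.1.9")
    p.configure_all(AuthConfig("keychain", "ldp-kc"))
    return p


def demo() -> Dict[str, Tuple[str, Optional[AuthConfig]]]:
    p = build_demo_policy()
    return {peer: p.resolve(peer)
            for peer in ("10.0.0.1", "10.0.0.2", "10.0.1.5", "10.0.1.9")}


if __name__ == "__main__":
    for peer, (scope, cfg) in demo().items():
        print(f"{peer}: {scope} -> {cfg}")
```

Running the demo reproduces the page's example: Peer1 (10.0.0.1) keeps MD5 even though keychain was configured for all peers afterwards, 10.0.0.2 falls through to the all-peers keychain, a member of the CORE prefix gets the group's MD5 password, and the excluded member is not authenticated at all.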

  • LDP GTSM

    LDP GTSM is the application of GTSM in LDP.

    GTSM (Generalized TTL Security Mechanism) determines whether a packet is valid by checking the TTL in its IP header, which protects the device from attacks on its control plane. Because every router that forwards a packet decrements its TTL and no router increases it, a packet sent by a remote attacker cannot arrive with the TTL of a packet from a directly connected or nearby peer. LDP GTSM applies this check to LDP messages between adjacent devices or between devices a known number of hops apart: a valid TTL range is derived from that hop count, and LDP messages whose TTL falls outside the range are treated as attack packets and discarded.

  • LDP TCP-AO authentication

    The TCP Authentication Option (TCP-AO, RFC 5925) authenticates TCP segments, both received and to be sent, during TCP session establishment and data exchange. It provides per-segment integrity protection and replay protection, and it is the standard successor to the TCP MD5 signature option described under LDP MD5 authentication.

Attack Methods

None.

Procedure

  • Configure LDP MD5 authentication for a single LDP peer.
    1. Run system-view

      The system view is displayed.

    2. Run mpls ldp

      The MPLS-LDP view is displayed.

    3. Run md5-password { plain | cipher } peer-lsr-id password

      MD5 authentication is configured and a password is set.

      • The password must be at least eight characters long and contain at least two of the following character types: upper-case letters, lower-case letters, digits, and special characters other than the question mark (?) and space.

      • The password can be set in either simple text or ciphertext. A simple-text password is recorded in the configuration file exactly as entered, which is a high security risk. A ciphertext password is encrypted using a specified algorithm before being recorded in the configuration file. For security purposes, configure the password in ciphertext mode, and change it periodically to further improve device security.

      • Configuring LDP MD5 authentication leads to reestablishment of the LDP session and deletes the LSPs associated with the session.

    4. Run commit

      The configurations are committed.

  • Configure LDP MD5 authentication for LDP peers in a specified LDP peer group.
    1. Run system-view

      The system view is displayed.

    2. Run mpls ldp

      The MPLS-LDP view is displayed.

    3. Run md5-password { plain | cipher } peer-group ip-prefix-name password

      MD5 authentication is enabled and a password is set for LDP peers in a specified LDP peer group.

      An IP prefix list, specified using ip-prefix-name, defines the range of IP addresses in the group. The IP prefix list must have been created before it is referenced here.

      • The new password is at least eight characters long and contains at least two of the following types: upper-case letters, lower-case letters, digits, and special characters, except the question mark (?) and space.

      • For security purposes, you are advised to configure a password in ciphertext mode. To further improve device security, periodically change the password.

    4. (Optional) Run authentication exclude peer peer-id

      The device is disabled from authenticating a specified LDP peer.

    5. Run commit

      The configurations are committed.

  • Configure LDP MD5 authentication for all LDP peers.
    1. Run system-view

      The system view is displayed.

    2. Run mpls ldp

      The MPLS-LDP view is displayed.

    3. Run md5-password { plain | cipher } all password

      MD5 authentication is enabled and a password is set for all LDP peers.

      • The new password is at least eight characters long and contains at least two of the following types: upper-case letters, lower-case letters, digits, and special characters, except the question mark (?) and space.

      • For security purposes, you are advised to configure a password in ciphertext mode. To further improve device security, periodically change the password.

    4. (Optional) Run authentication exclude peer peer-id

      The device is disabled from authenticating a specified LDP peer.

    5. Run commit

      The configurations are committed.

  • Configure LDP Keychain authentication for a specified LDP peer.

    Before configuring LDP keychain authentication, configure a keychain globally. For configuration details, see HUAWEI NetEngine 8000 F Series Router Configuration Guide - Security.

    1. Run system-view

      The system view is displayed.

    2. Run mpls ldp

      The MPLS-LDP view is displayed.

    3. Run authentication key-chain peer peer-id name keychain-name

      LDP keychain is enabled and a keychain name is specified.

      Configuring LDP keychain authentication leads to reestablishment of an LDP session and deletes the LSP associated with the LDP session.

    4. Run commit

      The configurations are committed.

  • Configure LDP keychain authentication for LDP peers in a specified LDP peer group.
    1. Run system-view

      The system view is displayed.

    2. Run mpls ldp

      The MPLS-LDP view is displayed.

    3. Run authentication key-chain peer-group ip-prefix-name name keychain-name

      LDP keychain is enabled and a keychain name is specified for a specified LDP peer group.

      An IP prefix list, specified using ip-prefix-name, defines the range of IP addresses in the group. The IP prefix list must have been created before it is referenced here.

    4. (Optional) Run authentication exclude peer peer-id

      The device is disabled from authenticating a specified LDP peer.

    5. Run commit

      The configurations are committed.

  • Configure LDP keychain authentication for all LDP peers.
    1. Run system-view

      The system view is displayed.

    2. Run mpls ldp

      The MPLS-LDP view is displayed.

    3. Run authentication key-chain all name keychain-name

      LDP keychain is enabled and a keychain name is specified for all LDP peers.

    4. (Optional) Run authentication exclude peer peer-id

      The device is disabled from authenticating a specified LDP peer.

    5. Run commit

      The configurations are committed.

  • Configure the LDP GTSM.

    GTSM checks TTL values to verify packets and defends the device against attacks. LDP peers on which GTSM and a valid TTL range are configured check the TTL of each LDP packet exchanged between them. If the TTL of an LDP packet is outside the valid range, the packet is considered invalid and discarded. GTSM thus defends the CPU against floods of forged packets and protects the upper-layer protocols that run on it.

    1. Run system-view

      The system view is displayed.

    2. Run mpls ldp

      The MPLS-LDP view is displayed.

    3. Run gtsm peer ip-address valid-ttl-hops hops

      The LDP GTSM is configured.

      hops is the maximum number of hops over which LDP packets from this peer are accepted. If the TTL carried in a received packet is in the range [255 - hops + 1, 255], the packet is accepted; otherwise it is discarded. For example, with hops set to 1 only packets arriving with TTL 255 (a directly connected peer) are accepted, and with hops set to 2 TTLs 254 and 255 are accepted.

    4. Run commit

      The configurations are committed.
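The TTL check described for LDP GTSM, as an added Python example (not device code). It parses constructed IPv4/TCP packets, applies the [255 - hops + 1, 255] range from step 3 only to LDP traffic (TCP port 646) from the configured peer, and shows why the check works: a forged packet injected several routers away cannot arrive with TTL 255. The addresses, ports and hop counts are invented for the demo, and the IP and TCP checksums are left at zero because nothing is sent.

```python
import socket
import struct
from typing import List, Tuple

LDP_PORT = 646
TCP_PROTO = 6


def ipv4_tcp_packet(src: str, dst: str, ttl: int, sport: int, dport: int,
                    payload: bytes = b"") -> bytes:
    """Constructed minimal IPv4 + TCP packet (checksums left zero) for the demo."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, TCP_PROTO, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload


def ttl_on_arrival(initial_ttl: int, hops: int) -> int:
    """Each router decrements the TTL by one and none may increase it, so a
    packet injected `hops` routers away cannot arrive with a TTL above this."""
    return max(initial_ttl - hops, 0)


def gtsm_accept(ttl: int, valid_ttl_hops: int) -> bool:
    """Accept if the TTL is within [255 - hops + 1, 255], as the page defines."""
    if not 1 <= valid_ttl_hops <= 255:
        raise ValueError("valid-ttl-hops must be 1..255")
    return 255 - valid_ttl_hops + 1 <= ttl <= 255


def gtsm_filter_ldp(packets: List[bytes], peer: str,
                    valid_ttl_hops: int) -> List[Tuple[str, int, str]]:
    """Apply the per-peer GTSM check only to LDP (TCP/646) packets from `peer`;
    everything else is passed on for the rest of the device's policy to handle."""
    decisions = []
    for pkt in packets:
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            decisions.append(("?", -1, "drop: malformed IPv4 header"))
            continue
        ihl = (pkt[0] & 0x0F) * 4
        ttl, proto = pkt[8], pkt[9]
        src = socket.inet_ntoa(pkt[12:16])
        if proto != TCP_PROTO or len(pkt) < ihl + 4:
            decisions.append((src, ttl, "pass: not TCP"))
            continue
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if src != peer or LDP_PORT not in (sport, dport):
            decisions.append((src, ttl, "pass: not LDP from this peer"))
            continue
        verdict = "accept" if gtsm_accept(ttl, valid_ttl_hops) else "drop: TTL outside GTSM range"
        decisions.append((src, ttl, verdict))
    return decisions


def demo() -> List[Tuple[str, int, str]]:
    """Peer 10.0.0.2 is directly connected (valid-ttl-hops 1). A spoofer five
    routers away sends TTL 255, but it arrives as 250 and is dropped."""
    peer = "10.0.0.2"
    pkts = [
        ipv4_tcp_packet(peer, "10.0.0.1", 255, 49152, LDP_PORT),                     # genuine neighbour
        ipv4_tcp_packet(peer, "10.0.0.1", ttl_on_arrival(255, 5), 49152, LDP_PORT),  # spoofed, 5 hops away
        ipv4_tcp_packet(peer, "10.0.0.1", 255, 49152, 179),                          # BGP, not LDP GTSM's concern
        ipv4_tcp_packet("10.0.0.3", "10.0.0.1", 64, 49153, LDP_PORT),                # other peer, other policy
    ]
    return gtsm_filter_ldp(pkts, peer, valid_ttl_hops=1)


if __name__ == "__main__":
    for src, ttl, verdict in demo():
        print(f"{src:10} ttl={ttl:3} {verdict}")
```

The check is only as tight as the hop count allows: with valid-ttl-hops set to 1, only a directly connected sender can produce an acceptable TTL, whereas a larger value lets any host within that many hops pass the GTSM filter, so keep hops at the real distance to the peer and rely on MD5, keychain or TCP-AO authentication for the rest.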

  • Configure LDP TCP-AO Authentication
    1. Run the system-view command to enter the system view.
    2. Run the tcp ao tcpaoname command to create a TCP-AO and enter its view.
    3. Run the binding keychain kcName command to bind the TCP-AO to a keychain.

      Before performing this step, complete "Configuring Keychain Authentication Globally" to create a keychain.

    4. Run the key-id keyId command to create a key ID for the TCP-AO and enter the TCP-AO key ID view.
    5. Run the send-id sndId receive-id rcvId command to configure send-id and receive-id for the Key ID.
    6. Run the quit command to return to the upper-level view.
    7. Run the quit command to return to the system view.
    8. Run the mpls ldp command to enter the MPLS-LDP view.
    9. Run the authentication tcp-ao peer peer-id name tcpaoname command to enable TCP-AO authentication for LDP.

      The value of tcpaoname must be the same as that of the TCP-AO created in Step 2.

      For the same peer, the authentication modes TCP-AO, MD5, and keychain are mutually exclusive.

      Configuring LDP TCP-AO authentication may cause the reestablishment of LDP sessions.

    10. Run the commit command to commit the configuration.
Copyright © Huawei Technologies Co., Ltd.