LDP MD5 authentication
MD5 is a message digest algorithm defined in the relevant standards (RFC 1321). It is typically used to detect message forgery and modification. An MD5 digest is a fixed-length value produced by a one-way (irreversible) transformation of the input; if a message is modified in transit, the digest computed over it changes. When the message arrives, the receiver compares the digest it computes locally with the digest carried in the message and can thereby detect the modification.
LDP MD5 authentication protects LDP packets against modification by attaching a digest that is specific to the protected data and to a shared password. It is a stricter check than the ordinary TCP connection validation.
LDP MD5 authentication is applied before LDP messages are sent over TCP. A message digest is inserted after the TCP header (this is the TCP MD5 signature option described in RFC 2385). The digest is computed with the MD5 algorithm over the TCP header, the LDP message, and the user-configured password.
When the receiver gets the message, it extracts the TCP header, the carried digest, and the LDP message. It recomputes the digest from the extracted header and message together with the locally saved password, and then compares the result with the digest carried in the message. If the two differ, the receiver treats the LDP message as tampered with and discards it.
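The sender and receiver steps described above, as an added illustrative example (not code from the original page or from any vendor's implementation). It models the digest as MD5 over the TCP header, the LDP message and the password, with the digest placed between the header and the message; the 12-byte header layout, the LDP KeepAlive PDU and the password are constructed for the example, and the exact field layout of the real TCP MD5 signature option is not reproduced.

```python
"""Simplified model of LDP MD5 authentication on a TCP segment (constructed example)."""
import hashlib
import hmac
import struct

HEADER_LEN = 12   # constructed: source port, destination port, seq, ack
DIGEST_LEN = 16   # MD5 digest length in bytes


def compute_digest(tcp_header: bytes, ldp_message: bytes, password: bytes) -> bytes:
    """Digest over the TCP header, the LDP message and the user-entered password.

    Note that the password bytes the user typed are hashed, never the encrypted
    form that may be written to the configuration file."""
    h = hashlib.md5()
    h.update(tcp_header)
    h.update(ldp_message)
    h.update(password)
    return h.digest()


def build_tcp_header(src_port: int, dst_port: int, seq: int, ack: int) -> bytes:
    """Constructed 12-byte stand-in for the TCP header fields covered by the digest."""
    return struct.pack("!HHII", src_port, dst_port, seq, ack)


def build_ldp_keepalive_pdu(lsr_id: int, message_id: int) -> bytes:
    """LDP PDU (version 1) carrying one KeepAlive message (type 0x0201, RFC 5036).

    PDU length covers LSR ID (4) + label space (2) + message (4 + 4); the
    KeepAlive message length covers only the 4-byte message ID."""
    keepalive = struct.pack("!HHI", 0x0201, 4, message_id)
    return struct.pack("!HHIH", 1, 6 + len(keepalive), lsr_id, 0) + keepalive


def sign_segment(tcp_header: bytes, ldp_message: bytes, password: bytes) -> bytes:
    """Sender side: header, then the digest, then the LDP message."""
    return tcp_header + compute_digest(tcp_header, ldp_message, password) + ldp_message


def verify_segment(segment: bytes, password: bytes):
    """Receiver side: split the fields, recompute the digest with the local password
    and compare in constant time. Returns the LDP message, or None if the digest
    does not match (modified data or mismatched password)."""
    header = segment[:HEADER_LEN]
    carried = segment[HEADER_LEN:HEADER_LEN + DIGEST_LEN]
    message = segment[HEADER_LEN + DIGEST_LEN:]
    expected = compute_digest(header, message, password)
    if not hmac.compare_digest(expected, carried):
        return None
    return message


def demo() -> dict:
    """Run the three cases a practitioner wants to see: intact, tampered, wrong password."""
    password = b"constructed-example-password"
    header = build_tcp_header(646, 646, 1000, 2000)  # 646 is the LDP TCP port
    pdu = build_ldp_keepalive_pdu(0x0A000001, 1)     # LSR ID 10.0.0.1, constructed
    segment = sign_segment(header, pdu, password)

    tampered = bytearray(segment)
    tampered[-1] ^= 0x01                           # flip one bit in the LDP message

    return {
        "intact": verify_segment(segment, password) == pdu,
        "tampered": verify_segment(bytes(tampered), password) is None,
        "wrong_password": verify_segment(segment, b"other-password") is None,
    }


if __name__ == "__main__":
    print(demo())
```

The `hmac.compare_digest` call is deliberate: comparing digests with `==` can leak timing information about how many leading bytes matched, which is a defect in a verifier even when the digest algorithm itself is the weaker part.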
A password can be configured in either ciphertext or plaintext form. With a plaintext password, the value entered by the user is written to the configuration file as is. With a ciphertext password, the value is encrypted with a device-specific algorithm before it is written to the configuration file.
In both cases the digest is calculated over the characters the user entered; the encrypted form stored in the configuration file is never used in the digest calculation. The encryption and decryption algorithms used for stored passwords are proprietary to each vendor.
MD5 is a weak algorithm and provides a low level of security, so relying on it carries risk. A more secure authentication method is recommended.
LDP keychain authentication
Keychain authentication is an enhancement of MD5 authentication. Like MD5 authentication, it calculates a message digest for each LDP message so that modification of the message can be detected.
In keychain authentication, a group of passwords is defined to form a keychain. Each password is assigned an algorithm (for example, MD5 or SHA-1) for generating and checking digests, together with a validity period. When a packet is sent or received, the system selects a currently valid password according to the user's configuration: within the validity period of that password, it uses the matching algorithm to compute the digest of an outgoing packet before sending it, or to check the digest of an incoming packet before accepting it. When a password expires, the system automatically switches to the next valid one, which limits the exposure of any single password to cracking.
The passwords, their algorithms, and their validity periods are configured on a keychain configuration node. At a minimum, a keychain configuration node must contain one password with an algorithm for generating digests and an algorithm for checking them.
To apply a keychain configuration node to an LDP session, specify the peer IP address and the node name in the MPLS-LDP view; the node's passwords are then used to authenticate that session. Multiple peers can reference the same keychain configuration node.
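The keychain behaviour described in this section, as an added illustrative model (not code from the original page or from any vendor's keychain implementation). It assumes a key ID and digest length are carried in front of the digest so the receiver can pick the right key, that the lowest key ID wins when several send windows overlap, and that per-key send and accept lifetimes are expressed as integer timestamps; the keys, lifetimes and LDP payload are constructed for the example. The digest is computed over the TCP header, the LDP message and the key's password, as in the MD5 case above, but with the algorithm each key specifies.

```python
"""Model of keychain authentication: per-key algorithm and lifetime, automatic rollover."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

HEADER_LEN = 12  # constructed stand-in for the TCP header fields covered by the digest


@dataclass(frozen=True)
class Key:
    key_id: int
    algorithm: str       # hashlib name: "md5" or "sha1"
    password: bytes
    send_start: int      # send lifetime  [send_start, send_end)
    send_end: int
    accept_start: int    # accept lifetime [accept_start, accept_end); usually wider
    accept_end: int


def compute_digest(algorithm: str, tcp_header: bytes, ldp_message: bytes, password: bytes) -> bytes:
    h = hashlib.new(algorithm)
    h.update(tcp_header)
    h.update(ldp_message)
    h.update(password)
    return h.digest()


class Keychain:
    def __init__(self, keys):
        self.keys = {k.key_id: k for k in keys}

    def send_key(self, now: int) -> Key:
        """Select the key whose send lifetime covers 'now' (lowest ID on overlap: assumption)."""
        active = [k for k in self.keys.values() if k.send_start <= now < k.send_end]
        if not active:
            raise LookupError("no key is valid for sending at time %d" % now)
        return min(active, key=lambda k: k.key_id)

    def sign(self, now: int, tcp_header: bytes, ldp_message: bytes) -> bytes:
        """Sender: header | key_id | digest_len | digest | LDP message (assumed envelope)."""
        key = self.send_key(now)
        digest = compute_digest(key.algorithm, tcp_header, ldp_message, key.password)
        return tcp_header + struct.pack("!BB", key.key_id, len(digest)) + digest + ldp_message

    def verify(self, now: int, segment: bytes) -> Optional[bytes]:
        """Receiver: look up the carried key ID, check its accept lifetime, recompute
        with that key's algorithm. Returns the LDP message or None on any failure."""
        header = segment[:HEADER_LEN]
        key_id, digest_len = struct.unpack("!BB", segment[HEADER_LEN:HEADER_LEN + 2])
        carried = segment[HEADER_LEN + 2:HEADER_LEN + 2 + digest_len]
        message = segment[HEADER_LEN + 2 + digest_len:]
        key = self.keys.get(key_id)
        if key is None or not (key.accept_start <= now < key.accept_end):
            return None  # unknown key, or key outside its accept window (expired or not yet valid)
        expected = compute_digest(key.algorithm, header, message, key.password)
        if len(expected) != digest_len or not hmac.compare_digest(expected, carried):
            return None
        return message


# Constructed keychain: key 1 (MD5) is replaced by key 2 (SHA-1) at t=150; the
# accept windows overlap so in-flight packets survive the changeover.
CHAIN = Keychain([
    Key(1, "md5",  b"example-key-one", send_start=0,   send_end=150, accept_start=0,   accept_end=180),
    Key(2, "sha1", b"example-key-two", send_start=150, send_end=400, accept_start=120, accept_end=400),
])
TCP_HEADER = struct.pack("!HHII", 646, 646, 1000, 2000)            # constructed
LDP_KEEPALIVE = struct.pack("!HHIH", 1, 14, 0x0A000001, 0) + struct.pack("!HHI", 0x0201, 4, 7)


def rollover_demo() -> dict:
    """Sign at one time, verify at another, across the key changeover."""
    signed_early = CHAIN.sign(100, TCP_HEADER, LDP_KEEPALIVE)   # uses key 1 (MD5)
    signed_late = CHAIN.sign(200, TCP_HEADER, LDP_KEEPALIVE)    # uses key 2 (SHA-1)
    return {
        "key_at_100": CHAIN.send_key(100).key_id,
        "key_at_200": CHAIN.send_key(200).key_id,
        "early_accepted_in_overlap": CHAIN.verify(170, signed_early) == LDP_KEEPALIVE,
        "early_rejected_after_expiry": CHAIN.verify(190, signed_early) is None,
        "late_accepted": CHAIN.verify(210, signed_late) == LDP_KEEPALIVE,
    }


if __name__ == "__main__":
    print(rollover_demo())
```

The accept window being wider than the send window is what makes the changeover seamless: a packet digested with the old key just before t=150 is still accepted until t=180, while anything still presenting key 1 after that is rejected. If the two peers' clocks disagree by more than the overlap, sessions will drop at every rollover, so clock synchronization is part of deploying keychains correctly.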