MPLS LDP Lossless MD5 Session Authentication
Introduction
MPLS LDP Lossless MD5 authentication is similar to the other two methods of authenticating LDP (global and per-neighbor MD5), with the exception that the LDP TCP session is not torn down to enable or change a neighbor password.
LDP Lossless MD5 Session Authentication
- No LDP session reset is required (lossless) to activate a new password or to change the existing LDP session's authentication.
- Asymmetric and symmetric keys are supported:
- Asymmetric - inbound TCP segments use a different key than outbound TCP segments.
- Symmetric - inbound and outbound TCP segments use the same key.
- Key-chains can be used, which provide the capability to have multiple passwords configured with overlapping lifetimes.
- Rotation of keys is accomplished with the combination of send-lifetime and accept-lifetime:
- send-lifetime specifies when to start sending (signing outbound segments with) a key and when to stop sending it.
- accept-lifetime specifies when a received key becomes valid and when it becomes invalid.
- The timer starts at Jan 1, 1993.
- An ACL can be used to specify the group of LDP neighbors that will use a group password. If that ACL gets modified and becomes empty, all LDP neighbors become part of that group, because an empty access list implies "permit any" by default.
Relevant IOS Commands
mpls ldp password rollover duration
Specifies the amount of time allowed to roll LDP peers over to another password. During this time both passwords, the old one and the new one, can be used.
R1(config)# mpls ldp password rollover duration (min)
mpls ldp password option for
R1(config)# mpls ldp password option (#) for (ACL) (key-chain-name)
R1(config)# mpls ldp password option (#) for (ACL) (clear-text)
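As an added example (not from the original page and not Cisco's own documentation), here is an IOS configuration that ties the feature list and the commands above together: a key chain with two keys whose accept-lifetime windows overlap the send-lifetime cut-over, a standard ACL naming the peers that share that chain, and the rollover and option commands. The names LDP-KEYS and LDP-PEERS, the peer addresses, the dates and the key strings are constructed placeholders; `mpls ldp password required` is an additional IOS command not listed on this page.

```cisco
! Constructed example: key chain with overlapping lifetimes for LDP MD5 rotation
key chain LDP-KEYS
 key 1
  key-string LDP-OLD-KEY-PLACEHOLDER
  ! Keep accepting key 1 for a day after we stop sending it, to cover peers
  ! that have not rolled over yet (and small clock differences).
  accept-lifetime 00:00:00 Jan 1 2024 23:59:59 Jan 16 2024
  send-lifetime   00:00:00 Jan 1 2024 00:00:00 Jan 16 2024
 key 2
  key-string LDP-NEW-KEY-PLACEHOLDER
  ! Start accepting key 2 a day before we start sending it, so a peer that
  ! rolls over slightly earlier is still authenticated. No instant exists at
  ! which nothing is sent, and every send window is inside an accept window.
  accept-lifetime 00:00:00 Jan 15 2024 infinite
  send-lifetime   00:00:00 Jan 16 2024 infinite
!
! Peers (matched on their LDP router ID) that use this group key chain.
! Never leave this list empty: an empty ACL is "permit any", so every LDP
! neighbor would silently inherit the group password.
ip access-list standard LDP-PEERS
 permit host 10.0.0.2
 permit host 10.0.0.3
!
! Allow 5 minutes during which the old and the new password are both valid.
mpls ldp password rollover duration 5
! Option 1: peers matching LDP-PEERS authenticate with the LDP-KEYS chain.
mpls ldp password option 1 for LDP-PEERS key-chain LDP-KEYS
! Refuse unauthenticated sessions from those peers (extra hardening step,
! beyond the commands listed above).
mpls ldp password required for LDP-PEERS
```

The lifetimes are evaluated against the router clock, so both peers need a correctly set clock (NTP) for the rotation to happen when intended; on a router whose clock was never set, the time is far in the past and all of the windows above would be missed. After the cut-over, `show mpls ldp neighbor detail` reports the password state of each peer, which is the check to run to confirm the session stayed up and moved to the new key without a reset.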
Relevant XR Commands
neighbor password
Configures a default password for all neighbors.
RP/0/0/CPU0:XR11(config)# mpls ldp
RP/0/0/CPU0:XR11(config-ldp)# neighbor password [clear | encrypted] (pass)
neighbor (a.b.c.d.) password
Configures a per-neighbor password. Does not require the LDP session to be cleared.
RP/0/0/CPU0:XR11(config)# mpls ldp
RP/0/0/CPU0:XR11(config-ldp)# neighbor (a.b.c.d) password [clear | encrypted] (pass)
Show mpls ldp neighbor
show mpls ldp neighbor
Additional Resources
MPLS-LDP-Per-Neighbor-Authentication
MPLS-LDP-MD5-Global-Configuration
MPLS Label Distribution Protocol Configuration Guide, Cisco IOS Release 12.2SR - MPLS LDP-Lossless MD5 Session Authentication