MPLS LDP Lossless MD5 Session Authentication

Introduction

MPLS LDP MD5 Lossless authentication is similar to the other two methods of authenticating LDP (the global MD5 password and the per-neighbor password), with the exception that the LDP TCP session is not torn down when a neighbor password is enabled or changed.

LDP Lossless MD5 Session Authentication

  • No LDP session reset is required (hence "lossless") to activate a new password or to change an existing LDP session's authentication.
  • Asymmetric and symmetric keys are supported:
    • Asymmetric - inbound TCP segments use a different key than outbound TCP segments.
    • Symmetric - inbound and outbound TCP segments use the same key.
  • Key chains can be used, which allow multiple passwords to be configured with overlapping lifetimes.
  • Key rotation is accomplished with the combination of send-lifetime and accept-lifetime:
    • send-lifetime specifies when the router starts signing outbound segments with the key and when it stops.
    • accept-lifetime specifies when the key becomes valid for inbound segments and when it stops being accepted.
  • Lifetime timers start at Jan 1, 1993 (the earliest start time a key chain accepts), so the router clock must be correct, ideally NTP-synchronised, before lifetimes are relied on.
  • An ACL selects the group of LDP neighbors that share a password. If that ACL is modified and becomes empty, every LDP neighbor becomes part of the group, because an empty access list implies "permit any" by default.

Relevant IOS Commands

mpls ldp password rollover duration

Specifies the amount of time, in minutes, allowed for LDP peers to roll over to another password. During this window both passwords, the old one and the new one, can be used, so the peer can be updated without resetting the session.

R1(config)#        mpls ldp password rollover duration (min)

mpls ldp password option for

Binds a group of LDP neighbors, selected by a standard ACL matched against the neighbor's LSR ID, to either a key chain (rotating keys) or a static password (0 = clear text, 7 = Cisco type-7 encrypted). The option number orders the entries; a neighbor uses the first option whose ACL matches it.

R1(config)#        mpls ldp password option (#) for (ACL) key-chain (key-chain-name)
R1(config)#        mpls ldp password option (#) for (ACL) [0 | 7] (password)
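The following is an added example of the IOS side of a scheduled, lossless key rotation; it is not configuration from the original page or from Cisco's guide. Hostnames, addresses, key strings, dates and ACL names are assumed. It combines the key chain with overlapping lifetimes, the ACL-based neighbor group, a static fallback group, and the rollover duration:

```cisco
! Added example (not from the original page): scheduled, lossless LDP key
! rotation on IOS. Hostnames, addresses, key strings and dates are assumed.
!
! Every LSR sharing the key chain must agree on the time, or one side
! starts sending with a key the other side does not accept yet.
ntp server 10.255.0.1

! Two overlapping keys. Each accept window outlives the other key's send
! window, so segments still signed with the old key are accepted while
! both ends move their send key at the same lifetime boundary.
key chain LDP-KEYS
 key 1
  key-string S3cr3t-2024Q1
  ! sent through Feb 29, accepted through Mar 31
  send-lifetime   00:00:00 Jan 1 2024 23:59:59 Feb 29 2024
  accept-lifetime 00:00:00 Jan 1 2024 23:59:59 Mar 31 2024
 key 2
  key-string S3cr3t-2024Q2
  ! accepted a month before it is sent, sent from Mar 1 onward
  accept-lifetime 00:00:00 Feb 1 2024 infinite
  send-lifetime   00:00:00 Mar 1 2024 infinite

! Neighbors (matched on LSR ID) that share the rotating key chain.
! Keep at least one permit line: an ACL with no entries permits every
! peer, so removing the last permit widens the group to all neighbors
! instead of shrinking it.
ip access-list standard LDP-CORE-PEERS
 permit 10.0.0.2
 permit 10.0.0.3

! Neighbors that keep a static password (0 = clear text on the CLI).
ip access-list standard LDP-EDGE-PEERS
 permit 10.0.1.0 0.0.0.255

mpls ldp router-id Loopback0 force
! Lower option number is matched first.
mpls ldp password option 1 for LDP-CORE-PEERS key-chain LDP-KEYS
mpls ldp password option 2 for LDP-EDGE-PEERS 0 Edge-0nly-pw
! Refuse any LDP session that is not authenticated at all.
mpls ldp password required
! For passwords edited by hand (not by lifetime), accept the old and the
! new string for 10 minutes so the peer can be updated without a reset.
mpls ldp password rollover duration 10

! Verification: the key chain's currently active key, then the
! per-neighbor password state on each LDP session.
! show key chain LDP-KEYS
! show mpls ldp neighbor detail
```

The lossless property here comes from the lifetimes, not from the rollover timer: on Mar 1 both ends start sending key 2, and anything in flight signed with key 1 is still accepted until Mar 31. If the accept window of the old key ended at the same instant as its send window, a single late segment would be rejected and retransmitted, and a clock skew larger than the LDP hold time would reset the session.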

Relevant XR Commands

neighbor password

Configures a default password used for every LDP neighbor that has no per-neighbor password of its own.

RP/0/0/CPU0:XR11(config)#    mpls ldp
RP/0/0/CPU0:XR11(config-ldp)#   neighbor password [clear | encrypted] (pass)

neighbor (a.b.c.d) password

Configures a per-neighbor password, which takes precedence over the default. Changing it does not require the LDP session to be cleared.

RP/0/0/CPU0:XR11(config)#    mpls ldp
RP/0/0/CPU0:XR11(config-ldp)#   neighbor (a.b.c.d) password [clear | encrypted] (pass)
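An added example, not from the original page, of an IOS XR router authenticating its LDP session to an IOS peer that uses the static form of mpls ldp password option, and of changing that password later without a reset. Hostnames, LSR IDs and password strings are assumed; the "10.0.0.1:0" neighbor form (LSR ID plus label-space ID) is the form used on this editor's XR releases and should be checked against the release in use:

```cisco
! Added example (not from the original page): XR11 (LSR ID 10.0.0.11)
! authenticates its LDP session to IOS router R1 (LSR ID 10.0.0.1).
! Hostnames, addresses and password strings are assumed.

! --- IOS XR side ---
RP/0/0/CPU0:XR11(config)# mpls ldp
RP/0/0/CPU0:XR11(config-ldp)#  router-id 10.0.0.11
! Default for any neighbor without a more specific entry.
RP/0/0/CPU0:XR11(config-ldp)#  neighbor password clear Def4ult-ldp-pw
! Per-neighbor entry: peer named by LSR ID and label space (":0" assumed
! here for the platform-wide label space); it overrides the default.
RP/0/0/CPU0:XR11(config-ldp)#  neighbor 10.0.0.1:0 password clear R1-XR11-pw
RP/0/0/CPU0:XR11(config-ldp)# commit

! --- IOS side (R1): the static string must match what XR11 uses ---
R1(config)# ip access-list standard LDP-XR11
R1(config-std-nacl)#  permit 10.0.0.11
R1(config-std-nacl)# exit
R1(config)# mpls ldp password option 1 for LDP-XR11 0 R1-XR11-pw
! Keep the old string usable for 5 minutes after a change.
R1(config)# mpls ldp password rollover duration 5

! Rotating the string later without a reset: change both ends inside
! the 5-minute window. Segments exchanged in the short interval where
! the two ends disagree are rejected and retransmitted once both agree,
! so that interval must stay shorter than the LDP hold time. If XR11 is
! not updated before the window closes, R1 rejects its segments and the
! session is eventually torn down by the hold timer.
R1(config)# mpls ldp password option 1 for LDP-XR11 0 R1-XR11-pw2
RP/0/0/CPU0:XR11(config-ldp)#  neighbor 10.0.0.1:0 password clear R1-XR11-pw2
RP/0/0/CPU0:XR11(config-ldp)# commit

! Both ends should still report the original session uptime:
! R1# show mpls ldp neighbor detail
! RP/0/0/CPU0:XR11# show mpls ldp neighbor detail
```

Use the encrypted keyword on XR when pasting a string already in the platform's encrypted form; clear stores the string entered on the CLI. Either way the configuration should be treated as sensitive, since the MD5 key is the only thing keeping a spoofed LDP peer from injecting label bindings.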

show mpls ldp neighbor

Displays each LDP session and its state; the detail keyword also shows, per neighbor, whether a password is required, which source it comes from (global, neighbor, option) and whether it is in use on the session.

show mpls ldp neighbor

Additional Resources

MPLS-LDP-Per-Neighbor-Authentication
MPLS-LDP-MD5-Global-Configuration
MPLS Label Distribution Protocol Configuration Guide, Cisco IOS Release 12.2SR - MPLS LDP-Lossless MD5 Session Authentication

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License