Introduction
To maintain control of which MPLS routers exchange labels using LDP, MD5 global authentication can be configured. This feature also protects the TCP layer from DoS attacks, and it provides enhancements over Per Neighbor Authentication.
MD5 Global Configuration Authentication
- Security is provided in the TCP protocol header using the TCP MD5 Signature option.
- The password requirement can be configured for specific neighbors, selected with an ACL, instead of for all neighbors.
- Specific passwords can be configured per group of neighbors rather than individually for each LDP neighbor.
- Authentication passwords can be configured per neighbor or globally. Passwords are checked in the following order:
  - Per-neighbor password. Command: mpls ldp neighbor (ip) password (pass)
  - Global option password whose ACL matches the peer address, lowest option number first. Command: mpls ldp password option (seq) for (ACL) (0|7) (pass)
  - Fallback password, if configured. Command: mpls ldp password fallback 0 PASS-CISCO
- Authentication is supported for the global routing table and for individual VRFs. VRF LDP authentication might be used with MPLS CsC (Carrier supporting Carrier).
- Requires an LDP session reset for passwords to be used, unless the mpls ldp password required for command is specified.
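The following is an added configuration example, not from the original page or from Cisco's guide, that puts the three password sources together so the evaluation order above can be seen in one place; the neighbor addresses, ACL numbers and passwords are made up.

```cisco
! Constructed example: one per-neighbor password, two neighbor groups, one catch-all.
!
! 1) Per-neighbor password is checked first. 10.0.0.1 also falls inside ACL 10
!    below, but this entry wins because per-neighbor precedes the option list.
mpls ldp neighbor 10.0.0.1 password 0 PerNbrSecret
!
! Standard ACLs (1-99) select neighbor groups by LDP peer address.
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 20 permit 10.1.0.0 0.0.0.255
!
! 2) Global option list; the lowest sequence number is tried first when a peer
!    matches several ACLs. Key type 0 = cleartext in the config, 7 = Cisco type 7
!    encoding, which is reversible obfuscation, not encryption.
mpls ldp password option 1 for 10 0 CoreGroupSecret
mpls ldp password option 2 for 20 0 EdgeGroupSecret
!
! 3) Catch-all, evaluated last, for peers that match neither ACL.
mpls ldp password fallback 0 FallbackSecret
!
! Peers in ACL 20 must resolve to some password or their session stays down;
! peers outside ACL 20 are not subject to this check.
mpls ldp password required for 20
!
! Verify which source each neighbor resolved to and whether it is in use or stale.
do show mpls ldp neighbor password
```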
Relevant Commands
mpls ldp password option
The option keyword specifies an ordered list; preference is given to the lowest number, in ascending order.
The for keyword specifies the neighbors this entry applies to, using a standard ACL (1-99).
R1(config)# mpls ldp password option (seq) for (Standard ACL) (0|7) (pass)
mpls ldp password fallback
Catch-all password for authentication of LDP sessions. If configured, this password is evaluated last.
R1(config)# mpls ldp password fallback (0|7) (pass)
mpls ldp password required for
Specifies that LDP neighbors matching the ACL must have an LDP password configured. If no password applies to these neighbors, their sessions will not come up.
R1(config)# mpls ldp password required [for (Standard ACL)]
show mpls ldp neighbor password
Displays password information per neighbor:
- Whether a password is mandatory for the neighbor is indicated by required or not required in the output, for all sessions.
- The password source can be neighbor, fallback, option or none.
- Whether the TCP session is using the MD5 password is indicated by in use or stale in the output.
R1# show mpls ldp neighbor password
R1# show mpls ldp (ip) neighbor password
R1# show mpls ldp neighbor password current
R1# show mpls ldp neighbor password pending
Additional Resources
MPLS-LDP-per-Neighbor-Authentication
MPLS-LDP-Lossless-MD5-Session-Authentication
MPLS LDP MD5 Global Configuration - MPLS Label Distribution Protocol Configuration Guide, Cisco IOS Release 12.2SR