MPLS LDP Per Neighbor Authentication

Introduction

To maintain control of which MPLS routers exchange labels using LDP, per neighbor authentication can be configured. This feature also protects the TCP layer from DoS attacks.

Per Neighbor Authentication

  • Security is provided in the TCP protocol header using the TCP MD5 Signature options.
  • When a neighbor password is configured, it does not take effect until the LDP session is reset. The other option is to require authentication with the command mpls ldp password required, which authenticates all LDP neighbors immediately (this could be dangerous).
  • When an already configured password is changed, the new password is not used until the session is reset.
  • The biggest disadvantage is that the LDP session has to be reset to enable this feature.
  • In the configuration below R2's neighbors have per neighbor password configured:
mpls ldp neighbor 4.4.4.4 password MY-SECRET-PASS
mpls ldp neighbor 1.1.1.1 password MY-SECRET-PASS
  • Only LDP neighbor 4.4.4.4 is using the password (in use), while neighbor 1.1.1.1 is not using it yet (stale).
  • To see all active sessions whose TCP session uses the currently configured password, use the command show mpls ldp neighbor password current.
  • To see all stale sessions whose password in use differs from the configured one, use the command show mpls ldp neighbor password pending.
R2#sh mpls ldp neighbor password
    Peer LDP Ident: 1.1.1.1:0; Local LDP Ident 2.2.2.2:0
        TCP connection: 1.1.1.1.646 - 2.2.2.2.23878
        Password: not required, neighbor, stale    <---per neighbor, stale not used yet or different 
        State: Oper; Msgs sent/rcvd: 15/13
    Peer LDP Ident: 4.4.4.4:0; Local LDP Ident 2.2.2.2:0
        TCP connection: 4.4.4.4.52788 - 2.2.2.2.646
        Password: not required, neighbor, in use    <--per neighbor, password currently in use.
        State: Oper; Msgs sent/rcvd: 11/17
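As an added example (not part of the original page), a small Python audit that parses the show mpls ldp neighbor password output above and flags each peer as OK, STALE (configured password not yet used, session reset needed) or UNAUTHENTICATED. The sample text is constructed from the output above; the extra 3.3.3.3 peer with password source none is an assumed line, not verified IOS output.

```python
import re

# Constructed sample modelled on the show output above; the third peer
# (source "none", no password configured) is an assumed line, not from the page.
SAMPLE_OUTPUT = """\
R2#sh mpls ldp neighbor password
    Peer LDP Ident: 1.1.1.1:0; Local LDP Ident 2.2.2.2:0
        TCP connection: 1.1.1.1.646 - 2.2.2.2.23878
        Password: not required, neighbor, stale
        State: Oper; Msgs sent/rcvd: 15/13
    Peer LDP Ident: 4.4.4.4:0; Local LDP Ident 2.2.2.2:0
        TCP connection: 4.4.4.4.52788 - 2.2.2.2.646
        Password: not required, neighbor, in use
        State: Oper; Msgs sent/rcvd: 11/17
    Peer LDP Ident: 3.3.3.3:0; Local LDP Ident 2.2.2.2:0
        TCP connection: 3.3.3.3.646 - 2.2.2.2.40210
        Password: not required, none
        State: Oper; Msgs sent/rcvd: 5/5
"""

PEER_RE = re.compile(r"Peer LDP Ident: (\S+?):\d+;")
PASS_RE = re.compile(
    r"Password: (required|not required), (neighbor|fallback|none)(?:, (in use|stale))?")

def parse_ldp_passwords(text):
    """Map each peer IP to its password fields: required flag, source, TCP status."""
    sessions, peer = {}, None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            peer = m.group(1)
            continue
        m = PASS_RE.search(line)
        if m and peer:
            # status is None when no password is configured for the peer
            sessions[peer] = {"required": m.group(1) == "required",
                              "source": m.group(2), "status": m.group(3)}
    return sessions

def audit_ldp_sessions(sessions):
    """Flag peers with no MD5 password or a stale one (session reset pending)."""
    findings = {}
    for peer, s in sessions.items():
        if s["source"] == "none":
            findings[peer] = "UNAUTHENTICATED"
        elif s["status"] == "stale":
            findings[peer] = "STALE"
        else:
            findings[peer] = "OK"
    return findings
```

Run it against the real output of the show command on each LSR to list the sessions that still need a reset before the configured password takes effect.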

Relevant Commands

mpls ldp neighbor password

Configures a per LDP neighbor password.

R1(config)#        mpls ldp neighbor (ldp-peer-ip) password 0 (pass)

mpls ldp password required

Requires a password for all LDP neighbors.

R1(config)#        mpls ldp password required

show mpls ldp neighbor password

Displays password information per neighbor.
Whether a password is mandatory for a neighbor is indicated by required or not required in the output for every session.
The password source can be neighbor, fallback option or none.
Whether the TCP session currently uses the MD5 password is indicated by in use or stale.

show mpls ldp neighbor password
show mpls ldp (ip) neighbor password
show mpls ldp neighbor password current
show mpls ldp neighbor password pending

show mpls ldp discovery detail

show mpls ldp discovery detail

Additional Resources

MPLS-LDP-MD5-Global-Configuration
MPLS-LDP-Lossless-MD5-Session-Authentication

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License