(Optional) Configuring MPLS LDP Security
In networks with strict security requirements, LDP can be hardened by configuring LDP MD5 authentication and LDP GTSM. The two mechanisms are complementary: MD5 authentication verifies that every segment of an LDP session came from a peer holding the shared password, while GTSM discards session packets whose TTL shows they could not have originated within the configured hop radius.
Enable MD5 Authentication between MPLS LDP Neighbors
To protect LDP session connections, MD5 authentication can be configured for the TCP connections that carry LDP sessions.
Configuring a password makes the local router require a valid MD5 signature (the TCP MD5 Signature Option, RFC 2385) on every TCP segment exchanged with that neighbor. Because the signature is computed over the segment and the shared password, only a router that holds the same password can establish an LDP session with the local router and exchange label information.
This prevents unauthorized devices from establishing LDP sessions with your routers, which could otherwise be used to inject bogus label mappings or disrupt the session. Note that the option authenticates but does not encrypt: the LDP PDUs remain readable on the wire, and the UDP Hello messages used for neighbor discovery are not covered by a TCP option. The password is a static shared secret, so choose a long random value and rotate it on a schedule.
NOTE:
Ensure that the same password is configured on both sides of the LDP session. Mismatched passwords, or a password configured on only one side, prevent the LDP session from being established, because a receiver configured for MD5 discards segments that lack a valid signature.
This example enables Message Digest 5 (MD5) authentication on the TCP connection between two MPLS LDP neighbors; the same password must also be configured on neighbor 2.2.2.2 for the session to come up.
admin@PICOS# set protocols mpls ldp neighbor 2.2.2.2 password picos12345
admin@XorPlus# commit
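The following Python block is an added example (not PICOS code and not part of the original page) that shows what the password above actually protects. It implements the RFC 2385 TCP MD5 Signature Option computation over a constructed LDP session segment and then plays the receiver's check against a correct key, a wrong key, a tampered payload, a spoofed source address and an unsigned segment. The addresses, ports, sequence numbers and LDP PDU bytes are constructed for the demonstration; only the neighbor 2.2.2.2 and the password picos12345 come from the configuration example.

```python
"""RFC 2385 TCP MD5 Signature Option, as used for LDP session authentication.

Added example, not PICOS code. The IP addresses, ports, sequence numbers
and the LDP payload below are constructed for the demonstration.
"""
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_TCP = 6
TCPOPT_MD5SIG = 19          # option kind assigned by RFC 2385
TCPOPT_MD5SIG_LEN = 18      # kind(1) + length(1) + 16-byte digest
TCPOPT_NOP = 1
LDP_PORT = 646              # LDP session transport port


def build_tcp_header(src_port, dst_port, seq, ack, flags, window, options_len):
    """Fixed 20-byte TCP header; checksum and urgent pointer left at zero."""
    data_offset = (20 + options_len) // 4
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset << 4, flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """MD5 over pseudo-header, fixed header with checksum zeroed, data, key (RFC 2385 s2)."""
    seg_len = (tcp_header[12] >> 4) * 4 + len(payload)   # header incl. options + data
    pseudo = (ipaddress.ip_address(src_ip).packed
              + ipaddress.ip_address(dst_ip).packed
              + struct.pack("!BBH", 0, IPPROTO_TCP, seg_len))
    header_no_csum = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]
    digest = hashlib.md5()
    for part in (pseudo, header_no_csum, payload, key):
        digest.update(part)
    return digest.digest()


def sign_options(src_ip, dst_ip, tcp_header, payload, key):
    """Return the TCP options field carrying the signature, NOP-padded to 20 bytes."""
    sig = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key)
    return bytes([TCPOPT_MD5SIG, TCPOPT_MD5SIG_LEN]) + sig + bytes([TCPOPT_NOP, TCPOPT_NOP])


def extract_signature(options):
    """Walk the TCP options list and return the MD5 signature, or None if absent."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # end of option list
            return None
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            return None                     # truncated option
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None                     # malformed option
        if kind == TCPOPT_MD5SIG and length == TCPOPT_MD5SIG_LEN:
            return options[i + 2:i + length]
        i += length
    return None


def verify_segment(src_ip, dst_ip, tcp_header, options, payload, key):
    """Receiver side: unsigned or badly signed segments are discarded (RFC 2385 s4.1)."""
    received = extract_signature(options)
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key)
    return hmac.compare_digest(received, expected)


# Constructed sample: the LDP session from 1.1.1.1 to neighbor 2.2.2.2 (as on the page),
# an LDP PDU header (version 1, length 28, LSR-ID 1.1.1.1, label space 0) and the
# password from the configuration example.
SRC, DST = "1.1.1.1", "2.2.2.2"
KEY = b"picos12345"
PAYLOAD = bytes.fromhex("0001001c0101010100000000")
HEADER = build_tcp_header(LDP_PORT, 49152, seq=1000, ack=2000, flags=0x18,  # PSH|ACK
                          window=65535, options_len=20)


def demo():
    """Sign one segment, then show what the receiver accepts and rejects."""
    opts = sign_options(SRC, DST, HEADER, PAYLOAD, KEY)
    return {
        "good_key": verify_segment(SRC, DST, HEADER, opts, PAYLOAD, KEY),
        "wrong_key": verify_segment(SRC, DST, HEADER, opts, PAYLOAD, b"picos54321"),
        "tampered_payload": verify_segment(SRC, DST, HEADER, opts, PAYLOAD + b"\x00", KEY),
        "spoofed_source": verify_segment("9.9.9.9", DST, HEADER, opts, PAYLOAD, KEY),
        "unsigned": verify_segment(SRC, DST, HEADER, b"", PAYLOAD, KEY),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:17s} -> {'accept' if accepted else 'drop'}")
```

Only the first case is accepted. Because the digest covers the IP addresses, ports, sequence numbers and payload, a forged reset or an injected label message from a host that does not know the password fails the check, and a segment with no signature at all is dropped as well, which is why a one-sided password breaks the session.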
Enable Generalized TTL Security Mechanism (GTSM)
The Generalized TTL Security Mechanism (GTSM, RFC 5082; its use with LDP is specified in RFC 6720) protects a device by judging incoming packets on their IP TTL (Time-to-Live) value rather than on their contents. A GTSM-aware peer sends LDP session packets with the TTL set to 255, the maximum value. Every router on the path decrements the TTL and no sender can start above 255, so a packet that arrives with a TTL lower than the value expected for the configured hop range cannot have originated within that range. When GTSM is configured on an LDP peer, each LDP message from that peer is checked against the configured range; a message whose TTL falls outside it is treated as a forged attack packet and discarded before it reaches the LDP process. This blunts attacks that flood the router with spoofed LDP session packets from outside the hop radius. GTSM does not authenticate the sender, so an attacker located within the radius is not filtered by it; use it together with MD5 authentication.
The set protocols mpls ldp neighbor <ip> ttl-security hops <integer> command enforces GTSM as specified in RFC 5082. With this command configured, only packets whose TTL shows that the sender is no more than the specified number of hops away are accepted, so only such neighbors can establish and maintain an LDP session.
By default, the hop count is 0, which means TTL security is disabled for the neighbor.
NOTE:
The range of hop values accepted differs among vendors (for example, 1 to 255 on some devices and 1 to 64 on others), and the way the hop count is applied to the received TTL may differ as well. When interoperating with another vendor's device, set the hop value to match that vendor's implementation; otherwise packets sent by the peer will be discarded and the LDP session will be interrupted.
The commands set protocols mpls ldp neighbor <ip> ttl-security hops <integer> and set protocols mpls ldp neighbor <ip> ttl-security disable cannot be configured simultaneously for the same neighbor.
The following example enables GTSM for neighbor 2.2.2.2 and sets the valid hop count to 10.
admin@PICOS# set protocols mpls ldp neighbor 2.2.2.2 ttl-security hops 10
admin@PICOS# commit
Disabling GTSM may be necessary for compatibility with older or specific devices that do not support TTL security: such a peer sends its session packets with an ordinary TTL, which a GTSM-enabled receiver would discard. The following command disables GTSM for a neighbor.
admin@PICOS# set protocols mpls ldp neighbor 2.2.2.2 ttl-security disable
admin@PICOS# commit
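The following Python block is an added example (not PICOS code and not part of the original page) that simulates the GTSM receive check described above for a neighbor configured with ttl-security hops 10, and for the disabled case. It shows why a GTSM-aware peer sends TTL 255, why a spoofed packet from beyond the hop radius is dropped, why an attacker inside the radius is not caught, and why a legacy peer that does not support TTL security (here sending the common default TTL of 64) is rejected until GTSM is disabled for it. The accept threshold treats the configured hop count as the largest router-hop distance of a legitimate peer; the page does not state the exact comparison PICOS uses and vendors differ, so that threshold and all scenario values are assumptions.

```python
"""GTSM (RFC 5082) receive check as a small simulation.

Added example, not PICOS code. The accept threshold treats the configured
hop count as the largest router-hop distance of a legitimate peer; the page
does not state the exact comparison PICOS uses, so this is an assumption.
"""

MAX_TTL = 255          # what a GTSM-aware peer puts in every session packet


def delivered_ttl(initial_ttl, hop_distance):
    """TTL seen by the receiver. A directly connected peer is hop_distance 1,
    so the packet crosses hop_distance - 1 routers, each decrementing the TTL.
    Returns None if the packet expires in transit."""
    if hop_distance < 1 or not 1 <= initial_ttl <= MAX_TTL:
        raise ValueError("hop_distance >= 1 and 1 <= initial_ttl <= 255 required")
    ttl = initial_ttl - (hop_distance - 1)
    return ttl if ttl >= 1 else None


def gtsm_accept(configured_hops, received_ttl):
    """hops 0 = disabled (the page's default); otherwise accept only packets
    whose TTL is consistent with a sender at most configured_hops away."""
    if received_ttl is None:
        return False                                    # never arrived
    if configured_hops == 0:
        return True
    return received_ttl >= MAX_TTL - (configured_hops - 1)


def evaluate(configured_hops, scenarios):
    """Map scenario name -> accepted? for (initial_ttl, hop_distance) tuples."""
    return {name: gtsm_accept(configured_hops, delivered_ttl(ttl, dist))
            for name, (ttl, dist) in scenarios.items()}


# Constructed scenarios for a neighbor configured with `ttl-security hops 10`.
SCENARIOS = {
    "gtsm_peer_1_hop":        (255, 1),    # directly connected peer sending TTL 255
    "gtsm_peer_10_hops":      (255, 10),   # peer exactly at the configured radius
    "spoofed_from_12_hops":   (255, 12),   # attacker beyond the radius; cannot exceed 255
    "spoofed_within_radius":  (255, 3),    # attacker inside the radius: GTSM cannot tell
    "legacy_peer_ttl_64":     (64, 1),     # neighbor without GTSM support, default TTL 64
}


if __name__ == "__main__":
    for hops in (10, 0):
        print(f"ttl-security hops {hops}:")
        for name, ok in evaluate(hops, SCENARIOS).items():
            print(f"  {name:24s} {'accept' if ok else 'drop'}")
```

With hops 10 the receiver requires a TTL of at least 246: the two GTSM-aware peers and the in-radius attacker pass, the 12-hop spoof (TTL 244) and the legacy peer (TTL 64) are dropped. With hops 0 everything is accepted, which is what the ttl-security disable command trades away for compatibility.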
Copyright © 2024 Pica8 Inc. All Rights Reserved.