Enabling LDP Authentication
Problem
You want to ensure that all LDP protocol traffic that your router accepts comes from devices known to you so that only trusted routers participate in determining the contents of the LDP database.
Solution
Configure MD5 authentication for each LDP session on the router. For authentication to work across all LDP peers, you need to configure MD5 authentication with the same password on all LDP sessions on all LDP routers. First, configure the session on the ingress router, RouterG:
[edit protocols ldp]
aviva@RouterG# set session 192.168.17.1 authentication-key $1991poPPi
Then, configure the LDP session on the egress router:
[edit protocols ldp]
aviva@RouterF# set session 192.168.17.1 authentication-key $1991poPPi
Finally, configure both LDP sessions on the transit router:
[edit protocols ldp]
aviva@RouterJ# set session 192.168.16.1 authentication-key $1991poPPi
aviva@RouterJ# set session 192.168.19.1 authentication-key $1991poPPi
Discussion
It's a good security measure to authenticate the TCP connection used for LDP sessions to protect against spoofing of that TCP connection. The JUNOS implementation of LDP uses an MD5 signature for authentication.
This recipe shows how to configure MD5 authentication for LDP. You configure MD5 authentication for each session and set a key, or password. From the key, MD5 creates an encoded checksum (a signature) that is included in all transmitted LDP packets. The receiving router verifies this checksum before accepting the packet. LDP routers establish sessions with each of their LDP neighbors. Because LDP authentication is always between a pair of neighbors, not end to end, you can use a different key on each session. For example, you could set one key for the RouterG-RouterJ session and a different one for the RouterJ-RouterF session.
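The signature the discussion refers to is the TCP MD5 Signature Option (RFC 2385), which LDP carries on its session TCP connection (RFC 5036). The following Python is an added illustration, not part of the recipe and not JUNOS code: it computes and verifies that digest for a constructed LDP KeepAlive segment from RouterG to RouterJ, using the addresses and the key from the recipe. The port numbers, sequence and acknowledgment numbers and the KeepAlive payload are constructed for the example. It shows that a receiver configured with a different key, or a segment whose payload was altered in transit, fails verification, which is exactly why a spoofed or modified segment is dropped before LDP ever sees it.

```python
import hashlib
import hmac
import socket
import struct

# Constants from RFC 2385 (TCP MD5 Signature Option) and RFC 5036 (LDP)
TCP_MD5_OPTION_KIND = 19
TCP_MD5_OPTION_LEN = 18        # kind(1) + length(1) + 16-byte digest
LDP_PORT = 646
LDP_KEEPALIVE_TYPE = 0x0201


def ldp_keepalive_pdu(lsr_id, message_id):
    """Constructed LDP PDU carrying one KeepAlive message (RFC 5036 section 3.5.5)."""
    message = struct.pack("!HHI", LDP_KEEPALIVE_TYPE, 4, message_id)
    ldp_identifier = socket.inet_aton(lsr_id) + b"\x00\x00"   # LSR ID + platform-wide label space
    return struct.pack("!HH", 1, len(ldp_identifier) + len(message)) + ldp_identifier + message


def build_tcp_header(src_port, dst_port, seq, ack, flags, window, options_len):
    """Fixed 20-byte TCP header whose data offset covers the options; checksum left at zero."""
    data_offset_words = (20 + options_len) // 4
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset_words << 4, flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, fixed_header, payload, key):
    """RFC 2385: MD5 over pseudo-header, fixed TCP header (checksum 0, options excluded), data, key."""
    data_offset = (fixed_header[12] >> 4) * 4
    segment_len = data_offset + len(payload)
    pseudo_header = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
                     + struct.pack("!BBH", 0, socket.IPPROTO_TCP, segment_len))
    md5 = hashlib.md5()
    md5.update(pseudo_header)
    md5.update(fixed_header)
    md5.update(payload)
    md5.update(key)            # the shared authentication-key is appended last
    return md5.digest()


def sign_segment(src_ip, dst_ip, src_port, dst_port, seq, ack, flags, window, payload, key):
    """Sender side: compute the digest and carry it in a kind-19 option (two NOPs pad to 4 bytes)."""
    options_len = 2 + TCP_MD5_OPTION_LEN
    fixed = build_tcp_header(src_port, dst_port, seq, ack, flags, window, options_len)
    digest = tcp_md5_digest(src_ip, dst_ip, fixed, payload, key)
    options = b"\x01\x01" + bytes([TCP_MD5_OPTION_KIND, TCP_MD5_OPTION_LEN]) + digest
    return fixed + options + payload


def _find_md5_option(options):
    """Walk the TCP option list and return the 16-byte digest of a kind-19 option, if present."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # End of option list
            break
        if kind == 1:                       # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            break
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break
        if kind == TCP_MD5_OPTION_KIND and length == TCP_MD5_OPTION_LEN:
            return options[i + 2:i + length]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver side: recompute the digest with the locally configured key and compare."""
    if len(segment) < 20:
        return False
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        return False
    fixed = bytearray(segment[:20])
    fixed[16:18] = b"\x00\x00"             # the digest is computed with the checksum zeroed
    received = _find_md5_option(segment[20:data_offset])
    if received is None:                   # unsigned segment: a router with a key configured drops it
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, bytes(fixed), segment[data_offset:], key)
    return hmac.compare_digest(received, expected)


def demo():
    """RouterG (192.168.19.1) sends a KeepAlive to RouterJ (192.168.17.1); ports and seq/ack are constructed."""
    key = b"$1991poPPi"                                   # the key used in the recipe
    pdu = ldp_keepalive_pdu("192.168.19.1", 1)
    seg = sign_segment("192.168.19.1", "192.168.17.1", 51000, LDP_PORT,
                       0x10000000, 0x20000000, 0x18, 16384, pdu, key)
    tampered = seg[:-1] + bytes([seg[-1] ^ 0xFF])        # flip the last payload byte in transit
    return {
        "same_key": verify_segment("192.168.19.1", "192.168.17.1", seg, key),
        "wrong_key": verify_segment("192.168.19.1", "192.168.17.1", seg, b"wrong-key"),
        "tampered": verify_segment("192.168.19.1", "192.168.17.1", tampered, key),
    }


if __name__ == "__main__":
    print(demo())   # {'same_key': True, 'wrong_key': False, 'tampered': False}
```

Because the key is folded into the digest together with the addresses, header and payload, a peer that does not hold the key cannot produce a segment that passes verify_segment, and a segment altered after signing fails the same check; this is the per-session protection the recipe configures with authentication-key on each side of a session.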
Use the show ldp session command to list the established sessions. You see that RouterG has one LDP session:
aviva@RouterG> show ldp session
  Address           State        Connection     Hold time
  192.168.17.1      Operational  Open             24
The LDP session is established with the immediate neighbor, RouterJ (192.168.17.1). So, when you configure authentication, specify the address of the session to RouterJ. RouterF also has one session, to its neighbor RouterJ:
aviva@RouterF> show ldp session
  Address           State        Connection     Hold time
  192.168.17.1      Operational  Open             29
The router in the middle, RouterJ, has one session to each LDP peer:
aviva@RouterJ> show ldp session
  Address           State        Connection     Hold time
  192.168.16.1      Operational  Open             24
  192.168.19.1      Operational  Open             21
One way to verify whether authentication is configured is to look at the configuration:
aviva@RouterG> show configuration protocols ldp
interface t1-4/0/0.0;
session 192.168.17.1 {
    authentication-key "$9$c3pyvWX7-w24x7k.fT3nvW8LVw"; ## SECRET-DATA
}
This output confirms that authentication is configured. As a security measure, the CLI shows only the encrypted form of the password to stop anyone from casually glancing through the configuration and seeing the actual password. You can also protect the password by using the encrypted form instead of the text form when configuring authentication on additional routers:
[edit protocols ldp session 192.168.17.1]
aviva@RouterF# set authentication-key $9$c3pyvWX7-w24x7k.fT3nvW8LVw
Another way to check that authentication is configured is to look at the LDP session:
aviva@RouterG> show ldp session detail
Address: 192.168.17.1, State: Connecting, Connection: Opening, Hold time: 0
  Session ID: 192.168.19.1:0--192.168.17.1:0
  Active, Maximum PDU: 4096, Hold time: 30, Neighbor count: 1
  Keepalive interval: 10, Connect retry interval: 1
  Local address: 192.168.19.1, Remote address: 192.168.17.1
  Last down 00:00:09 ago; Reason: connect time expired
  Authentication type: MD5
  Local - Restart: disabled, Helper mode: enabled
  Remote - Restart: disabled, Helper mode: enabled
  Local maximum recovery time: 240000 msec
  Next-hop addresses received:
    t1-4/0/0.0
The Authentication type line shows that the LDP session is using MD5 authentication. Note that this output was captured while the session was still re-establishing (State: Connecting, last down 9 seconds earlier), so check it again a few seconds later to confirm that the state returns to Operational with the key in place on both peers.
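Checking one router by eye is fine for three sessions; across a larger LDP domain you want the same check done mechanically. The Python below is an added example, not part of the recipe and not JUNOS code: it parses the text of show ldp session detail, records each session's peer address, state and Authentication type, and reports any session that is not MD5-authenticated, is with a peer you did not configure, or is not Operational. The sample output is constructed, modeled on the capture above as if taken on RouterJ; the second session's Authentication type: None line is invented to show what an unauthenticated peer looks like in the report.

```python
import re

# Constructed sample modeled on the recipe's "show ldp session detail" output, as if captured on
# RouterJ. The second session and its "Authentication type: None" line are invented for the example.
SAMPLE_OUTPUT = """\
Address: 192.168.16.1, State: Operational, Connection: Open, Hold time: 24
  Session ID: 192.168.17.1:0--192.168.16.1:0
  Active, Maximum PDU: 4096, Hold time: 30, Neighbor count: 1
  Keepalive interval: 10, Connect retry interval: 1
  Local address: 192.168.17.1, Remote address: 192.168.16.1
  Authentication type: MD5
  Local - Restart: disabled, Helper mode: enabled
  Remote - Restart: disabled, Helper mode: enabled

Address: 192.168.19.1, State: Operational, Connection: Open, Hold time: 21
  Session ID: 192.168.17.1:0--192.168.19.1:0
  Active, Maximum PDU: 4096, Hold time: 30, Neighbor count: 1
  Keepalive interval: 10, Connect retry interval: 1
  Local address: 192.168.17.1, Remote address: 192.168.19.1
  Authentication type: None
  Local - Restart: disabled, Helper mode: enabled
  Remote - Restart: disabled, Helper mode: enabled
"""

# Peers that RouterJ is configured to talk to (the two session addresses from the recipe)
KNOWN_PEERS = {"192.168.16.1", "192.168.19.1"}

_SESSION_RE = re.compile(r"^Address: (\S+), State: (\w+), Connection: (\w+)")
_AUTH_RE = re.compile(r"^\s+Authentication type: (\S+)")


def parse_ldp_sessions(text):
    """Return one dict per session block: address, state, connection and authentication type."""
    sessions = []
    current = None
    for line in text.splitlines():
        m = _SESSION_RE.match(line)
        if m:
            current = {"address": m.group(1), "state": m.group(2),
                       "connection": m.group(3), "auth": None}
            sessions.append(current)
            continue
        m = _AUTH_RE.match(line)
        if m and current is not None:
            current["auth"] = m.group(1)
    return sessions


def audit_sessions(sessions, known_peers, expected_auth="MD5"):
    """List the sessions that violate the policy: wrong/no authentication, unknown peer, not up."""
    findings = []
    for s in sessions:
        if s["auth"] != expected_auth:
            findings.append(f"{s['address']}: authentication type {s['auth']} (expected {expected_auth})")
        if s["address"] not in known_peers:
            findings.append(f"{s['address']}: session with a peer not in the configured peer list")
        if s["state"] != "Operational":
            findings.append(f"{s['address']}: state {s['state']}, connection {s['connection']}")
    return findings


def run_audit(text=SAMPLE_OUTPUT, known_peers=KNOWN_PEERS):
    return audit_sessions(parse_ldp_sessions(text), known_peers)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)   # 192.168.19.1: authentication type None (expected MD5)
```

Feed it the real output of show ldp session detail from each LDP router in turn (for example, saved to a file per router) and the findings list is empty only when every session is MD5-authenticated, Operational, and with a peer you configured, which is the condition the Problem statement asks for.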