Enabling LDP Authentication

Problem

You want to ensure that all LDP protocol traffic that your router accepts comes from devices known to you so that only trusted routers participate in determining the contents of the LDP database.

Solution

Configure MD5 authentication for each LDP session on the router. For authentication to work across all LDP peers, you need to configure MD5 authentication with the same password on all LDP sessions on all LDP routers. First, configure the session on the ingress router, RouterG:

	[edit protocols ldp]
	aviva@RouterG# set session 192.168.17.1 authentication-key $1991poPPi

Then, configure the LDP session on the egress router:

	[edit protocols ldp]
	aviva@RouterF# set session 192.168.17.1 authentication-key $1991poPPi

Finally, configure both LDP sessions on the transit router:

	[edit protocols ldp]
	aviva@RouterJ# set session 192.168.16.1 authentication-key $1991poPPi
	aviva@RouterJ# set session 192.168.19.1 authentication-key $1991poPPi

Discussion

It's a good security measure to authenticate the TCP connection used for LDP sessions to guard against spoofing on the TCP connection. The JUNOS implementation of LDP uses an MD5 signature for authentication.

This recipe shows how to configure MD5 authentication for LDP. You configure MD5 authentication for each session and set a key, or password. From the key, MD5 creates an encoded checksum that is included in all transmitted LDP packets. The receiving router verifies this checksum before accepting the packet. LDP routers establish sessions with each of their LDP neighbors. Because LDP authentication is always between a pair of neighbors, not end to end, you can use a different key on each session. For example, you could set one key for the RouterG-RouterJ session and a different one for the RouterJ-RouterF session.

Use the show ldp session command to list the established sessions. You see that RouterG has one LDP session:

	aviva@RouterG> show ldp session
	  Address           State        Connection     Hold time
	192.168.17.1        Operational  Open             24

The LDP session is established with the immediate neighbor, RouterJ (192.168.17.1). So, when you configure authentication, specify the address of the session to RouterJ. RouterF also has one session, to its neighbor RouterJ:

	aviva@RouterF> show ldp session
	  Address           State        Connection     Hold time
	192.168.17.1        Operational  Open             29

The router in the middle, RouterJ, has one session to each LDP peer:

	aviva@RouterJ> show ldp session
	  Address           State        Connection     Hold time
	192.168.16.1        Operational  Open             24
	192.168.19.1        Operational  Open             21

One way to verify whether authentication is configured is to look at the configuration:

	aviva@RouterG> show configuration protocols ldp
	interface t1-4/0/0.0;
	session 192.168.17.1 {
	 authentication-key "$9$c3pyvWX7-w24x7k.fT3nvW8LVw"; ## SECRET-DATA
	}

This output confirms that authentication is configured. As a security measure, the CLI shows only the encrypted form of the password to stop anyone from casually glancing through the configuration and seeing the actual password. You can also protect the password by using the encrypted form instead of the text form when configuring authentication on additional routers:

	[edit protocols ldp session 192.168.17.1]
	aviva@RouterF# set authentication-key $9$c3pyvWX7-w24x7k.fT3nvW8LVw

Another way to check that authentication is configured is to look at the LDP session:

	aviva@RouterG> show ldp session detail
	Address: 192.168.17.1, State: Connecting, Connection: Opening, Hold time: 0
	 Session ID: 192.168.19.1:0--192.168.17.1:0
	 Active, Maximum PDU: 4096, Hold time: 30, Neighbor count: 1
	 Keepalive interval: 10, Connect retry interval: 1
	 Local address: 192.168.19.1, Remote address: 192.168.17.1
	 Last down 00:00:09 ago; Reason: connect time expired
	 Authentication type: MD5
	 Local - Restart: disabled, Helper mode: enabled
	 Remote - Restart: disabled, Helper mode: enabled
	 Local maximum recovery time: 240000 msec
	 Next-hop addresses received:
	 t1-4/0/0.0

The Authentication type line shows that the LDP session is using MD5 authentication.
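The two checks above can be combined into an audit that flags any established LDP session with no key configured. The following Python is an added example, not code from the book or from Juniper; the sample text is constructed on the model of RouterJ's output (with one session deliberately left unkeyed and a placeholder key), and the function names are hypothetical. It assumes the brace-style `session` stanza shown by `show configuration protocols ldp`.

```python
import re

# Constructed sample input modelled on the RouterJ output shown above.
# The configuration is hypothetical: one session is deliberately left unkeyed.
SHOW_LDP_SESSION = """\
  Address           State        Connection     Hold time
192.168.16.1        Operational  Open             24
192.168.19.1        Operational  Open             21
"""

SHOW_CONFIG_LDP = """\
interface t1-4/0/0.0;
session 192.168.16.1 {
    authentication-key "$9$PLACEHOLDER"; ## SECRET-DATA
}
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def established_sessions(text):
    """Peer addresses from 'show ldp session' (rows that start with an IPv4 address)."""
    return [m.group(1) for m in re.finditer(rf"^\s*({IPV4})\s+\S+", text, re.M)]

def keyed_sessions(text):
    """Peers whose 'session <addr> { ... }' stanza contains an authentication-key."""
    keyed = set()
    stanza = rf"^\s*session\s+({IPV4})\s*\{{(.*?)^\s*\}}"
    for m in re.finditer(stanza, text, re.M | re.S):
        if re.search(r"^\s*authentication-key\s+\S+", m.group(2), re.M):
            keyed.add(m.group(1))
    return keyed

def unauthenticated(session_text, config_text):
    """Established LDP sessions that have no authentication-key configured."""
    keyed = keyed_sessions(config_text)
    return [p for p in established_sessions(session_text) if p not in keyed]

if __name__ == "__main__":
    for peer in unauthenticated(SHOW_LDP_SESSION, SHOW_CONFIG_LDP):
        print(f"LDP session {peer}: no authentication-key configured")
```

A session that is up but missing from the keyed set is accepting unauthenticated LDP traffic from that neighbor.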


JUNOS Cookbook
Junos Cookbook (Cookbooks (OReilly))
ISBN: 0596100140
EAN: 2147483647
Year: 2007
Pages: 290
Authors: Aviva Garrett
