Enabling LDP Authentication

You want to ensure that all LDP protocol traffic that your router accepts comes from devices known to you so that only trusted routers participate in determining the contents of the LDP database.
Configure MD5 authentication for each LDP session on the router. For authentication to work across all LDP peers, you need to configure MD5 authentication with the same password on all LDP sessions on all LDP routers. First, configure the session on the ingress router, RouterG:

	[edit protocols ldp]
	aviva@RouterG# set session authentication-key $1991poPPi

Then, configure the LDP session on the egress router:

	[edit protocols ldp]
	aviva@RouterF# set session authentication-key $1991poPPi

Finally, configure both LDP sessions on the transit router:

	[edit protocols ldp]
	aviva@RouterJ# set session authentication-key $1991poPPi
	aviva@RouterJ# set session authentication-key $1991poPPi
It's a good security measure to authenticate the TCP connection used for LDP sessions, to protect against spoofing of the TCP connection. The JUNOS implementation of LDP uses an MD5 signature for authentication.

This recipe shows how to configure MD5 authentication for LDP. You configure MD5 authentication for each session and set a key, or password. From the key and the packet contents, MD5 computes a signature (a keyed checksum) that is included in every transmitted LDP packet. The receiving router verifies this signature before accepting the packet. LDP routers establish sessions with each of their LDP neighbors. Because LDP authentication is always between a pair of neighbors, not end to end, you can use a different key on each session. For example, you could set one key for the RouterG-to-RouterJ session and a different one for the RouterJ-to-RouterF session.
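As an added illustration, not from the cookbook or from Junos, the following Python models the TCP MD5 signature option (RFC 2385) that LDP sessions carry: the sender signs each TCP segment with the shared key, and the receiver recomputes the digest over the same fields and rejects any segment whose signature is missing or does not match. The peer addresses and the segment bytes are constructed sample values; the key is the one used in the recipe.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
TCPOPT_MD5SIG = 19   # option kind assigned by RFC 2385; option length is 18 (2 + 16-byte digest)
TCPOPT_NOP = 1

def tcp_md5_digest(src_ip, dst_ip, tcp_hdr, payload, key):
    """RFC 2385 digest: pseudo-header, fixed 20-byte TCP header with checksum zeroed, data, key."""
    data_offset = (tcp_hdr[12] >> 4) * 4                 # header length including options
    seg_len = data_offset + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    fixed_hdr = tcp_hdr[:16] + b"\x00\x00" + tcp_hdr[18:20]   # checksum field sits at bytes 16-17
    return hashlib.md5(pseudo + fixed_hdr + payload + key).digest()

def build_tcp_header(sport, dport, seq, ack, flags, window, opt_len):
    """Fixed TCP header whose data offset covers opt_len bytes of options (checksum left at 0)."""
    data_offset = (20 + opt_len) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset << 4, flags, window, 0, 0)

def sign_segment(src_ip, dst_ip, tcp_hdr, payload, key):
    """Sender: return the 20-byte option block (MD5 option + 2 NOP padding) carried in the segment."""
    digest = tcp_md5_digest(src_ip, dst_ip, tcp_hdr, payload, key)
    return bytes([TCPOPT_MD5SIG, 18]) + digest + bytes([TCPOPT_NOP, TCPOPT_NOP])

def verify_segment(src_ip, dst_ip, tcp_hdr, options, payload, key):
    """Receiver: find the MD5 option, recompute the digest with the local key and compare.
    A segment with no signature, a malformed option or a mismatching digest is rejected,
    which is what a router with authentication-key configured does before accepting the packet."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                        # end of option list
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            return False                     # truncated or malformed option
        length = options[i + 1]
        if kind == TCPOPT_MD5SIG and length == 18:
            expected = tcp_md5_digest(src_ip, dst_ip, tcp_hdr, payload, key)
            return hmac.compare_digest(options[i + 2:i + 18], expected)
        i += length
    return False
```

Because the source and destination addresses are part of the signed pseudo-header, a segment replayed from or to a different address fails verification even when the attacker knows nothing else.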

Use the show ldp session command to list the established sessions. You see that RouterG has one LDP session:

	aviva@RouterG> show ldp session
	  Address           State        Connection     Hold time
	                    Operational  Open           24

The LDP session is established with the immediate neighbor, RouterJ, so when you configure authentication, specify the address of the session to RouterJ. RouterF also has one session, to its neighbor RouterJ:

	aviva@RouterF> show ldp session
	  Address           State        Connection     Hold time
	                    Operational  Open           29

The router in the middle, RouterJ, has one session to each LDP peer:

	aviva@RouterJ> show ldp session
	  Address           State        Connection     Hold time
	                    Operational  Open           24
	                    Operational  Open           21

One way to verify whether authentication is configured is to look at the configuration:

	aviva@RouterG> show configuration protocols ldp
	interface t1-4/0/0.0;
	session {
	 authentication-key "$9$c3pyvWX7-w24x7k.fT3nvW8LVw"; ## SECRET-DATA
	}

This output confirms that authentication is configured. As a security measure, the CLI shows only the encrypted form of the password, to stop anyone from casually glancing through the configuration and seeing the actual password. Note that the $9$ form is a reversible Junos encoding rather than a one-way hash: it defeats casual viewing, but anyone who can read the configuration file can recover the key, so protect configuration backups and archives accordingly. You can also protect the password by using the encrypted form instead of the text form when configuring authentication on additional routers:

	[edit protocols ldp session]
	aviva@RouterF# set authentication-key $9$c3pyvWX7-w24x7k.fT3nvW8LVw

Another way to check that authentication is configured is to look at the LDP session:

	aviva@RouterG> show ldp session detail
	Address:, State: Connecting, Connection: Opening, Hold time: 0
	 Session ID:
	 Active, Maximum PDU: 4096, Hold time: 30, Neighbor count: 1
	 Keepalive interval: 10, Connect retry interval: 1
	 Local address:, Remote address:
	 Last down 00:00:09 ago; Reason: connect time expired
	 Authentication type: MD5
	 Local - Restart: disabled, Helper mode: enabled
	 Remote - Restart: disabled, Helper mode: enabled
	 Local maximum recovery time: 240000 msec
	 Next-hop addresses received:

The Authentication type line shows that the LDP session is using MD5 authentication.

JUNOS Cookbook (Cookbooks (O'Reilly))
ISBN: 0596100140
Year: 2007
Pages: 290
Author: Aviva Garrett
