
Huawei AR1200 Series - Configuring a TTY User Interface

Huawei AR1200 Series
132 pages
A typical MD5 application is to calculate a message digest to prevent message spoofing.
The MD5 message digest is a unique result calculated using an irreversible character string
conversion. If a message is modified during transmission, a different digest is generated.
After the message arrives at the receiving end, the receiving end can detect the modification
by comparing the received digest with a pre-computed digest.
MD5 authentication can be performed in either plaintext or cipher text mode. During MD5
authentication configuration, the two peers of an LDP session can be configured with different
authentication modes but must be configured with the same password.
- LDP keychain authentication
Keychain, an enhanced encryption algorithm similar to MD5, calculates a message digest
for an LDP message to prevent the message from being modified.
During keychain authentication, a group of passwords is defined in the format of a
password string, and each password is assigned a specified encryption and decryption
algorithm such as MD5 or Secure Hash Algorithm-1 (SHA-1) and configured with a validity
period. When sending or receiving a packet, the system selects a valid password. Within
the validity period of the password, the system uses the encryption algorithm matching the
password to encrypt the packet before sending it out, or uses the decryption algorithm
matching the password to decrypt the packet before accepting it. In addition, the system
automatically switches to a new password after the previous password expires, minimizing
password decryption risks.
Before configuring LDP keychain authentication, configure keychain authentication
globally. If LDP keychain authentication is configured before global keychain
authentication is configured, the LDP session will be disconnected.
- LDP GTSM
The GTSM checks TTL values to defend against attacks. An attacker simulates unicast
LDP messages and sends them to nodes. After receiving these messages, an interface board
on a node finds that the messages are destined for itself and sends them directly to the LDP
module on the control plane without verifying them. As a result, the node is kept busy
processing these forged messages on the control plane, leading to high CPU usage.
To address this problem, the GTSM can be configured to check whether the TTL
value in the IP header is within a specified range, protecting the nodes against attacks and
improving system security.
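The key selection, rollover and digest check described under LDP keychain authentication above, as an added example that is not part of the Huawei manual and is not device code. It assumes HMAC from the Python standard library as a stand-in for the router's on-wire digest computation; the `Key` fields, function names, secrets and dates are constructed for illustration.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class Key:
    key_id: int
    secret: bytes
    algorithm: str    # "md5" or "sha1", the two algorithms the text names
    start: datetime   # validity period start (inclusive)
    end: datetime     # validity period end (exclusive)

def active_key(chain, now: datetime) -> Optional[Key]:
    """Return the key whose validity period covers `now`, or None."""
    for key in chain:
        if key.start <= now < key.end:
            return key
    return None

def sign(chain, message: bytes, now: datetime):
    """Sender side: digest the message with the currently valid key."""
    key = active_key(chain, now)
    if key is None:
        raise LookupError("no valid key at this time")
    return key.key_id, hmac.new(key.secret, message, key.algorithm).digest()

def verify(chain, message: bytes, key_id: int, digest: bytes, now: datetime) -> bool:
    """Receiver side: accept only if the named key is valid now and the digest matches."""
    key = active_key(chain, now)
    if key is None or key.key_id != key_id:
        return False  # expired, not yet valid, or unknown key: reject
    expected = hmac.new(key.secret, message, key.algorithm).digest()
    return hmac.compare_digest(expected, digest)  # constant-time comparison

def utc(*args) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)

# Constructed sample keychain: key 1 (MD5) rolls over to key 2 (SHA-1).
CHAIN = [
    Key(1, b"constructed-secret-1", "md5", utc(2024, 1, 1), utc(2024, 2, 1)),
    Key(2, b"constructed-secret-2", "sha1", utc(2024, 2, 1), utc(2024, 3, 1)),
]
MESSAGE = b"constructed LDP message bytes"
```

Both peers need the same keys, algorithms and validity periods, and reasonably synchronized clocks; otherwise a digest made just before rollover is rejected by a receiver that has already moved to the next key.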
Pre-configuration Tasks
Before configuring LDP security features, complete the following task:
- Enabling MPLS and MPLS LDP
Data Preparation
To configure LDP security features, you need the following data.
No.  Data
1    Transport address of each LDP peer
2    (Optional) MD5 authentication password
     (Optional) Global keychain name
     (Optional) Maximum number of hops permitted by the GTSM
Huawei AR1200 Series Enterprise Routers
Configuration Guide - MPLS 2 MPLS LDP Configuration
Issue 01 (2011-12-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
63
