This post will speak about LDP session protection. We should know by now that Cisco supports authentication within various dynamic routing protocols (RIPv2/OSPF/EIGRP/BGP). In MPLS, between our LSRs, we can likewise protect the LDP sessions with a simple MD5 password.
Let’s recap our knowledge on LDP:
- it uses TCP for the session
- it uses the all-routers multicast group to find our neighbors initially (hello discovery)
- it builds the session between our LSRs via the loopbacks
- we typically use an IGP routing protocol within our LSR space
- Cisco supports LDP or TDP within an SP arena
- it uses keepalives to determine when a neighbor is no longer reachable
- LDP uses port 646/tcp for the session
Okay so let’s see the layout and cfg;
R1:
We first define a loopback and enable LDP on the interfaces that need to participate in MPLS label swapping.
!
interface Loopback0
 ip address 1.0.0.1 255.255.255.255
!
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 duplex auto
 speed auto
 mpls label protocol ldp
 mpls ip
Next we enable our favorite IGP. I’m using OSPF in this example, but it could have been EIGRP.
r1.mpls#sh run | sec router ospf
router ospf 1
 router-id 1.0.0.1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
R2:
This router is configured in the same way;
!
interface FastEthernet0/0
 ip address 10.10.10.2 255.255.255.0
 duplex auto
 speed auto
 mpls label protocol ldp
 mpls ip
!
interface Loopback0
 description mpls ospf r2 in my virtualize MPLS cloud
 ip address 1.0.0.2 255.255.255.255
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
Now let’s configure the password for the session. Remember the sessions originate and terminate on the loopbacks (the LDP transport addresses), so these are the neighbors you reference, not the FastEthernet addresses.
R1:
mpls ldp neighbor 1.0.0.2 password cisco1
R2:
mpls ldp neighbor 1.0.0.1 password cisco1
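What that command actually does on the wire is the TCP MD5 signature option (RFC 2385): every segment of the LDP session carries an MD5 digest over the IP pseudo-header, the TCP header, the data and the shared password, and the receiver recomputes it before accepting the segment. The following is an added example, not code from the post or from Cisco: it builds that digest for a segment of the session shown later (1.0.0.1:646 to 1.0.0.2:38458) and checks it the way a receiver would. The sequence numbers, window and the minimal LDP PDU are constructed values; only the addresses, port and password come from the post.

```python
"""Added example (not from the original post): compute and check the RFC 2385
TCP MD5 signature that 'mpls ldp neighbor ... password' applies to LDP session
segments. Addresses, port and password follow the post; everything else is constructed."""
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
LDP_PORT = 646          # LDP session port (tcp/646), as in the post
MD5_OPT_KIND = 19       # TCP option kind for the MD5 signature option
MD5_OPT_LEN = 18        # kind(1) + len(1) + 16-byte digest
MD5_OPT_PAD = 2         # two NOPs so the option block is a multiple of 4 bytes
FIXED_HDR_LEN = 20


def ldp_pdu_header(lsr_id: str, label_space: int = 0) -> bytes:
    """Constructed minimal LDP PDU header: version 1, PDU length, LSR-ID, label space."""
    body = socket.inet_aton(lsr_id) + struct.pack("!H", label_space)
    return struct.pack("!HH", 1, len(body)) + body


def tcp_fixed_header(sport, dport, seq, ack, flags, window, options_len) -> bytes:
    """20-byte TCP header with the checksum zeroed, which is how RFC 2385 feeds it to MD5."""
    data_offset = (FIXED_HDR_LEN + options_len) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset << 4, flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, fixed_header, payload, key: bytes) -> bytes:
    """RFC 2385 digest: MD5 over pseudo-header, fixed TCP header, segment data and key."""
    tcp_len = (fixed_header[12] >> 4) * 4 + len(payload)   # header incl. options + data
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, TCP_PROTO, tcp_len)
    h = hashlib.md5()
    for part in (pseudo, fixed_header, payload, key):
        h.update(part)
    return h.digest()


def sign_segment(src_ip, dst_ip, sport, dport, seq, ack, payload, key):
    """Sender side: return (fixed_header, md5_option); with key=None no option is sent."""
    if key is None:
        return tcp_fixed_header(sport, dport, seq, ack, 0x18, 4128, 0), None
    hdr = tcp_fixed_header(sport, dport, seq, ack, 0x18, 4128, MD5_OPT_LEN + MD5_OPT_PAD)
    digest = tcp_md5_digest(src_ip, dst_ip, hdr, payload, key)
    option = bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + digest + b"\x01\x01"  # NOP, NOP padding
    return hdr, option


def check_segment(src_ip, dst_ip, fixed_header, option, payload, key: bytes) -> str:
    """Receiver side with a password configured: 'no-digest' when the peer sent no
    option, 'bad-digest' when the recomputed digest differs, 'ok' when it verifies."""
    if option is None or option[0] != MD5_OPT_KIND:
        return "no-digest"
    expected = tcp_md5_digest(src_ip, dst_ip, fixed_header, payload, key)
    return "ok" if hmac.compare_digest(option[2:18], expected) else "bad-digest"


def demo_checks():
    """The cases a neighbor can present: matching password, wrong password,
    no password at all, and a segment altered in transit."""
    src, dst = "1.0.0.1", "1.0.0.2"
    payload = ldp_pdu_header("1.0.0.1")          # constructed PDU from R1 (LDP Id 1.0.0.1:0)
    key = b"cisco1"                               # the password from the post
    hdr, opt = sign_segment(src, dst, LDP_PORT, 38458, 1000, 2000, payload, key)
    hdr_nokey, opt_nokey = sign_segment(src, dst, LDP_PORT, 38458, 1000, 2000, payload, None)
    tampered = payload[:-1] + bytes([payload[-1] ^ 0x01])
    return {
        "matching": check_segment(src, dst, hdr, opt, payload, key),
        "wrong_password": check_segment(src, dst, hdr, opt, payload, b"cisco2"),
        "no_password": check_segment(src, dst, hdr_nokey, opt_nokey, payload, key),
        "tampered_payload": check_segment(src, dst, hdr, opt, tampered, key),
    }


if __name__ == "__main__":
    print(demo_checks())
```

The "no_password" case is the one the syslog messages later in the post report as "No MD5 digest": the segment arrives without the option at all, so there is nothing to compare. Note also that the digest covers the payload, so the option gives integrity as well as peer authentication, but it is MD5 with a static shared key, which is why the takeaways at the end about keychains and roll-over matter.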
Okay so let’s see how it works;
r1.mpls#show mpls ldp discovery det
 Local LDP Identifier:
    1.0.0.1:0
    Discovery Sources:
    Interfaces:
        FastEthernet0/0 (ldp): xmit/recv
            Enabled: Interface config
            Hello interval: 5000 ms; Transport IP addr: 1.0.0.1
            LDP Id: 1.0.0.2:0
              Src IP addr: 10.10.10.2; Transport IP addr: 1.0.0.2
              Hold time: 15 sec; Proposed local/peer: 15/15 sec
              Reachable via 1.0.0.2/32
    Targeted Hellos:
        1.0.0.1 -> 1.0.0.2 (ldp): active/passive, xmit/recv
            Hello interval: 10000 ms; Transport IP addr: 1.0.0.1
            LDP Id: 1.0.0.2:0
              Src IP addr: 1.0.0.2; Transport IP addr: 1.0.0.2
              Hold time: 90 sec; Proposed local/peer: 90/90 sec
              Reachable via 1.0.0.2/32
r1.mpls#sh tcp br
TCB       Local Address           Foreign Address         (state)
650780AC  1.0.0.1.646             1.0.0.2.38458           ESTAB
r1.mpls#
r1.mpls#show mpls interfaces fas 0/0 det
Interface FastEthernet0/0:
        IP labeling enabled (ldp):
          Interface config
        LSP Tunnel labeling not enabled
        BGP tagging not enabled
        Tagging operational
        Fast Switching Vectors:
          IP to MPLS Fast Switching Vector
          MPLS Turbo Vector
        MTU = 1500
If one side is enabled with the wrong MD5 password, or with no password at all, we will see the following;
*Mar 1 00:11:16.823: %TCP-6-BADAUTH: No MD5 digest from 1.0.0.1(646) to 1.0.0.2(19067)
*Mar 1 00:11:20.295: %TCP-6-BADAUTH: No MD5 digest from 1.0.0.1(646) to 1.0.0.2(17163)
*Mar 1 00:11:22.287: %TCP-6-BADAUTH: No MD5 digest from 1.0.0.1(646) to 1.0.0.2(17163)
*Mar 1 00:11:22.299: %TCP-6-BADAUTH: No MD5 digest from 1.0.0.1(646) to 1.0.0.2(17163)
*Mar 1 00:11:26.287: %TCP-6-BADAUTH: No MD5 digest from 1.0.0.1(646) to 1.0.0.2(17163)
*Mar 1 00:11:26.299: %TCP-6-BADAUTH: No MD5 digest from 1.0.0.1(646) to 1.0.0.2(17163)
*Mar 1 00:11:34.291: %TCP-6-BADAUTH: No MD5 digest from 1.0.0.1(646) to 1.0.0.2(17163)
*Mar 1 00:11:34.299: %TCP-6-BADAUTH: No MD5 digest from 1.0.0.1(646) to 1.0.0.2(17163)
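Those messages are worth collecting rather than just reading on the console: a burst of them from a configured neighbor means a password mismatch or a missing password on one side, while the same message from an address that is not one of your configured LDP neighbors is something to look into. The following is an added example, not code from the post: a small triage of %TCP-6-BADAUTH lines. The eight lines with source 1.0.0.1 are the ones shown above; the line from 10.10.10.9 and the line on port 179 (BGP also uses the TCP MD5 option, so it shares this syslog message) are constructed to show filtering and the unknown-source case.

```python
"""Added example (not from the original post): triage %TCP-6-BADAUTH syslog lines.
The 1.0.0.1 lines are from the post; the 10.10.10.9 and port-179 lines are constructed."""
import re
from collections import Counter

LDP_PORT = 646

# Matches the message layout seen in the post. The reason text is captured generically
# so that no other variants of the message are assumed here.
BADAUTH_RE = re.compile(
    r"^\*?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): %TCP-6-BADAUTH: (?P<reason>.+?) from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) to (?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\)$"
)

SAMPLE_LOG = [
    "*Mar 1 00:11:16.823: %TCP-6-BADAUTH: No MD5 digest from 1.0.0.1(646) to 1.0.0.2(19067)",
    "*Mar 1 00:11:20.295: %TCP-6-BADAUTH: No MD5 digest from 1.0.0.1(646) to 1.0.0.2(17163)",
    "*Mar 1 00:11:22.287: %TCP-6-BADAUTH: No MD5 digest from 1.0.0.1(646) to 1.0.0.2(17163)",
    "*Mar 1 00:11:22.299: %TCP-6-BADAUTH: No MD5 digest from 1.0.0.1(646) to 1.0.0.2(17163)",
    "*Mar 1 00:11:26.287: %TCP-6-BADAUTH: No MD5 digest from 1.0.0.1(646) to 1.0.0.2(17163)",
    "*Mar 1 00:11:26.299: %TCP-6-BADAUTH: No MD5 digest from 1.0.0.1(646) to 1.0.0.2(17163)",
    "*Mar 1 00:11:34.291: %TCP-6-BADAUTH: No MD5 digest from 1.0.0.1(646) to 1.0.0.2(17163)",
    "*Mar 1 00:11:34.299: %TCP-6-BADAUTH: No MD5 digest from 1.0.0.1(646) to 1.0.0.2(17163)",
    # constructed: a BGP session (tcp/179) failing the same check; not an LDP event
    "*Mar 1 00:11:40.000: %TCP-6-BADAUTH: No MD5 digest from 1.0.0.3(179) to 1.0.0.2(21000)",
    # constructed: an LDP session attempt from an address that is not a configured neighbor
    "*Mar 1 00:11:50.000: %TCP-6-BADAUTH: No MD5 digest from 10.10.10.9(646) to 1.0.0.2(20111)",
]


def parse_badauth(line: str):
    """Return the message fields as a dict, or None if the line is not a BADAUTH message."""
    m = BADAUTH_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines, known_neighbors):
    """Count LDP-related BADAUTH messages per source and flag sources that are not
    configured 'mpls ldp neighbor' addresses. Lines on other ports (e.g. BGP) are skipped."""
    per_source = Counter()
    unknown = set()
    first = last = None
    for line in lines:
        rec = parse_badauth(line)
        if rec is None or LDP_PORT not in (int(rec["sport"]), int(rec["dport"])):
            continue
        per_source[rec["src"]] += 1
        if rec["src"] not in known_neighbors:
            unknown.add(rec["src"])
        first = first or rec["ts"]
        last = rec["ts"]
    return {
        "total": sum(per_source.values()),
        "per_source": dict(per_source),
        "unknown_sources": sorted(unknown),
        "first": first,
        "last": last,
    }


if __name__ == "__main__":
    # R2's view: its only configured LDP neighbor is R1's loopback
    print(triage(SAMPLE_LOG, known_neighbors={"1.0.0.1"}))
```

Run against R2's configuration (known neighbor 1.0.0.1), the eight lines from the post count as a mismatch with a known peer, the port-179 line is ignored because it is not an LDP session, and 10.10.10.9 comes back as an unknown source. Feeding a syslog collector's output through something like this, keyed on your actual `mpls ldp neighbor` list, turns the console noise into two distinct alerts.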
Once the MD5 password is enabled and matched on both sides, we should see the LDP neighbor come UP.
*Mar 1 00:11:45.595: %LDP-5-NBRCHG: LDP Neighbor 1.0.0.1:0 (1) is UP
Okay so what should we have gathered;
- LDP session passwords help to protect our core from unauthorized LDP peers
- it uses a simple MD5 password
- no keychains
- no means to expire and roll over to a new MD5 password without taking a hit, i.e. a loss of the LDP neighborship, on basic ISR routers (btw the Nexus supports a lossless LDP password change and uses keychains)
Ken Felix
Freelance Network & Security Engineer
kfelix at
hyperfeed . com