Sunday, January 20, 2013

MPLS/LDP session protection using MD5 (Cisco)

This post covers LDP session protection. We should know by now that Cisco supports MD5 authentication within the various dynamic routing protocols (RIPv2/OSPF/EIGRP/BGP). In MPLS, between our LSRs, we can protect the LDP sessions with a simple MD5 password in the same way.
 Let’s recap our knowledge of LDP:
  • it uses TCP for the session
  • it uses the all-routers multicast group to find our neighbors initially
  • it builds the session between our LSRs via the loopbacks
  • we typically use an IGP routing protocol within our LSR space
  • Cisco supports LDP or TDP within an SP arena
  • it uses keepalives to determine when a neighbor is no longer reachable
  • LDP uses port 646/tcp

Okay, so let’s see the layout and config:


R1:
We first define a loopback and enable LDP on the interfaces that need to participate in MPLS label swapping:
!
interface Loopback0
 ip address 1.0.0.1 255.255.255.255
!
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 duplex auto
 speed auto
 mpls label protocol ldp
 mpls ip

Next we enable our favorite IGP. I’m using OSPF in this example, but it could have been EIGRP:

r1.mpls#sh run | sec router ospf
router ospf 1
 router-id 1.0.0.1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0

R2:
This router is configured in the same manner:


!
interface FastEthernet0/0
 ip address 10.10.10.2 255.255.255.0
 duplex auto
 speed auto
 mpls label protocol ldp
 mpls ip
!
interface Loopback0
 description mpls ospf r2 in my virtualize MPLS cloud
 ip address 1.0.0.2 255.255.255.255
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0


Now let’s configure the password for the session. Remember that the sessions originate and terminate on the loopbacks, so those loopback addresses are the neighbors you reference:
R1:
mpls ldp neighbor 1.0.0.2 password cisco1

R2:
mpls ldp neighbor 1.0.0.1 password cisco1

Okay, so let’s see how it works:
 r1.mpls#show mpls ldp discovery  det
 Local LDP Identifier:
    1.0.0.1:0
    Discovery Sources:
    Interfaces:
            FastEthernet0/0 (ldp): xmit/recv
                Enabled: Interface config
                Hello interval: 5000 ms; Transport IP addr: 1.0.0.1
                LDP Id: 1.0.0.2:0
                  Src IP addr: 10.10.10.2; Transport IP addr: 1.0.0.2
                  Hold time: 15 sec; Proposed local/peer: 15/15 sec
                  Reachable via 1.0.0.2/32
    Targeted Hellos:
            1.0.0.1 -> 1.0.0.2 (ldp): active/passive, xmit/recv
                Hello interval: 10000 ms; Transport IP addr: 1.0.0.1
                LDP Id: 1.0.0.2:0
                  Src IP addr: 1.0.0.2; Transport IP addr: 1.0.0.2
                  Hold time: 90 sec; Proposed local/peer: 90/90 sec
                  Reachable via 1.0.0.2/32
r1.mpls#sh tcp br
TCB       Local Address           Foreign Address        (state)
650780AC  1.0.0.1.646             1.0.0.2.38458          ESTAB
r1.mpls#

r1.mpls#show mpls interfaces  fas 0/0 det
Interface FastEthernet0/0:
            IP labeling enabled (ldp):
              Interface config
            LSP Tunnel labeling not enabled
            BGP tagging not enabled
            Tagging operational
            Fast Switching Vectors:
              IP to MPLS Fast Switching Vector
              MPLS Turbo Vector
            MTU = 1500



If one side is configured with the wrong MD5 password, or with none at all, we will see the following:


*Mar  1 00:11:16.823: %TCP-6-BADAUTH: No MD5 digest from 1.0.0.1(646) to 1.0.0.2(19067)
*Mar  1 00:11:20.295: %TCP-6-BADAUTH: No MD5 digest from 1.0.0.1(646) to 1.0.0.2(17163)
*Mar  1 00:11:22.287: %TCP-6-BADAUTH: No MD5 digest from 1.0.0.1(646) to 1.0.0.2(17163)
*Mar  1 00:11:22.299: %TCP-6-BADAUTH: No MD5 digest from 1.0.0.1(646) to 1.0.0.2(17163)
*Mar  1 00:11:26.287: %TCP-6-BADAUTH: No MD5 digest from 1.0.0.1(646) to 1.0.0.2(17163)
*Mar  1 00:11:26.299: %TCP-6-BADAUTH: No MD5 digest from 1.0.0.1(646) to 1.0.0.2(17163)
*Mar  1 00:11:34.291: %TCP-6-BADAUTH: No MD5 digest from 1.0.0.1(646) to 1.0.0.2(17163)
*Mar  1 00:11:34.299: %TCP-6-BADAUTH: No MD5 digest from 1.0.0.1(646) to 1.0.0.2(17163)

Once the MD5 password is enabled and matches on both sides, we should see the LDP neighbor come UP:

*Mar  1 00:11:45.595: %LDP-5-NBRCHG: LDP Neighbor 1.0.0.1:0 (1) is UP
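Since these messages are the only sign that a peer is trying to bring up LDP with a missing or wrong password, they are worth collecting. The following is an added Python example, not code from the post or from Cisco, that parses the %TCP-6-BADAUTH and %LDP-5-NBRCHG lines shown above, separates LDP failures (port 646) from other TCP MD5 users such as BGP on port 179, tracks neighbor state, and raises an alert when a peer pair fails repeatedly. The sample log is constructed from the lines on the page plus one made-up BGP line; the alert threshold is an assumption.

```python
import re
from collections import Counter

LDP_PORT = 646  # LDP sessions run over TCP port 646

# %TCP-6-BADAUTH lines as shown in the post: "<reason> from A(port) to B(port)"
BADAUTH_RE = re.compile(
    r"%TCP-6-BADAUTH: (?P<reason>.+?) from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) to "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\)"
)
# %LDP-5-NBRCHG lines: "LDP Neighbor 1.0.0.1:0 (1) is UP"
NBRCHG_RE = re.compile(
    r"%LDP-5-NBRCHG: LDP Neighbor (?P<nbr>\d+\.\d+\.\d+\.\d+:\d+) \(\d+\) is (?P<state>UP|DOWN)"
)

# Constructed sample: the eight lines from the post, the neighbor-up line,
# and one made-up BGP (port 179) failure that must not be counted as LDP.
SAMPLE_LOG = """\
*Mar  1 00:11:16.823: %TCP-6-BADAUTH: No MD5 digest from 1.0.0.1(646) to 1.0.0.2(19067)
*Mar  1 00:11:20.295: %TCP-6-BADAUTH: No MD5 digest from 1.0.0.1(646) to 1.0.0.2(17163)
*Mar  1 00:11:22.287: %TCP-6-BADAUTH: No MD5 digest from 1.0.0.1(646) to 1.0.0.2(17163)
*Mar  1 00:11:22.299: %TCP-6-BADAUTH: No MD5 digest from 1.0.0.1(646) to 1.0.0.2(17163)
*Mar  1 00:11:26.287: %TCP-6-BADAUTH: No MD5 digest from 1.0.0.1(646) to 1.0.0.2(17163)
*Mar  1 00:11:26.299: %TCP-6-BADAUTH: No MD5 digest from 1.0.0.1(646) to 1.0.0.2(17163)
*Mar  1 00:11:34.291: %TCP-6-BADAUTH: No MD5 digest from 1.0.0.1(646) to 1.0.0.2(17163)
*Mar  1 00:11:34.299: %TCP-6-BADAUTH: No MD5 digest from 1.0.0.1(646) to 1.0.0.2(17163)
*Mar  1 00:11:45.595: %LDP-5-NBRCHG: LDP Neighbor 1.0.0.1:0 (1) is UP
*Mar  1 00:12:01.000: %TCP-6-BADAUTH: No MD5 digest from 1.0.0.1(179) to 1.0.0.2(40001)
""".splitlines()


def parse_line(line):
    """Return a small event dict for a recognised syslog line, else None."""
    m = BADAUTH_RE.search(line)
    if m:
        d = m.groupdict()
        return {"type": "badauth", "reason": d["reason"], "src": d["src"],
                "sport": int(d["sport"]), "dst": d["dst"], "dport": int(d["dport"])}
    m = NBRCHG_RE.search(line)
    if m:
        return {"type": "nbrchg", "neighbor": m.group("nbr"), "state": m.group("state")}
    return None


def summarize(lines, threshold=3):
    """Count MD5 failures per (src, dst, reason), split by whether port 646 is
    involved, record the last LDP neighbor state seen, and build alerts for
    pairs that failed at least `threshold` times (threshold is an assumption)."""
    ldp_failures = Counter()
    other_failures = Counter()
    neighbor_state = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["type"] == "badauth":
            key = (ev["src"], ev["dst"], ev["reason"])
            if LDP_PORT in (ev["sport"], ev["dport"]):
                ldp_failures[key] += 1
            else:
                other_failures[key] += 1
        else:
            neighbor_state[ev["neighbor"]] = ev["state"]
    alerts = [
        f"{n} LDP segments failed MD5 check between {src} and {dst} ({reason})"
        for (src, dst, reason), n in ldp_failures.items() if n >= threshold
    ]
    return {"ldp_failures": dict(ldp_failures), "other_failures": dict(other_failures),
            "neighbor_state": neighbor_state, "alerts": alerts}


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG)["alerts"]:
        print(line)
```

Feeding this the page's own lines yields one alert for the 1.0.0.1 to 1.0.0.2 pair with eight failures, the BGP line lands in the separate counter, and the neighbor table shows 1.0.0.1:0 as UP once the passwords match.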

Okay, so what should we have gathered?

  • LDP session authentication helps protect our core from unauthorized LDP peers
  • it uses a simple MD5 password
  • no keychains
  • no means to expire and roll over to a new MD5 password without taking a hit, i.e. losing the LDP neighborship, on basic ISR routers (by the way, the Nexus supports lossless LDP and uses keychains)
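To see what the %TCP-6-BADAUTH messages are actually checking, and why a password roll-over costs the neighborship, here is an added Python example, not from the post and not Cisco code, that reproduces the RFC 2385 TCP MD5 signature a receiver verifies on every segment of the LDP session: the digest is computed over the IPv4 pseudo-header, the fixed TCP header with the checksum zeroed, the payload, and finally the shared password. A segment without the option is rejected outright, and as soon as one side changes its password every segment from it fails verification, which is the roll-over problem in the last bullet. The segment fields, payload bytes and result labels are constructed for this example; only "No MD5 digest" is taken from the log on the page.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

LDP_PORT = 646
TCP_PROTO = 6
# Kind 19 option: 2 bytes kind/len + 16 bytes digest, padded with 2 NOPs to a 4-byte boundary.
MD5_OPTION_LEN = 20


@dataclass
class Segment:
    """Fields of one TCP segment that feed the signature (constructed sample)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int      # e.g. 0x18 = PSH+ACK
    window: int
    payload: bytes


def _ip4(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def tcp_md5_digest(seg: Segment, key: bytes) -> bytes:
    """RFC 2385 signature: MD5 over the IPv4 pseudo-header, the 20-byte fixed TCP
    header with the checksum field assumed zero (options excluded), the payload,
    and the shared key appended last."""
    tcp_len = 20 + MD5_OPTION_LEN + len(seg.payload)     # header incl. option + data
    pseudo = _ip4(seg.src_ip) + _ip4(seg.dst_ip) + struct.pack("!BBH", 0, TCP_PROTO, tcp_len)
    data_offset = (20 + MD5_OPTION_LEN) // 4              # header length in 32-bit words
    fixed_hdr = struct.pack("!HHIIBBHHH",
                            seg.src_port, seg.dst_port, seg.seq, seg.ack,
                            data_offset << 4, seg.flags, seg.window,
                            0,   # checksum is taken as zero for the signature
                            0)   # urgent pointer
    return hashlib.md5(pseudo + fixed_hdr + seg.payload + key).digest()


def check_segment(seg: Segment, received_digest: Optional[bytes],
                  configured_key: Optional[bytes]) -> str:
    """Classify a segment the way a receiver with a per-neighbor password would.
    The result strings are labels for this example; "No MD5 digest" matches the
    condition logged as %TCP-6-BADAUTH in the post."""
    if configured_key is None:
        return "OK" if received_digest is None else "Unexpected MD5 digest"
    if received_digest is None:
        return "No MD5 digest"
    expected = tcp_md5_digest(seg, configured_key)
    if hmac.compare_digest(expected, received_digest):
        return "OK"
    return "Invalid MD5 digest"


def demo() -> dict:
    """Walk through the three states from the post: no password on one side,
    matching passwords, and a password change on one side only (the roll-over)."""
    # Constructed segment from R1's loopback to R2's loopback on the LDP session.
    seg = Segment("1.0.0.1", "1.0.0.2", LDP_PORT, 38458, seq=1000, ack=2000,
                  flags=0x18, window=4128, payload=b"\x00\x01\x00\x04\x00\x00\x00\x00")
    r1_key, r2_key = b"cisco1", b"cisco1"
    results = {}
    results["missing"] = check_segment(seg, None, r2_key)
    results["matched"] = check_segment(seg, tcp_md5_digest(seg, r1_key), r2_key)
    # R1 rolls to a new password while R2 still holds the old one: every segment
    # now fails, which is why the session drops instead of surviving the change.
    results["rolled"] = check_segment(seg, tcp_md5_digest(seg, b"cisco2"), r2_key)
    return results


if __name__ == "__main__":
    for state, verdict in demo().items():
        print(f"{state:>8}: {verdict}")
```

Because the key is mixed into every segment's digest rather than negotiated once at session setup, there is no moment at which both sides can switch without some segments failing, which is exactly why a keychain with overlapping accept and send lifetimes is needed for a hitless change.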
Ken Felix
Freelance Network & Security Engineer
kfelix at  hyperfeed  . com


1 comment:

  1. Minneapolis home security systems is clearly one of the best home security system on the market,offering multiple devices that protect your home and family against virtually every type of physical threat.
