To protect against spoofed TCP segments in a connection stream,
Extreme devices allow configuration of an authentication key on a per LDP session basis.
The LDP session can be to an adjacent peer (basic discovery) or to the targeted peer (extended discovery). You must configure both sides of an LDP peer link.
The
software supports LDP authentication based upon the TCP MD5 signature option specified in
RFC 2385. This RFC defines a new TCP option for carrying an MD5 digest in a TCP segment.
To configure LDP message authentication, perform the following steps.
-
In privileged EXEC mode, enter global configuration mode.
device# configure terminal
-
Enable MPLS on the device.
device(config)# router mpls
-
Access LDP configuration mode.
device(config-router-mpls)# ldp
-
Configure an authentication key on an LDP session.
device(config-router-mpls-ldp)# session 10.10.10.3 key early
In this example, the IP address of the LDP peer for authentication is 10.10.10.3. The encrypted text string between the peers is early and it must be configured on both peers.
Example
The following example shows the previous steps to configure LDP message authentication.
device# configure terminal
device(config)# router mpls
device(config-router-mpls)# ldp
device(config-router-mpls-ldp)# session 10.10.10.3 key early
When you display the configuration, the key is encrypted.
show running-config router mpls ldp
router mpls
ldp
session 10.10.10.3
key $9$+DysjCDsYS2ba9EW4i6SPA==
!
!
!