The MPLS--LDP MD5 Global Configuration feature provides enhancements to the Label Distribution Protocol (LDP) implementation of the Message Digest 5 (MD5) password. This feature allows you to enable LDP MD5 globally instead of on a per-peer basis. Using this feature you can set up password requirements for a set of LDP neighbors to help prevent unauthorized peers from establishing LDP sessions and to block spoofed TCP messages.
This document provides information about and configuration information for the global configuration of LDP MD5 protection.
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Toolkit and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
The MD5 protection described in this document applies only to LDP sessions. None of the enhancements described in this document affect Tag Distribution Protocol (TDP) sessions.
The MPLS--LDP MD5 Global Configuration feature provides the following enhancements to the LDP support of MD5 passwords:
LDP session, advertisement, and notification messages are exchanged between two LDP peers over a TCP connection. You can configure the TCP MD5 option to protect LDP messages that are exchanged over a TCP connection. You can configure this protection for each potential LDP peer. As a result, LDP ignores any LDP hello messages sent from an LSR for which you have not configured a password. (LDP tries to establish an LDP session with each neighbor from which it receives a hello message.)
Before the introduction of the MPLS--LDP MD5 Global Configuration feature, you needed to configure a separate password for each LDP peer for which you wanted MD5 protection. This was the case even when the same password was used for multiple LDP peers. Before this feature, LDP would tear down LDP sessions with a peer immediately if a password for that peer had changed.
Before the introduction of the MPLS--LDP MD5 Global Configuration feature, the command used for configuring a password for an LDP neighbor was mpls ldp neighbor [vrf vrf-name] ip-address password [0 | 7] password. This command configures a password for one neighbor whose router ID is the IP address in the specified VRF. An LSR can have zero or one such configuration for each LDP neighbor.
You can use the commands provided by the MPLS--LDP MD5 Global Configuration feature to configure passwords for LDP neighbors.
You must understand how LDP determines the password for an LDP session between peers before you configure MD5 password protection for your network. LDP determines the passwords for its sessions based on the commands that you enter.
You can enter an mpls ldp password vrf vrf-name required [for acl] command, either with an optional acl argument that permits the LDP router ID of the neighbor or without an acl argument. Make sure that you enter a command that configures a password. Otherwise, LDP might not establish a session with the neighbor in question.
For the commands in the following password-determining process, A.B.C.D:N represents the LDP neighbor in VRF vpn1 and the neighbor LDP ID:
To determine the password for an LDP session for the neighbor label space A.B.C.D:N, LDP looks at the password commands in the order indicated by the following statements:
mpls ldp neighbor vrf vpn1 A.B.C.D password pwd-nbr
The LDP session password is pwd-nbr. LDP looks no further and uses the password you specify.
mpls ldp vrf vpn1 password option number-1st for acl-1st pwd-1st
LDP compares the peer router ID of the neighbor (A.B.C.D) with this command. If A.B.C.D is permitted by the command access list acl-1st, the session password is the command password, that is, pwd-1st.
If A.B.C.D is not permitted by acl-1st, LDP looks at the command with the next ascending number argument (number-2nd):
mpls ldp vrf vpn1 password option number-2nd for acl-2nd pwd-2nd
If A.B.C.D is permitted by the command access list acl-2nd, the session password is pwd-2nd.
If A.B.C.D is not permitted by the access list acl-2nd, LDP continues checking A.B.C.D against access lists until LDP:
mpls ldp password vrf vpn1 fallback pwd-fback
If you configured this command, the session password is pwd-fback.
The MPLS--LDP MD5 Global Configuration feature introduces commands that can establish password protection for LDP sessions between LDP neighbors or peers. These commands can apply to routes in the global routing table or in a VRF.
By default, if the vrf keyword is not specified in the command, the command applies to the global routing table. The following sample commands would apply to routes in the global routing table:
Router# mpls ldp password required
Router# mpls ldp password option 15 for 99 pwd-acl
Router# mpls ldp password fallback pwd-fbck
You can configure LDP MD5 password protection for routes in a VRF only when the VRF is configured on the LSR. If you specify a VRF name and a VRF with that name is not configured on the LSR, LDP prints out a warning and discards the command. If you remove a VRF, LDP deletes the password configuration for that VRF. The following sample commands would apply to routes in a VRF, for example, VRF vpn1:
Router# mpls ldp vrf vpn1 password required
Router# mpls ldp vrf vpn1 password option 15 for 99 pwd-acl
Router# mpls ldp vrf vpn1 password fallback pwd-flbk
You might require password protection for a certain set of neighbors for security reasons (for example, to prevent LDP sessions being established with unauthorized peers, or to block spoofed TCP messages). To enforce this security, you can configure a password requirement for LDP sessions with those neighbors that must have MD5 protection (TCP session uses a password).
If you configure a password requirement for a neighbor but have not configured a password for that neighbor, LDP tears down the LDP sessions with the neighbor. LDP also tears down the LDP sessions with the neighbor if you configured both a password requirement and a password, but the sessions are not using that password.
If a password is required for a neighbor and the LDP sessions with the neighbor are established to use a password, any configuration that removes the password for the neighbor causes the LDP sessions to be torn down.
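The password-selection order described above (neighbor-specific command, then password option commands in ascending number order, then fallback) and the tear-down rules in this section, as an added Python model that is not Cisco's code. StandardAcl, LdpPasswordConfig and the vpn1 sample values are constructed for illustration; the "pending" label mirrors the show mpls ldp neighbor password pending output shown later in this document.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass
class StandardAcl:
    """Constructed stand-in for a standard IP access list: ordered
    (permit?, prefix) entries ending in the implicit deny of IOS ACLs."""
    entries: list

    def permits(self, router_id: str) -> bool:
        addr = IPv4Address(router_id)
        for permit, prefix in self.entries:
            if addr in prefix:
                return permit
        return False  # implicit deny


@dataclass
class LdpPasswordConfig:
    """Password commands configured for one VRF (or the global routing table)."""
    neighbor: dict = field(default_factory=dict)   # mpls ldp neighbor ... password
    options: dict = field(default_factory=dict)    # number -> (acl, password option ...)
    fallback: Optional[str] = None                 # mpls ldp password fallback
    required: bool = False                         # mpls ldp password required
    required_acl: Optional[StandardAcl] = None     # ... required for acl

    def select_password(self, router_id: str):
        """Return (password, source): neighbor command first, then option
        commands by ascending number (first permitting ACL wins), then fallback."""
        if router_id in self.neighbor:
            return self.neighbor[router_id], "neighbor"
        for number in sorted(self.options):
            acl, password = self.options[number]
            if acl.permits(router_id):
                return password, f"option {number}"
        if self.fallback is not None:
            return self.fallback, "fallback"
        return None, "none"

    def is_required(self, router_id: str) -> bool:
        """A requirement applies to every peer, or only to peers its ACL permits."""
        if not self.required:
            return False
        return self.required_acl is None or self.required_acl.permits(router_id)

    def evaluate_session(self, router_id: str, in_use: Optional[str]) -> str:
        """Decide what LDP does with a session whose TCP connection currently
        uses `in_use` as its MD5 key (None means no MD5 option in use)."""
        configured, source = self.select_password(router_id)
        required = self.is_required(router_id)
        if required and configured is None:
            return "tear down: password required, none configured"
        if required and in_use != configured:
            return f"tear down: password required, session not using {source} password"
        status = "required" if required else "not required"
        # Without a requirement, a mismatch only shows the session as pending.
        pending = "" if in_use == configured else " (pending: session differs from configuration)"
        return f"keep: {status}, {source}{pending}"


# Constructed sample modeled on the page's vpn1 examples; values are illustrative.
ACL_10 = StandardAcl([(True, IPv4Network("10.3.3.3/32")), (True, IPv4Network("10.4.4.4/32"))])
ACL_20 = StandardAcl([(True, IPv4Network("10.2.2.0/24")), (True, IPv4Network("10.4.4.4/32"))])
VPN1 = LdpPasswordConfig(
    neighbor={"10.1.1.1": "nbrce1pwd"},
    options={25: (ACL_10, "aclpwdfor10"), 15: (ACL_20, "pwd-acl")},
    fallback="vrfpwdvpn1",
    required=True,
    required_acl=ACL_10,
)


def demo() -> dict:
    """Password chosen for each sample peer router ID."""
    peers = ("10.1.1.1", "10.2.2.2", "10.3.3.3", "10.4.4.4", "10.9.9.9")
    return {rid: VPN1.select_password(rid) for rid in peers}


if __name__ == "__main__":
    for rid, (password, source) in demo().items():
        print(f"{rid}: {source} -> {password}; {VPN1.evaluate_session(rid, password)}")
```

Note that 10.4.4.4 is permitted by both option ACLs, so option 15 wins over option 25 purely by number, which is why the text stresses the ascending-number order.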
To avoid unnecessary LDP session flapping, you should perform the task as described in this section and use caution when you change LDP passwords.
Perform the following task to identify LDP neighbors for LDP MD5 password protection.
Before you start to configure passwords for LDP sessions, you must identify neighbors or groups of peers for which you want to provide LDP MD5 password protection. This task uses the network in the figure below to show how you might identify LDP neighbors for LDP MD5 protection.
After you identify LDP neighbors or a group of peers for LDP MD5 protection, you must decide if password protection is mandatory and what password commands to use for each peer.
This section contains information about and instructions for configuring an LDP MD5 password for LDP sessions. You configure an LDP MD5 password to protect your routers from unwanted LDP sessions and provide LDP session security. You can provide LDP session security for a specific neighbor, or for LDP peers from a specific VRF or from the global routing table, or for a specific set of LDP neighbors.
After you have identified the LDP neighbor, LDP neighbors, or LDP peers in your network for which you want LDP MD5 password protection, perform the following procedures, as you require, to configure an LDP MD5 password for LDP sessions:
Perform the following task to configure an LDP MD5 password for a specified neighbor.
LDP looks first for a password between the router and neighbor that is configured with the mpls ldp neighbor [vrf vrf-name] ip-address password pwd-string command. If a password is configured with this command, LDP uses that password before checking passwords configured by other commands.
You must add a configuration command for each neighbor or peer for which you want password protection.
Identify the LDP neighbor or peer for which you want MD5 password protection.
Step | Command or Action (example) | Purpose
---|---|---
1 | Router> enable | Enables privileged EXEC mode.
2 | Router# configure terminal | Enters global configuration mode.
3 | Router(config)# mpls ldp neighbor vrf vpn1 10.1.1.1 password nbrce1pwd | Configures a password key for computing MD5 checksums for the session TCP connection with the specified neighbor.
4 | Router(config)# end | Exits to privileged EXEC mode.
5 | Router# show mpls ldp neighbor vrf vpn1 detail | Displays the status of LDP sessions.
6 | Router# show mpls ldp neighbor vrf vpn1 password | Displays password information used in established LDP sessions. If you do not specify an optional keyword for this command, password information for all established LDP sessions is displayed.
7 | Router# show mpls ldp discovery vrf vpn1 detail | Displays the status of the LDP discovery process.
Perform the following task to configure an LDP MD5 password for LDP sessions with peers from a specified VRF. You can also use this task to configure an LDP MD5 password for LDP sessions with peers from the global routing table.
This task provides you with LDP session protection with peers from a particular VRF or the global routing table. If you want a password requirement, you can use the mpls ldp password required command.
If only LDP sessions with a set of LDP neighbors need MD5 protection, configure a standard IP access list that permits the desired set of LDP neighbors and denies the rest. See the Configuring an LDP MD5 Password for LDP Sessions with a Selected Group of Peers.
Identify LDP peers for which you want MD5 password protection.
Step | Command or Action (example) | Purpose
---|---|---
1 | Router> enable | Enables privileged EXEC mode.
2 | Router# configure terminal | Enters global configuration mode.
3 | Router(config)# mpls ldp vrf vpn1 password fallback 0 vrfpwdvppn1 | Configures an MD5 password for LDP sessions with peers. The example sets up an MD5 password for a VRF.
4 | Router(config)# mpls ldp vrf vpn1 password required | Specifies that LDP must use a password when establishing a session between LDP peers.
5 | Router(config)# end | Exits to privileged EXEC mode.
6 | Router# show mpls ldp discovery detail | Displays the status of the LDP discovery process. Use this command to verify that the password configuration is correct for all LDP neighbors.
Perform the following task to configure an LDP MD5 password for LDP sessions with a selected group of peers.
If only LDP sessions with a selected group of peers need MD5 protection, configure a standard IP access list that permits sessions with the desired group of peers (identified by LDP router IDs) and denies session with the rest. Configuring a password and password requirement for these neighbors or peers provides security by preventing LDP sessions from being established with unauthorized peers.
Identify the groups of peers for which you want MD5 password protection and define an access list that permits LDP sessions with the group of peers you require.
Step | Command or Action (example) | Purpose
---|---|---
1 | Router> enable | Enables privileged EXEC mode.
2 | Router# configure terminal | Enters global configuration mode.
3 | Router(config)# mpls ldp password option 25 for 10 aclpwdfor10 | Configures an MD5 password for LDP sessions with neighbors whose LDP router IDs are permitted by a specified access list.
4 | Router(config)# mpls ldp password required for 10 | Specifies that LDP must use a password when establishing a session between LDP peers.
5 | Router(config)# end | Exits to privileged EXEC mode.
6 | Router# show mpls ldp discovery detail | Displays the status of the LDP discovery process. Use this command to verify that the password configuration is correct for all LDP neighbors.
Perform the following task to verify that the LDP MD5 secure sessions are as you configured for all LDP neighbors.
Step 1: enable
Use this command to enable privileged EXEC mode. Enter your password if prompted. For example:
Router> enable
Router#
Step 2: show mpls ldp discovery detail
Use this command to verify that the LDP MD5 password information is as you configured for each neighbor. For example:
Router# show mpls ldp discovery detail
Local LDP Identifier:
10.1.1.1:0
Discovery Sources:
Interfaces:
Ethernet1/0 (ldp): xmit/recv
Hello interval: 5000 ms; Transport IP addr: 10.1.1.1
LDP Id: 10.4.4.4:0
Src IP addr: 10.0.20.4; Transport IP addr: 10.4.4.4
Hold time: 15 sec; Proposed local/peer: 15/15 sec
Password: not required, none, stale
Targeted Hellos:
10.1.1.1 -> 10.3.3.3 (ldp): passive, xmit/recv
Hello interval: 10000 ms; Transport IP addr: 10.1.1.1
LDP Id: 10.3.3.3:0
Src IP addr: 10.3.3.3; Transport IP addr: 10.3.3.3
Hold time: 90 sec; Proposed local/peer: 90/90 sec
Password: required, neighbor, in use
The Password field might display any of the following for the status of the password:
Look at the output of the command to verify your configuration.
Step 3: show mpls ldp neighbor detail
Use this command to verify that the password information for a neighbor is as you configured. For example:
Router# show mpls ldp neighbor detail
Peer LDP Ident: 10.3.3.3:0; Local LDP Ident 10.1.1.1:0
TCP connection: 10.3.3.3.11018 - 10.1.1.1.646
Password: required, neighbor, in use
State: Oper; Msgs sent/rcvd: 167/167; Downstream; Last TIB rev sent 9
Up time: 02:24:02; UID: 5; Peer Id 3;
LDP discovery sources:
Targeted Hello 10.1.1.1 -> 10.3.3.3, passive;
holdtime: 90000 ms, hello interval: 10000 ms
Addresses bound to peer LDP Ident:
10.3.3.3 10.0.30.3
Peer holdtime: 180000 ms; KA interval: 60000 ms; Peer state: estab
Peer LDP Ident: 10.4.4.4:0; Local LDP Ident 10.1.1.1:0
TCP connection: 10.4.4.4.11017 - 10.1.1.1.646
Password: not required, none, stale
State: Oper; Msgs sent/rcvd: 9/9; Downstream; Last TIB rev sent 9
Up time: 00:05:35; UID: 6; Peer Id 1;
LDP discovery sources:
Ethernet1/0; Src IP addr: 10.0.20.4
holdtime: 15000 ms, hello interval: 5000 ms
Addresses bound to peer LDP Ident:
10.0.40.4 10.4.4.4 10.0.20.4
Peer holdtime: 180000 ms; KA interval: 60000 ms; Peer state: estab
Step 4: show mpls ldp neighbor password [pending | current]
Use this command to verify that LDP sessions are using the password configuration that you expect, either the same as or different from that in the current configuration. The pending keyword displays information for LDP sessions whose password is different from that in the current configuration. The current keyword displays information for LDP sessions whose password is the same as that in the current configuration. For example:
Router# show mpls ldp neighbor password
Peer LDP Ident: 10.4.4.4:0; Local LDP Ident 10.1.1.1:0
TCP connection: 10.4.4.4.11017 - 10.1.1.1.646
Password: not required, none, stale
State: Oper; Msgs sent/rcvd: 57/57
Peer LDP Ident: 10.3.3.3:0; Local LDP Ident 10.1.1.1:0
TCP connection: 10.3.3.3.11018 - 10.1.1.1.646
Password: required, neighbor, in use
State: Oper; Msgs sent/rcvd: 216/215
Router# show mpls ldp neighbor password pending
Peer LDP Ident: 10.4.4.4:0; Local LDP Ident 10.1.1.1:0
TCP connection: 10.4.4.4.11017 - 10.1.1.1.646
Password: not required, none, stale
State: Oper; Msgs sent/rcvd: 57/57
Router# show mpls ldp neighbor password current
Peer LDP Ident: 10.3.3.3:0; Local LDP Ident 10.1.1.1:0
TCP connection: 10.3.3.3.11018 - 10.1.1.1.646
Password: required, neighbor, in use
State: Oper; Msgs sent/rcvd: 216/215
This command displays password information used in established LDP sessions. If you do not enter an optional pending or current keyword for the command, password information for all established LDP sessions is displayed.
Step 5: exit
Use this command to exit to user EXEC mode. For example:
Router# exit
Router>
The section contains the following examples for configuring an LDP MD5 password for LDP sessions:
The following example shows how to configure an LDP MD5 password for LDP sessions for a specified neighbor:
enable
configure terminal
mpls ldp neighbor vrf vpn1 10.1.1.1 password nbrscrtpwd
end
This sets up nbrscrtpwd as the password to use for LDP sessions for the neighbor whose LDP router ID is 10.1.1.1. Communication with this neighbor is through VRF vpn1.
The following example shows how to configure an LDP MD5 password for LDP sessions with peers from a specified VRF. The password vrfpwdvpn1 is configured for use with LDP peers that communicate using VRF vpn1. A password is required; otherwise, LDP tears down the session.
enable
configure terminal
mpls ldp vrf vpn1 password fallback vrfpwdvpn1
mpls ldp vrf vpn1 password required
end
The following example shows how to configure a password that is used for sessions for peers that communicate using the global routing table:
enable
configure terminal
mpls ldp password fallback vrfpwdvppn1
end
The following example shows how to configure an LDP MD5 password for LDP sessions with a selected group of peers. The required password aclpwdfor10 is configured for access list 10. Only those LDP router IDs permitted in access list 10 are required to use the password.
enable
configure terminal
mpls ldp password option 25 for 10 aclpwdfor10
mpls ldp password required for 10
end
Access list 10 might look something like this:
enable
configure terminal
access-list 10 permit 10.1.1.1
access-list 10 permit 10.3.3.3
access-list 10 permit 10.4.4.4
access-list 10 permit 10.2.2.2
end
The following sections provide references related to the MPLS--LDP MD5 Global Configuration feature.
Related Topic | Document Title
---|---
Configuration tasks for LDP | MPLS LDP MD5 Global Configuration

Standard | Title
---|---
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | --

MIB | MIBs Link
---|---
No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

RFC | Title
---|---
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. | --

Description | Link
---|---
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Table 1: Feature Information for MPLS--LDP MD5 Global Configuration

Feature Name | Releases | Feature Information
---|---|---
MPLS--LDP MD5 Global Configuration | 12.2(28)SB, 12.0(32)SY, 12.2(33)SRB, 12.4(20)T | The MPLS--LDP MD5 Global Configuration feature provides enhancements to the Label Distribution Protocol (LDP) implementation of the Message Digest 5 (MD5) password. This feature allows you to enable LDP MD5 globally instead of on a per-peer basis. Using this feature you can set up password requirements for a set of LDP neighbors to help prevent unauthorized peers from establishing LDP sessions and to block spoofed TCP messages. This feature was introduced in Cisco IOS Release 12.2(28)SB and was integrated into Cisco IOS Releases 12.0(32)SY, 12.2(33)SRB, and 12.4(20)T. The following commands were modified by this feature: mpls ldp password fallback, mpls ldp password option, mpls ldp password required, show mpls ldp discovery, show mpls ldp neighbor, show mpls ldp neighbor password.
BGP --Border Gateway Protocol. An interdomain routing protocol that replaces External Gateway Protocol (EGP). BGP systems exchange reachability information with other BGP systems. BGP is defined by RFC 1163.
EGP --Exterior Gateway Protocol. An internet protocol for exchanging routing information between autonomous systems. EGP is documented in RFC 904. EGP is not to be confused with the general term exterior gateway protocol. EGP is an obsolete protocol that was replaced by Border Gateway Protocol (BGP).
CE router--customer edge router. A router that is part of a customer network and that interfaces to a provider edge (PE) router.
CSC --Carrier Supporting Carrier. A situation where one service provider allows another service provider to use a segment of its backbone network. The service provider that provides the segment of the backbone network to the other provider is called the backbone carrier. The service provider that uses the segment of the backbone network is called the customer carrier.
LDP --Label Distribution Protocol. A standard protocol between Multiprotocol Label Switching (MPLS)-enabled routers that is used in the negotiation of the labels used to forward packets. The Cisco proprietary version of this protocol is the Tag Distribution Protocol (TDP).
LDP peer--A label switch router (LSR) that is the receiver of label space information from another LSR. If an LSR has a label space to advertise to another LSR, or to multiple LSRs, one Label Distribution Protocol (LDP) session exists for each LSR (LDP peer) receiving the label space information.
MD5 --Message Digest 5. A one-way hashing algorithm that produces a 128-bit hash. Both MD5 and Secure Hash Algorithm (SHA) are variations on MD4 and are designed to strengthen the security of the MD4 hashing algorithm. Cisco uses hashes for authentication within the IPSec framework. SNMP v.2 uses MD5 for message authentication, to verify the integrity of the communication, to authenticate the message origin, and to check its timeliness.
MPLS --Multiprotocol Label Switching. A switching method that forwards IP traffic through use of labels. Each label instructs the routers and the switches in the network where to forward a packet based on preestablished IP routing information.
PE router--provider edge router. A router that is part of a service provider's network connected to a customer edge (CE) router. All Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) processing occurs in the PE router.
VPN --Virtual Private Network. Enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic forwarded from one network to another. A VPN uses tunneling to encrypt all information at the IP level.
VRF --A VPN routing and forwarding instance. A VRF consists of an IP routing table, a derived forwarding table, a set of interfaces that use the forwarding table, and a set of rules and routing protocols that determine what goes into the forwarding table. In general, a VRF includes the routing information that defines a customer VPN site that is attached to a PE router.