LDP security

LDP distributes the label bindings that MPLS forwarding relies on, so an LSR that accepts sessions or bindings from the wrong peer lets that peer influence its label switched paths. This page covers the three controls available against that: session authentication, TTL security, and label filtering.

LDP Neighbor Security

To avoid peering with an unexpected neighbor, configure the same password on both sides. Every TCP segment of the LDP session is then signed with a TCP MD5 digest (RFC 2385) computed over the segment and the password, so a session cannot be established with a peer that does not hold the password, whether it is misconfigured or hostile. Two caveats: the digest only protects the TCP session, not the UDP Hello messages used for discovery, so TTL security and filtering remain necessary; and the construction gives no security beyond the secrecy of the password, so use a long random one and change it on both sides together.

vrf main
  routing mpls ldp
    router-id 10.10.10.10
    neighbor 5.5.5.5 password secret_phrase
    address-family ipv4
      discovery transport-address 10.10.10.10
      interface eth0_0
        ..
      ..
      ..
  ..
  ..
  ..
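
What the password actually protects is easiest to see by computing the RFC 2385 digest by hand. The following is an added example, not code from the original page or from the router software it documents: it builds a constructed LDP segment between 10.10.10.10 and 5.5.5.5 (port 646 both ways, sample payload and sequence numbers are assumptions), signs it with the shared password, and then shows which changes the receiver's check catches.

```python
import hashlib
import hmac
import ipaddress
import struct

# Added example (not part of the original page): how the RFC 2385 TCP MD5
# option enabled by `neighbor ... password` is computed and checked.
# The digest covers, in this order:
#   1. the IP pseudo-header: source IP, destination IP, zero, protocol 6, TCP length
#   2. the first 20 bytes of the TCP header with the checksum field zeroed
#      (TCP options, including the signature option itself, are not covered)
#   3. the TCP payload (here an LDP PDU)
#   4. the shared password
# All addresses, ports, sequence numbers and the payload are constructed sample data.

TCP_MD5_KIND = 19
TCP_MD5_LEN = 18          # kind + length + 16-byte digest
LDP_PORT = 646
PSH_ACK = 0x18

# Constructed LDP PDU: version 1, PDU length 6, LSR-ID 10.10.10.10, label space 0.
SAMPLE_LDP_PDU = struct.pack("!HH4sH", 1, 6, ipaddress.IPv4Address("10.10.10.10").packed, 0)


def _pseudo_header(src_ip, dst_ip, tcp_len):
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, 6, tcp_len))


def tcp_md5_digest(src_ip, dst_ip, header20, tcp_len, payload, password):
    """Return the 16-byte RFC 2385 digest for one segment."""
    zeroed = header20[:16] + b"\x00\x00" + header20[18:20]   # checksum lives at offset 16
    h = hashlib.md5()
    h.update(_pseudo_header(src_ip, dst_ip, tcp_len))
    h.update(zeroed)
    h.update(payload)
    h.update(password)
    return h.digest()


def build_signed_segment(src_ip, dst_ip, seq, ack, payload, password):
    """Build a TCP segment (port 646 both ways) carrying a valid MD5 signature option."""
    options_len = TCP_MD5_LEN + 2                       # option + two NOPs -> 4-byte aligned
    data_offset = (20 + options_len) // 4               # header length in 32-bit words
    header20 = struct.pack("!HHIIBBHHH", LDP_PORT, LDP_PORT, seq, ack,
                           data_offset << 4, PSH_ACK, 65535, 0, 0)
    tcp_len = 20 + options_len + len(payload)
    digest = tcp_md5_digest(src_ip, dst_ip, header20, tcp_len, payload, password)
    options = bytes([TCP_MD5_KIND, TCP_MD5_LEN]) + digest + b"\x01\x01"
    return header20 + options + payload


def verify_signed_segment(src_ip, dst_ip, segment, password):
    """True only if the segment carries a kind-19 option whose digest matches."""
    header20 = segment[:20]
    data_offset = (header20[12] >> 4) * 4
    options, payload = segment[20:data_offset], segment[data_offset:]
    received = None
    i = 0
    while i < len(options):                             # walk the TCP option list
        kind = options[i]
        if kind == 0:                                   # end of option list
            break
        if kind == 1:                                   # NOP
            i += 1
            continue
        length = options[i + 1] if i + 1 < len(options) else 0
        if length < 2:
            return False                                # malformed option
        if kind == TCP_MD5_KIND and length == TCP_MD5_LEN:
            received = options[i + 2:i + TCP_MD5_LEN]
        i += length
    if received is None:
        return False                                    # unsigned segment: reject
    expected = tcp_md5_digest(src_ip, dst_ip, header20, len(segment), payload, password)
    return hmac.compare_digest(received, expected)      # constant-time comparison


def demo():
    """Exercise the checks a signed LDP session relies on (constructed data)."""
    good = build_signed_segment("10.10.10.10", "5.5.5.5", 1000, 2000, SAMPLE_LDP_PDU, b"secret_phrase")
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])     # flip one payload bit
    unsigned = struct.pack("!HHIIBBHHH", LDP_PORT, LDP_PORT, 1000, 2000,
                           5 << 4, PSH_ACK, 65535, 0, 0) + SAMPLE_LDP_PDU
    return {
        "correct_password": verify_signed_segment("10.10.10.10", "5.5.5.5", good, b"secret_phrase"),
        "wrong_password": verify_signed_segment("10.10.10.10", "5.5.5.5", good, b"other"),
        "tampered_payload": verify_signed_segment("10.10.10.10", "5.5.5.5", tampered, b"secret_phrase"),
        "spoofed_source": verify_signed_segment("6.6.6.6", "5.5.5.5", good, b"secret_phrase"),
        "unsigned_segment": verify_signed_segment("10.10.10.10", "5.5.5.5", unsigned, b"secret_phrase"),
    }
```

The spoofed_source case is the one worth noticing: because the pseudo-header is part of the digest, a captured segment cannot be replayed from another source address even with the right payload. The unsigned case shows the other half of the rule: once a password is configured for a neighbor, segments without the option must be rejected, otherwise the protection is optional for the attacker.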

LDP TTL security

RFC 6720 applies the Generalized TTL Security Mechanism (GTSM, defined in RFC 5082) to LDP: with basic discovery, only peers on a directly connected link are accepted. An LSR that supports it sends its LDP packets with an IP TTL of 255 and announces the capability by setting the G flag in the Common Hello Parameters TLV of its Hello messages; once both sides have set the flag, each verifies that every packet received from that peer still carries TTL 255, which is only possible if no router forwarded it. Packets injected from further away therefore fail the check before LDP processes them. The check can be disabled per neighbor, for instance to interoperate with a peer whose implementation does not follow RFC 6720. To disable ttl-security checking, use the following command:

vrf main
  routing mpls ldp
    router-id 10.10.10.10
    neighbor 5.5.5.5 ttl-security disable true
    address-family ipv4
      discovery transport-address 10.10.10.10
      interface eth0_0
        ..
      ..
      ..
  ..
  ..
  ..
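
The following added example (not code from the original page or from the router software) shows the two halves of the mechanism: decoding the G flag from a constructed LDP Hello PDU, and the accept/drop decision on the received IP TTL. The bit layout follows RFC 5036 and RFC 6720; the `ttl_security_disabled` parameter is an assumption that models the per-neighbor `ttl-security disable true` knob above, and all LSR-IDs and TTL values are constructed sample data.

```python
import ipaddress
import struct

# Added example (not part of the original page): decode the G flag that
# RFC 6720 adds to the LDP Hello, then apply the GTSM accept/drop decision
# that ttl-security enforces. All PDUs and addresses are constructed samples.

LDP_VERSION = 1
MSG_HELLO = 0x0100
TLV_COMMON_HELLO = 0x0400        # RFC 5036 Common Hello Parameters
TLV_IPV4_TRANSPORT = 0x0401      # RFC 5036 IPv4 Transport Address
F_TARGETED = 0x8000              # T: targeted Hello (extended discovery)
F_REQ_TARGETED = 0x4000          # R: request targeted Hellos
F_GTSM = 0x2000                  # G: sender supports GTSM (RFC 6720)


def build_hello(lsr_id, hold_time, flags, transport_addr=None, msg_id=1):
    """Build a minimal LDP Hello PDU (label space 0) with the given Common Hello flags."""
    tlvs = struct.pack("!HHHH", TLV_COMMON_HELLO, 4, hold_time, flags)
    if transport_addr is not None:
        tlvs += struct.pack("!HH4s", TLV_IPV4_TRANSPORT, 4,
                            ipaddress.IPv4Address(transport_addr).packed)
    msg = struct.pack("!HHI", MSG_HELLO, 4 + len(tlvs), msg_id) + tlvs
    body = ipaddress.IPv4Address(lsr_id).packed + struct.pack("!H", 0) + msg
    return struct.pack("!HH", LDP_VERSION, len(body)) + body


def parse_hello(pdu):
    """Parse the PDU header, the Hello message header and its TLVs; reject malformed input."""
    if len(pdu) < 18:
        raise ValueError("PDU too short for a Hello")
    version, pdu_len = struct.unpack_from("!HH", pdu, 0)
    if version != LDP_VERSION or pdu_len != len(pdu) - 4:
        raise ValueError("bad LDP version or PDU length")
    lsr_id = str(ipaddress.IPv4Address(pdu[4:8]))
    msg_type, msg_len, _msg_id = struct.unpack_from("!HHI", pdu, 10)
    if msg_type & 0x7FFF != MSG_HELLO:                   # strip the U bit
        raise ValueError("not a Hello message")
    end = 14 + msg_len                                   # message length counts from the message id
    if end > len(pdu):
        raise ValueError("Hello message length exceeds PDU")
    hello = {"lsr_id": lsr_id, "hold_time": None, "targeted": False,
             "gtsm": False, "transport": None}
    off = 18
    while off + 4 <= end:
        tlv_type, tlv_len = struct.unpack_from("!HH", pdu, off)
        value = pdu[off + 4:off + 4 + tlv_len]
        if len(value) != tlv_len or off + 4 + tlv_len > end:
            raise ValueError("truncated TLV")
        kind = tlv_type & 0x3FFF                         # strip the U and F bits
        if kind == TLV_COMMON_HELLO:
            if tlv_len != 4:
                raise ValueError("bad Common Hello Parameters length")
            hold, flags = struct.unpack("!HH", value)
            hello.update(hold_time=hold, targeted=bool(flags & F_TARGETED),
                         gtsm=bool(flags & F_GTSM))
        elif kind == TLV_IPV4_TRANSPORT and tlv_len == 4:
            hello["transport"] = str(ipaddress.IPv4Address(value))
        off += 4 + tlv_len
    if hello["hold_time"] is None:
        raise ValueError("missing Common Hello Parameters TLV")
    return hello


def gtsm_accept(local_gtsm, hello, ip_ttl, ttl_security_disabled=False):
    """Decide whether an LDP packet from this peer passes the GTSM check.

    RFC 6720: GTSM is in effect once both LSRs have set G in their Hellos
    (and is off by default for targeted Hellos); every packet from such a
    peer must then arrive with IP TTL 255, i.e. no router forwarded it.
    ttl_security_disabled models `neighbor ... ttl-security disable true`
    (assumption about the knob's exact effect).
    """
    negotiated = (local_gtsm and hello["gtsm"] and not hello["targeted"]
                  and not ttl_security_disabled)
    if not negotiated:
        return True, "GTSM not in effect for this peer; TTL not checked"
    if ip_ttl == 255:
        return True, "GTSM ok: packet came from the directly connected link"
    return False, "GTSM: TTL %d != 255, packet was forwarded; dropped" % ip_ttl


def demo():
    """Constructed peers: a GTSM-capable one, a legacy one, and an injected packet."""
    capable = parse_hello(build_hello("5.5.5.5", 15, F_GTSM, transport_addr="5.5.5.5"))
    legacy = parse_hello(build_hello("6.6.6.6", 15, 0))
    return {
        "capable_ttl_255": gtsm_accept(True, capable, 255)[0],
        "capable_ttl_254": gtsm_accept(True, capable, 254)[0],   # one hop too far
        "capable_disabled_ttl_254": gtsm_accept(True, capable, 254, ttl_security_disabled=True)[0],
        "legacy_ttl_64": gtsm_accept(True, legacy, 64)[0],
        "parsed": (capable["gtsm"], capable["transport"], legacy["gtsm"]),
    }
```

The legacy case is the compatibility situation the disable knob exists for: a peer that never sets G is accepted without a TTL check, which is exactly why the check gains nothing against an attacker who simply omits the flag; the flag negotiates the check, it does not replace authentication or filtering.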

LDP filtering

A set of commands filters what LDP accepts from its peers (inbound) and what it advertises to them (outbound). For instance, for the IPv4 or IPv6 address family, received label mappings can be accepted only from selected peers by matching the LSR-ID of the remote LDP peer against an access list. In the configuration below, mappings are kept only from the peers matched by access list 11:

vrf main
  routing mpls ldp
    router-id 10.10.10.10
    address-family ipv4
      discovery transport-address 10.10.10.10
      interface eth0_0
        ..
      label remote accept from 11
      ..
      ..
  ..
  ..
  ..
..
routing
  ipv4-access-list 11 permit 10.10.10.10/32

Inbound filtering can also be based on the FEC prefix carried in the received label mapping. With the configuration below, only mappings whose prefix is permitted by access list 12 (4.4.4.0/24) are accepted; mappings for any other prefix are ignored.

vrf main
  routing mpls ldp
    router-id 10.10.10.10
    address-family ipv4
      discovery transport-address 10.10.10.10
      interface eth0_0
        ..
      label remote accept for 12
      ..
      ..
  ..
  ..
  ..
..
routing
  ipv4-access-list 12 permit 4.4.4.0/24

Filtering can also be applied to local label allocation. With host-routes, a local label is bound only to host routes (/32 for IPv4), which keeps the label space small and limits what is advertised to peers, since a prefix without a local label is not advertised.

vrf main
  routing mpls ldp
    router-id 10.10.10.10
    address-family ipv4
      discovery transport-address 10.10.10.10
      interface eth0_0
        ..
      label local allocate host-routes
      ..
      ..
  ..
  ..
  ..
..

If that is not selective enough, label allocation can be restricted further by explicitly listing the destination prefixes that should receive a binding:

vrf main
  routing mpls ldp
    router-id 10.10.10.10
    address-family ipv4
      discovery transport-address 10.10.10.10
      interface eth1_0
        ..
      interface eth0_0
        ..
      label local allocate for 13
      ..
      ..
  ..
  ..
  ..
..
routing
  ipv4-access-list 13 permit 2.2.2.0/24

Finally, outbound filtering selects which peers receive which bindings. In the example below, the local binding for 4.4.4.0/24 (access list 15) is advertised only to peer 5.5.5.5 (access list 14); no other binding is advertised, and other peers receive nothing.

vrf main
  routing mpls ldp
    router-id 10.10.10.10
    address-family ipv4
      discovery transport-address 10.10.10.10
      interface eth0_0
        ..
      label local advertise to 14 for 15
      ..
      ..
  ..
  ..
  ..
..
routing
  ipv4-access-list 14 permit 5.5.5.5/32
  ipv4-access-list 15 permit 4.4.4.0/24
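
Because the accept, allocate and advertise filters combine, it is worth checking their interplay before deploying them. The following is an added example, not code from the original page or from the router software: a small model of the four filters above, run against constructed bindings. The semantics it assumes are those of FRR ldpd, which this CLI resembles: a filter with no access list permits everything; with one attached, only prefixes matched by a "permit" entry pass and anything else is denied (implicit deny, so an empty or undefined list denies all); "from" and "to" lists are matched against the peer's LSR-ID. The peer in the "from" list is taken as 5.5.5.5 here, the neighbor used elsewhere on this page; verify all of this against your own platform.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example (not part of the original page): a model of the LDP label
# filters shown above. Assumed semantics (FRR ldpd style; verify on your
# platform): no access list -> permit; access list attached -> only a
# matching "permit" entry passes, everything else is denied.


class AccessList:
    """Numbered access list: ordered (action, network) entries, first match wins."""

    def __init__(self, *entries):
        self.entries = [(action, ipaddress.ip_network(net)) for action, net in entries]

    def permits(self, prefix):
        target = ipaddress.ip_network(prefix)
        for action, net in self.entries:
            if target.version == net.version and target.subnet_of(net):
                return action == "permit"
        return False                        # implicit deny at the end of the list


def _passes(acl: Optional[AccessList], prefix: str) -> bool:
    return True if acl is None else acl.permits(prefix)


@dataclass
class LdpFilters:
    accept_from: Optional[AccessList] = None    # label remote accept from <acl>
    accept_for: Optional[AccessList] = None     # label remote accept for <acl>
    allocate_host_routes: bool = False          # label local allocate host-routes
    allocate_for: Optional[AccessList] = None   # label local allocate for <acl>
    advertise_to: Optional[AccessList] = None   # label local advertise to <acl>
    advertise_for: Optional[AccessList] = None  # label local advertise for <acl>


def accept_remote_binding(cfg, peer_lsr_id, fec):
    """Inbound: keep a received label mapping only if peer and FEC both pass."""
    return (_passes(cfg.accept_from, peer_lsr_id + "/32")
            and _passes(cfg.accept_for, fec))


def allocate_local_label(cfg, fec):
    """Local: bind a label to this FEC only if it is a host route (when required)
    and is permitted by the allocate-for list."""
    net = ipaddress.ip_network(fec)
    if cfg.allocate_host_routes and net.prefixlen != net.max_prefixlen:
        return False
    return _passes(cfg.allocate_for, fec)


def advertise_local_binding(cfg, peer_lsr_id, fec):
    """Outbound: a binding is sent only if it exists locally and both the
    peer (to) and the FEC (for) pass."""
    return (allocate_local_label(cfg, fec)
            and _passes(cfg.advertise_to, peer_lsr_id + "/32")
            and _passes(cfg.advertise_for, fec))


def demo():
    """Constructed configurations mirroring the access lists used on this page."""
    inbound = LdpFilters(accept_from=AccessList(("permit", "5.5.5.5/32")),
                         accept_for=AccessList(("permit", "4.4.4.0/24")))
    host_only = LdpFilters(allocate_host_routes=True)
    outbound = LdpFilters(advertise_to=AccessList(("permit", "5.5.5.5/32")),
                          advertise_for=AccessList(("permit", "4.4.4.0/24")))
    return {
        "accept_listed_peer_and_prefix": accept_remote_binding(inbound, "5.5.5.5", "4.4.4.0/24"),
        "accept_more_specific_prefix": accept_remote_binding(inbound, "5.5.5.5", "4.4.4.128/25"),
        "reject_unlisted_prefix": accept_remote_binding(inbound, "5.5.5.5", "6.6.6.0/24"),
        "reject_unlisted_peer": accept_remote_binding(inbound, "7.7.7.7", "4.4.4.0/24"),
        "host_route_gets_label": allocate_local_label(host_only, "2.2.2.2/32"),
        "subnet_gets_no_label": allocate_local_label(host_only, "2.2.2.0/24"),
        "advertised_to_listed_peer": advertise_local_binding(outbound, "5.5.5.5", "4.4.4.0/24"),
        "not_advertised_to_other_peer": advertise_local_binding(outbound, "8.8.8.8", "4.4.4.0/24"),
        "other_prefix_not_advertised": advertise_local_binding(outbound, "5.5.5.5", "2.2.2.0/24"),
    }
```

Two results deserve attention when translating this back to a real configuration: a "permit 4.4.4.0/24" entry also admits more specific prefixes inside that block, so a peer can still inject a /25 unless the list is written with exact matches; and the "to"/"for" pair on advertise is an intersection, so a peer absent from the "to" list receives no bindings at all, not just fewer.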