mpls ldp lsp establishment process-Vecloud

mpls ldp lsp establishment process

  By default, when a route in the network changes and an edge node (Egress) finds a new host route in its routing table that does not belong to any existing FEC, the Egress creates a new FEC for that route.

  If the Egress of the MPLS network has labels available for allocation, it allocates a label for the FEC and actively sends a label mapping message upstream. The label mapping message carries the assigned label, the FEC it is bound to, and related information.

  After receiving the label mapping message, the Transit LSR checks whether the sender of the mapping (the Egress) is its next hop for the FEC. If it is, the Transit adds a corresponding entry to its label forwarding table and then actively sends a label mapping message for the same FEC to its upstream LSR.

  After receiving the label mapping message, the Ingress checks whether the sender of the mapping (the Transit) is its next hop for the FEC. If it is, the Ingress adds a corresponding entry to its label forwarding table. At this point the LSP is established, and data packets belonging to the FEC can be labeled and forwarded along it.
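  The three steps above can be followed in a small simulation. The following is an added example and not code from the original article or from any vendor: a model of downstream unsolicited label distribution in which each LSR installs a mapping only when the sender is its next hop for the FEC and otherwise only retains it. The router names, the FEC 10.1.1.1/32, the label values and the topology are all constructed; the extra LSR "Other" has an adjacency to Transit that is not on its routed path, which shows a retained but unused mapping next to the installed ones.

```python
# Added example (not from the original article): a minimal model of downstream
# unsolicited LDP label distribution. Router names, the FEC and label values are
# constructed for illustration.

FEC = "10.1.1.1/32"   # constructed host route that appears at the Egress


class LSR:
    def __init__(self, name, routes, label_base):
        self.name = name
        self.routes = routes          # FEC -> next-hop LSR name ("local" on the Egress)
        self.next_label = label_base  # next free label in this LSR's label space
        self.upstream = []            # neighbors we advertise our mappings to
        self.lfib = {}                # FEC -> {"in_label", "out_label", "next_hop"}
        self.liberal = {}             # (sender, FEC) -> label: kept, not installed

    def allocate_label(self):
        label = self.next_label
        self.next_label += 1
        return label

    def advertise(self, fec, in_label):
        # Actively send a Label Mapping message for the FEC to every upstream LSR.
        for up in self.upstream:
            up.receive_mapping(self.name, fec, in_label)

    def new_local_route(self, fec):
        # Egress: a new host route not covered by any FEC creates a new FEC,
        # gets a label, and triggers the mapping upstream.
        in_label = self.allocate_label()
        self.lfib[fec] = {"in_label": in_label, "out_label": None, "next_hop": "local"}
        self.advertise(fec, in_label)

    def receive_mapping(self, sender, fec, out_label):
        # Install the mapping only if the sender is our routing next hop for the FEC;
        # otherwise retain it (liberal retention) without using it.
        if self.routes.get(fec) != sender:
            self.liberal[(sender, fec)] = out_label
            return
        in_label = self.allocate_label()
        self.lfib[fec] = {"in_label": in_label, "out_label": out_label, "next_hop": sender}
        self.advertise(fec, in_label)


def build_network():
    # Chain: Other -> Ingress -> Transit -> Egress, plus a direct Transit<->Other
    # adjacency that is *not* on Other's routed path to the FEC.
    egress = LSR("Egress", {FEC: "local"}, 100)
    transit = LSR("Transit", {FEC: "Egress"}, 200)
    ingress = LSR("Ingress", {FEC: "Transit"}, 300)
    other = LSR("Other", {FEC: "Ingress"}, 400)
    egress.upstream = [transit]
    transit.upstream = [ingress, other]
    ingress.upstream = [other]
    net = {r.name: r for r in (egress, transit, ingress, other)}
    egress.new_local_route(FEC)   # the route change at the Egress kicks everything off
    return net


def trace_lsp(net, start, fec):
    # Follow the installed label forwarding entries from `start` to the Egress and
    # return the label carried on each hop; raise if the LSP is not complete.
    labels, node = [], net[start]
    while True:
        entry = node.lfib.get(fec)
        if entry is None:
            raise LookupError(f"{node.name} has no LSP for {fec}")
        if entry["next_hop"] == "local":
            return labels
        nxt = net[entry["next_hop"]]
        if nxt.lfib[fec]["in_label"] != entry["out_label"]:
            raise ValueError("label mismatch between neighbours")
        labels.append(entry["out_label"])
        node = nxt


if __name__ == "__main__":
    net = build_network()
    for name, lsr in net.items():
        print(name, lsr.lfib.get(FEC), lsr.liberal)
    print("labels from Other to Egress:", trace_lsp(net, "Other", FEC))
```

  Running the block prints each LSR's forwarding entry for the FEC; Other keeps the mapping it received from Transit in its liberal set because Ingress, not Transit, is its next hop, while the labels 300, 200, 100 along the routed path are the ones a packet would carry hop by hop.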

  The above describes the establishment of an ordinary LDP LSP; there is also the proxy Egress LSP. A proxy Egress is an Egress node that can trigger the establishment of LSPs for routes that are not local to it. When penultimate hop popping (PHP) is enabled on the router, the penultimate hop node is in effect a special proxy Egress. In general a proxy Egress is created by configuration. It can be applied where some routers in the network do not support the MPLS feature, and can also be used to solve the problem of BGP route load sharing.

  In order to improve the security of LDP packets, MPLS provides three protection mechanisms: LDP MD5 authentication, LDP Keychain authentication, and LDP GTSM.

  LDP Keychain authentication is a more secure form of authentication than LDP MD5 authentication; for a given neighbor only one of the two can be selected. LDP GTSM protects the device from attacks using illegal LDP packets and can be used together with either of the other two.

  MD5 (Message-Digest Algorithm 5) is an international standard message digest algorithm defined in RFC 1321. Its typical use is to compute a digest of a piece of information so that tampering with that information can be detected. The MD5 digest is produced by an irreversible transformation of the input, and the result is unique to that input. If the content is altered in any way during transmission, recomputing the digest yields a different value, and the receiving end can determine that the received message is not the original.

  LDP MD5 uses this property, a unique digest for a given piece of data, to provide tamper detection for LDP messages that is stricter than the ordinary TCP checksum. The process is as follows:

  Before an LDP session message is sent over TCP, a digest is inserted immediately after the TCP header. This digest is computed with the MD5 algorithm over the TCP header, the LDP session message, and the password configured by the user.

  When the receiving end receives the TCP segment, it first extracts the TCP header, the message digest, and the LDP session message. It then combines the TCP header, the LDP session message, and the locally stored password, computes a digest with MD5, and compares it with the digest carried in the segment to check whether the message has been tampered with.
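  The send and receive sides of that check, written out as an added example (not code from the article, and not a vendor's implementation): the digest is computed over TCP header + LDP message + password exactly as the text describes, which is a simplification of the real TCP MD5 signature option (that one also covers a pseudo-header and is carried as a TCP option). The 20-byte TCP header, the LDP KeepAlive PDU, the port 49152 and the password are all constructed values.

```python
# Added example (not from the original article): the LDP MD5 digest check as the
# text describes it. Header fields, the KeepAlive PDU and the password are constructed.
import hashlib
import hmac
import struct

LDP_PORT = 646
PASSWORD = b"ldp-neighbor-secret"    # constructed shared password for the demo only
DIGEST_LEN = 16                      # MD5 digest size in bytes


def tcp_header(src_port, dst_port, seq, ack):
    # Constructed 20-byte TCP header (no options): data offset 5 words, ACK|PSH flags,
    # window 65535, checksum and urgent pointer zero.
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack, 5 << 4, 0x18, 65535, 0, 0)


def compute_digest(header, ldp_message, password):
    # Digest over TCP header + LDP session message + password, as the article describes.
    return hashlib.md5(header + ldp_message + password).digest()


def build_segment(header, ldp_message, password):
    # Sender side: the digest sits right behind the TCP header, ahead of the LDP data.
    return header + compute_digest(header, ldp_message, password) + ldp_message


def verify_segment(segment, password, header_len=20):
    # Receiver side: split header / digest / LDP message, recompute, compare in
    # constant time so the comparison itself leaks nothing about the digest.
    header = segment[:header_len]
    received = segment[header_len:header_len + DIGEST_LEN]
    ldp_message = segment[header_len + DIGEST_LEN:]
    if len(received) != DIGEST_LEN:
        return False
    return hmac.compare_digest(received, compute_digest(header, ldp_message, password))


def demo():
    # Constructed LDP KeepAlive PDU: version 1, PDU length 14, LSR-ID 1.1.1.1,
    # label space 0, then a KeepAlive message (type 0x0201, length 4, message id 7).
    keepalive = struct.pack("!HHIHHHI", 1, 14, 0x01010101, 0, 0x0201, 4, 7)
    header = tcp_header(LDP_PORT, 49152, seq=1000, ack=2000)
    good = build_segment(header, keepalive, PASSWORD)
    # Flip one bit of the LDP message in transit (low byte of the message id).
    tampered = bytearray(good)
    tampered[-1] ^= 0x01
    return {
        "genuine": verify_segment(good, PASSWORD),
        "tampered": verify_segment(bytes(tampered), PASSWORD),
        "wrong_password": verify_segment(good, b"other-password"),
    }


if __name__ == "__main__":
    print(demo())
```

  A plain TCP checksum would still validate the tampered segment if the attacker recomputed it; the keyed digest fails because recomputing it requires the password, which is the whole point of the mechanism.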

  Keychain is an enhanced authentication mechanism. Like MD5, Keychain computes a digest of the same piece of information to provide tamper detection for LDP packets.

  Keychain allows the user to define a set of passwords that form a password chain, and to specify for each password its encryption and decryption algorithm (MD5, SHA-1, and so on) and its validity period. When sending and receiving packets, the system selects a currently valid password according to the user's configuration and, using the algorithm and validity period associated with that password, encrypts the packet on sending and decrypts it on receiving. The system can also switch automatically to the next valid password when the current one expires, avoiding the risk of password compromise that comes from using one password for a long time.

  A Keychain password, the encryption and decryption algorithm it uses, and its validity period are configured separately to form a Keychain configuration node. Each Keychain configuration node must have at least one password configured and an encryption and decryption algorithm specified.
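  The automatic switch-over between keys is the part worth seeing in code. The following is an added example, not the article's or any vendor's implementation: a Keychain node holding three keys with different algorithms and back-to-back validity windows, a sender that picks whichever key is valid now, and a receiver that rejects a digest made with a key outside its window. It uses HMAC with the per-key hash rather than the plain "data + password" concatenation the MD5 section describes; the key IDs, passwords, the reference time T0 and the one-hour windows are constructed.

```python
# Added example (not from the original article): time-based key selection and
# rollover in a Keychain. Key ids, passwords, algorithms and windows are constructed.
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1, 0, 0, 0)   # constructed reference time for the demo


@dataclass(frozen=True)
class Key:
    key_id: int
    password: bytes
    algorithm: str          # hashlib name: "md5", "sha1", "sha256", ...
    valid_from: datetime
    valid_until: datetime   # exclusive

    def active_at(self, t):
        return self.valid_from <= t < self.valid_until


class Keychain:
    def __init__(self, keys):
        if not keys:
            raise ValueError("a Keychain node needs at least one key")
        self.keys = sorted(keys, key=lambda k: k.valid_from)

    def active_key(self, now):
        # The key whose validity window covers `now`; switch-over is automatic.
        return next((k for k in self.keys if k.active_at(now)), None)

    @staticmethod
    def digest(key, message):
        # Keyed digest with the algorithm chosen for this particular key.
        return hmac.new(key.password, message, key.algorithm).digest()

    def sign(self, message, now):
        key = self.active_key(now)
        if key is None:
            raise RuntimeError("no key is valid at this time")
        return key.key_id, self.digest(key, message)

    def verify(self, message, key_id, digest, now):
        # The packet names the key it was signed with; the key must still be valid.
        key = next((k for k in self.keys if k.key_id == key_id), None)
        if key is None or not key.active_at(now):
            return False
        return hmac.compare_digest(digest, self.digest(key, message))


def demo_keychain():
    hour = timedelta(hours=1)
    return Keychain([
        Key(1, b"first-secret", "md5", T0, T0 + hour),
        Key(2, b"second-secret", "sha1", T0 + hour, T0 + 2 * hour),
        Key(3, b"third-secret", "sha256", T0 + 2 * hour, T0 + 3 * hour),
    ])


def rollover_demo():
    kc = demo_keychain()
    msg = b"LDP session message"
    t_early, t_late = T0 + timedelta(minutes=10), T0 + timedelta(minutes=90)
    kid1, d1 = kc.sign(msg, t_early)
    kid2, d2 = kc.sign(msg, t_late)
    return {
        "key_used_early": kid1,
        "key_used_late": kid2,
        "verify_early": kc.verify(msg, kid1, d1, t_early),
        "replay_old_key": kc.verify(msg, kid1, d1, t_late),   # key 1 has expired
        "tampered": kc.verify(msg + b"x", kid2, d2, t_late),
    }


if __name__ == "__main__":
    print(rollover_demo())
```

  Real keychains usually give each key separate send and accept lifetimes so that the receiver tolerates clock skew around the switch-over; this example uses one window per key to keep the rollover easy to follow.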

  The Generalized TTL Security Mechanism (GTSM) protects IP services by checking whether the TTL value in the IP header falls within a predefined range. Using GTSM has two prerequisites:

  The TTL value of normal packets between the devices can be determined

  The TTL value of a packet is difficult to modify

  LDP GTSM is a specific application of GTSM in LDP.

  GTSM judges whether a packet is valid from its TTL value and thereby protects the device from attack. LDP GTSM applies this mechanism to LDP packets between adjacent devices, or devices a known number of hops apart, since the mechanism relies on determining the hop count. On each device the user configures in advance the valid TTL range for packets from each other device and enables GTSM. When LDP runs between those devices, any LDP packet whose TTL does not fall within the configured range is treated as an illegal attack packet and discarded, which protects the upper-layer protocol.
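  The check itself is a range comparison per peer. Below is an added example, not from the article or any vendor: GTSM peers originate packets with TTL 255 (the maximum, as the GTSM design prescribes), so a packet from a peer n hops away must arrive with a TTL of at least 255 - n + 1; anything lower has crossed more routers than the peer is away and is dropped. The peer addresses, hop counts and the sample packets are constructed.

```python
# Added example (not from the original article): an LDP GTSM TTL range check.
# Peer addresses, hop counts and the arriving packets are constructed.
MAX_TTL = 255   # GTSM peers originate packets with the maximum TTL


def build_gtsm_policy(peers):
    # peers: {peer_ip: hop count}. A packet that really came from a peer `hops`
    # away arrives with TTL in [255 - hops + 1, 255]; a lower TTL means the packet
    # travelled further than that peer is, so it cannot have come from it.
    return {ip: (MAX_TTL - hops + 1, MAX_TTL) for ip, hops in peers.items()}


def gtsm_accept(policy, src_ip, ttl):
    rng = policy.get(src_ip)
    if rng is None:
        return False          # no range configured for this source: not a known LDP peer
    low, high = rng
    return low <= ttl <= high


def filter_ldp_packets(policy, packets):
    # packets: iterable of (src_ip, ttl); returns (kept, dropped) lists.
    kept, dropped = [], []
    for src, ttl in packets:
        (kept if gtsm_accept(policy, src, ttl) else dropped).append((src, ttl))
    return kept, dropped


# Constructed configuration: one directly connected peer and one two hops away.
POLICY = build_gtsm_policy({"10.0.0.2": 1, "10.0.1.2": 2})

# Constructed sample of arriving LDP packets as (source address, IP TTL).
SAMPLE = [
    ("10.0.0.2", 255),   # genuine directly connected peer
    ("10.0.0.2", 254),   # claims to be the neighbour but has crossed a router
    ("10.0.1.2", 254),   # genuine peer two hops away
    ("10.0.1.2", 250),   # too far away to be that peer
    ("192.0.2.9", 255),  # no GTSM range configured for this source
]

if __name__ == "__main__":
    kept, dropped = filter_ldp_packets(POLICY, SAMPLE)
    print("kept:", kept)
    print("dropped:", dropped)
```

  The second prerequisite from the text is visible here: the check is only meaningful because a remote sender cannot raise the TTL of its packets above what the routers between it and the target leave, so it cannot make a distant packet look directly connected.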

  The LDP cross-domain extension lets LDP look up routes using the longest match principle, so that LDP can establish LDP LSPs spanning multiple IGP areas on the basis of aggregated routes.

  When the network is large, multiple IGP areas are usually deployed for flexible deployment and fast convergence. When routes are advertised between IGP areas, the area border router (ABR) aggregates the routes within its area before advertising them to the neighboring IGP area, so that the large number of routes does not consume excessive resources. However, when LDP establishes an LSP it searches the routing table for a route that exactly matches the FEC carried in the received label mapping message. For an aggregated route, LDP can only establish a Liberal LSP and cannot establish an LDP LSP across IGP areas. The LDP cross-domain extension is introduced to solve this problem.

  Note: An LSP that has been assigned a label but has not been successfully established is called a Liberal LSP.

  Consider two IGP areas, Area10 and Area20. The routing table of LSR_2, at the edge of Area10, contains two host routes, to LSR_3 and LSR_4. To avoid the resource consumption of a large number of routes, LSR_2 aggregates these two routes through the ISIS routing protocol and advertises them into Area20 as 1.3.0.0/24.

  When LDP establishes an LSP, it searches the routing table for a route that exactly matches the FEC carried in the received label mapping message. The routing table of LSR_1 contains only this aggregated route and no 32-bit host routes.

  For aggregated routes, LDP can only establish Liberal LSPs and cannot establish LDP LSPs that span IGP areas, so it cannot provide the tunnels the backbone network needs.

  Therefore LSR_1 must look up the route in longest-match mode to establish the LSP. The aggregated route 1.3.0.0/24 already exists in the routing table of LSR_1. When LSR_1 receives a label mapping message from Area10 (for example with FEC 1.3.0.1/32), the longest-match lookup finds the aggregated route 1.3.0.0/24, and LSR_1 uses that route's outgoing interface and next hop as the outgoing interface and next hop for FEC 1.3.0.1/32. In this way LDP can establish an LDP LSP that spans IGP areas.
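  The difference between the default lookup and the cross-domain lookup on LSR_1, as an added example that is not code from the article or from any router vendor. It uses the page's aggregate 1.3.0.0/24 and FEC 1.3.0.1/32; the interface names, the next hop "LSR_2", and the extra less-specific route 1.0.0.0/8 via a constructed "LSR_5" are assumptions added so the longest match is visibly preferred over a shorter one.

```python
# Added example (not from the original article): exact-match versus longest-match
# resolution of a FEC against LSR_1's routing table. Interfaces, LSR_5 and the
# 1.0.0.0/8 route are constructed.
import ipaddress


def exact_match(routing_table, fec):
    # Default LDP behaviour: the FEC must appear in the routing table as-is.
    return routing_table.get(fec)


def longest_match(routing_table, fec):
    # Cross-domain extension: choose the most specific prefix that contains the FEC.
    target = ipaddress.ip_network(fec)
    best_net, best_entry = None, None
    for prefix, entry in routing_table.items():
        net = ipaddress.ip_network(prefix)
        if net.version == target.version and target.subnet_of(net):
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_net, best_entry = net, entry
    return best_entry


def resolve_fec(routing_table, fec, cross_domain):
    # Returns (out_interface, next_hop) for the FEC, or None when only a Liberal LSP
    # can be kept because no usable route exists.
    entry = exact_match(routing_table, fec)
    if entry is None and cross_domain:
        entry = longest_match(routing_table, fec)
    return entry


# Constructed routing table of LSR_1 in Area20: the aggregate from LSR_2 plus a
# less specific route; there is no 32-bit host route for the FEC.
LSR1_ROUTES = {
    "1.3.0.0/24": ("GE0/0/1", "LSR_2"),   # aggregate advertised by LSR_2
    "1.0.0.0/8": ("GE0/0/2", "LSR_5"),    # constructed less specific route
}

if __name__ == "__main__":
    for cross_domain in (False, True):
        print("cross-domain" if cross_domain else "default",
              resolve_fec(LSR1_ROUTES, "1.3.0.1/32", cross_domain))
```

  Without the extension the mapping for 1.3.0.1/32 stays a Liberal LSP because `resolve_fec` returns None; with it the aggregate's outgoing interface and next hop become the LSP's, and the /24 wins over the /8 even though both contain the FEC.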

  LDP is the protocol used to establish LDP sessions between LSRs and to exchange label/FEC mapping information.

  LDP uses UDP (protocol ID 17) to discover neighbors and TCP (protocol ID 6) to establish adjacencies; the LDP destination port number is 646.

  The LDP protocol sends hello messages to the multicast group 224.0.0.2 (all routers that have multicast enabled) to discover LDP neighbors on directly connected links.

  The LDP hello packet sending interval is 5 s, and the hold time is 3 times the hello interval, 15 s.

  The LDP keepalive packet sending interval is 15 s, and the hold timer is 3 times the keepalive interval, 45 s.

  LDP loop detection mechanism:

  The LDP routing vector method and the maximum hop count method are implemented with two TLVs: the Path Vector TLV and the Hop Count TLV. If the user configures both methods to detect loops, then both label request messages (Label Request Message) and label mapping messages (Label Mapping Message) carry both TLVs.

  Routing vector method: each LSR includes a Path Vector TLV in the label request message (label mapping message). The ingress (egress) LSR sets the path length value to 1 and adds its own LSR ID to the TLV list; each subsequent hop that forwards the label request message (label mapping message) increases the length value by 1 and adds its own LSR ID. If a receiving LSR finds that the length value has reached the preset maximum, or that the LSR ID list already contains its own LSR ID, it concludes that a loop has occurred, sends a notification message, and refuses to establish the LSP.
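  Both checks in one place, as an added example (not code from the article or from any LDP implementation): a label request is originated with path length 1 and the originator's ID, each receiving LSR first checks the received TLVs and then extends them, and the two loop conditions (own ID already in the path vector, or hop count at the preset maximum) are each exercised on a constructed path. The LSR IDs "A" to "E" and the maximum of 4 are constructed.

```python
# Added example (not from the original article): Path Vector and Hop Count TLV
# loop detection on a label request. LSR IDs and the maximum are constructed.
MAX_PATH_LENGTH = 4        # constructed preset maximum for the Hop Count TLV


class LoopDetected(Exception):
    """Raised where a real LSR would send a Notification and refuse the LSP."""


def originate(lsr_id):
    # The ingress (or egress, for mapping messages) starts the TLVs: length 1, its own ID.
    return [lsr_id], 1


def on_receive(lsr_id, path_vector, hop_count):
    # Check the received TLVs first, then extend them for the next hop.
    if lsr_id in path_vector:
        raise LoopDetected(f"{lsr_id} already present in path vector {path_vector}")
    if hop_count >= MAX_PATH_LENGTH:
        raise LoopDetected(f"hop count {hop_count} reached the maximum {MAX_PATH_LENGTH}")
    return path_vector + [lsr_id], hop_count + 1


def walk(path):
    # Simulate a label request message travelling along the LSRs in `path`;
    # returns the final TLV contents or where and why the request was refused.
    path_vector, hop_count = originate(path[0])
    for lsr_id in path[1:]:
        try:
            path_vector, hop_count = on_receive(lsr_id, path_vector, hop_count)
        except LoopDetected as err:
            return {"status": "loop", "reason": str(err), "stopped_at": lsr_id,
                    "path_vector": path_vector, "hop_count": hop_count}
    return {"status": "ok", "path_vector": path_vector, "hop_count": hop_count}


if __name__ == "__main__":
    print(walk(["A", "B", "C", "D"]))        # loop-free, within the maximum
    print(walk(["A", "B", "C", "A"]))        # request returns to A: path vector catches it
    print(walk(["A", "B", "C", "D", "E"]))   # too long: hop count catches it
```

  The path vector check catches a loop as soon as the message re-enters an LSR it has visited, while the hop count check bounds how far a message can travel even if the IDs are never repeated; that is why a deployment may carry both TLVs at once.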

  LDP: labels can be assigned to direct, static, and IGP routes.

  RSVP-TE: reserves resources and assigns labels for TE.

  MPBGP: labels can be assigned to private network routes.

  BGP: labels can be assigned to BGP routes.

  A Forwarding Equivalence Class (FEC) is a set of data flows that share certain characteristics; during forwarding, the LSR treats all flows in one FEC in the same way.

  FECs can be divided by factors such as address, service type, and QoS. For example, in traditional IP forwarding using the longest-match algorithm, all packets matching the same route form one forwarding equivalence class.

Origin blog.csdn.net/vecloud/article/details/114657619