【MPLS LDP】Security policy


LDP protocol

Security Policy Introduction

  • LDP MD5 authentication

    MD5 (Message-Digest Algorithm 5) is a widely used message digest algorithm: it is a hash, not an encryption algorithm, and its output cannot be reversed to recover the input. Its typical use is to compute a fixed-length digest of a message so that tampering can be detected: any change to the input produces a different digest, so a receiver that recomputes the digest and finds a mismatch knows the message was altered. (MD5 is no longer collision-resistant and is unsuitable as a general-purpose hash; what makes it usable here is that the digest also covers a shared password, so an attacker who can see or modify packets but does not know the password cannot produce a valid digest.)

    LDP MD5 authentication uses this property to give LDP packets a tamper check that is stronger than the ordinary TCP checksum, which anyone on the path can recompute.

    The check is applied at the TCP layer before the LDP message is sent: the sender computes an MD5 digest over the TCP header, the LDP message (the TCP payload) and the user-configured password, and carries the 16-byte result in a TCP option placed after the fixed TCP header (the TCP MD5 Signature Option of RFC 2385).

    When the receiver gets the TCP segment, it extracts the TCP header, the carried digest and the LDP message, recomputes the digest over the TCP header, the LDP message and the locally stored password, and compares the result with the carried digest. A mismatch means the segment was tampered with in transit (or the two ends have different passwords), and the segment is discarded.

    When setting the password the user chooses between plaintext and ciphertext. These terms refer only to how the password is recorded in the configuration file: plaintext records the string exactly as entered, ciphertext records it encrypted with a device-specific algorithm.

    Whichever record form is chosen, the string the user typed is what enters the digest calculation, so both ends must be given the same string even if they store it differently.
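    The signing and checking steps above, as an added example in Python that is not part of the original post and not Huawei's implementation. It builds a constructed LDP Initialization PDU (RFC 5036 layout), signs the TCP segment with the RFC 2385 MD5 Signature Option computed over the IPv4 pseudo-header, the fixed TCP header and the payload followed by the password, and verifies it on the receiving side, including a wrong password and a one-bit modification of the LDP message. The addresses, ports, sequence numbers and password are made up, and the TCP checksum is left zero because nothing is sent.

```python
import hashlib
import hmac
import socket
import struct

LDP_PORT = 646
TCPOPT_MD5SIG = 19       # RFC 2385 option kind
TCPOPT_MD5SIG_LEN = 18   # kind + length + 16-byte digest


def ldp_init_pdu(lsr_id: str, peer_lsr_id: str, keepalive: int = 45) -> bytes:
    """Constructed LDP PDU carrying one Initialization message (RFC 5036 3.5.3)."""
    csp = struct.pack("!HHHHBBH", 0x0500, 14, 1, keepalive, 0, 0, 4096)
    csp += socket.inet_aton(peer_lsr_id) + b"\x00\x00"         # receiver LDP identifier
    msg = struct.pack("!HHI", 0x0200, 4 + len(csp), 1) + csp  # type, length, message id
    body = socket.inet_aton(lsr_id) + b"\x00\x00" + msg        # LDP identifier + message
    return struct.pack("!HH", 1, len(body)) + body             # version 1, PDU length


def tcp_header(sport, dport, seq, ack, flags, digest: bytes) -> bytes:
    """Fixed TCP header plus the MD5 Signature Option, padded to 20 option bytes.
    The checksum is left zero here; a real stack fills it in after signing."""
    opts = bytes([TCPOPT_MD5SIG, TCPOPT_MD5SIG_LEN]) + digest + b"\x00\x00"
    data_offset = (20 + len(opts)) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset << 4,
                       flags, 65535, 0, 0) + opts


def covered_bytes(src_ip, dst_ip, hdr: bytes, payload: bytes) -> bytes:
    """What the signature protects (RFC 2385 section 2): IPv4 pseudo-header, the
    fixed TCP header with checksum zeroed and options excluded, then the payload."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
    pseudo += struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(hdr) + len(payload))
    fixed = hdr[:16] + b"\x00\x00" + hdr[18:20]
    return pseudo + fixed + payload


def tcp_md5_signature(covered: bytes, password: bytes) -> bytes:
    """RFC 2385 simply appends the key. The password bytes are the string as typed;
    plain vs cipher only changes how the config file stores it, not this input."""
    return hashlib.md5(covered + password).digest()


def sign_segment(src_ip, dst_ip, sport, dport, seq, ack, payload, password) -> bytes:
    PSH_ACK = 0x18
    draft = tcp_header(sport, dport, seq, ack, PSH_ACK, b"\x00" * 16)
    digest = tcp_md5_signature(covered_bytes(src_ip, dst_ip, draft, payload), password)
    return tcp_header(sport, dport, seq, ack, PSH_ACK, digest) + payload


def carried_digest(hdr: bytes):
    """Walk the TCP options and return the 16-byte RFC 2385 digest, or None."""
    i = 20
    while i < len(hdr):
        kind = hdr[i]
        if kind == 0:                                  # end of option list
            return None
        if kind == 1:                                  # NOP
            i += 1
            continue
        length = hdr[i + 1]
        if kind == TCPOPT_MD5SIG and length == TCPOPT_MD5SIG_LEN:
            return hdr[i + 2:i + 18]
        i += max(length, 2)
    return None


def verify_segment(src_ip, dst_ip, segment: bytes, password: bytes) -> bool:
    """Receiver side: recompute with the local password and compare in constant
    time. A segment without the option fails too (once configured, it is required)."""
    hlen = (segment[12] >> 4) * 4
    hdr, payload = segment[:hlen], segment[hlen:]
    carried = carried_digest(hdr)
    if carried is None:
        return False
    expected = tcp_md5_signature(covered_bytes(src_ip, dst_ip, hdr, payload), password)
    return hmac.compare_digest(carried, expected)


def demo():
    """Returns (good, wrong_password, tampered) verification results."""
    a, b, pw = "10.0.0.1", "10.0.0.2", b"Huawei@123"   # constructed addresses/password
    pdu = ldp_init_pdu("1.1.1.1", "2.2.2.2")
    seg = sign_segment(a, b, 50000, LDP_PORT, 1000, 2000, pdu, pw)
    tampered = seg[:-1] + bytes([seg[-1] ^ 0x01])    # flip one bit of the LDP message
    return (verify_segment(a, b, seg, pw),
            verify_segment(a, b, seg, b"Huawei@124"),
            verify_segment(a, b, tampered, pw))


if __name__ == "__main__":
    print(demo())
```

    The digest is keyed by concatenation rather than HMAC, which is how RFC 2385 defines it; that is one reason the option is considered legacy, but its security for LDP still rests on the password never being observable on the wire.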

  • LDP Keychain Authentication

    Keychain is not a new digest algorithm but a key-management mechanism built on the same idea as MD5 authentication: a digest is computed over each LDP message with a key, and the receiver recomputes it to detect tampering.

    Keychain lets the user define a group of keys, each with its own authentication algorithm (MD5, SHA-1 and others) and its own validity period. When sending or receiving, the system selects the key that is currently valid according to the configuration, and uses that key and its algorithm to generate the digest on transmit and verify it on receipt. Because the system switches keys automatically as their validity periods begin and end, the weakness of a single password left unchanged for a long time is avoided.

    The keys, the algorithm used for each, and each key's validity period are configured together as a Keychain configuration node. Each node needs at least one key with an algorithm specified.

    After the Keychain node is configured, enter the global MPLS LDP view, name the peer that should use it and the Keychain node's name, and the LDP session to that peer is authenticated with the referenced keychain. Different peers may reference the same Keychain node.
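    A model of the keychain behaviour described above, as an added example that is not from the page and not Huawei's on-box implementation. Each key carries a send window and a deliberately wider receive window; the sender picks the key whose send window contains the current time, and the receiver accepts a key only while its receive window is open, so a rollover survives clock skew between the peers and an expired key cannot be replayed. The key identifier carried with the digest, the algorithm names, the tie-break for overlapping windows and the use of HMAC are this example's assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Algorithm names are assumed for this model; the page lists MD5 and SHA-1 among the choices.
_ALGORITHMS = {"hmac-md5": hashlib.md5, "hmac-sha1": hashlib.sha1, "hmac-sha-256": hashlib.sha256}


@dataclass(frozen=True)
class Key:
    key_id: int
    algorithm: str
    secret: bytes
    send_from: datetime
    send_to: datetime
    recv_from: datetime    # receive window is kept wider than the send window so that
    recv_to: datetime      # clock skew at rollover does not drop the peer's messages


def mac(key: Key, message: bytes) -> bytes:
    return hmac.new(key.secret, message, _ALGORITHMS[key.algorithm]).digest()


def send_key(keys, now: datetime):
    """Key to sign with: the lowest key-id whose send window contains now
    (assumption: lowest id wins if an operator lets two send windows overlap)."""
    for key in sorted(keys, key=lambda k: k.key_id):
        if key.send_from <= now < key.send_to:
            return key
    return None


def sign(keys, message: bytes, now: datetime):
    """Returns (key_id, digest); the key id travels with the message so the
    receiver knows which key to try (modelling assumption)."""
    key = send_key(keys, now)
    if key is None:
        raise RuntimeError("no key valid for sending; the session would drop")
    return key.key_id, mac(key, message)


def verify(keys, message: bytes, key_id: int, digest: bytes, now: datetime) -> bool:
    """Accept only if the named key exists, its receive window covers now and the
    digest matches; an old key outside its receive window cannot be replayed."""
    for key in keys:
        if key.key_id == key_id and key.recv_from <= now < key.recv_to:
            return hmac.compare_digest(digest, mac(key, message))
    return False


def rollover_demo():
    """Two keys whose receive windows overlap by a day around the day-30 switch."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    day = timedelta(days=1)
    keys = [                                                  # constructed keychain
        Key(1, "hmac-sha1", b"jan-secret", t0, t0 + 30 * day, t0, t0 + 31 * day),
        Key(2, "hmac-sha-256", b"feb-secret", t0 + 30 * day, t0 + 60 * day,
            t0 + 29 * day, t0 + 61 * day),
    ]
    msg = b"constructed LDP KeepAlive"
    results = {}
    for label, d in {"day10": 10, "day29": 29, "day30": 30, "day35": 35}.items():
        kid, digest = sign(keys, msg, t0 + d * day)
        results[label] = (kid, verify(keys, msg, kid, digest, t0 + d * day))
    # A receiver whose clock runs two hours ahead still accepts key 1 right after the switch.
    kid, digest = sign(keys, msg, t0 + 30 * day - timedelta(minutes=5))
    results["skew"] = verify(keys, msg, kid, digest, t0 + 30 * day + timedelta(hours=2))
    # Replaying a day-10 message on day 35 fails: key 1's receive window has closed.
    kid, digest = sign(keys, msg, t0 + 10 * day)
    results["replay"] = verify(keys, msg, kid, digest, t0 + 35 * day)
    return results


if __name__ == "__main__":
    for name, outcome in rollover_demo().items():
        print(name, outcome)
```

    The point to carry into a real keychain configuration is the window shape: if the receive window of the old key closes at the same instant the new key's send window opens, any clock difference between the two LSRs drops the session at every rotation.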

  • LDP GTSM Features

    LDP GTSM is the application of GTSM (Generalized TTL Security Mechanism) to LDP.

    GTSM decides whether a packet is acceptable by checking the TTL value in its IP header, and so protects the device from remote attacks. GTSM for LDP applies this check to LDP messages exchanged between peers that are directly connected or a known number of hops apart: because every router on the path decrements the TTL, the TTL of a packet from a legitimate peer is determined by the hop count, and a remote attacker cannot raise the TTL above the value it started with. When GTSM is applied between two peers, an LDP message whose TTL falls outside the configured range is treated as an attack packet and discarded, which protects the upper-layer protocol from spoofed traffic.

Attack method introduction

none

Configuration and Maintenance Guide

  • Configuring LDP MD5 Authentication

    Configuring LDP authentication improves the security of LDP session connections. It must be configured on the LSRs at both ends of the session.

    To improve the security of LDP session connections, configure MD5 authentication for the TCP connections that LDP uses. The two peers of an LDP session may store the password in different forms (plain on one side, cipher on the other), but the password string itself must be identical on both ends.

    LDP MD5 authentication relies on the digest changing whenever the signed data changes, giving LDP packets a tamper check that is stronger than the ordinary TCP checksum because it also covers the shared password.

    Choose LDP MD5 authentication or LDP Keychain authentication according to your requirements.

    MD5 is simple to configure: a single password is set, and changing it requires manual intervention. It suits networks that need authentication only for a short period.

    Keychain holds a set of keys that can be switched automatically according to the configuration; the configuration is more involved, and it suits networks with higher security requirements.

    For a given neighbor, MD5 authentication cannot be configured once Keychain authentication is configured, and Keychain authentication cannot be configured once MD5 authentication is configured.

    1. Run the system-view command to enter the system view.

    2. Run the mpls ldp command to enter the MPLS-LDP view.

    3. Run the md5-password { plain | cipher } peer-lsr-id password command to enable MD5 authentication and configure the authentication password.

      The password can be recorded in plaintext or ciphertext. These terms refer only to how the password is stored in the configuration file: plain records the string exactly as entered, cipher records it encrypted with a device-specific algorithm. The string as entered is what is used in the digest, so both ends must be given the same string.

      By default, MD5 authentication is not performed between LDP peers.

      Configuring LDP MD5 authentication causes the LDP session to be re-established, and the LSPs associated with the original session are deleted; plan the change for a maintenance window.

      With the plain option the password is saved in the configuration file in clear text, and any low-privilege user who can view the configuration can read it. Use the cipher option so that the password is stored encrypted.

  • Configuring LDP Keychain Authentication

    To improve the security of LDP session connections, configure Keychain authentication for the TCP connections that LDP uses.

    Keychain lets the user define a group of keys, each with its own authentication algorithm (MD5, SHA-1 and others) and validity period. When sending or receiving, the system selects the key that is currently valid and uses that key and its algorithm to generate the digest on transmit and verify it on receipt; keys are switched automatically as their validity periods begin and end, so a password is never left unchanged for a long time.

    Choose LDP MD5 authentication or LDP Keychain authentication according to your requirements: MD5 is simple to configure but uses a single password that must be changed manually, so it suits networks that need authentication only for a short period; Keychain rotates keys automatically at the cost of a more involved configuration, and suits networks with higher security requirements.

    For a given neighbor, MD5 authentication cannot be configured once Keychain authentication is configured, and Keychain authentication cannot be configured once MD5 authentication is configured.

    Before configuring LDP Keychain authentication, configure the global keychain (its keys, algorithms and validity periods) first; the LDP configuration only references it by name.

    1. Run the system-view command to enter the system view.

    2. Run the mpls ldp command to enter the MPLS-LDP view.

    3. Run the authentication key-chain  peer  peer-id  name  keychain-name command to enable LDP keychain authentication and refer to the configured keychain name.

      By default, LDP keychain authentication is not performed between LDP peers.

      Configuring LDP keychain authentication will cause the LDP session to be reestablished, and the LSP related to the original session will be deleted.

  • Configuring the LDP GTSM Function

    LDP GTSM must be configured on both LDP peer nodes, since each side has to send its LDP messages with the TTL the check expects and apply the check to what it receives.

    Generalized TTL Security Mechanism (GTSM) decides whether a packet is valid by checking its TTL value, and so protects the device from attacks. With GTSM configured on LDP peers, the TTL of LDP messages exchanged between them is checked against the configured valid range. An LDP message whose TTL is outside that range is treated as an attack packet and discarded. This prevents an attacker who floods the LDP process with spoofed messages from driving CPU utilization up through their processing, and so protects the upper-layer protocol.

    1. Run the system-view command to enter the system view.

    2. Run the mpls ldp command to enter the MPLS LDP view.

    3. Run the gtsm peer ip-address valid-ttl-hops hops command to configure the LDP GTSM function for that peer.

      hops is the maximum number of hops the GTSM check allows. A message from the LDP peer is accepted only when its TTL lies in the range [255 - hops + 1, 255]; otherwise it is discarded. Set hops to the real distance to the peer (1 for a directly connected peer): every additional hop allowed widens the set of TTL values, and therefore the set of network positions, from which an attacker's packets would pass the check.
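    The TTL check described by the command above, as an added example in Python that is not from the page. It applies the [255 - hops + 1, 255] rule to constructed IPv4 packets: one from the directly connected peer, one from an attacker three routers away whose packets arrive with a TTL it cannot restore, and one from a peer that has not been configured with GTSM and therefore sends an ordinary default TTL. The addresses and the assumed default TTL of 64 are made up; the headers are never sent.

```python
import socket
import struct


def gtsm_accepts(ttl: int, valid_ttl_hops: int) -> bool:
    """The rule given for `gtsm peer ... valid-ttl-hops hops`: accept a packet only
    when its TTL lies in [255 - hops + 1, 255]."""
    if not 1 <= valid_ttl_hops <= 255:
        raise ValueError("valid-ttl-hops must be in 1..255")
    return (255 - valid_ttl_hops + 1) <= ttl <= 255


def ipv4_ttl(packet: bytes) -> int:
    """Read the TTL field (byte 8) of an IPv4 header; GTSM looks at nothing else."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return packet[8]


def ipv4_packet(src: str, dst: str, ttl: int, payload: bytes = b"") -> bytes:
    """Constructed IPv4 header (checksum left zero, never sent) so the check runs offline."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      socket.IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def after_routers(packet: bytes, routers: int) -> bytes:
    """Each router on the path decrements TTL by 1 and drops the packet at 0; this is
    what an attacker some hops away can never undo, however it sets the initial TTL."""
    ttl = ipv4_ttl(packet) - routers
    if ttl <= 0:
        raise ValueError("packet expired in transit")
    return packet[:8] + bytes([ttl]) + packet[9:]


def scenarios():
    """Returns {name: accepted?} for a peer configured with valid-ttl-hops 1 (directly
    connected) and, for comparison, a loose valid-ttl-hops 5."""
    peer_pkt = ipv4_packet("10.0.0.2", "10.0.0.1", 255)           # GTSM peer sends TTL 255
    attacker_pkt = after_routers(ipv4_packet("192.0.2.66", "10.0.0.1", 255), 3)
    legacy_pkt = ipv4_packet("10.0.0.2", "10.0.0.1", 64)          # peer without GTSM, assumed default TTL
    return {
        "peer_hops1": gtsm_accepts(ipv4_ttl(peer_pkt), 1),
        "attacker_3_routers_hops1": gtsm_accepts(ipv4_ttl(attacker_pkt), 1),
        "attacker_3_routers_hops5": gtsm_accepts(ipv4_ttl(attacker_pkt), 5),
        "peer_without_gtsm_hops1": gtsm_accepts(ipv4_ttl(legacy_pkt), 1),
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name}: {'accept' if accepted else 'drop'}")
```

    The last two cases are the ones that matter operationally: a generous hops value lets the remote attacker through again, and a peer on which GTSM was not configured loses its session because its messages no longer arrive with a TTL in range.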


Origin blog.csdn.net/2301_76769041/article/details/132466511