- MPLS Label Distribution Protocol (LDP)
- MPLS LDP - Local Label Allocation Filtering
- MPLS LDP Autoconfiguration
- MPLS LDP-IGP Synchronization
- MPLS LDP Session Protection
- MPLS LDP Inbound Label Binding Filtering
- MPLS LDP - Lossless MD5 Session Authentication
- MPLS�LDP MD5 Global Configuration
- MPLS LDP--VRF-Aware Static Labels
- Contents
- Prerequisites for MPLS LDP—Lossless MD5 Session Authentication
- Restrictions for MPLS LDP—Lossless MD5 Session Authentication
- Information About MPLS LDP—Lossless MD5 Session Authentication
- How MPLS LDP Messages in MPLS LDP—Lossless MD5 Session Authentication are Exchanged
- The Evolution of MPLS LDP MD5 Password Features
- Keychains Use with MPLS LDP—Lossless MD5 Session Authentication
- Application of Rules to Overlapping Passwords
- Password Rollover Period Guidelines
- Resolving LDP Password Problems
- How to Configure MPLS LDP—Lossless MD5 Session Authentication
- Configuration Examples for MPLS LDP—Lossless MD5 Session Authentication
- Configuring MPLS LDP—Lossless MD5 Session Authentication Using a Keychain (Symmetrical): Example
- Configuring MPLS LDP—Lossless MD5 Session Authentication Using a Keychain (Asymmetrical): Example
- Changing MPLS LDP—Lossless MD5 Session Authentication Password: Example
- Changing MPLS LDP—Lossless MD5 Session Authentication Password Using a Rollover Without Keychain: Example
- Changing MPLS LDP—Lossless MD5 Session Authentication Password Using a Rollover with a Keychain: Example
- Changing MPLS LDP—Lossless MD5 Session Authentication Password Using a Fallback Password With a Keychain: Example
- Changing MPLS LDP—Lossless MD5 Session Authentication: Common Misconfiguration Examples
- Changing MPLS LDP—Lossless MD5 Session Authentication Using a Second Key to Avoid LDP Session Failure: Examples
MPLS LDP—Lossless MD5 Session Authentication
Last Updated: July 11, 2008
The MPLS LDP—Lossless MD5 Session Authentication feature enables a Label Distribution Protocol (LDP) session to be password-protected without tearing down and reestablishing the LDP session.
Finding Feature Information in This Module
Your Cisco IOS software release may not support all of the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the "Feature Information for MPLS LDP—Lossless MD5 Session Authentication" section.
Finding Support Information for Platforms and Cisco IOS and Catalyst OS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
Prerequisites for MPLS LDP—Lossless MD5 Session Authentication
•Restrictions for MPLS LDP—Lossless MD5 Session Authentication
•Information About MPLS LDP—Lossless MD5 Session Authentication
•How to Configure MPLS LDP—Lossless MD5 Session Authentication
•Configuration Examples for MPLS LDP—Lossless MD5 Session Authentication
•Feature Information for MPLS LDP—Lossless MD5 Session Authentication
•Feature Information for MPLS LDP—Lossless MD5 Session Authentication
Prerequisites for MPLS LDP—Lossless MD5 Session Authentication
The MPLS LDP—Lossless MD5 Session Authentication feature is an enhancement to the MPLS LDP MD5 Global Configuration feature. Before configuring the MPLS LDP—Lossless MD5 Session Authentication feature, refer to the MPLS—LDP MD5 Global Configuration feature module for more information on how the message digest algorithm 5 (MD5) works with MPLS LDP to ensure that LDP segments remain properly protected.
Note The MPLS LDP—Lossless MD5 Session Authentication feature must be configured before MPLS LDP is configured.
Configure the following features on the label switch router (LSR) before configuring the MPLS LDP—Lossless MD5 Session Authentication feature:
•Cisco Express Forwarding or distributed Cisco Express Forwarding
•Static or dynamic routing
•MPLS Virtual Private Network (VPN) routing and forwarding (VRFs) instances for MPLS VPNs
•MPLS LDP—Lossless MD5 Session Authentication for the MPLS VPN VRFs
Note If a VRF is deleted, then the lossless MD5 session authentication for that VRF is automatically removed.
Restrictions for MPLS LDP—Lossless MD5 Session Authentication
MD5 protection applies to LDP sessions between peers. Tag Distribution Protocol (TDP) sessions between peers are not protected.
Information About MPLS LDP—Lossless MD5 Session Authentication
You should understand the following concepts before configuring the MPLS LDP—Lossless MD5 Session Authentication feature:
•How MPLS LDP Messages in MPLS LDP—Lossless MD5 Session Authentication are Exchanged
•The Evolution of MPLS LDP MD5 Password Features
•Keychains Use with MPLS LDP—Lossless MD5 Session Authentication
•Application of Rules to Overlapping Passwords
•Password Rollover Period Guidelines
•Resolving LDP Password Problems
How MPLS LDP Messages in MPLS LDP—Lossless MD5 Session Authentication are Exchanged
MPLS LDP messages (discovery, session, advertisement, and notification messages) are exchanged between LDP peers through two channels:
•LDP discovery messages are transmitted as User Datagram Protocol (UDP) packets to the well-known LDP port.
•Session, advertisement, and notification messages are exchanged through a TCP connection established between two LDP peers.
The MPLS LDP—Lossless MD5 Session Authentication feature allows an LDP session to be password-protected without tearing down and reestablishing the LDP session. The MD5 password can be implemented and changed without interrupting the LDP session.
The Evolution of MPLS LDP MD5 Password Features
The initial version of LDP MD5 protection allowed authentication to be enabled between two LDP peers and each segment sent on the TCP connection was verified between the peers. Authentication was configured on both LDP peers using the same password; otherwise, the peer session was not established. The mpls ldp neighbor command was issued with the password keyword. When MD5 protection was enabled, the router tore down the existing LDP sessions and established new sessions with the neighbor router.
An improved MD5 protection feature, called MPLS—LDP MD5 Global Configuration, was later introduced that allowed LDP MD5 to be enabled globally instead of on a per-peer basis. Using this feature, password requirements for a set of LDP neighbors could be configured. The MPLS LDP MD5 Global Configuration feature also improved the ability to maintain the LDP session. The LDP session with a peer was not automatically torn down when the password for that peer was changed. The new password was implemented the next time an LDP session was established with the peer.
The MPLS LDP—Lossless MD5 Session Authentication feature is based on the MPLS LDP MD5 Global Configuration feature. However, the MPLS LDP—Lossless MD5 Session Authentication feature provides the following enhancements:
•Activate or change LDP MD5 session authentication without interrupting the LDP session.
•Configure multiple passwords, so one password can be used now and other passwords later.
•Configure asymmetric passwords, which allows one password to be used for incoming TCP segments and a different password to be used for outgoing TCP segments.
•Configure passwords so that they overlap for a period of time. This functionality is beneficial when the clocks on two LSRs are not synchronized.
These enhancements are available by using the key-chain command, which allows different key strings to be used at different times according to the keychain configuration.
Keychains Use with MPLS LDP—Lossless MD5 Session Authentication
The MPLS LDP—Lossless MD5 Session Authentication feature allows keychains to be used to specify different MD5 keys to authenticate LDP traffic exchanged in each direction.
In the following example, three passwords are configured:
•Key 1 specifies the lab password. The send-lifetime command enables the lab password to authenticate the outgoing TCP segments from November 2, 2007, at 10:00:00 a.m. until December 2, 2007, at 10:00:00 a.m. The accept-lifetime command is configured so that the lab password is never used to authenticate incoming TCP segments. The accept-lifetime command enables the lab password for 1 second on January 1, 1970. By setting the date to the past and by enabling a duration of 1 second, the password for incoming TCP segments immediately expires. If the accept-lifetime command is omitted from the keychain configuration, then the password is always valid for incoming TCP segments.
•Key 2 and key 3 specify the lab2 and lab3 passwords, respectively. The send-lifetime commands enable the passwords for 1 second on January 1, 1970. By setting the date to the past and by enabling a duration of 1 second, the passwords for outgoing TCP segments immediately expire. If the send-lifetime commands are omitted from the keychain configuration, the passwords are always valid for outgoing TCP segments. The accept-lifetime commands for key 2 and key 3 enable the passwords to authenticate the incoming TCP segments from November 2, 2007, at 10:00:00 a.m. until November 17, 2007, at 10:00:00 a.m. and from November 17, 2007, at 10:00:00 a.m. until December 2, 2007, at 10:00:00 a.m., respectively.
key chain ldp-pwd
key 1
key-string lab
send-lifetime 10:00:00 Nov 2 2007 10:00:00 Dec 2 2007
accept-lifetime 00:00:00 Jan 1 1970 duration 1
key 2
key-string lab2
send-lifetime 00:00:00 Jan 1 1970 duration 1
accept-lifetime 10:00:00 Nov 2 2007 10:00:00 Nov 17 2007
key 3
key-string lab3
send-lifetime 00:00:00 Jan 1 1970 duration 1
accept-lifetime 10:00:00 Nov 17 2007 10:00:00 Dec 2 2007
!
mpls ldp password option 1 for nbr-acl key-chain ldp-pwd
Application of Rules to Overlapping Passwords
Overlapping passwords can be useful when two LSRs have clocks that are not synchronized. The overlapping passwords provide a window to ensure that TCP packets are not dropped. The following rules apply to overlapping passwords:
•If the send-lifetime value for the next password begins before the send-lifetime value of the current password expires, the password with the shorter key ID is used during the overlap period. The send-lifetime value of the current password can be shortened by configuring a shorter send-lifetime value. Similarly, the send-lifetime value of the current password can be lengthened by configuring a longer send-lifetime value.
•If the accept-lifetime value for the next password begins before the accept-lifetime value of the current password expires, both the next password and the current password are used concurrently. The next password information is passed to TCP. If TCP fails to authenticate the incoming segments with the current password, it tries authenticating with the next password. If TCP authenticates a segment using the new password, it discards the current password and uses the new password from that point on.
•If a password for incoming or outgoing segments expires and no additional valid password is configured, one of the following actions take place:
–If a password is required for the neighbor, LDP drops the existing session.
–If a password is not required for the neighbor, LDP attempts to roll over to a session that does not require authentication. This attempt also fails unless the password expires on both LSRs at the same time.
Password Rollover Period Guidelines
Both old and new passwords are valid during a rollover period. This ensures a smooth rollover when clocks are not synchronized between two LDP neighbors. When passwords are configured using a keychain, the rollover period is equal to the accept-lifetime overlap between two successive receive passwords.
The minimum rollover period (the duration between two consecutive MD5 key updates) must be longer than the value of the LDP keepalive interval time to ensure an update of new MD5 authentication keys. If LDP session hold time is configured to its default value of 3 minutes, the LDP keepalive interval is 1 minute. The minimum rollover period should be 5 minutes. However, we recommend that the minimum rollover period is set to between 15 and 30 minutes.
To ensure a seamless rollover, follow these guidelines:
•Ensure that the local time on the peer LSRs is the same before configuring the keychain.
•Check for error messages (TCP-6-BADAUTH) that indicate keychain misconfiguration.
•Validate the correct keychain configuration by checking for the following password messages:
%LDP-5-PWDCFG: Password configuration changed for 10.1.1.1:0
%LDP-5-PWDRO: Password rolled over for 10.1.1.1:0
Resolving LDP Password Problems
LDP displays error messages when an unexpected neighbor attempts to open an LDP session, or the LDP password configuration is invalid. Some existing LDP debugs also display password information.
When a password is required for a potential LDP neighbor, but no password is configured for it, the LSR ignores LDP hello messages from that neighbor. When the LSR processes the hello message and tries to establish a TCP connection with the neighbor, it displays the error message and stops establishing the LDP session with the neighbor. The error is rate-limited and has the following format:
00:00:57: %LDP-5-PWD: MD5 protection is required for peer 10.2.2.2:0(glbl), no password configured
When passwords do not match between LDP peers, TCP displays the following error message on the LSR that has the lower router ID; that is, the router that has the passive role in establishing TCP connections:
00:01:07: %TCP-6-BADAUTH: Invalid MD5 digest from 10.2.2.2(11051) to 10.1.1.1(646)
If one peer has a password configured and the other one does not, TCP displays the following error messages on the LSR that has a password configured:
00:02:07: %TCP-6-BADAUTH: No MD5 digest from 10.1.1.1(646) to 10.2.2.2(11099)
How to Configure MPLS LDP—Lossless MD5 Session Authentication
This section contains the following procedures:
•Configuring MPLS LDP—Lossless MD5 Session Authentication Using a Keychain (Optional)
•Enabling the Display of MPLS LDP Password Rollover Changes and Events (Optional)
•Changing MPLS LDP—Lossless MD5 Session Authentication Passwords (Optional)
Configuring MPLS LDP—Lossless MD5 Session Authentication Using a Keychain
Perform this task to configure the MPLS LDP—Lossless MD5 Session Authentication feature using a keychain. Keychains allow a different key string to be used at different times according to the keychain configuration. MPLS LDP queries the appropriate keychain to obtain the current live key and key ID for the specified keychain.
SUMMARY STEPS
1. enable
2. configure terminal
3. access-list access-list-number {permit | deny} {type-code wildcard-mask | ip-address mask}
4. key chain name-of-chain
5. key key-id
6. key-string string
7. accept-lifetime {start-time | local start-time} {duration seconds | end-time | infinite}
8. send-lifetime {start-time | local start-time} {duration seconds | end-time | infinite}
9. exit
10. exit
11. mpls ldp [vrf vrf-name] password option number for acl {key-chain keychain-name | [0 | 7] password}
12. exit
13. show mpls ldp neighbor [vrf vrf-name | all] [ip-address | interface] [detail] [graceful-restart]
DETAILED STEPS
Enabling the Display of MPLS LDP Password Rollover Changes and Events
When a password is required for a neighbor, but no password is configured for the neighbor, the following debug message is displayed:
00:05:04: MDSym5 protection is required for peer 10.2.2.2:0(glbl), but no password configured.
To enable the display of events related to configuration changes and password rollover events, perform this task.
SUMMARY STEPS
1. enable
2. configure terminal
3. mpls ldp logging password configuration [rate-limit number]
4. mpls ldp logging password rollover [rate-limit number]
5. exit
6. debug mpls ldp transport events
or
debug mpls ldp transport connections
DETAILED STEPS
Step 1 enable
This command enables privileged EXEC mode. Enter the password if prompted.
Step 2 configure terminal
This command enables global configuration mode.
Step 3 mpls ldp logging password configuration [rate-limit number]
This command is used to enable the display of events related to configuration changes. The output displays events when a new password is configured or an existing password has been changed or deleted. A rate limit of 1 to 60 messages a minute can be specified.
Step 4 mpls ldp logging password rollover [rate-limit number]
This command is used to enable the display of events related to password rollover events. Events are displayed when a new password is used for authentication or when authentication is disabled. A rate limit of 1 to 60 messages a minute can be specified.
Step 5 exit
This command exits global configuration mode.
Step 6 debug mpls ldp transport events
or
debug mpls ldp transport connections
Either command displays notifications when a session TCP MD5 option is changed.
For example:
00:03:44: ldp: MD5 setup for peer 10.2.2.2:0(glbl); password changed to adfas
00:05:04: ldp: MD5 setup for peer 10.52.52.2:0(vpn1(1)); password changed to [nil]
Changing MPLS LDP—Lossless MD5 Session Authentication Passwords
The MPLS LDP—Lossless MD5 Session Authentication feature allows MD5 passwords to be changed for LDP session authentication without having to close and reestablish an existing LDP session.
SUMMARY STEPS
1. enable
2. configure terminal
3. mpls ldp [vrf vrf-name] password rollover duration minutes
4. mpls ldp [vrf vrf-name] password fallback {key-chain keychain-name | [0 | 7] password}
5. no mpls ldp neighbor [vrf vpn-name] ip-address password password
6. exit
7. show mpls ldp neighbor [vrf vrf-name] [ip-address | interface] [detail] [graceful-restart]
DETAILED STEPS
Configuration Examples for MPLS LDP—Lossless MD5 Session Authentication
This section provides the following configuration examples:
•Configuring MPLS LDP—Lossless MD5 Session Authentication Using a Keychain (Symmetrical): Example
•Configuring MPLS LDP—Lossless MD5 Session Authentication Using a Keychain (Asymmetrical): Example
•Changing MPLS LDP—Lossless MD5 Session Authentication Password: Example
•Changing MPLS LDP—Lossless MD5 Session Authentication: Common Misconfiguration Examples
Configuring MPLS LDP—Lossless MD5 Session Authentication Using a Keychain (Symmetrical): Example
The following example shows a configuration of two peer LSRs that use symmetrical MD5 keys:
LSR1
access-list 10 permit 10.2.2.2
mpls ldp password required for 10
mpls ldp password option 1 for 10 ldp-pwd
!
key chain ldp-pwd
key 1
key-string pwd1
send-lifetime 10:00:00 Jan 1 2007 10:00:00 Feb 1 2007
accept-lifetime 09:00:00 Jan 1 2007 11:00:00 Feb 1 2007
!
interface loopback0
ip address 10.1.1.1 255.255.255.255
!
interface Ethernet0/0
ip address 10.0.1.1 255.255.255.254
mpls label protocol ldp
tag-switching ip
LSR2
access-list 10 permit 10.1.1.1
mpls ldp password required for 10
mpls ldp password option 1 for 10 ldp-pwd
!
key chain ldp-pwd
key 1
key-string pwd1
send-lifetime 10:00:00 Jan 1 2007 10:00:00 Feb 1 2007
accept-lifetime 09:00:00 Jan 1 2007 11:00:00 Feb 1 2007
!
interface loopback0
ip address 10.2.2.2 255.255.255.255
!
interface Ethernet0/0
ip address 10.0.1.2 255.255.255.254
mpls label protocol ldp
tag-switching ip
Configuring MPLS LDP—Lossless MD5 Session Authentication Using a Keychain (Asymmetrical): Example
The following example shows a configuration of two peer LSRs that use asymmetrical MD5 keys:
LSR1
access-list 10 permit 10.2.2.2
mpls ldp password required for 10
mpls ldp password option 1 for 10 ldp-pwd
!
key chain ldp-pwd
key 1
key-string pwd1
accept-lifetime 00:00:00 Jan 1 2005 duration 1
send-lifetime 10:00:00 Jan 1 2007 10:00:00 Feb 1 2007
key 2
key-string pwd2
accept-lifetime 09:00:00 Jan 1 2007 11:00:00 Feb 1 2007
send-lifetime 00:00:00 Jan 1 2005 duration 1
!
interface loopback0
ip address 10.1.1.1 255.255.255.255
!
interface Ethernet0/0
ip address 10.0.1.1 255.255.255.254
mpls label protocol ldp
tag-switching ip
LSR2
access-list 10 permit 10.1.1.1
mpls ldp password required for 10
mpls ldp password option 1 for 10 ldp-pwd
!
key chain ldp-pwd
key 1
key-string pwd2
accept-lifetime 00:00:00 Jan 1 2005 duration 1
send-lifetime 10:00:00 Jan 1 2007 10:00:00 Feb 1 2007
key 2
key-string pwd1
accept-lifetime 09:00:00 Jan 1 2007 11:00:00 Feb 1 2007
send-lifetime 00:00:00 Jan 1 2005 duration 1
!
interface loopback0
ip address 10.2.2.2 255.255.255.255
!
interface Ethernet0/0
ip address 10.0.1.2 255.255.255.254
mpls label protocol ldp
tag-switching ip
Changing MPLS LDP—Lossless MD5 Session Authentication Password: Example
The following example shows the existing password configuration for LSR A, LSR B, and LSR C:
LSR A Existing Configuration
mpls ldp router-id loopback0 force
mpls ldp neighbor 10.11.11.11 password lab1
mpls ldp neighbor 10.12.12.12 password lab1
mpls label protocol ldp
!
interface loopback0
ip address 10.10.10.10 255.255.255.255
!
interface Ethernet1/0
ip address 10.2.0.1 255.255.0.0
mpls ip
!
interface Ethernet2/0
ip address 10.0.0.1 255.255.0.0
mpls ip
LSR B Existing Configuration
mpls ldp router-id loopback0 force
mpls ldp neighbor 10.10.10.10 password lab1
mpls label protocol ldp
!
interface loopback0
ip address 10.11.11.11 255.255.255.255
!
interface Ethernet1/0
ip address 10.2.0.2 255.255.0.0
mpls ip
LSR C Existing Configuration
mpls ldp router-id loopback0 force
mpls ldp neighbor 10.10.10.10 password lab1
mpls label protocol ldp
!
interface loopback0
ip address 10.12.12.12 255.255.255.255
!
interface Ethernet2/0
ip address 10.0.0.2 255.255.0.0
mpls ip
!
The following example shows how the lossless password change is configured using the mpls ldp password rollover duration command for LSR A, LSR B, and LSR C so there is enough time to change all the passwords on all of the routers:
LSR A New Configuration
mpls ldp password rollover duration 10
mpls ldp password fallback lab2
no mpls ldp neighbor 10.11.11.11 password lab1
no mpls ldp neighbor 10.12.12.12 password lab1
LSR B New Configuration
mpls ldp password rollover duration 10
mpls ldp password fallback lab2
no mpls ldp neighbor 10.10.10.10 password lab1
LSR C New Configuration
mpls ldp password rollover duration 10
mpls ldp password fallback lab2
no mpls ldp neighbor 10.10.10.10 password lab1
After 10 minutes has elapsed, the password changes. The following system logging message for LSR A confirms that the password rollover was successful:
%LDP-5-PWDRO: Password rolled over for 10.11.11.11:0
%LDP-5-PWDRO: Password rolled over for 10.12.12.12:0
Changing MPLS LDP—Lossless MD5 Session Authentication Password Using a Rollover Without Keychain: Example
The MPLS LDP—Lossless MD5 Session Authentication password can be changed in a lossless way (without tearing down an existing LDP session) by using a password rollover without a keychain.
The following example shows the existing password configuration for LSR A and LSR B:
LSR A Existing Configuration
mpls ldp router-id loopback0 force
mpls ldp neighbor 10.11.11.11 password lab1
mpls label protocol ldp
!
interface loopback0
ip address 10.10.10.10 255.255.255.255
!
interface Ethernet1/0
ip address 10.2.0.1 255.255.0.0
mpls ip
LSR B Existing Configuration
mpls ldp router-id loopback0 force
mpls ldp neighbor 10.10.10.10 password lab1
mpls label protocol ldp
!
interface loopback0
ip address 10.11.11.11 255.255.255.255
!
interface Ethernet1/0
ip address 10.2.0.2 255.255.0.0
mpls ip
The following example shows the new password configuration for LSR A and LSR B:
Note The rollover duration should be large enough so that the passwords can be changed on all impacted routers.
LSR A New Configuration
mpls ldp password rollover duration 10
mpls ldp neighbor 10.11.11.11 password lab2
LSR B New Configuration
mpls ldp password rollover duration 10
mpls ldp neighbor 10.10.10.10 password lab2
After 10 minutes (rollover duration), the password changes and the following system logging message confirms the password rollover at LSR A:
%LDP-5-PWDRO: Password rolled over for 10.11.11.11:0
Changing MPLS LDP—Lossless MD5 Session Authentication Password Using a Rollover with a Keychain: Example
The MPLS LDP—Lossless MD5 Session Authentication password can be changed in a lossless way by using a password rollover with a keychain. The following configuration example shows the new password keychain configuration for LSR A, LSR B, and LSR C, in which the new password is ldp-pwd.
In the example, the desired keychain is configured first. The first pair of keys authenticate incoming TCP segments (recv key) and compute MD5 digests for outgoing TCP segments (xmit key). These keys should be the same keys as those currently in use; that is, in lab 1. The second recv key in the keychain should be valid after a few minutes. The second xmit key becomes valid at a future time.
Note The rollover duration should be large enough so that the passwords can be changed on all impacted routers.
LSR A New Configuration
mpls ldp password rollover duration 10
access-list 10 permit 10.11.11.11
access-list 10 permit 10.12.12.12
!
key chain ldp-pwd
key 10
key-string lab1
send-lifetime 10:00:00 Jan 1 2007 10:30:00 Jan 1 2007
accept-lifetime 10:00:00 Jan 1 2007 10:45:00 Jan 1 2007
key 11
key-string lab2
send-lifetime 10:30:00 Jan 1 2007 10:30:00 Feb 1 2007
accept-lifetime 10:15:00 Jan 1 2007 10:45:00 Feb 1 2007
key 12
key-string lab3
send-lifetime 10:30:00 Feb 1 2007 10:30:00 Mar 1 2007
accept-lifetime 10:15:00 Feb 1 2007 10:45:00 Mar 1 2007
!
mpls ldp password option 5 for 10 key-chain ldp-pwd
no mpls ldp neighbor 10.11.11.11 password lab1
no mpls ldp neighbor 10.12.12.12 password lab1
LSR B New Configuration
mpls ldp password rollover duration 10
access-list 10 permit 10.10.10.10
key chain ldp-pwd
key 10
key-string lab1
send-lifetime 10:00:00 Jan 1 2007 10:30:00 Jan 1 2007
accept-lifetime 10:00:00 Jan 1 2007 10:45:00 Jan 1 2007
key 11
key-string lab2
send-lifetime 10:30:00 Jan 1 2007 10:30:00 Feb 1 2007
accept-lifetime 10:15:00 Jan 1 2007 10:45:00 Feb 1 2007
key 12
key-string lab3
send-lifetime 10:30:00 Feb 1 2007 10:30:00 Mar 1 2007
accept-lifetime 10:15:00 Feb 1 2007 10:45:00 Mar 1 2007
!
mpls ldp password option 5 for 10 key-chain ldp-pwd
no mpls ldp neighbor 10.10.10.10 password lab1
LSR C New Configuration
mpls ldp password rollover duration 10
access-list 10 permit 10.10.10.10
key chain ldp-pwd
key 10
key-string lab1
send-lifetime 10:00:00 Jan 1 2007 10:30:00 Jan 1 2007
accept-lifetime 10:00:00 Jan 1 2007 10:45:00 Jan 1 2007
key 11
key-string lab2
send-lifetime 10:30:00 Jan 1 2007 10:30:00 Feb 1 2007
accept-lifetime 10:15:00 Jan 1 2007 10:45:00 Feb 1 2007
key 12
key-string lab3
send-lifetime 10:30:00 Feb 1 2007 10:30:00 Mar 1 2007
accept-lifetime 10:15:00 Feb 1 2007 10:45:00 Mar 1 2007
!
mpls ldp password option 5 for 10 key-chain ldp-pwd
no mpls ldp neighbor 10.10.10.10 password lab1
After 10 minutes, the password changes and the following system logging message confirms the password rollover at LSR A.
%LDP-5-PWDRO: Password rolled over for 10.11.11.11:0
%LDP-5-PWDRO: Password rolled over for 10.12.12.12:0
Changing MPLS LDP—Lossless MD5 Session Authentication Password Using a Fallback Password With a Keychain: Example
The MPLS LDP—Lossless MD5 Session Authentication password can be changed in a lossless way by using a fallback password when doing a rollover with a keychain.
Note The fallback password is used only when there is no other keychain configured. If there is a keychain configured, then the fallback password is not used.
The following example shows the existing password configuration for LSR A, LSR B, and LSR C:
LSR A Existing Configuration
mpls ldp router-id loopback0 force
mpls label protocol ldp
!
interface loopback0
ip address 10.10.10.10 255.255.255.255
!
interface Ethernet1/0
ip address 10.2.0.1 255.255.0.0
mpls ip
!
interface Ethernet2/0
ip address 10.0.0.1 255.255.0.0
mpls ip
!
access-list 10 permit 10.11.11.11
access-list 10 permit 10.12.12.12
!
key chain ldp-pwd
key 10
key-string lab1
send-lifetime 10:00:00 Jan 1 2007 10:30:00 Jan 1 2007
accept-lifetime 10:00:00 Jan 1 2007 10:45:00 Jan 1 2007
!
mpls ldp password option 5 for 10 key-chain ldp-pwd
LSR B Existing Configuration
mpls ldp router-id loopback0 force
mpls label protocol ldp
!
interface loopback0
ip address 10.11.11.11 255.255.255.255
!
interface Ethernet1/0
ip address 10.2.0.2 255.255.0.0
mpls ip
!
access-list 10 permit 10.10.10.10
key chain ldp-pwd
key 10
key-string lab1
send-lifetime 10:00:00 Jan 1 2007 10:30:00 Jan 1 2007
accept-lifetime 10:00:00 Jan 1 2007 10:45:00 Jan 1 2007
!
mpls ldp password option 5 for 10 key-chain ldp-pwd
LSR C Existing Configuration
mpls ldp router-id loopback0 force
mpls label protocol ldp
!
interface loopback0
ip address 10.12.12.12 255.255.255.255
!
interface Ethernet2/0
ip address 10.0.0.2 255.255.0.0
mpls ip
!
access-list 10 permit 10.10.10.10
key chain ldp-pwd
key 10
key-string lab1
send-lifetime 10:00:00 Jan 1 2007 10:30:00 Jan 1 2007
accept-lifetime 10:00:00 Jan 1 2007 10:45:00 Jan 1 2007
!
mpls ldp password option 5 for 10 key-chain ldp-pwd
Note The fallback keychain is not used unless the keychain ldp-pwd is removed using the no mpls ldp password option 5 for 10 key-chain ldp-pwd command.
The following example shows the new configuration for LSR A, LSR B, and LSR C, where one keychain is configured with the name ldp-pwd and another keychain is configured with the name fallback for the fallback password.
Note The rollover duration should be large enough so that the passwords can be changed on all impacted routers.
LSR A New Configuration
mpls ldp password rollover duration 10
!
key chain fallback
key 10
key-string fbk1
!
mpls ldp password fallback key-chain fallback
!
no mpls ldp password option 5 for 10 key-chain ldp-pwd
LSR B New Configuration
mpls ldp password rollover duration 10
!
key chain fallback
key 10
key-string fbk1
!
mpls ldp password fallback key-chain fallback
!
no mpls ldp password option 5 for 10 key-chain ldp-pwd
LSR C New Configuration
mpls ldp password rollover duration 10
key chain fallback
key 10
key-string fbk1
!
mpls ldp password fallback key-chain fallback
!
no mpls ldp password option 5 for 10 key-chain ldp-pwd
After 10 minutes, the password changes and the following system logging message confirms the password rollover at LSR A:
%LDP-5-PWDRO: Password rolled over for 10.11.11.11:0
%LDP-5-PWDRO: Password rolled over for 10.12.12.12:0
Changing MPLS LDP—Lossless MD5 Session Authentication: Common Misconfiguration Examples
The following sections describe common misconfiguration examples that can occur when the MPLS LDP—Lossless MD5 Session Authentication password is migrated in a lossless way. Misconfigurations can lead to undesired behavior in an LDP session.
•Incorrect Keychain LDP Password Configuration: Example
•Avoiding Access List Configuration Problems
Incorrect Keychain LDP Password Configuration: Example
Possible misconfigurations can occur when keychain-based commands are used with the mpls ldp password option for key-chain command. If the accept-lifetime or send-lifetime command is not specified in this configuration, then a misconfiguration can occur when more than two keys are in a keychain.
The following example shows an incorrect keychain configuration with three passwords for LSR A and LSR B in the keychain:
LSR A Incorrect Keychain LDP Password Configuration
access-list 10 permit 10.11.11.11
!
key chain ldp-pwd
key 10
key-string lab1
send-lifetime 10:00:00 Jan 1 2007 10:30:00 Jan 1 2007
key 11
key-string lab2
send-lifetime 10:30:00 Jan 1 2007 10:30:00 Feb 1 2007
key 12
key-string lab3
send-lifetime 10:30:00 Feb 1 2007 10:30:00 Mar 1 2007
!
mpls ldp password option 5 for 10 key-chain ldp-pwd
LSR B Incorrect Keychain LDP Password Configuration
access-list 10 permit 10.10.10.10
key chain ldp-pwd
key 10
key-string lab1
send-lifetime 10:00:00 Jan 1 2007 10:30:00 Jan 1 2007
key 11
key-string lab2
send-lifetime 10:30:00 Jan 1 2007 10:30:00 Feb 1 2007
key 12
key-string lab3
send-lifetime 10:30:00 Feb 1 2007 10:30:00 Mar 1 2007
!
mpls ldp password option 5 for 10 key-chain ldp-pwd
In the example, for both LSR A and LSR B, during the period of the third send-lifetime 10:30:00 Feb 1 2007 10:30:00 Mar 1 2007 command, all three configured keys are valid as receive keys, and only the last configured key is valid as a transmit key. The keychain resolution rules dictate that keys 10 and 11 are used as receive keys, and only the last key 12 can be used as the transmit key. Because the transmit and receive keys are mismatched, the LDP session will not stay active.
Note When more than two passwords are configured in a keychain, the configuration needs to have both accept-lifetime and send-lifetime commands configured correctly for effective rollovers.
The following example shows the correct keychain configuration with multiple passwords in the keychain:
LSR A Correct Keychain LDP Password Configuration
access-list 10 permit 10.11.11.11
!
key chain ldp-pwd
key 10
key-string lab1
send-lifetime 10:00:00 Jan 1 2007 10:30:00 Jan 1 2007
accept-lifetime 10:00:00 Jan 1 2007 10:45:00 Jan 1 2007
key 11
key-string lab2
send-lifetime 10:30:00 Jan 1 2007 10:30:00 Feb 1 2007
accept-lifetime 10:15:00 Jan 1 2007 10:45:00 Feb 1 2007
key 12
key-string lab3
send-lifetime 10:30:00 Feb 1 2007 10:30:00 Mar 1 2007
accept-lifetime 10:15:00 Feb 1 2007 10:45:00 Mar 1 2007
!
mpls ldp password option 5 for 10 key-chain ldp-pwd
LSR B Correct Keychain LDP Password Configuration
access-list 10 permit 10.10.10.10
key chain ldp-pwd
key 10
key-string lab1
send-lifetime 10:00:00 Jan 1 2007 10:30:00 Jan 1 2007
accept-lifetime 10:00:00 Jan 1 2007 10:45:00 Jan 1 2007
key 11
key-string lab2
send-lifetime 10:30:00 Jan 1 2007 10:30:00 Feb 1 2007
accept-lifetime 10:15:00 Jan 1 2007 10:45:00 Feb 1 2007
key 12
key-string lab3
send-lifetime 10:30:00 Feb 1 2007 10:30:00 Mar 1 2007
accept-lifetime 10:15:00 Feb 1 2007 10:45:00 Mar 1 2007
!
mpls ldp password option 5 for 10 key-chain ldp-pwd
In the example above, for both LSR A and LSR B, during the period of the third send-lifetime 10:30:00 Feb 1 2007 10:30:00 Mar 1 2007 command, only the last key 12 is valid as transmit and receive keys. Therefore, the LDP session remains active.
Avoiding Access List Configuration Problems
Use caution when modifying or deleting an access list. Any empty access list implies "permit any" by default. So when either the mpls ldp password option for key-chain command or the mpls ldp password option for command is used for MPLS LDP MD5 session authentication, if the access list specified in the command becomes empty as a result of a modification or deletion, then all LDP sessions on the router expect a password. This configuration may cause undesired behavior in LDP sessions. To avoid this scenario, ensure that the proper access list is specified for each LSR.
Changing MPLS LDP—Lossless MD5 Session Authentication Using a Second Key to Avoid LDP Session Failure: Examples
The MPLS LDP—Lossless MD5 Session Authentication feature works when a specified rollover period is configured. Typically, one rollover period overlaps the two accept lifetime values that are configured for two consecutive receive keys. The LDP process requests an update from the keychain manager for the latest valid transmit and receive keys once every minute. LDP compares the latest key set with the keys from the previous update in its database to determine if a key was removed, changed, or rolled over. When the rollover occurs, the LDP process detects the rollover and programs TCP with the next receive key.
The LDP session can fail if LDP is configured to use two keys for the MPLS LDP—Lossless MD5 Session Authentication feature where the first key uses a send and accept lifetime value and the second key is not configured. The configuration creates a special case where there are two rollovers but there is only one rollover period.
The following sections provide an example of this problem and a solution:
•TCP Authentication and LDP Sessions Can Fail When a Second Rollover Period Is Missing: Example
•Reconfigure a Keychain to Prevent TCP Authentication and LDP Session Failures: Example
TCP Authentication and LDP Sessions Can Fail When a Second Rollover Period Is Missing: Example
In the following configuration, the first rollover is from "secondpass" to "firstpass." The second rollover is from "firstpass" back to "secondpass." The only rollover period in this configuration is the overlapping between the "firstpass" and "secondpass." Because one rollover period is missing, LDP performs only the first rollover and not the second rollover, causing TCP authentication to fail and the LDP session to fail.
key chain ldp-pwd
key 1
key-string firstpass
accept-lifetime 01:03:00 Sep 10 2007 01:10:00 Sep 10 2007
send-lifetime 01:05:00 Sep 10 2007 01:08:00 Sep 10 2007
key 2
key-string secondpass
TCP authentication and LDP sessions can also fail if the second key has send and accept lifetime configured. In this case the accept lifetime of the first key is a subset of the accept lifetime of the second key. For example:
key chain ldp-pwd
key 1
key-string firstpass
accept-lifetime 01:03:00 Sep 10 2007 01:10:00 Sep 10 2007
send-lifetime 01:05:00 Sep 10 2007 01:08:00 Sep 10 2007
key 2
key-string secondpass
accept-lifetime 01:03:00 Sep 9 2007 01:10:00 Sep 11 2007
send-lifetime 01:05:00 Sep 9 2007 01:08:00 Sep 11 2007
Reconfigure a Keychain to Prevent TCP Authentication and LDP Session Failures: Example
If the configuration needs to specify the last key in the keychain to always be valid, then configure the keychain to have at least two keys. Each key must be configured with both the send and accept lifetime period. For example:
key chain ldp-pwd
key 1
key-string firstpass
accept-lifetime 01:03:00 Sep 10 2007 01:10:00 Sep 10 2007
send-lifetime 01:05:00 Sep 10 2007 01:08:00 Sep 10 2007
key 2
key-string secondpass
accept-lifetime 01:06:00 Sep 10 2007 01:17:00 Sep 10 2007
send-lifetime 01:08:00 Sep 10 2007 01:15:00 Sep 10 2007
key 3
key-string thirdpass
If the configuration needs to specify the first keychain for the time interval, then switch to use the second key forever after that interval. This is done by configuring the start time for the second key to begin shortly before the end time of the first key, and by configuring the second key to be valid forever after that interval. For example:
key chain ldp-pwd
key 1
key-string firstpass
accept-lifetime 00:03:00 Sep 10 2007 01:10:00 Sep 10 2007
send-lifetime 00:05:00 Sep 10 2007 01:08:00 Sep 10 2007
key 2
key-string secondpass
accept-lifetime 01:06:00 Sep 10 2007 infinite
send-lifetime 01:08:00 Sep 10 2007 infinite
If the configuration needs to specify the two keys in the order of the second key, first key, and second key again, then specify three keys in that order with the proper rollover period. For example:
key chain ldp-pwd
key 1
key-string firstpass
accept-lifetime 00:03:00 Sep 10 2007 01:10:00 Sep 10 2007
send-lifetime 00:05:00 Sep 10 2007 01:08:00 Sep 10 2007
key 2
key-string secondpass
accept-lifetime 01:06:00 Sep 10 2007 01:17:00 Sep 10 2007
send-lifetime 01:08:00 Sep 10 2007 01:15:00 Sep 10 2007
key 3
key-string firstpass
accept-lifetime 01:13:00 Sep 10 2007 infinite
send-lifetime 01:15:00 Sep 10 2007 infinite
Additional References
The following sections provide references related to the MPLS LDP—Lossless MD5 Session Authentication feature.
Related Documents
|
|
|
|---|---|
MPLS Label Distribution Protocol (LDP) |
|
LDP implementation enhancements for the MD5 password |
Standards
|
|
|
|---|---|
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. |
— |
MIBs
RFCs
|
|
|
|---|---|
No new or modified RFCs are supported by this release. |
— |
Technical Assistance
Feature Information for MPLS LDP—Lossless MD5 Session Authentication
Table 1 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007-2008 Cisco Systems, Inc. All rights reserved.
Feedback