04-21-2017 02:33 AM
How to most effectively protect the LDP protocol in a Junos-based MPLS core?
E.g. against attacks exploiting JSA10777.
1) If I specify md5 authentication per session like this:
set protocols ldp session 18.104.22.168 authentication-key "xxx"
An LDP session can be established without an md5 key from any other remote address, e.g. 22.214.171.124
2) If I add "strict-targeted-hellos" then tcp sessions to the ldp port can still be established from anywhere except from 126.96.36.199 (unless using the correct key). I'm not sure whether attacks against ldp can be launched or not, but at least the packets are accepted by the RE tcp stack.
3) If I add the RE filter as described here:
the "rogue" ldp tcp sessions can no longer be established.
So is the correct answer 1+2+3 combined?
Which kind of config do people use in production?
04-21-2017 10:32 AM
IMO, this depends on the specific design. For instance, when ldp-over-rsvp is implemented, ldp sessions get dynamically set up between RSVP ingress and egress, and strict-targeted-hello may block sessions.
1. Allows authentication for each session. May be cumbersome to configure if there are many ldp sessions.
Can also use 'set protocols ldp session-group x.x.x.x/x authentication-key xxx' to summarise/group ldp session peers.
2. Ignores hellos from unconfigured neighbors. However, I assume the ldp packet could still be processed by the RE but then ignored.
3. Protects RE from unsolicited LDP hellos [will not reach RE for processing].
IMO, a combination of the three is most effective [defence-in-depth].
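
A sketch of the three layers discussed in this thread, combined in Junos set format. It is an added illustration, not configuration from either poster and not the RE filter the first post links to. The peer address 192.0.2.1, the link subnet 198.51.100.0/24, the key placeholder, and the names LDP-PEERS, LDP-LINKS, PROTECT-RE and ldp-denied are assumptions.

```junos
# 1) Per-session MD5 authentication (peer address and key are placeholders)
set protocols ldp session 192.0.2.1 authentication-key "<key>"

# 2) Ignore targeted hellos from neighbors that are not configured
set protocols ldp strict-targeted-hellos

# 3) Loopback filter terms so that only known sources reach LDP on the RE.
#    These terms belong inside the filter already applied as input on lo0,
#    ahead of its other terms. A filter ends in an implicit discard, so do
#    not apply these terms on their own.
set policy-options prefix-list LDP-PEERS 192.0.2.1/32
set policy-options prefix-list LDP-LINKS 198.51.100.0/24

# TCP 646 in either direction, since either side may open the session
set firewall family inet filter PROTECT-RE term LDP-TCP from source-prefix-list LDP-PEERS
set firewall family inet filter PROTECT-RE term LDP-TCP from protocol tcp
set firewall family inet filter PROTECT-RE term LDP-TCP from port 646
set firewall family inet filter PROTECT-RE term LDP-TCP then accept

# UDP hellos: targeted hellos come from peer loopbacks, link hellos from
# neighbor interface addresses (assumed here to be in LDP-LINKS)
set firewall family inet filter PROTECT-RE term LDP-HELLO from source-prefix-list LDP-PEERS
set firewall family inet filter PROTECT-RE term LDP-HELLO from source-prefix-list LDP-LINKS
set firewall family inet filter PROTECT-RE term LDP-HELLO from protocol udp
set firewall family inet filter PROTECT-RE term LDP-HELLO from destination-port 646
set firewall family inet filter PROTECT-RE term LDP-HELLO then accept

# Everything else aimed at port 646 is counted and dropped before the RE
set firewall family inet filter PROTECT-RE term LDP-OTHER from protocol tcp
set firewall family inet filter PROTECT-RE term LDP-OTHER from protocol udp
set firewall family inet filter PROTECT-RE term LDP-OTHER from port 646
set firewall family inet filter PROTECT-RE term LDP-OTHER then count ldp-denied
set firewall family inet filter PROTECT-RE term LDP-OTHER then discard
```

The ldp-denied counter appears in the output of `show firewall filter PROTECT-RE`, which gives a quick view of how much unsolicited LDP traffic the filter is dropping.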