Contributor
Posts: 21
Registered: 05-09-2014

Protecting LDP in Junos

How do I most effectively protect the LDP protocol in a Junos-based MPLS core, e.g. against attacks exploiting JSA10777?

1) If I specify MD5 authentication per session like this:
set protocols ldp session 1.2.3.4 authentication-key "xxx"
an LDP session can still be established without an MD5 key from any other remote address, e.g. 2.2.2.2.

2) If I add "strict-targeted-hellos", TCP sessions to the LDP port can still be established from anywhere except 1.2.3.4 (unless using the correct key). I'm not sure whether attacks against LDP can be launched this way or not, but at least the packets are accepted by the RE TCP stack.

3) If I add the RE filter as described here:
http://forums.juniper.net/t5/Routing/Limiting-LDP-targetted-Sessions/m-p/263081#M12111
the "rogue" LDP TCP sessions can no longer be established.

So is the correct answer 1+2+3 combined?
Which kind of config do people use in production?


Thanks

Distinguished Expert
Posts: 560
Registered: 08-15-2012

Re: Protecting LDP in Junos

Hi,

IMO this depends on the specific design. For instance, when LDP-over-RSVP is implemented, LDP sessions get dynamically set up between the RSVP ingress and egress, and strict-targeted-hellos may block those sessions.

1. Allows authentication for each session. May be cumbersome to configure if there are many LDP sessions.

    Can also use 'set protocols ldp session-group x.x.x.x/x authentication-key xxx' to summarise/group LDP session peers.


2. Ignores hellos from unconfigured neighbors. However, I assume the LDP packet could still be processed by the RE and only then ignored.


3. Protects the RE from unsolicited LDP hellos [they will not reach the RE for processing].


IMO, a combination of the three is most effective [defence-in-depth].

Cheers,

Ashvin

Contributor
Posts: 21
Registered: 05-09-2014

Re: Protecting LDP in Junos

Thank you very much for the explanation.

The O'Reilly book "Juniper MX Series", second edition, contains an example RE filter (page 320). In filter accept-ldp, term accept-ldp-unicast, TCP packets to the LDP port are only accepted from directly connected IP addresses (prefix-lists router-ipv4 and router-ipv4-logical-systems). However, with the default config (protocols ldp transport-address absent) the LDP TCP connection is sourced from the (neighbor) loopback IP. It is not accepted, and as a result the LDP sessions cannot be established. The list of loopbacks cannot be automatically generated with apply-path.

Is there a bug in the book (the filter is the same in the first edition), or is there something I fail to understand? Most probably the latter; please explain :)

Thanks

Contributor
Posts: 23
Registered: 06-16-2016

Re: Protecting LDP in Junos

I don't have the book, but here's what you'd expect for LDP traffic:

  • UDP hellos sourced from the outgoing interface to the all-routers multicast address
  • Targeted UDP hellos sourced from the loopback IP to the neighbor's loopback IP
  • TCP session sourced from the loopback IP to the neighbor's loopback IP


If you aren't using LDP for transport but are using it for something like an l2circuit, then you can generate a list of loopbacks using apply-path.


If you are using LDP to generate your LSPs, then you'd need to manually configure a prefix-list with the loopback IPs (or a subnet covering all loopbacks). If that's not in the example, then I don't see how the session can come up.


Keep in mind that with any TCP session between routers, you'd need a term to allow replies. So for LDP, you'd need some term with a source-port of 646 and "tcp-established" to lock it down to segments with the RST or ACK flags set.

Example policy:

set policy-options prefix-list local-lo0 apply-path "interfaces lo0 unit <*> family inet address <*>"
set policy-options prefix-list neighbor-int-ip apply-path "interfaces <*> unit <*> family inet address <*>"
set policy-options prefix-list l2circuit-neighbors apply-path "protocols l2circuit neighbor <*>"
set policy-options prefix-list all-routers-mcast 224.0.0.2/32
set policy-options prefix-list remote_loopbacks 1.2.3.0/24

set firewall family inet filter protect-re term permit_ldp_hellos from source-prefix-list neighbor-int-ip
set firewall family inet filter protect-re term permit_ldp_hellos from destination-prefix-list all-routers-mcast
set firewall family inet filter protect-re term permit_ldp_hellos from protocol udp
set firewall family inet filter protect-re term permit_ldp_hellos from destination-port ldp
set firewall family inet filter protect-re term permit_ldp_hellos then accept

set firewall family inet filter protect-re term permit_tldp_hellos from source-prefix-list l2circuit-neighbors
set firewall family inet filter protect-re term permit_tldp_hellos from destination-prefix-list local-lo0
set firewall family inet filter protect-re term permit_tldp_hellos from protocol udp
set firewall family inet filter protect-re term permit_tldp_hellos from destination-port ldp
set firewall family inet filter protect-re term permit_tldp_hellos then accept

set firewall family inet filter protect-re term permit_tcp_init from source-prefix-list remote_loopbacks
set firewall family inet filter protect-re term permit_tcp_init from source-prefix-list l2circuit-neighbors
set firewall family inet filter protect-re term permit_tcp_init from destination-prefix-list local-lo0
set firewall family inet filter protect-re term permit_tcp_init from protocol tcp
set firewall family inet filter protect-re term permit_tcp_init from destination-port ldp
set firewall family inet filter protect-re term permit_tcp_init then accept

set firewall family inet filter protect-re term permit_tcp_estbl from source-prefix-list remote_loopbacks
set firewall family inet filter protect-re term permit_tcp_estbl from source-prefix-list l2circuit-neighbors
set firewall family inet filter protect-re term permit_tcp_estbl from destination-prefix-list local-lo0
set firewall family inet filter protect-re term permit_tcp_estbl from protocol tcp
set firewall family inet filter protect-re term permit_tcp_estbl from source-port ldp
set firewall family inet filter protect-re term permit_tcp_estbl from tcp-established
set firewall family inet filter protect-re term permit_tcp_estbl from destination-port 49152-65535
set firewall family inet filter protect-re term permit_tcp_estbl then accept
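To sanity-check what the protect-re terms above accept and drop, here is an added example (not from the thread or from Junos): a small Python model of the four terms evaluated over constructed packets. The prefix-list contents (10.0.0.1/32 as lo0, 192.0.2.0/30 as the link subnet, 10.0.0.7 as the l2circuit neighbor, 1.2.3.0/24 as remote_loopbacks) are assumed values standing in for the apply-path results; it also reproduces the symptom from the earlier post, where a TCP session sourced from a loopback that is in no prefix-list falls through to the filter's implicit discard.

```python
import ipaddress

LDP_PORT = 646

# Constructed prefix-list contents (assumed values) standing in for the post's apply-path results.
PREFIX_LISTS = {
    "local-lo0": ["10.0.0.1/32"],            # this router's lo0 address
    "neighbor-int-ip": ["192.0.2.0/30"],     # directly connected link subnets
    "l2circuit-neighbors": ["10.0.0.7/32"],  # protocols l2circuit neighbor
    "all-routers-mcast": ["224.0.0.2/32"],
    "remote_loopbacks": ["1.2.3.0/24"],      # manually maintained LDP peer loopbacks
}

# The protect-re terms in order. All conditions of a term must match; several
# prefix-lists under one from-clause are OR'ed, as in the set commands above.
TERMS = [
    ("permit_ldp_hellos", {"src": ["neighbor-int-ip"], "dst": ["all-routers-mcast"],
                           "proto": "udp", "dport": (LDP_PORT, LDP_PORT)}),
    ("permit_tldp_hellos", {"src": ["l2circuit-neighbors"], "dst": ["local-lo0"],
                            "proto": "udp", "dport": (LDP_PORT, LDP_PORT)}),
    ("permit_tcp_init", {"src": ["remote_loopbacks", "l2circuit-neighbors"],
                         "dst": ["local-lo0"], "proto": "tcp", "dport": (LDP_PORT, LDP_PORT)}),
    ("permit_tcp_estbl", {"src": ["remote_loopbacks", "l2circuit-neighbors"],
                          "dst": ["local-lo0"], "proto": "tcp", "sport": (LDP_PORT, LDP_PORT),
                          "dport": (49152, 65535), "established": True}),
]

def in_prefix_lists(addr, names, lists):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for n in names for p in lists[n])

def evaluate(pkt, lists=PREFIX_LISTS):
    """Name of the first accepting term, or 'discard' for the filter's implicit deny."""
    for name, m in TERMS:
        if not in_prefix_lists(pkt["src"], m["src"], lists): continue
        if not in_prefix_lists(pkt["dst"], m["dst"], lists): continue
        if pkt["proto"] != m["proto"]: continue
        if "sport" in m and not m["sport"][0] <= pkt["sport"] <= m["sport"][1]: continue
        if not m["dport"][0] <= pkt["dport"] <= m["dport"][1]: continue
        # tcp-established matches segments with ACK or RST set, so a bare SYN fails here
        if m.get("established") and not pkt["flags"] & {"ACK", "RST"}: continue
        return name
    return "discard"

def tcp(src, dst, sport, dport, flags):
    return {"src": src, "dst": dst, "proto": "tcp", "sport": sport, "dport": dport, "flags": set(flags)}

def udp(src, dst, dport):
    return {"src": src, "dst": dst, "proto": "udp", "sport": LDP_PORT, "dport": dport, "flags": set()}
```

Call evaluate() with a packet built by tcp() or udp() to see which term it lands in; anything from an address outside the prefix-lists, or a reply segment without ACK/RST, returns "discard".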