Contributor
Posts: 20
Registered: 05-09-2014

Protecting LDP in Junos

How do I most effectively protect the LDP protocol in a Junos-based MPLS core, e.g. against attacks exploiting JSA10777?

1) If I specify MD5 authentication per session like this:
set protocols ldp session 1.2.3.4 authentication-key "xxx"
an LDP session can still be established without an MD5 key from any other remote address, e.g. 2.2.2.2.

2) If I add "strict-targeted-hellos", then TCP sessions to the LDP port can still be established from anywhere except from 1.2.3.4 (unless the correct key is used). I'm not sure whether attacks against LDP can be launched or not, but at least the packets are accepted by the RE TCP stack.

3) If I add the RE filter as described here:
http://forums.juniper.net/t5/Routing/Limiting-LDP-targetted-Sessions/m-p/263081#M12111
the "rogue" LDP TCP sessions can no longer be established.

So is the correct answer 1+2+3 combined?
Which kind of config do people use in production?

Thanks

Distinguished Expert
Posts: 554
Registered: 08-15-2012

Re: Protecting LDP in Junos

Hi,

IMO, this depends on the specific design. For instance, when LDP-over-RSVP is implemented, LDP sessions get dynamically set up between the RSVP ingress and egress, and strict-targeted-hellos may block those sessions.

1. Allows authentication for each session. May be cumbersome to configure if there are many LDP sessions.
    Can also use 'set protocols ldp session-group x.x.x.x/x authentication-key xxx' to summarise/group LDP session peers.

2. Ignores hellos from unconfigured neighbors. However, I assume the LDP packet could still be processed by the RE but then ignored.

3. Protects the RE from unsolicited LDP hellos [they will not reach the RE for processing].

IMO, a combination of the three is most effective [defence-in-depth].

Cheers,

Ashvin
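The three measures discussed in the question and in Ashvin's reply, combined into one Junos configuration. This is an added example, not configuration posted by either participant or taken from the linked thread. The peer 1.2.3.4 comes from the question; the second peer range 10.0.0.0/24, the key placeholder, and the filter, term, counter and prefix-list names are all assumptions chosen for illustration.

```junos
## Added example: per-session MD5, strict-targeted-hellos and an RE (lo0) filter together.
## 1.2.3.4 is the peer from the question; 10.0.0.0/24 and all names below are assumed.

## 1) MD5 authentication: one explicit peer plus a grouped range for many peers
set protocols ldp session 1.2.3.4 authentication-key "<md5-key-placeholder>"
set protocols ldp session-group 10.0.0.0/24 authentication-key "<md5-key-placeholder>"

## 2) Drop targeted hellos from any address not configured as a session above
set protocols ldp strict-targeted-hellos

## 3) RE protection: only the known peers may reach LDP (TCP/UDP 646) on the RE
set policy-options prefix-list ldp-peers 1.2.3.4/32
set policy-options prefix-list ldp-peers 10.0.0.0/24

## Known peers: targeted hellos (UDP 646) and sessions (TCP 646)
set firewall family inet filter protect-re term ldp-peers from source-prefix-list ldp-peers
set firewall family inet filter protect-re term ldp-peers from protocol tcp
set firewall family inet filter protect-re term ldp-peers from protocol udp
set firewall family inet filter protect-re term ldp-peers from port 646
set firewall family inet filter protect-re term ldp-peers then accept

## Link-level LDP hellos are multicast to 224.0.0.2 over UDP 646 and must stay open
set firewall family inet filter protect-re term ldp-link-hellos from destination-address 224.0.0.2/32
set firewall family inet filter protect-re term ldp-link-hellos from protocol udp
set firewall family inet filter protect-re term ldp-link-hellos from port 646
set firewall family inet filter protect-re term ldp-link-hellos then accept

## Everything else aimed at port 646 is counted, logged and dropped before the RE TCP stack sees it
set firewall family inet filter protect-re term ldp-other from protocol tcp
set firewall family inet filter protect-re term ldp-other from protocol udp
set firewall family inet filter protect-re term ldp-other from port 646
set firewall family inet filter protect-re term ldp-other then count ldp-rogue
set firewall family inet filter protect-re term ldp-other then log
set firewall family inet filter protect-re term ldp-other then discard

## Placeholder for the rest of the RE policy (OSPF, BGP, SSH, ...); a real lo0 filter
## would carry its own terms here instead of a blanket accept
set firewall family inet filter protect-re term everything-else then accept

## Apply to the loopback so the filter covers traffic destined to the RE
set interfaces lo0 unit 0 family inet filter input protect-re
```

The `ldp-other` term is what closes the gap the question describes in point 2: with only strict-targeted-hellos, a TCP connection to port 646 from an unknown source is still accepted by the RE's TCP stack; with the filter, it is discarded in the forwarding plane and the `ldp-rogue` counter (visible with `show firewall filter protect-re`) gives a detection signal. As Ashvin notes, if LDP-over-RSVP sets up sessions dynamically between ingress and egress, those endpoints must appear in the session/session-group statements and in the `ldp-peers` prefix list, or both strict-targeted-hellos and the filter will block them; `show ldp session` after commit confirms which sessions came up.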