In an MPLS network, where the trust relationship is assumed within the network boundary, authentication for pseudowire signaling is usually absent. However, Cisco IOS still provides LDP authentication when network operators consider it necessary. Like other MPLS applications that use LDP, AToM can also enable LDP authentication for pseudowire signaling.
LDP performs authentication through the TCP MD5 Signature Option (RFC 2385), which is essentially a message digest that validates the integrity of each TCP segment carrying LDP. The digest is calculated over the content being transmitted together with a shared password, so a peer that does not hold the password can neither produce an acceptable digest nor modify a segment without the change being detected.
To configure LDP authentication for pseudowire signaling, use the mpls ldp neighbor password command in global configuration mode. For example, to enable LDP authentication between PE1 and PE2 with the shared password l2vpn, configure both routers as shown in Example 9-54.
PE1(config)#mpls ldp neighbor 10.1.1.2 password ?
  LINE   The password
  <0-7>  Encryption type (0 to disable encryption, 7 for proprietary)
PE1(config)#mpls ldp neighbor 10.1.1.2 password l2vpn

PE2#config t
Enter configuration commands, one per line.  End with CNTL/Z.
PE2(config)#mpls ldp neighbor 10.1.1.1 password l2vpn
To verify that the LDP session is enabled with MD5 authentication, use the show mpls ldp neighbor detail command, as shown in Example 9-55.
PE1#show mpls ldp neighbor 10.1.1.2 detail
    Peer LDP Ident: 10.1.1.2:0; Local LDP Ident 10.1.1.1:0
        TCP connection: 10.1.1.2.11035 - 10.1.1.1.646; MD5 on
        State: Oper; Msgs sent/rcvd: 26/26; Downstream; Last TIB rev sent 22
        Up time: 00:08:10; UID: 5; Peer Id 2;
        LDP discovery sources:
          Targeted Hello 10.1.1.1 -> 10.1.1.2, active, passive;
            holdtime: infinite, hello interval: 10000 ms
        Addresses bound to peer LDP Ident:
          10.23.23.1      10.1.1.2        10.23.21.2
        Peer holdtime: 180000 ms; KA interval: 60000 ms; Peer state: estab
        Clients: Dir Adj Client
If a PE router has a password configured for a peer PE router, but the peer PE router does not have the password configured, a message such as the following appears on the console of the PE router:
00:53:41: %TCP-6-BADAUTH: No MD5 digest from 10.1.1.2(11037) to 10.1.1.1(646)
If two PE routers have different passwords configured, a message such as the following appears on the console:
00:55:57: %TCP-6-BADAUTH: Invalid MD5 digest from 10.1.1.2(11041) to 10.1.1.1(646)
In either case, whether the password is missing from one PE router or the passwords configured on the two PE routers do not match, the LDP session is not established, and the pseudowire that depends on it stays down.
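To make the mechanism behind the MD5 on flag and the two %TCP-6-BADAUTH messages concrete, the following is an added example (not code from the book or from Cisco IOS) that models the RFC 2385 signature computation and the receiver-side check. It builds a TCP segment the way a sender with mpls ldp neighbor ... password would, digests the IPv4 pseudo-header, the 20-byte TCP header with the checksum zeroed, the payload and the password, and then classifies an incoming segment as "MD5 on", "No MD5 digest" or "Invalid MD5 digest". The addresses, ports, sequence numbers and payload are constructed values, and the function and constant names are the example's own.

```python
"""Model of the TCP MD5 Signature Option (RFC 2385) as LDP uses it.

Added example, not code from the book. Addresses, ports, sequence numbers
and the payload are constructed test values, not captured traffic.
"""
import hashlib
import hmac
import socket
import struct

TCP_MD5_OPTION_KIND = 19   # RFC 2385 option kind
TCP_MD5_OPTION_LEN = 18    # kind + length + 16-byte digest
LDP_PORT = 646             # LDP session port, as in the book's examples


def _pseudo_header(src_ip, dst_ip, tcp_length):
    # IPv4 pseudo-header: source, destination, zero byte, protocol, TCP length.
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_length))


def md5_signature(src_ip, dst_ip, fixed_header, payload, password, tcp_length):
    """RFC 2385 digest over: pseudo-header, the 20-byte TCP header with the
    checksum field zeroed (options excluded), the segment data, the password."""
    hdr = bytearray(fixed_header[:20])
    hdr[16:18] = b"\x00\x00"          # checksum is zero while digesting
    m = hashlib.md5()
    m.update(_pseudo_header(src_ip, dst_ip, tcp_length))
    m.update(bytes(hdr))
    m.update(payload)
    m.update(password.encode("ascii"))
    return m.digest()


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, payload, password=None):
    """Build header + options + payload. With a password the MD5 option is
    appended (18 bytes plus two NOPs of padding); without one, no option."""
    opt_len = 20 if password is not None else 0
    data_offset = (20 + opt_len) // 4
    flags = 0x18                                   # PSH | ACK
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        data_offset << 4, flags, 65535, 0, 0)
    options = b""
    if password is not None:
        digest = md5_signature(src_ip, dst_ip, fixed, payload, password,
                               20 + opt_len + len(payload))
        options = (struct.pack("!BB", TCP_MD5_OPTION_KIND, TCP_MD5_OPTION_LEN)
                   + digest + b"\x01\x01")
    return fixed + options + payload


def _find_md5_option(segment):
    # Walk the option list between the fixed header and the data offset.
    data_offset = (segment[12] >> 4) * 4
    i = 20
    while i + 1 < data_offset:
        kind = segment[i]
        if kind == 0:                              # end of option list
            break
        if kind == 1:                              # NOP
            i += 1
            continue
        length = segment[i + 1]
        if length < 2:                             # malformed option
            return None
        if kind == TCP_MD5_OPTION_KIND and length == TCP_MD5_OPTION_LEN:
            return segment[i + 2:i + 18]
        i += length
    return None


def check_segment(src_ip, dst_ip, segment, password):
    """Receiver-side check; returns the status a router would report."""
    received = _find_md5_option(segment)
    if received is None:
        return "No MD5 digest"
    data_offset = (segment[12] >> 4) * 4
    payload = segment[data_offset:]
    expected = md5_signature(src_ip, dst_ip, segment, payload, password,
                             len(segment))
    if not hmac.compare_digest(received, expected):  # constant-time compare
        return "Invalid MD5 digest"
    return "MD5 on"


def badauth_syslog(src_ip, dst_ip, segment, password):
    """The %TCP-6-BADAUTH line a router would log, or None when the digest is good."""
    status = check_segment(src_ip, dst_ip, segment, password)
    if status == "MD5 on":
        return None
    sport, dport = struct.unpack("!HH", segment[:4])
    return f"%TCP-6-BADAUTH: {status} from {src_ip}({sport}) to {dst_ip}({dport})"


if __name__ == "__main__":
    seg = build_segment("10.1.1.2", "10.1.1.1", 11035, LDP_PORT, 1000, 2000,
                        b"ldp-keepalive", "l2vpn")
    for pw in ("l2vpn", "wrong"):
        print(pw, "->", check_segment("10.1.1.2", "10.1.1.1", seg, pw))
    print(badauth_syslog("10.1.1.2", "10.1.1.1",
                         build_segment("10.1.1.2", "10.1.1.1", 11037, LDP_PORT,
                                       1000, 2000, b"ldp-keepalive"), "l2vpn"))
```

The three outcomes map directly onto what the book shows: a matching password on both sides yields the MD5 on flag in show mpls ldp neighbor detail, a missing option on the peer yields the "No MD5 digest" message, and a mismatched password (or any change to the header or payload after signing) yields "Invalid MD5 digest". Note that the digest covers the header fields and payload but not the options, which is why it is recomputed from the received segment with only the checksum zeroed.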