Ensure authentication is set to AES-CMAC

Details

LDP peers should be strongly authenticated.

Rationale:

Where it is deployed, LDP is vital to the normal operation of an MPLS network. LDP is used to exchange label mappings and to populate the router's Forwarding Information Base (FIB). An attacker posing as one of the target router's LDP peers may attempt to inject incorrect label information, or to exploit a vulnerability in the router's LDP implementation to cause an information disclosure or denial of service.

On Juniper routers (as well as routers from some other vendors) it is possible to authenticate LDP sessions using a Cipher-based Message Authentication Code (CMAC) built on the AES block cipher.

AES-128-CMAC-96 is significantly more robust than the MD5-based method that has traditionally been used for LDP session authentication, and should be used wherever both LSRs support it (such as in an all-Juniper deployment).

Where support for AES-128-CMAC-96 is not available, SHA1-HMAC, while not as strong as the AES method, should be strongly preferred over MD5, which is considerably weaker.

Strong LDP session authentication is configured per session group, so different algorithms can be used for different groups of peers where necessary (for example, AES-CMAC for Juniper peers and SHA1-HMAC for a group of peers that lack AES-CMAC support).

Solution

If you have deployed LDP in your network you should use strong authentication for all neighbors.
Both AES-CMAC and SHA1-HMAC authentication require a keychain to be configured on the device under the [edit security authentication-key-chains] hierarchy with at least one key which has a start time in the past. The same key IDs and secrets must be configured on the peer LSR, and a key with a start time in the past must exist on both sides before the session can be authenticated; do not configure a plain authentication-key on the same session group alongside the key-chain.

[edit security authentication-key-chains]
user@host# set key-chain <chain-name> key <key-id> start-time <yyyy-mm-dd.hh:mm:ss>
user@host# set key-chain <chain-name> key <key-id> secret <secret>

The chosen algorithm and keychain should then be configured for all session groups from the [edit protocols ldp] hierarchy:

[edit protocols ldp]
user@host# set session-group <prefix> authentication-algorithm aes-128-cmac-96
user@host# set session-group <prefix> authentication-key-chain <chain-name>

or for SHA1-HMAC:

[edit protocols ldp]
user@host# set session-group <prefix> authentication-algorithm hmac-sha-1-96
user@host# set session-group <prefix> authentication-key-chain <chain-name>
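The following audit script is an added example for this control; it is not code from the original page or from Juniper. It parses the output of "show configuration | display set" and rates every LDP session and session-group: PASS for aes-128-cmac-96, WARN for hmac-sha-1-96, FAIL for MD5 (including the implicit MD5 default when only an authentication-key is set), for a key-chain that is referenced but not defined, and for a key-chain with no key whose start time is already in the past. The sample configuration is constructed, the fixed reference clock is a demo assumption, and the exact rendering of key-chain start-time values in display-set output is assumed to be YYYY-MM-DD.HH:MM:SS optionally followed by a UTC offset.

```python
"""Audit Junos LDP session authentication from 'show configuration | display set' output.

Added example for this benchmark control; not code from the original page or from Juniper.
The sample configuration is constructed, and the display-set rendering of key-chain
start-time values is an assumption.
"""
import re
from datetime import datetime, timezone

# Fixed reference clock so the key start-time check is reproducible (demo assumption).
REFERENCE_NOW = datetime(2023, 1, 1, tzinfo=timezone.utc)

# Constructed sample: an AES-CMAC group with a usable key, a SHA-1 group, a session with a
# bare authentication-key (MD5 by default), and an AES-CMAC group whose key-chain only has
# a key that starts in the future.
SAMPLE_CONFIG = """\
set protocols ldp interface ge-0/0/0.0
set protocols ldp interface ge-0/0/1.0
set protocols ldp session-group 10.0.0.0/24 authentication-algorithm aes-128-cmac-96
set protocols ldp session-group 10.0.0.0/24 authentication-key-chain ldp-aes
set protocols ldp session-group 10.0.1.0/24 authentication-algorithm hmac-sha-1-96
set protocols ldp session-group 10.0.1.0/24 authentication-key-chain ldp-sha1
set protocols ldp session 10.0.2.1 authentication-key "$9$constructed"
set protocols ldp session-group 10.0.3.0/24 authentication-algorithm aes-128-cmac-96
set protocols ldp session-group 10.0.3.0/24 authentication-key-chain ldp-future
set security authentication-key-chains key-chain ldp-aes key 1 secret "$9$constructed"
set security authentication-key-chains key-chain ldp-aes key 1 start-time "2022-01-01.00:00:00 +0000"
set security authentication-key-chains key-chain ldp-sha1 key 1 secret "$9$constructed"
set security authentication-key-chains key-chain ldp-sha1 key 1 start-time "2022-01-01.00:00:00 +0000"
set security authentication-key-chains key-chain ldp-future key 1 secret "$9$constructed"
set security authentication-key-chains key-chain ldp-future key 1 start-time "2099-01-01.00:00:00 +0000"
"""

SESSION_RE = re.compile(
    r"^set protocols ldp (session|session-group) (\S+) "
    r"(authentication-algorithm|authentication-key|authentication-key-chain)(?: (.+))?$"
)
KEY_RE = re.compile(
    r'^set security authentication-key-chains key-chain (\S+) key (\S+) '
    r'(start-time|secret) "?([^"]+?)"?$'
)


def parse_config(text):
    """Return (ldp_present, sessions, chains) from display-set lines."""
    ldp_present = False
    sessions = {}  # (kind, target) -> {attribute: value}
    chains = {}    # chain name -> {key id: {"secret": bool, "start": datetime}}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set protocols ldp"):
            ldp_present = True
        m = SESSION_RE.match(line)
        if m:
            kind, target, attr, value = m.groups()
            sessions.setdefault((kind, target), {})[attr] = value
            continue
        m = KEY_RE.match(line)
        if m:
            chain, key_id, attr, value = m.groups()
            key = chains.setdefault(chain, {}).setdefault(key_id, {})
            if attr == "secret":
                key["secret"] = True
            else:
                # Assumed rendering: YYYY-MM-DD.HH:MM:SS, optionally followed by a UTC offset.
                key["start"] = datetime.strptime(value[:19], "%Y-%m-%d.%H:%M:%S").replace(tzinfo=timezone.utc)
    return ldp_present, sessions, chains


def chain_usable(chain, now):
    """A key-chain can authenticate only if some key has a secret and a start time already reached."""
    return any(k.get("secret") and "start" in k and k["start"] <= now for k in chain.values())


def audit(text, now=REFERENCE_NOW):
    """Rate each LDP session/session-group: PASS (AES-CMAC), WARN (SHA-1), FAIL (MD5/none/unusable chain)."""
    ldp_present, sessions, chains = parse_config(text)
    findings = []
    if not ldp_present:
        return findings  # control not applicable: LDP is not configured
    if not sessions:
        findings.append(("FAIL", "protocols ldp", "LDP enabled with no session or session-group authentication"))
    for (kind, target), attrs in sorted(sessions.items()):
        name = f"{kind} {target}"
        has_key = "authentication-key" in attrs or "authentication-key-chain" in attrs
        # Junos defaults to MD5 when a key is configured without an explicit algorithm.
        algo = attrs.get("authentication-algorithm", "md5")
        if not has_key:
            findings.append(("FAIL", name, "authentication-algorithm set without a key or key-chain"))
            continue
        if algo == "aes-128-cmac-96":
            status, detail = "PASS", "AES-128-CMAC-96"
        elif algo == "hmac-sha-1-96":
            status, detail = "WARN", "HMAC-SHA-1-96; prefer AES-128-CMAC-96 where both LSRs support it"
        else:
            status, detail = "FAIL", f"{algo} is too weak for LDP session authentication"
        chain_name = attrs.get("authentication-key-chain")
        if chain_name is not None and chain_name not in chains:
            status, detail = "FAIL", f"key-chain {chain_name} referenced but not defined"
        elif chain_name is not None and not chain_usable(chains[chain_name], now):
            status, detail = "FAIL", f"key-chain {chain_name} has no key with a secret and a start time in the past"
        findings.append((status, name, detail))
    return findings


if __name__ == "__main__":
    for status, name, detail in audit(SAMPLE_CONFIG):
        print(f"{status:4} {name}: {detail}")
```

Run it against a saved "show configuration | display set" capture (replace SAMPLE_CONFIG with the file contents and drop the fixed clock) to list every session group that still relies on MD5 or on a key-chain that cannot yet authenticate. It reads only the configuration, so a session group that is configured correctly but whose peer holds different secrets will still appear as PASS; confirm the session actually establishes after the change.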

Default Value:

LDP is not configured by default.

When LDP is configured with an authentication-key but no authentication-algorithm, MD5 is the default authentication-algorithm.

Supportive Information


This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication. This control applies to the following type of system: Juniper.


Updated on July 16, 2022