Configure the TCP MD5 Signature for LDP Session

You can configure an MD5 signature for an LDP TCP connection to protect against the introduction of spoofed TCP segments into LDP session connection streams.

A router using the MD5 signature option is configured with a password for each peer for which authentication is required. The password is stored encrypted.

LDP hello adjacencies can still be created even when peering interfaces are configured with different security signatures. However, the TCP session cannot be authenticated and is never established.

NOTE: If you apply an MD5 signature to an LDP interface with an established session, it drops the TCP connection and all the associated label bindings to the FEC entries for that session. The session regenerates the database information for that session once both interfaces agree on a common security method and password.

To configure an MD5 signature for an LDP TCP connection, include the authentication-key statement:

session address {

    authentication-key md5-authentication-key;

}

For a list of hierarchy levels at which you can configure this statement, see the statement summary section for this statement.

Use the session statement to configure the address for the remote end of the LDP session.

The md5-authentication-key (password) can be up to 69 characters long. Characters can include any ASCII strings. If you include spaces, enclose all characters in quotation marks.