
LDP Authentication

LDP MD5

Message-digest algorithm 5 (MD5) is a standard digest algorithm defined in RFC 1321. A typical application of MD5 is to calculate a message digest to prevent message spoofing. The MD5 message digest is a unique result calculated by an irreversible conversion of a character string; if a message is modified during transmission, a different digest is generated. After the message arrives, the receiving end can determine whether the packet has been modified by comparing the received digest with the digest it computes itself.

LDP MD5 authentication protects LDP packets against undetected modification by generating a unique digest for each information segment. This check is stricter than the common checksum verification of TCP connections.

Before an LDP message is sent over a TCP connection, LDP MD5 authentication places a unique digest in the TCP header. This digest is calculated by MD5 over the TCP header, the LDP message, and the password set by the user.

When receiving this TCP packet, the receiver extracts the TCP header, the digest, and the LDP message, and then uses MD5 to calculate its own digest over the received TCP header, the received LDP message, and the locally stored password. The receiver compares the calculated digest with the received one to check whether the packet has been modified.

A password can be set in either ciphertext or explicit text. An explicit-text password is recorded in the configuration file as entered. A ciphertext password is recorded in the configuration file only after being encrypted using a special algorithm.

Regardless of whether the password is stored in explicit text or ciphertext, the digest is calculated over the character string the user originally entered. The ciphertext form stored in the configuration file therefore never participates in the MD5 calculation.

LDP Keychain

Keychain is an enhancement of MD5 authentication: it calculates a message digest over the same LDP message to detect modification of the message, but with a managed set of passwords rather than a single static one.

During keychain authentication, a group of passwords is defined to form a password string. Each password is specified with its encryption and decryption algorithms, such as MD5 and SHA-1, and is configured with a validity period. When sending or receiving a packet, the system selects a valid password based on the user's configuration. Within the validity period of a password, the system uses the encryption algorithm matching that password to encrypt the packet before sending it, or the matching decryption algorithm to decrypt the packet before accepting it. In addition, the system automatically switches to a new password after the previous one expires, which limits the time an attacker has to recover any single password.

The authentication password, the encryption and decryption algorithms, and the password validity period that together make up a keychain configuration node are configured using separate commands. A keychain configuration node requires at least one password together with its encryption and decryption algorithms.

To reference a keychain configuration node, specify the required peer and the name of the node in the MPLS LDP view so that the LDP session to that peer is authenticated. Different peers can reference the same keychain configuration node.
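The following is an added example, not Huawei's implementation, that models both mechanisms described on this page: the digest over TCP header, LDP message and password (the MD5 section), and the keychain rule of selecting a password by validity period and rotating when it expires. It follows the text's description of the digest input; RFC 2385 additionally covers a TCP pseudo-header, which is omitted here. The TCP header bytes, the LDP KeepAlive PDU, the passwords and the validity windows are all constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Key:
    password: str       # the string the operator typed, not its ciphertext form
    algorithm: str      # hashlib name: "md5" or "sha1"
    valid_from: int     # validity window, seconds since the epoch (constructed)
    valid_to: int

    def active(self, now: int) -> bool:
        return self.valid_from <= now < self.valid_to


def digest(tcp_header: bytes, ldp_msg: bytes, key: Key) -> bytes:
    """Digest over TCP header + LDP message + password, as the page describes."""
    h = hashlib.new(key.algorithm)
    h.update(tcp_header + ldp_msg + key.password.encode())
    return h.digest()


def sign(tcp_header: bytes, ldp_msg: bytes, keychain: list, now: int) -> bytes:
    """Sender side: use the key whose validity period covers `now`."""
    for key in keychain:
        if key.active(now):
            return digest(tcp_header, ldp_msg, key)
    raise RuntimeError("no key valid at this time; session cannot be authenticated")


def verify(tcp_header: bytes, ldp_msg: bytes, received: bytes,
           keychain: list, now: int) -> bool:
    """Receiver side: recompute with every currently valid key, compare in constant time."""
    return any(hmac.compare_digest(digest(tcp_header, ldp_msg, k), received)
               for k in keychain if k.active(now))


# Constructed sample input: a 20-byte TCP header (port 646 both ways) and an
# LDP KeepAlive PDU from LSR-ID 10.0.0.1 (version 1, PDU length 14).
TCP_HEADER = bytes.fromhex("0286 0286 00000001 00000001 5018 ffff 0000 0000")
LDP_KEEPALIVE = bytes.fromhex("0001 000e 0a000001 0000 0201 0004 00000001")
KEYCHAIN = [
    Key("old-secret", "md5", valid_from=1000, valid_to=2000),
    Key("new-secret", "sha1", valid_from=2000, valid_to=3000),
]

if __name__ == "__main__":
    tag = sign(TCP_HEADER, LDP_KEEPALIVE, KEYCHAIN, now=1500)
    print("intact:", verify(TCP_HEADER, LDP_KEEPALIVE, tag, KEYCHAIN, now=1500))
    print("tampered:", verify(TCP_HEADER, LDP_KEEPALIVE[:-1] + b"\x02", tag, KEYCHAIN, now=1500))
    print("after rollover:", verify(TCP_HEADER, LDP_KEEPALIVE, tag, KEYCHAIN, now=2500))
```

A packet signed under the first key verifies while that key is valid, fails if a single byte of the LDP message changes, and fails again once the keychain has rolled over to the second key.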

Copyright © Huawei Technologies Co., Ltd.