An Authentication for Non-Adjacent LSRs in the LDP

Morvan D. Müller, Carlos B. Westphall, Carla M. Westphall
Network and Management Laboratory (LRG), Post-Graduate Program in Computer Science, Federal University of Santa Catarina (UFSC). Phone: +55.48.3317559, Florianópolis, SC, Brazil.
{morvan, westphal, carla}@lrg.ufsc.br

Abstract. This work proposes a solution for the LDP (Label Distribution Protocol) of the MPLS architecture whose objective is to authenticate, on an end-to-end basis, the establishment of an LSP (Label Switching Path) between an Ingress LSR (Label Switching Router) and its Egress. The goal is to cover a deficiency of the LDP, which defines no end-to-end authentication mechanism for non-adjacent LSRs. The solution uses an authentication mechanism based on asymmetric cryptography (private and public keys) that enables the receiver to verify and authenticate the sender. It provides integrity for the information through a hash and additionally protects against replay attacks by inserting a nonce into the LDP messages. We know of no similar solution that effectively solves this problem.

Keywords. LDP, Security, MPLS.

1. Introduction

MPLS (Multi-protocol Label Switching), as defined in RFC3031 [8], is a framework defined by the IETF (Internet Engineering Task Force) that provides efficient forwarding and switching of data flows across the network, since it is a packet switching technique based on labels. In the MPLS architecture the LDP (Label Distribution Protocol) is responsible for distributing these labels and establishing logical paths called LSPs (Label Switched Paths), which are created through LSRs (Label Switched Routers) linked to each other. A weakness in LDP security can compromise the entire MPLS environment, because the label distribution performed by the LDP determines who may or may not participate in an MPLS domain through the created LSPs.
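The mechanism the abstract describes (the sender signs a hash of the message with its private key, the receiver verifies it with the sender's public key, and a nonce lets the receiver reject replays) is shown below as an added example; it is not the paper's own Linux implementation. It assumes an Ed25519 key pair already known to the receiver, SHA-256 as the hash, and a simplified message layout, none of which the paper specifies on this page.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// AuthMessage is a simplified stand-in for an LDP message carrying the
// authentication data the abstract describes: the payload (e.g. a Label
// Request for some FEC), a nonce and a signature over hash(nonce || payload).
// The layout is an assumption for this example, not the paper's TLV format.
type AuthMessage struct {
	Payload   []byte
	Nonce     [16]byte // fixed width, so nonce and payload cannot be confused
	Signature []byte
}

// digest binds the nonce and the payload together before signing so that
// neither can be altered or reused independently.
func digest(nonce [16]byte, payload []byte) []byte {
	h := sha256.New()
	h.Write(nonce[:])
	h.Write(payload)
	return h.Sum(nil)
}

// Sign is the Ingress side: draw a fresh random nonce and sign the digest
// with the private key.
func Sign(priv ed25519.PrivateKey, payload []byte) (AuthMessage, error) {
	var m AuthMessage
	if _, err := rand.Read(m.Nonce[:]); err != nil {
		return m, err
	}
	m.Payload = append([]byte(nil), payload...)
	m.Signature = ed25519.Sign(priv, digest(m.Nonce, m.Payload))
	return m, nil
}

// Verifier is the Egress side: it holds the peer's public key (assumed to
// be distributed out of band) and the nonces already accepted from that
// peer, so a captured message cannot be replayed.
type Verifier struct {
	PeerPub ed25519.PublicKey
	seen    map[[16]byte]bool
}

func NewVerifier(pub ed25519.PublicKey) *Verifier {
	return &Verifier{PeerPub: pub, seen: make(map[[16]byte]bool)}
}

var (
	ErrBadSignature = errors.New("signature does not verify: sender not authenticated or message altered")
	ErrReplay       = errors.New("nonce already seen: replayed message")
)

// Verify checks the signature first (authenticity and integrity) and then
// the nonce (freshness). Only a fully valid message is recorded as seen.
func (v *Verifier) Verify(m AuthMessage) error {
	if !ed25519.Verify(v.PeerPub, digest(m.Nonce, m.Payload), m.Signature) {
		return ErrBadSignature
	}
	if v.seen[m.Nonce] {
		return ErrReplay
	}
	v.seen[m.Nonce] = true
	return nil
}

// Demo runs the exchange once and returns the three outcomes a defender
// cares about: a genuine message, the same message replayed, and a message
// whose payload was altered in transit.
func Demo() (genuine, replay, tampered error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err, err
	}
	egress := NewVerifier(pub)
	// Constructed sample payload standing in for a Label Request for one FEC.
	msg, err := Sign(priv, []byte("LABEL_REQUEST FEC=10.0.0.0/8"))
	if err != nil {
		return err, err, err
	}
	genuine = egress.Verify(msg)
	replay = egress.Verify(msg)
	altered := msg
	altered.Payload = bytes.Replace(msg.Payload, []byte("/8"), []byte("/9"), 1)
	tampered = egress.Verify(altered)
	return genuine, replay, tampered
}

func main() {
	g, r, t := Demo()
	fmt.Println("genuine:", g, "| replay:", r, "| tampered:", t)
}
```

The order of the checks matters: the signature is verified before the nonce is consulted, so an unauthenticated sender cannot fill the receiver's seen-nonce table, and a nonce is only recorded once the message carrying it has been accepted.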
The authentication defined for the LDP in RFC3036 [2], based on the TCP/MD5 option [3], is restricted to adjacent LSRs, because it depends on a TCP connection between the involved LSRs. In the case of LSPs between non-adjacent LSRs, under normal conditions no end-to-end TCP connection exists between these LSRs during the establishment of the first LSP. So the solution from RFC3036 does not deal efficiently with situations where two LSRs intend to authenticate each other end-to-end during the establishment of a new LSP.

This work proposes an end-to-end authentication solution for the LDP in order to overcome this weakness of the protocol, making it possible to establish LSPs between two non-adjacent LSRs in a secure way. The solution was planned for environments where LSPs cross external multi-domain environments that do not trust each other, and which for this reason need a way to authenticate the endpoints of the LSP during its establishment. As verified through the related works [5], [12] and [13], no similar solution is currently known that effectively meets the goal of authenticating the establishment of LSPs between non-adjacent LSRs, on an end-to-end basis, in the LDP protocol. To validate this solution, we implemented the defined authentication in Linux.

1.1 Related Works

[5] describes an end-to-end authentication proposal for the LDP protocol, which was submitted as a draft (currently expired) to the IETF. The authors have not made practical experiments such as implementations or simulations of the suggested solution. After a deep analysis of this proposal we conclude that it presents an architectural error, a fact recognized by its authors: it assumes that when sending an LDP message requesting an LSP for some FEC, the source LSR (ingress) knows which destination LSR (egress) will process the request. In most cases this is not true in the standard form of operation of the LDP protocol.
So the applicability of this solution is drastically reduced, and it can only be applied to a minority of cases on the LDP, when the Ingress LSR knows, before requesting the LSP, who will be the Egress LSR for some FEC. [12] approaches the security of MPLS and raises the problem of authentication during the establishment of LSPs between non-adjacent LSRs in the LDP. [14] describes a solution that depends on the trustworthiness of the LSPs created between non-adjacent LSRs. [13] compares the proposed S-BGP architecture with other security solutions defined for the BGP (Border Gateway Protocol), which include the authentication solution for the LDP based on the TCP/MD5 Option [3] defined in RFC3036.

1.2 Organization of the Work

This work is organized in four sections. Section 2 describes the end-to-end authentication solution for the LDP. Section 3 describes the mechanisms that provide the authentication, presents the justifications for the chosen