
Configuring Authentication For BGP


Mon, 04/14/2014 - 08:08
Jun 22nd, 2009

Introduction:

BGP differs from the other routing protocols (EIGRP, OSPF) because you must explicitly configure the peer relationships between routers. These peers then use point-to-point TCP connections to exchange information, so it is much more difficult for a malicious user to surreptitiously establish a peer relationship with one of your routers and corrupt your routing tables. It is still possible, however, to hijack an existing TCP connection between two BGP peers and inject bad routes. And if the attackers are on the same network segment as one of the peers, they can potentially hijack the IP address of the legitimate peer and set up a new BGP session.

With authentication, this type of attack is considerably more difficult. The attacker must not only get the TCP sequence numbers right, but must also produce the correct authentication digest on every segment, which requires knowing the shared password.

Configuring BGP Authentication on Cisco IOS:

Border Gateway Protocol (BGP) supports an authentication mechanism using the Message Digest 5 (MD5) algorithm. When authentication is enabled, every Transmission Control Protocol (TCP) segment belonging to BGP that is exchanged between the peers is verified and accepted only if authentication succeeds. For authentication to succeed, both peers must be configured with the same password. If authentication fails, the BGP neighbor relationship is not established.

router bgp 100
 no synchronization
 bgp log-neighbor-changes
 neighbor 80.80.80.80 remote-as 100
 neighbor 80.80.80.80 password cisco
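The per-segment check described above is the TCP MD5 signature option of RFC 2385: the sender appends an MD5 digest computed over the IP pseudo-header, the fixed TCP header, the data and the shared password, and the receiver recomputes it before accepting the segment. The following Python is an added example and is not code from the original document or from Cisco; it rebuilds that digest over a constructed segment so you can see why a peer with the wrong password, a spoofed source address, or a modified payload is dropped. The segment builder and verifier, the sample BGP KEEPALIVE bytes, the addresses and the password are all constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
TCP_MD5_KIND = 19        # TCP option kind of the MD5 signature option (RFC 2385)
TCP_MD5_LEN = 18         # kind (1) + length (1) + 16-byte digest
NOP = b"\x01"            # option padding to reach a 32-bit boundary

# Constructed sample payload: a BGP KEEPALIVE (16-byte all-ones marker, length 19, type 4).
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)


def rfc2385_digest(src_ip, dst_ip, fixed_header, payload, password):
    """MD5 over pseudo-header || fixed TCP header (checksum = 0) || data || password.

    fixed_header is the 20-byte TCP header without options; its data-offset field
    still holds the real header length, so the segment length below covers options too.
    """
    seg_len = (fixed_header[12] >> 4) * 4 + len(payload)
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    header = fixed_header[:16] + b"\x00\x00" + fixed_header[18:]  # zero the checksum field
    return hashlib.md5(pseudo + header + payload + password.encode()).digest()


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, password):
    """Return header + MD5 option + data as a sender would emit it (checksum left at 0)."""
    header_len = 20 + TCP_MD5_LEN + 2                 # two NOPs pad the option to 40 bytes
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        (header_len // 4) << 4, flags, 65535, 0, 0)
    digest = rfc2385_digest(src_ip, dst_ip, fixed, payload, password)
    option = struct.pack("!BB", TCP_MD5_KIND, TCP_MD5_LEN) + digest + NOP + NOP
    return fixed + option + payload


def verify_signed_segment(src_ip, dst_ip, segment, password):
    """Receiver side: accept only if a well-formed MD5 option matches the configured password."""
    if len(segment) < 20:
        return False
    header_len = (segment[12] >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        return False
    fixed, options, payload = segment[:20], segment[20:header_len], segment[header_len:]
    received = None
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            return False                    # truncated option
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return False                    # malformed option length
        if kind == TCP_MD5_KIND and length == TCP_MD5_LEN:
            received = options[i + 2:i + length]
        i += length
    if received is None:
        return False                        # unsigned segment on an authenticated session
    expected = rfc2385_digest(src_ip, dst_ip, fixed, payload, password)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    seg = build_signed_segment("10.1.1.1", "10.1.1.2", 179, 40000, 1000, 2000, 0x18, KEEPALIVE, "cisco")
    print("same password :", verify_signed_segment("10.1.1.1", "10.1.1.2", seg, "cisco"))
    print("wrong password:", verify_signed_segment("10.1.1.1", "10.1.1.2", seg, "wrong"))
    print("spoofed source:", verify_signed_segment("10.1.1.9", "10.1.1.2", seg, "cisco"))
```

Because the source and destination addresses are part of the digested pseudo-header, an attacker who spoofs the legitimate peer's address still has to know the password; and because the digest covers the data, a hijacked session cannot have routes injected into it without the password either. This is why the IOS text insists that both peers carry the same password: the receiver does not negotiate anything, it simply recomputes and compares.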

Configuring BGP Authentication on Cisco IOS XR:

Configuration steps to enable Message Digest 5 (MD5) authentication on the TCP connection between two BGP neighbors:

router bgp 100
 neighbor 10.1.1.1
  remote-as 1
  password { clear | encrypted } password
 end
commit

Configuring Keychains for BGP:

BGP uses TCP authentication, which enables the authentication option and sends a Message Authentication Code (MAC) based on the cryptographic algorithm configured for the keychain. The routing protocols each support a different set of cryptographic algorithms; Border Gateway Protocol (BGP) supports only HMAC-MD5 and HMAC-SHA1-12.

key chain keychain_A
 key 1
  cryptographic-algorithm [HMAC-MD5 | HMAC-SHA1-12 | HMAC-SHA1-20 | MD5 | SHA-1]
router bgp 140
 neighbor 172.20.1.1
  remote-as 1
  keychain keychain_A
 end
commit

Configuring BGP Authentication on Cisco NX-OS:

In Cisco NX-OS, when neighbor authentication is configured, the BGP key is 3DES encrypted in the configuration. Cisco IOS Software requires the service password-encryption command to encrypt the password in the configuration.

router bgp 10
 neighbor 192.168.10.2 remote-as 11
  password 3 a667d47acc18ea6b
  address-family ipv4 unicast

Related Information:

MD5 Authentication Between BGP Peers Configuration Example

Implementing BGP on Cisco IOS XR Software

Implementing Keychain Management on Cisco IOS XR Software

Cisco NX-OS/IOS BGP (Basic) Comparison
