https://community.cisco.com/t5/network-access-control/md5-authentication-in-bgp/m-p/229715#M3111 <P>Is MD5 authentication in BGP authenticates all types of BGP message, including KEEPALIVE, OPEN?</P><P></P><P>If yes, does it mean that BGP will put the link in down status if the remote router do not have the password set correctly?</P><P></P><P>Thanks</P> Fri, 21 Feb 2020 18:10:27 GMT Norris_Yu 2020-02-21T18:10:27Z https://community.cisco.com/t5/network-access-control/md5-authentication-in-bgp/m-p/229715#M3111 <P>Is MD5 authentication in BGP authenticates all types of BGP message, including KEEPALIVE, OPEN?</P><P></P><P>If yes, does it mean that BGP will put the link in down status if the remote router do not have the password set correctly?</P><P></P><P>Thanks</P> Fri, 21 Feb 2020 18:10:27 GMT https://community.cisco.com/t5/network-access-control/md5-authentication-in-bgp/m-p/229715#M3111 Norris_Yu 2020-02-21T18:10:27Z https://community.cisco.com/t5/network-access-control/md5-authentication-in-bgp/m-p/229716#M3112 <HTML><HEAD></HEAD><BODY><P>Yes the BGP message header includes a field for authentication. If the password doesn't match or is only configured on side, it simply does not form a neighbor relationship or in the case of an existing relationship it will tear it down. But the link (interface) remains up, just no BGP per across it.</P></BODY></HTML> Wed, 09 Jun 2004 19:34:22 GMT https://community.cisco.com/t5/network-access-control/md5-authentication-in-bgp/m-p/229716#M3112 mvalentine 2004-06-09T19:34:22Z https://community.cisco.com/t5/network-access-control/md5-authentication-in-bgp/m-p/229717#M3113 <HTML><HEAD></HEAD><BODY><P>Thanks! </P><P></P><P>If the neighbor relationship dropped, will BGP remove all routes, with the destination pointed to that neighbor, from its routing table even the interface remained up?</P><P></P><P>What I concern is whenever the remote router spoofed by someone (without valid password), will the traffic go to that spoofed router from my router. </P><P></P></BODY></HTML> Thu, 10 Jun 2004 00:30:18 GMT https://community.cisco.com/t5/network-access-control/md5-authentication-in-bgp/m-p/229717#M3113 Norris_Yu 2004-06-10T00:30:18Z https://community.cisco.com/t5/network-access-control/md5-authentication-in-bgp/m-p/229718#M3114 <HTML><HEAD></HEAD><BODY><P>If the neighbor relationship drops BGP will withdraw the routes from the routing table even if the interface is up. </P><P></P><P>If the remote router is spoofed by someone without a vaild password, it will never establish a neighbor relationship with that router so it won't route to it</P><P></P><P>If you're really concerned about bgp security you may wish to use md5 auth in addition to BGP ttl security checks. Here's a link for the ttl security</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a008020e6f5.html" target="_blank">http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a008020e6f5.html</A></P><P></P><P></P></BODY></HTML> Thu, 10 Jun 2004 12:33:15 GMT https://community.cisco.com/t5/network-access-control/md5-authentication-in-bgp/m-p/229718#M3114 mvalentine 2004-06-10T12:33:15Z