
MD5 authentication in BGP

Norris_Yu
Level 1

Does MD5 authentication in BGP authenticate all types of BGP messages, including KEEPALIVE and OPEN?

If yes, does it mean that BGP will put the link in down status if the remote router does not have the password set correctly?

Thanks

3 Replies

mvalentine
Level 1

Yes, the BGP message header includes a field for authentication. If the password doesn't match or is only configured on one side, it simply does not form a neighbor relationship, or in the case of an existing relationship it will tear it down. But the link (interface) remains up, just no BGP peer across it.

Thanks!

If the neighbor relationship dropped, will BGP remove all routes with the destination pointed to that neighbor from its routing table, even if the interface remained up?

My concern is: whenever the remote router is spoofed by someone (without a valid password), will the traffic go to that spoofed router from my router?

If the neighbor relationship drops, BGP will withdraw the routes from the routing table even if the interface is up.

If the remote router is spoofed by someone without a valid password, it will never establish a neighbor relationship with that router, so it won't route to it.

If you're really concerned about BGP security, you may wish to use MD5 auth in addition to BGP TTL security checks. Here's a link for the TTL security:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a008020e6f5.html
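
Added example, not part of the thread or of any poster's configuration: a Python sketch of the TCP MD5 signature (RFC 2385) that a BGP neighbor password relies on. The digest is computed per TCP segment, so it covers whatever BGP message the segment carries (OPEN, KEEPALIVE, UPDATE), and a sender without the key is never accepted. Addresses, ports, key and header values are constructed samples, and the function names are hypothetical.

```python
import hashlib
import hmac
import socket
import struct

# Constructed sample: a 19-byte BGP KEEPALIVE (16-byte marker, length 19, type 4)
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)


def sample_header(seq, checksum=0xBEEF):
    """Constructed fixed TCP header: dst port 179, data offset 10 words, PSH|ACK."""
    return struct.pack("!HHIIHHHH", 40000, 179, seq, 1,
                       (10 << 12) | 0x018, 16384, checksum, 0)


def tcp_md5_digest(src_ip, dst_ip, tcp_header20, payload, key):
    """RFC 2385 digest: pseudo-header, fixed TCP header with the checksum
    zeroed and options excluded, segment data, then the shared key."""
    header_len = (tcp_header20[12] >> 4) * 4          # includes the option bytes
    seg_len = header_len + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, seg_len))    # zero, protocol 6 (TCP), length
    header = tcp_header20[:16] + b"\x00\x00" + tcp_header20[18:20]
    return hashlib.md5(pseudo + header + payload + key).digest()


def accept_segment(src_ip, dst_ip, tcp_header20, payload, received_digest, key):
    """Receiver side: a segment with no option or a wrong digest is dropped,
    so the TCP session under BGP never carries the unauthenticated message."""
    if received_digest is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_header20, payload, key)
    return hmac.compare_digest(expected, received_digest)


if __name__ == "__main__":
    peer, local = "192.0.2.1", "192.0.2.2"             # constructed addresses
    hdr = sample_header(seq=1000)
    good = tcp_md5_digest(peer, local, hdr, KEEPALIVE, b"shared-key")
    bad = tcp_md5_digest(peer, local, hdr, KEEPALIVE, b"guess")
    for label, digest in (("correct key", good), ("wrong key", bad), ("no option", None)):
        ok = accept_segment(peer, local, hdr, KEEPALIVE, digest, b"shared-key")
        print(f"{label}: {'accepted' if ok else 'dropped'}")
```
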