Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
59483
Views
10
Helpful
0
Comments

Configuring Authentication For BGP

TCC_2
Level 10
Level 10

‎06-22-2009 06:15 PM - edited ‎03-01-2019 04:20 PM

Introduction:

BGP is different than the other routing protocols (EIGRP,OSPF) because you must explicitly configure the peer relationships between routers. These peers then use point-to-point TCP connections to exchange information. So it is much more difficult for a malicious user to surreptitiously establish a peer relationship with one of your routers and corrupt your routing tables. But it is still possible to hijack an existing TCP connection between two BGP peers and inject bad routes. And if the attackers are on the same network segment as one of the peers, they can potentially hijack the IP address of the legitimate peer and set up a new BGP session.

With authentication, this type of attack is considerably more difficult. This is because the attacker must not only get the TCP sequence numbers right, but he must also insert the correct encrypted authentication key.

Configuring BGP Authentication on Cisco IOS:

Border Gateway Protocol (BGP) supports authentication mechanism using Message Digest 5 (MD5) algorithm. When authentication is enabled, any Transmission Control Protocol (TCP) segment belonging to BGP exchanged between the peers is verified and accepted only if authentication is successful. For authentication to be successful, both the peers must be configured with the same password. If authentication fails, the BGP neighbor relationship is not be established.

router bgp 100

no synchronization

bgp log-neighbor-changes

neighbor 80.80.80.80 remote-as 100

neighbor 80.80.80.80 password cisco

 

Configuring BGP Authentication on Cisco IOS XR:

Configuration steps to enables Message Digest 5 (MD5) authentication on the TCP connection between the two BGP neighbors.

router bgp 100

neighbor 10.1.1.1

remote-as 1

password { clear | encrypted } password

end

commit

 

Configuring Keychains for BGP:

BGP uses TCP authentication, which enables the authentication option and sends the Message Authentication Code (MAC) based on the cryptographic algorithm configured for the keychain.The routing protocols each support a different set of cryptographic algorithms, Border Gateway Protocol (BGP) supports only HMAC-MD5 and HMAC-SHA1-12.

key chain keychain_A

key 1

cryptographic-algorithm [HMAC-MD5 | HMAC-SHA1-12 | HMAC-SHA1-20 | MD5 | SHA-1]

router bgp 140

neighbor 172.20.1.1

remote-as 1

keychain keychain_A

end

commit

Configuring BGP Authentication on Cisco IOS XR:

In Cisco NX-OS, when neighbor authentication is configured, the BGP key is 3DES encrypted in the configuration. Cisco IOS Software requires the service password command to encrypt the password in the configuration. 

 

router bgp 10

neighbor 192.168.10.2 remote-as 11

password 3 a667d47acc18ea6b

address-family ipv4 unicast

 

Related Information:

MD5 Authentication Between BGP Peers Configuration Example

Implementing BGP on Cisco IOS XR Software

Implementing Keychain Management on Cisco IOS XR Software

Cisco NX-OS/IOS BGP (Basic) Comparison

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents