Introduction:
BGP is different than the other routing protocols (EIGRP,OSPF) because you must explicitly configure the peer relationships between routers. These peers then use point-to-point TCP connections to exchange information. So it is much more difficult for a malicious user to surreptitiously establish a peer relationship with one of your routers and corrupt your routing tables. But it is still possible to hijack an existing TCP connection between two BGP peers and inject bad routes. And if the attackers are on the same network segment as one of the peers, they can potentially hijack the IP address of the legitimate peer and set up a new BGP session.
With authentication, this type of attack is considerably more difficult. This is because the attacker must not only get the TCP sequence numbers right, but he must also insert the correct encrypted authentication key.
Configuring BGP Authentication on Cisco IOS:
Border Gateway Protocol (BGP) supports authentication mechanism using Message Digest 5 (MD5) algorithm. When authentication is enabled, any Transmission Control Protocol (TCP) segment belonging to BGP exchanged between the peers is verified and accepted only if authentication is successful. For authentication to be successful, both the peers must be configured with the same password. If authentication fails, the BGP neighbor relationship is not be established.
router bgp 100
no synchronization
bgp log-neighbor-changes
neighbor 80.80.80.80 remote-as 100
neighbor 80.80.80.80 password cisco
Configuring BGP Authentication on Cisco IOS XR:
Configuration steps to enables Message Digest 5 (MD5) authentication on the TCP connection between the two BGP neighbors.
router bgp 100
neighbor 10.1.1.1
remote-as 1
password { clear | encrypted } password
end
commit
Configuring Keychains for BGP:
BGP uses TCP authentication, which enables the authentication option and sends the Message Authentication Code (MAC) based on the cryptographic algorithm configured for the keychain.The routing protocols each support a different set of cryptographic algorithms, Border Gateway Protocol (BGP) supports only HMAC-MD5 and HMAC-SHA1-12.
key chain keychain_A
key 1
cryptographic-algorithm [HMAC-MD5 | HMAC-SHA1-12 | HMAC-SHA1-20 | MD5 | SHA-1]
router bgp 140
neighbor 172.20.1.1
remote-as 1
keychain keychain_A
end
commit
Configuring BGP Authentication on Cisco IOS XR:
In Cisco NX-OS, when neighbor authentication is configured, the BGP key is 3DES encrypted in the configuration. Cisco IOS Software requires the service password command to encrypt the password in the configuration.
router bgp 10
neighbor 192.168.10.2 remote-as 11
password 3 a667d47acc18ea6b
address-family ipv4 unicast
Related Information:
MD5 Authentication Between BGP Peers Configuration Example
Implementing BGP on Cisco IOS XR Software
Implementing Keychain Management on Cisco IOS XR Software
Cisco NX-OS/IOS BGP (Basic) Comparison