BGP Password MD5

SSubbiah
Level 1

I am just wondering how to secure the iBGP and eBGP sessions using MD5 and Passwords. If there are any documents, please forward the same.

Thanks in Advance

7 Replies

Harold Ritter
Level 12

I'm not sure what kind of information you need. As long as you use the "neighbor password " command, with the password being the same on both sides of any given session, it should work. Could you elaborate on what you are looking for?

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

I tried the above example between my iBGP peers and I am getting MD5 Auth failure. However if I clear my bgp sessions, the connection is getting established. Is this a cosmetic bug or something?

4w4d: %TCP-6-BADAUTH: Invalid MD5 digest from 10.3.200.50(179) to IP Address (11018)

4w4d: %TCP-6-BADAUTH: Invalid MD5 digest from 10.3.200.50(179) to IP Address(11018)

4w4d: %TCP-6-BADAUTH: Invalid MD5 digest from 10.3.200.50(179) to IP Address(11018)

4w4d: %TCP-6-BADAUTH: Invalid MD5 digest from 10.3.200.50(179) to IP Address(11018)

These messages are not for the current session but rather for the one being torn down. You can validate that by doing a "sh ip bgp nei 10.3.200.50", and you will see that the current session uses a different port number.

Hope this helps,

Harold Ritter

spremkumar
Level 9

Hi

In addition to Harold's comments, if you have enough H/W resources in place, do work with authentication to avoid any kind of Denial of Service (DoS) attack from a malformed packet.

Heard today about a DoS attack because of a malformed OSPF packet in some IOS codes... not heard anything about BGP along the same lines.

Maybe enabling auth on the BGP session in advance will help to get rid of these attacks.

Do find the link on the same (BGP auth) below:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca763.html#wp1002189

Regards

Just thought I'd add my pennies worth...

If you authenticate BGP through a PIX, as it randomises the sequence number in the TCP header by default, you have to turn this off using the norandomseq option on the NAT statement - the MD5 checksum fails as the packet gets slightly changed. Smoke and mirrors stuff I suppose; thought it might save you some time if you come across this kind of setup in future.
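An added example (not from this thread or from Cisco) of the RFC 2385 TCP MD5 signature that "neighbor password" configures: the digest covers the TCP pseudo-header, the base TCP header (sequence number included) and the data, so a peer with a different key, or a device that rewrites the sequence number in transit as the PIX does, produces a digest mismatch on the receiving side. The peer and local addresses, ports, key and KEEPALIVE payload are constructed values.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

TCP_PROTO = 6
# Data offset in 32-bit words, assumed 10 (20-byte base header + 20 bytes of options:
# the 18-byte MD5 option plus two NOPs). The field value is hashed; the option bytes are not.
DATA_OFFSET_WORDS = 10


def tcp_md5_digest(src_ip, dst_ip, sport, dport, seq, ack, flags, window, payload, password):
    """RFC 2385: MD5(pseudo-header || base TCP header with checksum=0 || data || password)."""
    tcp_header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                             DATA_OFFSET_WORDS << 4, flags, window, 0, 0)
    seg_len = DATA_OFFSET_WORDS * 4 + len(payload)  # full TCP length, options included
    pseudo = struct.pack("!4s4sBBH", IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed,
                         0, TCP_PROTO, seg_len)
    return hashlib.md5(pseudo + tcp_header + payload + password).digest()


def verify_segment(segment, password):
    """Receiver side: recompute over the segment as it arrived and compare with the carried digest."""
    fields = {k: segment[k] for k in ("src_ip", "dst_ip", "sport", "dport",
                                      "seq", "ack", "flags", "window", "payload")}
    expected = tcp_md5_digest(password=password, **fields)
    return hmac.compare_digest(expected, segment["digest"])


def demo():
    password = b"constructed-bgp-secret"
    # Constructed BGP KEEPALIVE (16 marker bytes, length 19, type 4) from the thread's
    # peer 10.3.200.50:179 to a constructed local address and the logged port 11018.
    keepalive = b"\xff" * 16 + b"\x00\x13\x04"
    seg = dict(src_ip="10.3.200.50", dst_ip="10.3.200.1", sport=179, dport=11018,
               seq=0x1000, ack=0x2000, flags=0x18, window=16384, payload=keepalive)
    seg["digest"] = tcp_md5_digest(password=password, **seg)
    results = {"same_password": verify_segment(seg, password),
               "wrong_password": verify_segment(seg, b"other-secret")}
    # A middlebox rewriting the sequence number (PIX randomisation) leaves the digest stale,
    # which is what the router then logs as %TCP-6-BADAUTH.
    rewritten = dict(seg, seq=seg["seq"] + 0x5A5A)
    results["after_seq_rewrite"] = verify_segment(rewritten, password)
    return results


if __name__ == "__main__":
    print(demo())
```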

Thanks for the note. In my case, I am not doing any NAT. In my case, the firewall is Check Point NG AI R55 with SmartDefense running.
