03-09-2017 03:14 AM - edited 03-05-2019 08:09 AM
Hello guys,
When authentication is configured between two BGP peers, at which BGP state does the router check the password prior to the neighborship between the peers?
As per a few documents, authentication information is carried in the OPEN message, but the TCP connection takes place with authentication, and
when there is a password mismatch between peers the TCP connection doesn't come up.
Also, in the case of successful peering with authentication, I didn't find any authentication info in the OPEN message using a packet capture.
Just curious to know how authentication works during BGP neighborship between peers.
Hope the query is clear enough; awaiting your reply.
Thanks.
03-09-2017 06:36 AM
Hi,
BGP uses TCP authentication by means of an MD5 signature that is carried in the TCP options field. This MD5 signature is present in every single TCP packet, including the initial TCP SYN to port 179.
If there is an MD5 signature mismatch, then the peer setup will fail during the TCP 3-way handshake, before OPEN messages can even be sent.
You can see the MD5 signature in a packet capture under the TCP options. See attached.
Hope this helps
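Added example, not from the thread or any vendor code: a Python model of the RFC 2385 TCP MD5 Signature Option the answer above describes. It builds a constructed SYN to port 179 (addresses 192.0.2.1/192.0.2.2, source port, sequence number and key are all made up for the example), computes the digest over the TCP pseudo-header, the 20-byte TCP header with checksum zeroed (options excluded), the payload and the key, places it in option kind 19 (length 18), and then runs the receiver-side check that drops a segment whose digest does not verify. The TCP checksum is left at zero because it is zeroed in the hash anyway; a real stack fills it in after signing.

```python
import hashlib
import hmac
import socket
import struct

BGP_PORT = 179
TCP_OPT_NOP = 1
TCP_OPT_MSS = 2
TCP_OPT_MD5 = 19        # TCP MD5 Signature Option kind (RFC 2385)
TCP_OPT_MD5_LEN = 18    # kind (1) + length (1) + 16-byte digest


def tcp_md5_signature(src_ip, dst_ip, tcp_segment, key):
    """RFC 2385 section 2.0: MD5 over the TCP pseudo-header, the 20-byte TCP header
    with the checksum field zeroed (options excluded), the segment data, and the key."""
    data_offset = (tcp_segment[12] >> 4) * 4          # header length incl. options
    payload = tcp_segment[data_offset:]
    pseudo_header = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
                     + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp_segment)))
    fixed_header = tcp_segment[:16] + b"\x00\x00" + tcp_segment[18:20]   # checksum := 0
    return hashlib.md5(pseudo_header + fixed_header + payload + key).digest()


def build_signed_syn(src_ip, dst_ip, sport, seq, key, window=65535, mss=1460):
    """Constructed SYN to port 179 carrying MSS, the MD5 option and two NOPs of padding
    (addresses, port and key are example values, not taken from the thread)."""
    options_len = 4 + TCP_OPT_MD5_LEN + 2                 # MSS + MD5 + 2 NOPs = 24 bytes
    data_offset_words = (20 + options_len) // 4           # 11 words = 44 bytes
    flags_syn = 0x02
    fixed = struct.pack("!HHIIHHHH", sport, BGP_PORT, seq, 0,
                        (data_offset_words << 12) | flags_syn, window, 0, 0)
    mss_opt = struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
    padding = bytes([TCP_OPT_NOP, TCP_OPT_NOP])
    # The digest does not cover options, so a zero placeholder just fixes the segment length.
    placeholder = bytes([TCP_OPT_MD5, TCP_OPT_MD5_LEN]) + b"\x00" * 16
    unsigned = fixed + mss_opt + placeholder + padding
    digest = tcp_md5_signature(src_ip, dst_ip, unsigned, key)
    return fixed + mss_opt + bytes([TCP_OPT_MD5, TCP_OPT_MD5_LEN]) + digest + padding


def find_md5_option(tcp_segment):
    """Walk the TCP options and return the 16-byte digest, or None if absent/malformed."""
    data_offset = (tcp_segment[12] >> 4) * 4
    opts = tcp_segment[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                      # End of Option List
            return None
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return None                                    # malformed option
        length = opts[i + 1]
        if kind == TCP_OPT_MD5 and length == TCP_OPT_MD5_LEN:
            return opts[i + 2:i + 18]
        i += length
    return None


def verify_segment(src_ip, dst_ip, tcp_segment, key):
    """Receiver-side check a peer configured for MD5 makes on every segment, SYN included:
    an unsigned segment or a digest computed with a different key is dropped."""
    received = find_md5_option(tcp_segment)
    if received is None:
        return False
    expected = tcp_md5_signature(src_ip, dst_ip, tcp_segment, key)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    syn = build_signed_syn("192.0.2.1", "192.0.2.2", 40000, 1000, b"bgp-secret")
    print(verify_segment("192.0.2.1", "192.0.2.2", syn, b"bgp-secret"))   # True
    print(verify_segment("192.0.2.1", "192.0.2.2", syn, b"wrong-key"))    # False
```

Because the digest covers the pseudo-header and the sequence numbers, a mismatched key on either side makes the very first SYN fail verification, which is why the session never reaches the point of exchanging OPEN messages; the same check also rejects a segment whose addresses or sequence number have been altered in transit.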
03-09-2017 11:38 PM
Hi,
Thanks for your reply, Will. Agree with you. Authentication is checked while the TCP connection is set up.
But as per RFC 1771, authentication information is also carried in the option field of the BGP OPEN message.
But I did not find such information in the OPEN message when the BGP peers are up after successful authentication. Can anyone please explain this?
Thanks,
Onkar
03-10-2017 12:15 AM
OK, understood. From my understanding, BGP only uses transport-level authentication. Maybe this was optional and something that was never implemented. Someone else will need to confirm.
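Added example, not part of the thread: a small Python OPEN-message builder and parser showing what the optional parameters field of a present-day OPEN actually contains. RFC 1771 section 4.2 defined optional parameter type 1, Authentication Information; RFC 4271, which obsoleted RFC 1771, deprecated it, and what a capture of a healthy session shows is parameter type 2, Capabilities (RFC 5492). The OPEN built here (AS 65001, hold time 180, BGP identifier 192.0.2.1, Multiprotocol and 4-octet-AS capabilities) is constructed for the example; the parser reports each parameter type it finds and flags a type-1 parameter if one is ever present.

```python
import socket
import struct

BGP_MARKER = b"\xff" * 16
BGP_OPEN = 1
OPT_AUTH_INFO = 1        # Authentication Information, RFC 1771 sec. 4.2; deprecated by RFC 4271
OPT_CAPABILITIES = 2     # Capabilities, RFC 5492
OPT_PARAM_NAMES = {OPT_AUTH_INFO: "Authentication Information (deprecated)",
                   OPT_CAPABILITIES: "Capabilities"}
CAPABILITY_NAMES = {1: "Multiprotocol Extensions", 65: "4-octet AS number"}


def capabilities_param(capabilities):
    """Encode [(capability_code, value), ...] as one type-2 optional parameter."""
    value = b"".join(struct.pack("!BB", code, len(val)) + val for code, val in capabilities)
    return (OPT_CAPABILITIES, value)


def build_open(my_as, hold_time, bgp_id, opt_params):
    """Constructed BGP-4 OPEN (values are example data, not from the thread)."""
    encoded = b"".join(struct.pack("!BB", ptype, len(val)) + val for ptype, val in opt_params)
    body = struct.pack("!BHH4sB", 4, my_as, hold_time, socket.inet_aton(bgp_id), len(encoded)) + encoded
    header = struct.pack("!HB", 16 + 3 + len(body), BGP_OPEN)   # marker + length + type
    return BGP_MARKER + header + body


def parse_open(msg):
    """Parse an OPEN; return (my_as, hold_time, bgp_id, [(param_type, value), ...])."""
    if len(msg) < 29 or msg[:16] != BGP_MARKER:
        raise ValueError("bad marker or truncated header")
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if msg_type != BGP_OPEN or length != len(msg):
        raise ValueError("not a complete OPEN message")
    version, my_as, hold_time, bgp_id, opt_len = struct.unpack("!BHH4sB", msg[19:29])
    if version != 4 or 29 + opt_len != len(msg):
        raise ValueError("unsupported version or bad optional parameter length")
    params, i = [], 29
    while i < len(msg):
        if i + 2 > len(msg) or i + 2 + msg[i + 1] > len(msg):
            raise ValueError("truncated optional parameter")
        ptype, plen = msg[i], msg[i + 1]
        params.append((ptype, msg[i + 2:i + 2 + plen]))
        i += 2 + plen
    return my_as, hold_time, socket.inet_ntoa(bgp_id), params


def parse_capabilities(value):
    """Split a type-2 parameter value into [(capability_code, value), ...]."""
    caps, i = [], 0
    while i < len(value):
        if i + 2 > len(value) or i + 2 + value[i + 1] > len(value):
            raise ValueError("truncated capability")
        caps.append((value[i], value[i + 2:i + 2 + value[i + 1]]))
        i += 2 + value[i + 1]
    return caps


def carries_authentication_information(msg):
    """True only if the OPEN carries the RFC 1771 type-1 optional parameter."""
    return any(ptype == OPT_AUTH_INFO for ptype, _ in parse_open(msg)[3])


def describe(msg):
    """One line per optional parameter, naming the capabilities inside a type-2 parameter."""
    lines = []
    for ptype, value in parse_open(msg)[3]:
        name = OPT_PARAM_NAMES.get(ptype, "unknown")
        if ptype == OPT_CAPABILITIES:
            codes = ", ".join(CAPABILITY_NAMES.get(c, f"code {c}") for c, _ in parse_capabilities(value))
            lines.append(f"type {ptype} {name}: {codes}")
        else:
            lines.append(f"type {ptype} {name}")
    return lines


if __name__ == "__main__":
    msg = build_open(65001, 180, "192.0.2.1", [capabilities_param([
        (1, b"\x00\x01\x00\x01"),          # Multiprotocol: AFI 1 (IPv4), SAFI 1 (unicast)
        (65, struct.pack("!I", 65001)),    # 4-octet AS number
    ])])
    print(describe(msg))                             # one type-2 parameter only
    print(carries_authentication_information(msg))   # False
```

Run against a real capture, feed the parser the bytes of the OPEN from the TCP payload: on a working MD5-protected session the only optional parameter you will find is type 2, because the password never appears in BGP itself; it lives in the TCP option of every segment, as the earlier answer says.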