
During which BGP state does the neighbor authentication check take place?

onkaryesane92
Level 1

Hello guys,
When authentication is configured between two BGP peers, at which BGP state does the router check the password prior to neighborship between the peers?
As per a few documents, authentication information is carried in the open message, but the TCP connection takes place with authentication, and
when there is a password mismatch between peers the TCP connection doesn't come up.
Also, in the case of successful peering with authentication, I didn't find any authentication info in the open message using packet capture.
Just curious to know how the authentication works during BGP neighborship between peers.
Hope the query is clear enough; awaiting the reply.

Thanks.

3 Replies

willwetherman
Spotlight

Hi,

BGP uses TCP authentication by using an MD5 signature that is carried in the TCP option field. This MD5 signature is present in every single TCP packet, including the initial TCP SYN message to port 179.

If there is an MD5 signature mismatch then the peer setup will fail during the TCP 3-way handshake before open messages can even be sent.

You can see the MD5 signature in a packet capture under the TCP options. See attached.

Hope this helps
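
The check described in the reply above, as an added example that is not part of the original thread: it walks the TCP options of a raw segment, finds the MD5 signature option (kind 19, RFC 2385) and recomputes the digest with the configured key. The function names, the 192.0.2.x addresses, the port and sequence values, and the key are constructed for illustration.

```python
import hashlib, hmac, socket, struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MD5SIG = 0, 1, 19   # option kinds; 19 is RFC 2385

def tcp_options(segment):
    """Yield (kind, value) for each option in a raw TCP segment (no IP header)."""
    hdr_len = (segment[12] >> 4) * 4                 # data offset, in bytes
    if not 20 <= hdr_len <= len(segment):
        raise ValueError("bad TCP data offset")
    i = 20
    while i < hdr_len:
        kind = segment[i]
        if kind == TCPOPT_EOL:
            return
        if kind == TCPOPT_NOP:                       # single-byte padding option
            i += 1
            continue
        length = segment[i + 1] if i + 1 < hdr_len else 0
        if length < 2 or i + length > hdr_len:
            raise ValueError("malformed TCP option")
        yield kind, segment[i + 2:i + length]
        i += length

def rfc2385_digest(src, dst, segment, key):
    """MD5 over pseudo-header, fixed header with checksum zeroed, data, then key."""
    hdr_len = (segment[12] >> 4) * 4
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(segment))
    fixed = segment[:16] + b"\x00\x00" + segment[18:20]   # options are not hashed
    return hashlib.md5(pseudo + fixed + segment[hdr_len:] + key).digest()

def check_segment(src, dst, segment, key):
    """Return 'absent', 'match' or 'mismatch' for the MD5 signature option."""
    for kind, value in tcp_options(segment):
        if kind == TCPOPT_MD5SIG:
            ok = hmac.compare_digest(value, rfc2385_digest(src, dst, segment, key))
            return "match" if ok else "mismatch"
    return "absent"

def build_syn(src, dst, key=None):
    """Constructed sample SYN to port 179; checksum field left at zero."""
    opt_len = 20 if key is not None else 0           # 18-byte option + 2 NOPs
    fixed = struct.pack("!HHIIBBHHH", 49152, 179, 1000, 0, (20 + opt_len) << 2, 0x02, 16384, 0, 0)
    if key is None:
        return fixed
    digest = rfc2385_digest(src, dst, fixed + bytes(opt_len), key)
    return fixed + bytes([TCPOPT_MD5SIG, 18]) + digest + bytes([TCPOPT_NOP, TCPOPT_NOP])

if __name__ == "__main__":
    syn = build_syn("192.0.2.1", "192.0.2.2", b"constructed-key")
    print(check_segment("192.0.2.1", "192.0.2.2", syn, b"constructed-key"))
```

Because the digest is bound to the addresses, ports, sequence number and payload of each segment, the same check applies to the SYN and to every later segment of the session.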

Hi,

Thanks for your reply, Will. Agree with you. Authentication is checked during the TCP connection.

But as per RFC 1771, authentication information is also carried in the option field of the BGP open message.

But I did not find such information in the open message when BGP peers are up after successful authentication. Can anyone please explain this?

Thanks,

Onkar 

Ok understood. From my understanding BGP only uses transport level authentication. Maybe this was optional and something that was never implemented. Someone else will need to confirm.
