Audit issue response to BGP/EIGRP authentication

dennisbrower
Level 1

I have to respond to an audit issue about BGP/EIGRP authentication. In my network we use multiple VLANs and distribute routes to the rest of my sites via BGP. The auditors want me to add authentication to BGP to prevent someone from connecting a router to one of my switches and inserting false routes. I have only set up my router-to-switch connections for trunking; all other switch connections are set up as access ports. Won't this keep a malicious router from connecting to my network?

3 Replies

Reza Sharifi
Hall of Fame

It is not uncommon for security auditors to ask you to add authentication to your routing protocols. In this case you can simply add authentication between your BGP peers.

HTH

Reza, if I set up authentication on my router, which is part of the cloud backbone supplied by our Telco vendor, wouldn't the vendor also have to configure authentication on their end with a shared key I would provide? Sorry for the newbie question, I am still learning.

Peter Paluch
Cisco Employee

Hi Dennis,

You have to keep in mind that a malicious router can connect to an access port and still talk to anyone else within the access VLAN of that port. An access port does not by itself prevent malicious routers.

That being said, I find the auditor's request about "BGP authentication" to be misleading. Wasn't that meant to be EIGRP authentication instead? In BGP, you can only set up authentication for neighbors you have already configured. You cannot configure authentication in BGP for those neighbors you have not configured statically. In addition, not configuring a particular address as a BGP neighbor is in itself sufficient to prevent that IP address from talking BGP to your router and injecting false routes.

Best regards,
Peter
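An added example, not part of any post in this thread, showing on Cisco IOS what the two replies above describe: a TCP MD5 password on a statically configured BGP peer (Reza's suggestion, and the answer to the follow-up question, since the MD5 option is checked on every TCP segment in both directions, so the Telco side must configure the identical string on its own neighbor statement), and EIGRP key-chain authentication plus passive interfaces for the VLANs where a rogue router could otherwise form an adjacency (Peter's point that access ports do not stop this). All AS numbers, addresses, interface names, key-chain name and key strings are assumed placeholders.

```text
! Example configuration (added here, not from the thread). All values are placeholders.

! --- BGP: TCP MD5 authentication on the statically configured Telco peer ---
! The same password must exist on both ends of the session; a mismatch or a
! missing password on the Telco side keeps the session from reaching Established.
router bgp 65001
 neighbor 192.0.2.2 remote-as 65002
 neighbor 192.0.2.2 description Telco-backbone-peer
 neighbor 192.0.2.2 password Example-Shared-Key-1
!
! --- EIGRP (classic mode): key-chain authentication plus passive interfaces ---
! EIGRP discovers neighbors with multicast hellos on every interface it runs on,
! so any host in an access VLAN could try to become a neighbor. Authentication
! rejects hellos that lack a valid MD5 digest; passive-interface stops hellos
! entirely on VLANs that should never carry a routing peer.
key chain EIGRP-KEYS
 key 1
  key-string Example-Eigrp-Key-1
!
router eigrp 100
 network 10.0.0.0 0.255.255.255
 passive-interface default
 no passive-interface GigabitEthernet0/1
!
interface GigabitEthernet0/1
 description Link toward the site routers that are expected EIGRP peers
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
! Checks after applying (privileged EXEC):
!   show ip bgp summary        - the Telco peer should show Established (prefix count, not Active/Idle)
!   show ip eigrp neighbors    - only the intended routers on Gi0/1 should be listed
```

Apply the EIGRP interface commands on every interface that is not passive; a peer on a non-passive interface without the key chain will stop forming an adjacency once the other side enables authentication, so coordinate the change with the neighboring sites the same way the BGP password has to be coordinated with the Telco.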