06-26-2013 11:56 AM - edited 03-07-2019 02:05 PM
Hi,
When you configure a password under BGP and use the "neighbor 1.1.1.1 password password" command, how is this hashed? Or is it? When I do a show run it looks to be hashed, but that could only be because I use the service password encryption command. Is the password sent as a hash or clear text?
When I do a show run it looks like so:
neighbor 63.151.46.201 password 7 01520D0B5E0332597608422A5003421BB891N0
Thank you.
06-26-2013 12:15 PM
Hi Patrick,
BGP uses an MD5 hash for authentication.
Regards
06-26-2013 12:18 PM
Thank you, Harold.
So, it uses MD5 hash by default? And I suppose the other side is using MD5 by default so it can decrypt?
06-26-2013 01:00 PM
Patrick, Henry,
If I may join your discussion - there are really two issues here.
The first issue is concerned with the way the BGP password is stored in the configuration. The neighbor password command stores the password as the Type-7 password, i.e. encrypted using the weak cipher that is also used to protect most other passwords in the configuration file after the service password-encryption is configured.
The second issue is concerned with the way the BGP uses this password to protect its session. Now, BGP does the authentication in a very original way - it actually protects all TCP segments using the MD5 hash computed over the TCP segment content and this password. The password is never transmitted in cleartext - rather, it is used to produce the overall MD5 hash added to the TCP header. The receiving BGP speaker receives such a protected segment, computes its own MD5 hash using its own configured password and compares it to the hash in the received segment. If the hash matches, the password must be identical and the segment contents are original. Read more about this protection in RFCs 2385 and 5925.
Best regards,
Peter
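The per-segment check described in the reply above, as an added example that is not part of the original thread and not router code: it follows the RFC 2385 digest input (TCP pseudo-header, fixed TCP header with a zero checksum, segment data, then the password). The function names, addresses, ports, key and payload are assumptions constructed for illustration.

```python
import hashlib, hmac, socket, struct

MD5_KIND, MD5_LEN = 19, 18  # TCP MD5 Signature option: kind 19, length 18

def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    # Pseudo-header: src, dst, zero, protocol 6, TCP length (header + data).
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(tcp_header) + len(payload)))
    # Fixed 20-byte header only (options excluded), checksum taken as zero.
    fixed = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]
    return hashlib.md5(pseudo + fixed + payload + key).digest()

def sign_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key):
    # 40-byte header: 20 fixed + 18-byte MD5 option + 2 NOPs of padding.
    fixed = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                        (10 << 12) | flags, 16384, 0, 0)
    opt = bytes([MD5_KIND, MD5_LEN])
    blank = fixed + opt + bytes(16) + b"\x01\x01"
    digest = tcp_md5_digest(src_ip, dst_ip, blank, payload, key)
    return fixed + opt + digest + b"\x01\x01"

def extract_md5_option(tcp_header):
    opts, i = tcp_header[20:], 0
    while i < len(opts) and opts[i] != 0:      # kind 0 ends the list
        if opts[i] == 1:                       # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            return None                        # malformed option
        kind, length = opts[i], opts[i + 1]
        if kind == MD5_KIND and length == MD5_LEN and i + length <= len(opts):
            return opts[i + 2:i + length]
        i += length
    return None

def verify_segment(src_ip, dst_ip, tcp_header, payload, key):
    received = extract_md5_option(tcp_header)
    if received is None:
        return False                           # no signature: reject
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key)
    return hmac.compare_digest(received, expected)

# Constructed sample values (documentation addresses, made-up key and payload).
A, B, KEY = "192.0.2.1", "192.0.2.2", b"constructed-shared-key"
PAYLOAD = b"\xff" * 16 + b"\x00\x13\x04"        # BGP KEEPALIVE message
HDR = sign_segment(A, B, 49152, 179, 1000, 2000, 0x018, PAYLOAD, KEY)

if __name__ == "__main__":
    print("same key:     ", verify_segment(A, B, HDR, PAYLOAD, KEY))
    print("different key:", verify_segment(A, B, HDR, PAYLOAD, b"other-key"))
```

Only the 16-byte digest travels in the TCP option; the password itself appears nowhere in the segment, and a receiver with a different password or a modified segment computes a different digest.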