Monday, April 4, 2011

BGP Neighbor Authentication

BGP neighbor authentication can be configured on a BGP router to authenticate the source of every BGP packets that it receives. This is accomplished exchanging a message digest or hash of the authenticating key or password that is known to both the sending and receiving routers. The authenticating key itself is not sent to prevent it from being captured by eavesdroppers.

The neighbor {ip-addr | peer-group-name} password {string} BGP router subcommand enable MD5 authentication on a TCP connection between 2 BGP peers. The string is a case-sensitive password of up to 25 characters and 81 characters when the service password-encryption global configuration command is enabled and disabled respectively. The 1st character cannot be a number. The string can contain any alphanumeric characters, including spaces. However, it cannot be specified in the number-space-anything format. A space after a number can cause authentication to fail. Any combination of the following symbolic characters can be used along with the alphanumeric characters:
` ~ ! @ # $ % ^ & * ( ) - _ = + | \ } ] { [ “ ‘ : ; / > < . , ?
Note: When the service password-encryption global configuration command is configured, the password is stored and displayed in the Type-7 encryption format.

Upon enabling BGP neighbor authentication, BGP routers generates and verify the MD5 digest of every TCP segment communicated across the established TCP connection between them.

If the authentication key is configured wrongly, the BGP peering session will not be established. Always enter the authentication key carefully and verify that the peering session is established after configured authentication.

When configuring or changing the password authentication key in an established BGP session, the local router will not tear down the existing session after configured the password. The local router will attempt to maintain the peering session using the new password until the BGP holddown timer expires. The default hold time is 180 seconds. If the password is not configured or changed on the remote router before the holddown timer expires, the session will time out and terminate.
Note: Configuring a new holddown timer value will only take effect after the session is reset. It is impossible to change the holddown timer value to avoid resetting the BGP session.

No comments:

Post a Comment