BGP Neighbor Authentication

One of the easiest ways to reduce security risks on a BGP network is to use BGP peer authentication. The Cisco implementation of BGP uses the TCP MD-5 signature as specified in RFC 2385. This algorithm takes a key, the password entered during configuration, performs an MD-5 hash on the key, and sends the resulting hash to the remote peer. The password itself is never sent over the connection.

Only one configuration step is required to use BGP MD-5 password authentication: enabling password authentication on a peer-by-peer basis using the neighbor ip-address password password command, shown here:

neighbor {ip-address | peer-group} password [0-7] password-string

This command also has an optional parameter, which enables you to use a previously encrypted password by specifying the password level of 7, as follows:

SlyDog(config-router)#neighbor 8.8.9.1 password 7 1511021F0725

Both sides of an authenticated BGP peer session must use the same password. If a router receives a BGP OPEN message with an invalid password, it sends a NOTIFICATION message with the OPEN message error stating that there has been an authentication failure. Example 9-1 shows how password authentication is used to protect a session between two E-BGP peers.
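The following is an added illustration, not code from the book or from Cisco, of what RFC 2385 actually places on the wire for a signed BGP segment: the 16-byte digest carried in TCP option 19 is computed over the IP pseudo-header, the fixed TCP header with its checksum zeroed, the segment data (here a constructed BGP OPEN) and the shared password, and the receiving peer recomputes it and discards any segment whose digest does not match. Peer address 8.8.9.2, AS 65001, the sequence numbers and the keys are constructed values.

```python
import hashlib, hmac, socket, struct

TCPOPT_MD5, TCPOPT_MD5_LEN = 19, 18   # option kind from RFC 2385; kind + length + 16-byte digest

def build_tcp_fixed_header(sport, dport, seq, ack, flags, window, data_offset_words):
    """20-byte TCP header without options; checksum is zero, as the digest requires."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset_words << 4, flags, window, 0, 0)

def tcp_md5_digest(src_ip, dst_ip, fixed_header, options_len, payload, key):
    """RFC 2385: MD5 over pseudo-header, fixed header (checksum 0), data, then the key."""
    seg_len = len(fixed_header) + options_len + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, seg_len))          # 6 = TCP protocol number
    hdr = fixed_header[:16] + b"\x00\x00" + fixed_header[18:]  # zero the checksum field
    return hashlib.md5(pseudo + hdr + payload + key).digest()

def md5_option(digest):
    """TCP option 19 carrying the digest, NOP-padded to a 4-byte boundary."""
    return bytes([TCPOPT_MD5, TCPOPT_MD5_LEN]) + digest + b"\x01\x01"

def bgp_open(my_as, hold_time, bgp_id):
    """Constructed BGP OPEN (RFC 4271): marker, length 29, type 1, version 4, no options."""
    body = struct.pack("!BHH4sB", 4, my_as, hold_time, socket.inet_aton(bgp_id), 0)
    return b"\xff" * 16 + struct.pack("!HB", 19 + len(body), 1) + body

def verify_segment(src_ip, dst_ip, fixed_header, options, payload, key):
    """Receiver: recompute and compare in constant time; False means discard the segment."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP padding
            i += 1
            continue
        length = options[i + 1]
        if kind == TCPOPT_MD5 and length == TCPOPT_MD5_LEN:
            expected = tcp_md5_digest(src_ip, dst_ip, fixed_header, len(options), payload, key)
            return hmac.compare_digest(options[i + 2:i + 18], expected)
        i += length
    return False                           # unsigned segment: also rejected

def exchange(sender_key, receiver_key):
    """Constructed peers: 8.8.9.1 signs a BGP OPEN with sender_key, 8.8.9.2 checks with receiver_key."""
    hdr = build_tcp_fixed_header(179, 40000, 1000, 2000, 0x18, 16384, 10)  # PSH|ACK, 40-byte header
    payload = bgp_open(65001, 180, "8.8.9.1")
    opts = md5_option(tcp_md5_digest("8.8.9.1", "8.8.9.2", hdr, 20, payload, sender_key))
    return verify_segment("8.8.9.1", "8.8.9.2", hdr, opts, payload, receiver_key)
```

Because the key is an input to the hash and never appears in the segment, a peer with a different password (or a segment whose header or data was altered in transit) fails the check and the segment is dropped.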
