What is BGP Peers MD5 Authentication? Explained with Example

By | 9th November 2015
md5 authentication for bgp peers

How To Authenticate MD5 for BGP Peers

You can authenticate your BGP peer connection to help prevent interference with your routing tables.

The BGP protocol includes an MD5-based authentication system for authenticating peers relationship.

To enable MD5 authentication for BGP peers, use the command:

 neighbor {ip-address | peer-group-name} password string command under the BGP router configuration mode.

We use the network topology below as an example:

md5 authentication for bgp peers



Configuration Example:

RHQ#configure t

RHQ(config)#router bgp 3500

RHQ(config-router)#neighbor 10.10.10.2 remote-as 3501

RHQ(config-router)#neighbor 10.10.10.2 password orbitA1F173D24

RHQ(config-router)#end

The same Authentication password must be configured on both routers:

RBRANCH#configure t

RBRANCH(config)#router bgp 3501

RBRANCH(config-router)#neighbor 10.10.10.1 remote-as 3500

RBRANCH(config-router)#neighbor 10.10.10.1 password orbitA1F173D24

RBRANCH(config-router)#end

Border Gateway Protocol (BGP) routing peers can be configured with Message Digest 5 (MD5) algorithm which is used to support routing authentication. The Message Digest 5 (MD5) authentication is a standard part of BGP Version 4 that was introduced in RFC 2385.

When Message Digest 5 authentication is enabled on BGP peers, any routing segment via Transmission Control Protocol (TCP) exchanged between BGP peers is verified and established. BGP peers must be configured with the same password for BGP neighbor relationship or connection to be established.

BGP authentication can be very useful because it makes it more difficult for an authorized or malicious user to disrupt your network routing tables. It will even be significantly difficult when your router has been enabled with the service password-encryption global configuration command which enables the router to store the command using the Cisco proprietary type 7 encryption:

!

router bgp 3500

neighbor 10.10.10.2 remote-as 3501

neighbor 10.10.10.2 password 7 15020A1F173D24362C7E64704053

!

With authentication of this type, network attack is considerably more difficult. This is because the attacker must not only get the TCP sequence numbers right, but he must also insert the correct encrypted authentication key.

How To Configure eBGP Multihop

External Border Gateway Protocol (eBGP)

Internal Border Gateway Protocol (iBGP)

Configuring BGP Using Loopback Address

Leave a Reply

Your email address will not be published. Required fields are marked *