Authenticating BGP Peers

Problem

You want to ensure that all BGP protocol traffic that your router accepts from external ASs comes from devices known to you.

Solution

Configure MD5 authentication for your EBGP sessions:

[edit protocols bgp group session-to-AS65505]
aviva@RouterF# set authentication-key 1991$pOppi

Discussion

Many external attacks on routing protocols are aimed at BGP. Authenticating the packet exchanges on EBGP sessions keeps the router from accepting any unauthenticated packets: a TCP segment belonging to the session that does not carry a valid signature is discarded, whether it is a BGP message or a forged TCP reset meant to tear the session down. The JUNOS BGP software supports MD5 authentication, implemented as the TCP MD5 signature option of RFC 2385. The option provides integrity and origin checking only, not confidentiality, and it has no key identifier, so both sides must be changed together when a key is rotated.

This recipe configures MD5 authentication on the EBGP session to AS 65505. You need only configure an MD5 key in the EBGP group; the peer router in this session must be configured with the same key. Because the peer is in another AS, probably under the control of a different administrator or ISP, agree on the key with the remote administrator beforehand, and exchange it over some channel other than the peering link itself. From the key, the router computes a keyed MD5 digest over every TCP segment of the session (the IP pseudo-header, the TCP header with its checksum field zeroed, the segment data, and finally the key itself) and carries the digest in a TCP option on every segment it sends, so every BGP message is covered. The receiving router recomputes the digest with its own copy of the key and discards any segment whose digest does not match before the BGP process ever sees it. If the two keys differ, the TCP connection never completes and the session sits in Connect or Active state; that is the symptom to look for when a newly authenticated session fails to establish.
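The signature construction just described, as an added example that is not part of the original recipe and not Junos code. It builds a signed TCP segment carrying a BGP KEEPALIVE the way RFC 2385 specifies, then checks it on the receiving side with the right key, with a wrong key, and after the payload has been altered. The addresses and ports (10.0.31.2 port 2259 to 10.0.31.1 port 179) are those of the session shown in the show bgp neighbor output later in this recipe; the sequence numbers, window, wrong key and the segment itself are constructed for the example.

```python
"""Added example (not from the page or from Junos): the RFC 2385 TCP MD5
signature that an authenticated BGP session carries on every TCP segment,
computed on the sending side and checked on the receiving side."""
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
TCP_OPT_MD5 = 19        # option kind for the MD5 signature (RFC 2385)
TCP_OPT_MD5_LEN = 18    # kind + length + 16-byte digest

# A BGP KEEPALIVE: 16-byte all-ones marker, length 19, type 4 (RFC 4271).
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)


def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, seg_len, key):
    """RFC 2385 section 2: MD5 over the IPv4 pseudo-header, the 20-byte TCP
    header with its checksum field zeroed (options are excluded), the segment
    data, and finally the shared key.  seg_len is the whole segment including
    options, as in the ordinary TCP checksum pseudo-header."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    fixed = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]
    return hashlib.md5(pseudo + fixed + payload + key).digest()


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags,
                         window, payload, key):
    """Sender side: header, MD5 option (padded with two NOPs), payload.
    The TCP checksum is left at zero here; the stack fills it in and it is
    not part of the signature anyway."""
    opt_len = TCP_OPT_MD5_LEN + 2            # 18 + 2 NOPs = 20 bytes
    data_offset = (20 + opt_len) // 4         # header length in 32-bit words
    seg_len = 20 + opt_len + len(payload)
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                         (data_offset << 12) | flags, window, 0, 0)
    digest = tcp_md5_digest(src_ip, dst_ip, header, payload, seg_len, key)
    options = bytes([TCP_OPT_MD5, TCP_OPT_MD5_LEN]) + digest + b"\x01\x01"
    return header + options + payload


def find_md5_option(options):
    """Walk the TCP option block and return the 16-byte digest, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                         # end of option list
            return None
        if kind == 1:                         # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            return None
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None
        if kind == TCP_OPT_MD5 and length == TCP_OPT_MD5_LEN:
            return options[i + 2:i + length]
        i += length
    return None


def verify_signed_segment(src_ip, dst_ip, segment, key):
    """Receiver side.  Any segment whose signature is missing or does not
    recompute is discarded, which is how a peer with the wrong key, or an
    attacker spoofing the session, is kept away from the BGP process."""
    if len(segment) < 20:
        return False
    header = segment[:20]
    data_offset = (struct.unpack("!H", header[12:14])[0] >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        return False
    received = find_md5_option(segment[20:data_offset])
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, header, segment[data_offset:],
                              len(segment), key)
    return hmac.compare_digest(received, expected)


def demo():
    """RouterF (10.0.31.2, ephemeral port 2259) sends a KEEPALIVE to the
    customer (10.0.31.1, port 179), as in the show bgp neighbor output.
    Sequence numbers, window and the wrong key are constructed values."""
    key = b"1991$pOppi"
    seg = build_signed_segment("10.0.31.2", "10.0.31.1", 2259, 179,
                               0x1000, 0x2000, 0x18, 16384, BGP_KEEPALIVE, key)
    accepted = verify_signed_segment("10.0.31.2", "10.0.31.1", seg, key)
    wrong_key = verify_signed_segment("10.0.31.2", "10.0.31.1", seg, b"wrong")
    forged = bytearray(seg)
    forged[-1] = 1                            # turn the KEEPALIVE into an OPEN
    tampered = verify_signed_segment("10.0.31.2", "10.0.31.1", bytes(forged), key)
    return accepted, wrong_key, tampered


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

Because the source and destination addresses are part of the pseudo-header that is digested, a segment replayed from a different address pair fails the check as well, which is why the option also defends against spoofed resets from third parties.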

You can configure BGP authentication globally, per group, or per peer. It is a good practice to use per-peer authentication for external peers, with a unique key for each customer. This prevents the possibility of a single leaked key compromising all customer peering points.

Another good practice is to change authentication keys periodically, on the order of every three to six months, to limit the damage if a key leaks, whether accidentally or deliberately. Because the MD5 option carries no key identifier, the change has to be coordinated with the remote administrator: changing the key on one side before the other drops the session until both sides agree again.

If all your IBGP peer routers are within your own domain and are trusted routers, you can choose not to authenticate IBGP sessions. Otherwise, configure authentication on all IBGP sessions in the same way as for EBGP sessions, so that BGP packets that do not carry the correct authentication are dropped.

When you display the router's configuration after entering the key, you see only the obfuscated form of the key, marked SECRET-DATA. Someone glancing through the configuration would not see the key itself. Be aware, though, that the $9$ format is a reversible encoding, not a hash or strong encryption: anyone who can read the configuration, or a backup or archive of it, can recover the key, so protect configuration files as carefully as the key itself.

[edit protocols bgp group session-to-AS65505]
aviva@RouterF# show
group session-to-AS65505 {
    type external;
    description "EBGP to Customer A";
    authentication-key "$9$FBDdnApO1RSlKB1dbYgJZApu0hS"; ## SECRET-DATA
    peer-as 65505;
    neighbor 10.0.31.1 {
    …
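An added example, not Juniper's code, that shows why the SECRET-DATA form protects only against shoulder-surfing: the $9$ scheme is a reversible encoding, the well-known algorithm also implemented by tools such as Crypt::Juniper, so anyone who can read the configuration can recover the key. Run on the authentication-key string in the configuration above it returns 12345678, not the 1991$pOppi entered in the Solution, so the two captures in this recipe were evidently taken with different keys.

```python
"""Added example (not Juniper's code): decoder for Junos $9$ secrets, the
reversible scheme behind tools such as Crypt::Juniper.  It shows why an
obfuscated authentication-key is not safe to leave in a readable
configuration backup."""

MAGIC = "$9$"
# Character families; the family of the salt character fixes how many
# throw-away characters follow it.
FAMILY = ["QzF3n6/9CAtpu0O", "B1IREhcSyrleKvMW8LXx",
          "7N-dVbwsY2g4oaJZGUDj", "iHkq.mPf5T"]
ALPHABET = "".join(FAMILY)
INDEX = {c: i for i, c in enumerate(ALPHABET)}
EXTRA = {c: 3 - n for n, fam in enumerate(FAMILY) for c in fam}
# Weights applied, per plaintext position (cycling), to the gaps between
# successive ciphertext characters.
ENCODING = [[1, 4, 32], [1, 16, 32], [1, 8, 32], [1, 64],
            [1, 32], [1, 4, 16, 128], [1, 32, 64]]


def _gap(prev, cur):
    """Distance from prev to cur around the 65-character alphabet, minus one."""
    return (INDEX[cur] - INDEX[prev]) % len(ALPHABET) - 1


def junos_decode(secret):
    """Recover the plaintext of a $9$ string; raises ValueError on malformed input."""
    if not secret.startswith(MAGIC) or len(secret) <= len(MAGIC):
        raise ValueError("not a Junos $9$ secret")
    salt, rest = secret[len(MAGIC)], secret[len(MAGIC) + 1:]
    if salt not in EXTRA or any(c not in INDEX for c in rest):
        raise ValueError("character outside the $9$ alphabet")
    rest = rest[EXTRA[salt]:]               # drop the salt's throw-away characters
    prev, plaintext = salt, []
    while rest:
        weights = ENCODING[len(plaintext) % len(ENCODING)]
        chunk, rest = rest[:len(weights)], rest[len(weights):]
        if len(chunk) != len(weights):
            raise ValueError("truncated $9$ secret")
        gaps = []
        for c in chunk:
            gaps.append(_gap(prev, c))
            prev = c
        plaintext.append(chr(sum(g * w for g, w in zip(gaps, weights)) % 256))
    return "".join(plaintext)


if __name__ == "__main__":
    # The authentication-key string shown in the configuration above.
    print(junos_decode("$9$FBDdnApO1RSlKB1dbYgJZApu0hS"))   # 12345678
```

The practical consequence is that access to the configuration is equivalent to possession of every BGP key in it: treat saved configurations, archive sites and "show configuration" output pasted into tickets as secret material.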

Looking at the BGP information about the neighbor shows that authentication is configured:

aviva@RouterF> show bgp neighbor 10.0.31.1
Peer: 10.0.31.1+179 AS 65505    Local: 10.0.31.2+2259 AS 65500
  Description: EBGP to Customer A
  Type: External    State: Established    Flags:
  Last State: OpenConfirm   Last Event: RecvKeepAlive
  Last Error: None
  Export: [ send-statics ]
  Options:
  Authentication key is configured
  …

To hide the keys when you are looking at the configuration contents, pipe the output:

aviva@RouterF> show configuration protocols bgp | except SECRET-DATA
group session-to-AS65505 {
    type external;
    description "EBGP to Customer A";
    peer-as 65505;
    neighbor 10.0.31.1 {
    …

Notice that the entire authentication-key statement disappears, because the key and its SECRET-DATA marker sit on a single line of the configuration and the except filter drops the whole line. This is a display filter only, useful when someone is watching your screen; the key is still present in the configuration, in the obfuscated form shown earlier.

See Also

RFC 2385, Protection of BGP Sessions via the TCP MD5 Signature Option

RFC 5925, The TCP Authentication Option (the successor to the TCP MD5 option, with key identifiers and stronger MACs)
