MD5 Authentication Between BGP Peers on Cisco Device
by Mayukh Mandal, Network Security Engineer, Rackspace Technology
Introduction
The Border Gateway Protocol (BGP) is a standardized exterior gateway protocol designed to exchange routing information across autonomous systems (AS) on the Internet. As BGP is mostly used over internet, it is essential to keep the network secure.
BGP peers can be configured with an MD5 algorithm (introduced in RFC 2385) which support routing authentication. When MD5 authentication is enabled, it computes an MD5 cryptographic hash over the TCP “pseudo header”, which includes the IP addresses used, the BGP packet carried in the TCP segment and a secret password. The resulting MD5 hash is then put in a TCP option in the TCP header and the packet is sent on its way (The password isn’t transmitted.) The other side performs the same MD5 calculation and checks the result against the MD5 hash in the TCP header. If the two MD5 hashes are same, then we can be reasonably sure of two things:
1. The sender of the packet also knows the secret password
2. The TCP segment and its contents weren’t modified during transit
If any attacker sends spoofed TCP reset packets, the MD5 hash will be missing, or it will be incorrect. The router simply ignores those packets and the BGP session is unaffected.
Overview
There are a few steps that need to be performed to complete this activity. Such as, creating network topology, configure hostname, configure interface IP, Configure External Border Gateway Protocol (EBGP) between Site A & site B, configure MD5 authentication, verification, and troubleshooting.
Topology
Configuration
Site A:
Router#conf t
Router(config-if)#hostname siteA
siteA(config)#interface gig0/0
siteA(config-if)#ip address 192.168.1.100 255.255.255.0
siteA(config)# no shut
siteA(config)#interface loopback 1
siteA(config-if)#ip address10.10.10.1 255.255.255.0
%LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
siteA(config-if)#router bgp 100
siteA(config-router)#neighbor 192.168.1.101 remote-as 200
siteA(config-router)#%BGP-5-ADJCHANGE: neighbor 192.168.1.101 Up
siteA(config-router)#neighbor 192.168.1.101 password cisco123
siteA(config-router)#network 10.10.10.1 mask 255.255.255.0
Site B:
Router#conf t
Router(config)#hostname siteB
siteB(config-if)#ip address 192.168.1.101 255.255.255.0
siteB(config-if)#no shut
siteB(config)#interface loopback 1
siteB(config-if)#ip address 20.20.20.1 255.255.255.0
%LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0,
changed state to up
siteB(config)#router bgp 200
siteB(config-router)#neighbor 192.168.1.100 remote-as 100
siteB(config-router)#%BGP-5-ADJCHANGE: neighbor 192.168.1.100 Up
siteB(config-router)#neighbor 192.168.1.101 password cisco123
siteB(config-router)#network 20.20.20.1 mask 255.255.255.0
Verification
When BGP is configured with MD5 & neighborship is formed, then it implies that authentication is working perfectly, otherwise neighborship won’t be formed & you will be able to ping another end network.
`$ sqlplus system/[system password] \
`@$AU_TOP/patch/115/sql/auclondb.sql 12`
siteA#sh ip bgp summary
BGP router identifier 10.10.10.1, local AS number 100
BGP table version is 5, main routing table version 6
2 network entries using 264 bytes of memory
2 path entries using 104 bytes of memory
1/1 BGP path/bestpath attribute entries using 184 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 1) using 32 bytes of memory
BGP using 632 total bytes of memory
BGP activity 2/0 prefixes, 2/0 paths, scan interval 60 secs
`Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.1.101 4 200 73 72 5 0 0 00:48:41 4
siteA#ping - 192.168.1.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/1 ms
siteA#ping 20.20.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/1 ms
siteB#sh ip bgp summary
BGP router identifier 20.20.20.1, local AS number 200
BGP table version is 6, main routing table version 6
2 network entries using 264 bytes of memory
2 path entries using 104 bytes of memory
1/1 BGP path/bestpath attribute entries using 184 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 1) using 32 bytes of memory
BGP using 632 total bytes of memory
BGP activity 2/0 prefixes, 2/0 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.1.100 4 100 79 75 6 0 0 00:51:10 4
siteB#ping: 192.168.1.100
Type escape sequence to abort.
`Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:`
`!!!!!`
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/1 ms
siteB#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/1 ms
Troubleshooting
Peering succeeds only if both routers are configured for authentication and have the same password. If a router has a password configured for a neighbor, but the neighbor router does not, then the following message is displayed on the console while the routers attempt to establish a BGP session between them:
%TCP-6-BADAUTH: No MD5 digest from [peer's IP address]:11003 to
[local router's IP address]:179
Similarly, if the two routers have different passwords configured, the following message will pop on the screen:
%TCP-6-BADAUTH: Invalid MD5 digest from [peer's IP
address]:11004 to [local router's IP address]
Conclusion
By following the above steps, you can easily configure BGP with the MD5 authentication. However, you should always implement other security & compliance mechanisms as a layered structure to strengthen the overall network security.
Recent Posts
Padrões de rede híbrida do Google Cloud - Parte 2
Outubro 16th, 2024
Padrões de rede híbrida do Google Cloud - Parte 2
Outubro 15th, 2024
How Rackspace Leverages AWS Systems Manager
Outubro 9th, 2024
O Windows Server impede a sincronização da hora com o Rackspace NTP
Outubro 3rd, 2024