BGP Authentication and Troubleshooting

Created by Deepak Sharma in Articles 24 Sep 2024

BGP authentication is a crucial security feature within the Border Gateway Protocol (BGP) that ensures the integrity and authenticity of routing information exchanged between routers.

By implementing BGP authentication mechanisms, network administrators can prevent unauthorized devices from participating in BGP sessions, thus mitigating risks such as route hijacking and incorrect routing updates.

This process typically involves techniques such as keyed MD5 hashing to secure BGP messages, ensuring that only trusted peers can exchange routing information. In this article, we will learn how to configure BGP authentication on Cisco routers.

It is an important concept in Cisco certification training and should be known by network enthusiasts looking to pursue any Cisco certification like CCNP.

BGP Authentication Methods

BGP uses TCP for transport, and because TCP already has a specification for authentication, BGP uses TCP authentication instead of a separate internal mechanism. Specifically, it uses TCP Option 19, which is the MD5 Signature Option. 

There are two primary BGP authentication methods:

1. TCP MD5 Authentication

The primary method historically used for BGP authentication is the TCP MD5 Signature Option (RFC 2385). This approach involves generating a keyed hash using the MD5 algorithm, which is applied to TCP segments exchanged between BGP peers.

When configured, each BGP peer shares a secret key, and any received TCP segment must match the expected hash value to be accepted. If the authentication fails, the BGP session will not be established.
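As an added worked example (not code from the article), the following Python computes the RFC 2385 keyed-MD5 digest the way a BGP speaker fills TCP option 19, and shows the receiver's check failing for a different password and for a segment whose source address was rewritten in transit. Addresses and the password are the lab's; ports, sequence number and the option layout inside the header are assumptions.

```python
import hashlib
import ipaddress
import struct

TCP_PROTO = 6
OPT_KIND_MD5 = 19   # TCP option kind 19: MD5 Signature Option (RFC 2385)
OPT_LEN_MD5 = 18    # kind(1) + length(1) + 16-byte digest


def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """RFC 2385 sec. 2: MD5 over (1) the pseudo-header, (2) the fixed 20-byte
    TCP header with checksum zeroed and options excluded, (3) the segment
    data, (4) the shared key. `segment` = TCP header incl. options + data."""
    data_off = (segment[12] >> 4) * 4                 # header length incl. options
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))
    hdr = bytearray(segment[:20])
    hdr[16:18] = b"\x00\x00"                          # "assuming a checksum of zero"
    return hashlib.md5(pseudo + bytes(hdr) + segment[data_off:] + key).digest()

def build_segment(src_port, dst_port, seq, ack, flags, payload):
    """Constructed layout: 20-byte header + NOP,NOP + option 19 (digest zeroed) = 40 bytes."""
    opts = b"\x01\x01" + bytes([OPT_KIND_MD5, OPT_LEN_MD5]) + b"\x00" * 16
    hdr = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                      (10 << 12) | flags, 65535, 0, 0)   # data offset 10 words
    return hdr + opts + payload

def sign(src_ip, dst_ip, segment, key):
    """Sender side: fill the 16 digest bytes (offsets 24..39 in this layout)."""
    seg = bytearray(segment)
    seg[24:40] = tcp_md5_digest(src_ip, dst_ip, segment, key)
    return bytes(seg)

def verify(src_ip, dst_ip, segment, key):
    """Receiver side: recompute and compare; a mismatch drops the segment, so BGP never reaches Established."""
    return segment[24:40] == tcp_md5_digest(src_ip, dst_ip, segment, key)

def demo():
    """R1 -> R3 from the lab (addresses/password from the article; ports, seq and payload constructed)."""
    key = b"UNINETS"
    seg = build_segment(11000, 179, 1000, 0, 0x02, b"")   # SYN toward port 179
    signed = sign("192.1.13.1", "192.1.13.3", seg, key)
    ok = verify("192.1.13.1", "192.1.13.3", signed, key)
    wrong_key = verify("192.1.13.1", "192.1.13.3", signed, b"uninets")
    # A NAT/IPS rewriting the source address changes the pseudo-header, so the
    # digest fails even with the correct key (the effect the article notes later).
    natted = verify("10.0.0.1", "192.1.13.3", signed, key)
    return ok, wrong_key, natted
```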

2. TCP Authentication Option (TCP-AO)

An enhancement to this method is the TCP Authentication Option (TCP-AO), introduced in RFC 5925. TCP-AO improves upon TCP MD5 by allowing for more robust authentication mechanisms and enabling key changes without disrupting existing sessions.

This option supports multiple Message Authentication Codes (MACs) and provides better protection against replay attacks, making it more secure than its predecessor.

Configuration Considerations

When configuring BGP authentication, it is crucial to ensure that both peers are using compatible methods (either TCP MD5 or TCP-AO) as they cannot be mixed on a single connection. Additionally, proper configuration of key chains and authentication algorithms is necessary to maintain secure and reliable BGP sessions.



How to Configure BGP Authentication

Let's look at the steps to configure and verify BGP authentication on Cisco routers. You can follow along with the tutorial on our virtual labs.

In this practical, we will work through a set of checkpoint tasks that build up the BGP authentication configuration step by step.

Cisco BGP Authentication - Tasks

● Configure BGP on R01, R02, and R03 as per the topology above.

● Use BGP ASNs 100, 200, and 300, respectively.

● Advertise the Loopback networks of the routers into BGP.

● R03 should peer with both R01 and R02.

● Configure BGP MD5 authentication on these peerings with the password UNINETS.

In this configuration we focus on the scenario where both peers require BGP authentication, and we troubleshoot where required.

BGP Authentication and Other Configuration Commands

SW1:

!
hostname SW1
!
vlan 13
 name R1-R3
vlan 23
 name R2-R3
!
interface GigabitEthernet0/1
 switchport access vlan 13
 switchport mode access
 spanning-tree portfast edge
!
interface GigabitEthernet0/2
 switchport access vlan 23
 switchport mode access
 spanning-tree portfast edge
!
interface GigabitEthernet0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree portfast edge trunk
!

R1:

!
hostname R1
!
interface Loopback0
 ip address 150.1.1.1 255.255.255.255
!         
interface GigabitEthernet0/0
 ip address 192.1.13.1 255.255.255.0
 no shutdown
!         
router bgp 100
 network 150.1.1.1 mask 255.255.255.255
 neighbor 192.1.13.3 remote-as 300
 neighbor 192.1.13.3 password UNINETS
!

R2:

!
hostname R2
!
interface Loopback0
 ip address 150.1.2.2 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 192.1.23.2 255.255.255.0
 no shutdown
!
router bgp 200
 network 150.1.2.2 mask 255.255.255.255
 neighbor 192.1.23.3 remote-as 300
 neighbor 192.1.23.3 password UNINETS
!

R3:

!
hostname R3
!
interface Loopback0
 ip address 150.1.3.3 255.255.255.255
!         
interface GigabitEthernet0/0
 no ip address
 no shutdown
!         
interface GigabitEthernet0/0.13
 encapsulation dot1Q 13
 ip address 192.1.13.3 255.255.255.0
!         
interface GigabitEthernet0/0.23
 encapsulation dot1Q 23
 ip address 192.1.23.3 255.255.255.0
!    
router bgp 300
 network 150.1.3.3 mask 255.255.255.255
 neighbor 192.1.13.1 remote-as 100
 neighbor 192.1.13.1 password UNINETS
 neighbor 192.1.23.2 remote-as 200
 neighbor 192.1.23.2 password UNINETS
!

Verify BGP Authentication Configuration

Just as with OSPF MD5 authentication, if BGP authentication fails the peering relationship will not be established. Therefore, the most basic way to verify that BGP authentication is working is to look at the "show ip bgp summary" output and ensure that the peers are up.


The fact that prefixes are being received implies that the TCP session is up, but this could be further verified by viewing the BGP table, as seen below: 


Beyond simply looking at the BGP configuration, authentication can be verified on a per-neighbor basis, as seen below:


A failure in BGP authentication will trigger a syslog message, as seen below. Note that it may take a couple of minutes before these log messages appear.


If BGP authentication is simply not enabled on the peering, a different error message is logged, as seen below. (You may have to reset the BGP neighborship to see these logs, though this is not recommended in a production environment.)


This is an important difference that we will see later when authenticated BGP sessions pass through an ASA firewall or an IPS sensor, because the modifications these devices make to the IP header and payload will invalidate the TCP MD5 signature.
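Added example, not from the article: a small parser that separates the two syslog cases described above (a digest present but wrong, versus no digest at all) and flags a peer that keeps failing. The message text follows the Cisco IOS %TCP-6-BADAUTH format as I know it ("Invalid MD5 digest from A(port) to B(port)" versus "No MD5 digest from ..."); treat that format as an assumption and check it against your platform. The log lines are constructed, using the lab's addresses.

```python
import re
from collections import Counter

# Assumed IOS message format (%TCP-6-BADAUTH); confirm against your platform.
BADAUTH = re.compile(
    r"%TCP-6-BADAUTH: (?P<kind>Invalid|No) MD5 digest from "
    r"(?P<src>\d+(?:\.\d+){3})\((?P<sport>\d+)\) to "
    r"(?P<dst>\d+(?:\.\d+){3})\((?P<dport>\d+)\)")

CAUSE = {
    "Invalid": "digest present but wrong: password mismatch, or a middlebox "
               "rewrote the IP header/payload",
    "No": "no MD5 option at all: authentication not configured on the peer",
}

# Constructed sample log lines in the assumed format, using the lab's addresses.
SAMPLE_LOG = """\
*Sep 24 10:01:02.001: %BGP-5-ADJCHANGE: neighbor 192.1.23.2 Down BGP Notification sent
*Sep 24 10:01:05.120: %TCP-6-BADAUTH: Invalid MD5 digest from 192.1.13.1(179) to 192.1.13.3(45123)
*Sep 24 10:01:35.131: %TCP-6-BADAUTH: Invalid MD5 digest from 192.1.13.1(179) to 192.1.13.3(45123)
*Sep 24 10:02:05.142: %TCP-6-BADAUTH: Invalid MD5 digest from 192.1.13.1(179) to 192.1.13.3(45123)
*Sep 24 10:02:10.007: %TCP-6-BADAUTH: No MD5 digest from 192.1.23.2(179) to 192.1.23.3(45124)
""".splitlines()


def parse_badauth(line):
    """Return a dict for a BADAUTH line, or None for any other syslog line."""
    m = BADAUTH.search(line)
    if not m:
        return None
    return {"kind": m["kind"], "peer": m["src"], "local": m["dst"],
            "cause": CAUSE[m["kind"]]}


def summarize(lines, threshold=3):
    """Group failures per (peer, kind). Repeated 'Invalid' digests from one peer
    deserve a ticket: either a stale or mistyped key, or something in the path
    is altering the segments."""
    events = [e for e in map(parse_badauth, lines) if e]
    counts = Counter((e["peer"], e["kind"]) for e in events)
    alerts = {peer: f"{n} x {kind} MD5 digest: {CAUSE[kind]}"
              for (peer, kind), n in counts.items() if n >= threshold}
    return events, alerts
```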

BGP Authentication & Configuration - Summing Up

BGP authentication enhances routing security by ensuring that only authorized peers exchange routing information. The primary method is MD5 authentication, which uses a shared password to generate an MD5 hash for TCP segments. Alternatively, TCP Authentication Option (TCP-AO) offers improved security with multiple keys and key lifetimes.

To configure it, enter BGP router configuration mode, set the password on the neighbor statement, and verify with "show ip bgp summary". Proper configuration ensures secure communication between BGP peers, protecting against unauthorized access and potential route hijacking.


FAQ

BGP authentication uses MD5 hashing to verify the integrity of TCP segments exchanged between peers. Each peer must configure the same shared password for successful authentication, preventing unauthorized access.
BGP utilizes TCP Option 19, known as the MD5 Signature Option, for authentication. This method ensures that each TCP segment is authenticated using a shared password between BGP peers.
To verify BGP routes, use the command show ip route bgp. This displays the BGP routing table and confirms that routes are being received from peers.
BGP operates over TCP, specifically using port 179 for establishing peer connections and exchanging routing information.
BGP is a routing protocol used to exchange routing information between autonomous systems on the internet, facilitating path selection and network reachability.

Comments (2)

Dcancerian Student
29 Sep 2023 | 10:28 pm

It is a nice article, I prepared the same topology in GNS and BGP authentication between two peers is working. It is also right that error messages are different when the password is not configured and when a wrong password is configured between BGP peers.
Full marks to the author.

sanchit thareja Student
12 Oct 2023 | 11:40 pm

Hi Deepak, I read your blogs and most of them are with practical scenarios which are helping me to understand the concepts. Please keep doing this job. Thank you!!
