peer password (BGP-VPN instance IPv6 address family view) (IPv6)

Function

The peer password command enables a BGP device to implement Message Digest 5 (MD5) authentication for BGP messages exchanged during the establishment of a TCP connection with a peer.

The undo peer password command disables MD5 authentication for BGP messages exchanged during the establishment of a TCP connection with a peer.

By default, MD5 authentication for BGP messages exchanged during the establishment of a TCP connection with a peer is disabled.

Format

peer ipv6-address password simple simple-password

peer ipv6-address password cipher cipher-password

undo peer ipv6-address password

Parameters

Parameter: ipv6-address
Description: Specifies the IPv6 address of a peer.
Value: The value is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.

Parameter: simple simple-password
Description: Specifies a cleartext password. For security purposes, you are advised to configure a password in ciphertext mode. To further improve device security, periodically change the password.
Value: The value is a string of 1 to 255 case-sensitive characters, excluding question marks (?) and spaces. However, spaces are allowed in the password when it is enclosed in quotation marks (").

Parameter: cipher cipher-password
Description: Specifies a ciphertext password.
Value: For a plaintext password, the value is a string of 1 to 255 case-sensitive characters, without spaces. For a ciphertext password, the value is a string of 20 to 432 case-sensitive characters, without spaces. Question marks (?) and spaces are excluded. However, spaces are allowed in the password when it is enclosed in quotation marks (").

Views

BGP-VPN instance IPv6 address family view

Default Level

2: Configuration level

Task Name and Operations

Task Name: bgp
Operations: write

Usage Guidelines

Usage Scenario

BGP uses TCP as the transport layer protocol. To enhance BGP security, MD5 authentication can be implemented for BGP packets exchanged during the establishment of a TCP connection. MD5 authentication sets the MD5 authentication password for the TCP connection, and the authentication is performed by TCP.

A password can be set either in cipher text or plain text. A plain text password is a configured character string that is directly recorded in a configuration file. A cipher text password is a character string that is encrypted by using a special algorithm and then recorded in a configuration file.

Prerequisites

The peer as-number command has been used to create a peer.

Configuration Impact

BGP uses TCP as the transport layer protocol. To enhance BGP security, MD5 authentication can be implemented for BGP packets exchanged during the establishment of a TCP connection. MD5 authentication, however, does not authenticate BGP packets. Instead, it sets the MD5 authentication password for the TCP connection, and the authentication is performed by TCP. If authentication fails, no TCP connection is established.

Precautions

The MD5 algorithm has low security, which may bring security risks. If the protocols allow, use a more secure algorithm.

MD5 authentication and Keychain authentication are mutually exclusive on a peer.

If the passwords of the BGP peers at both ends are the same, the BGP peer relationship is not re-established. If the interval between the configurations at both ends exceeds the BGP peer hold time, or the passwords at both ends are different, the BGP peer relationship is disconnected due to timeout.

If you want to add a BGP peer on which the peer password command has been run to a peer group on which the command has also been run and enable the BGP peer to inherit the authentication configuration of the peer group, run the undo peer password command first before running the peer group command to add the BGP peer to the peer group.

Spaces are not allowed in the password.

Example

# Configure authentication for the TCP connection between a device and its peer.
<HUAWEI> system-view
[~HUAWEI] ip vpn-instance vpna
[*HUAWEI-vpn-instance-vpna] ipv6-family
[*HUAWEI-vpn-instance-vpna-af-ipv6] route-distinguisher 100:1
[*HUAWEI-vpn-instance-vpna-af-ipv6] quit
[*HUAWEI-vpn-instance-vpna] quit
[*HUAWEI] bgp 100
[*HUAWEI-bgp] ipv6-family vpn-instance vpna
[*HUAWEI-bgp-6-vpna] peer 2001:DB8:1::1 as-number 100
[*HUAWEI-bgp-6-vpna] peer 2001:DB8:1::1 password cipher XXX
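
Because a simple password is recorded directly in the configuration file and authentication is disabled by default, a saved configuration can be audited for peers in this view that store the password in cleartext or have no password at all. The following Python check is an added example, not code from the vendor documentation. It assumes a saved-configuration layout that mirrors the commands above (indented lines under bgp and ipv6-family vpn-instance), and the sample configuration and its ciphertext placeholder are constructed.

```python
import ipaddress
import re

# Constructed sample; the indented layout of a saved configuration is an assumption.
SAMPLE_CONFIG = """\
bgp 100
 ipv6-family vpn-instance vpna
  peer 2001:DB8:1::1 as-number 100
  peer 2001:db8:1::1 password cipher CONSTRUCTED-CIPHERTEXT-PLACEHOLDER-0001
  peer 2001:DB8:1::2 as-number 100
  peer 2001:DB8:1::2 password simple "lab secret"
  peer 2001:DB8:1::3 as-number 200
 ipv6-family vpn-instance vpnb
  peer 2001:DB8:2::1 as-number 300
"""

FAMILY_RE = re.compile(r"^\s*ipv6-family vpn-instance (\S+)\s*$")
OTHER_VIEW_RE = re.compile(r"^(\S|\s*ipv[46]-family\b)")   # any other section or family
PEER_RE = re.compile(r"^\s*peer (\S+) (as-number|password) (.+?)\s*$")
LABELS = {None: "no peer password configured", "simple": "password stored in cleartext"}

def audit(config_text):
    """Return sorted (vpn_instance, peer, finding) tuples for weak peer authentication."""
    peers = {}       # (instance, normalized IPv6 address) -> password mode or None
    instance = None  # current BGP-VPN instance IPv6 address family, if any
    for line in config_text.splitlines():
        family = FAMILY_RE.match(line)
        if family:
            instance = family.group(1)
            continue
        if OTHER_VIEW_RE.match(line):
            instance = None              # left the view this command belongs to
            continue
        peer = PEER_RE.match(line)
        if not (peer and instance):
            continue
        try:
            # Normalize so 2001:DB8:1::1 and 2001:db8:1::1 count as the same peer.
            addr = str(ipaddress.IPv6Address(peer.group(1)))
        except ValueError:
            continue                     # peer group name or IPv4 peer: out of scope
        peers.setdefault((instance, addr), None)
        if peer.group(2) == "password":
            peers[(instance, addr)] = peer.group(3).split(None, 1)[0]  # simple / cipher
    return sorted((i, a, LABELS[m]) for (i, a), m in peers.items() if m in LABELS)

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```
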
Copyright © Huawei Technologies Co., Ltd.