Configuring BGP4+ Authentication

BGP4+ authentication can be configured to enhance the security of BGP networks.

Usage Scenario

BGP4+ authentication includes MD5, TCP-AO, and keychain authentication.
  • MD5 authentication

    BGP uses TCP as its transport protocol and considers a packet valid if its source address, destination address, source port, destination port, and TCP sequence number are correct. However, most of these parameters are easily obtained by attackers. To protect BGP against such attacks, configure MD5 authentication for the TCP connections established between BGP peers.

    To prevent the MD5 password set on the BGP peers from being compromised, update the MD5 password periodically.

    MD5 authentication is not recommended if high security is required.

  • Keychain authentication

    A keychain consists of multiple authentication keys, each of which contains an ID and a password. Each key has a lifecycle, and the active key is selected dynamically based on the lifecycle of each key. After keychains with the same rules are configured on the two ends of a BGP connection, both ends dynamically select the same authentication key, which improves BGP's defense against attacks.

  • TCP-AO authentication

    The TCP authentication option (TCP-AO) is used to authenticate received and to-be-sent packets during TCP session establishment and data exchange. It supports packet integrity checks to prevent TCP replay attacks. TCP-AO authentication improves the security of the TCP connection between BGP peers and is applicable to networks that require high security.

BGP MD5 authentication and BGP keychain authentication are mutually exclusive.

Pre-configuration Tasks

Before configuring BGP4+ authentication, configure basic BGP4+ functions.

Procedure

  1. Configure MD5 authentication.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run peer { group-name | ipv6-address } password { cipher cipher-password | simple simple-password }

      The MD5 authentication password is set.

      In BGP4+ MD5 authentication, you only need to set MD5 authentication passwords for TCP connections, and the authentication is performed by TCP. If the authentication fails, the TCP connections cannot be established.

      An MD5 authentication password can be set in either of the following modes:

      • cipher cipher-password indicates that the password is entered as ciphertext.

      • simple simple-password indicates that the password is entered as cleartext.

      • The new password is at least eight characters long and contains at least two of the following character types: upper-case letters, lower-case letters, digits, and special characters, excluding the question mark (?) and spaces.

      • For security purposes, you are advised to configure a password in ciphertext mode. To further improve device security, periodically change the password.

    4. Run commit

      The configuration is committed.

  2. Configure keychain authentication.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run peer { group-name | ipv6-address } keychain keychain-name

      Keychain authentication is configured.

      To ensure that the TCP connection can be set up and BGP messages can be exchanged between both ends of a BGP connection, configure on both ends a keychain intended for TCP-based applications, with the same password and the same encryption algorithm.

      The keychain-name specified in this command must already exist before you configure BGP4+ keychain authentication; otherwise, the TCP connection cannot be established. For keychain configuration details, see the "Keychain Configuration" chapter in HUAWEI NetEngine 8000 F Series Configuration Guide - Security.

    4. Run commit

      The configuration is committed.

  3. Configure TCP-AO authentication.
    1. Run system-view

      The system view is displayed.

    2. Run tcp ao tcpaoname

      A TCP-AO is created, and its view is displayed.

    3. Run binding keychain kcName

      The TCP-AO is bound to a keychain.

      Before performing this step, create the keychain by completing the basic keychain configuration described in Pre-configuration Tasks.

    4. Run key-id keyId

      A key ID is created for the TCP-AO, and the TCP-AO key ID view is displayed.

    5. Run send-id sndId receive-id rcvId

      The send ID and receive ID are configured for the key ID.

    6. Run quit

      The upper-level view is displayed.

    7. Run quit

      The system view is displayed.

    8. Run bgp as-number

      The BGP view is displayed.

    9. Run peer ipv4-address as-number as-number

      The IP address of a peer and the number of the AS where the peer resides are specified.

    10. Run peer peerIpv4Addr tcp-ao policy tcp-ao-name

      TCP-AO authentication is configured for the TCP connection to be set up between the BGP peers. The value of tcp-ao-name must be the name of the TCP-AO created in step 2.

      For the same peer, the authentication modes TCP-AO, MD5, and keychain are mutually exclusive.

    11. Run commit

      The configuration is committed.
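The following is an added worked example, not taken from the original page, that carries the TCP-AO procedure above through on both ends of a session. It assumes that a keychain named kc1 already exists on both devices (as step 3 requires), that the peer addresses and AS numbers are constructed values, and that send-id and receive-id follow RFC 5925 KeyID semantics, so each device's send-id must equal the other device's receive-id.

```text
# --- DeviceA (AS 65001, peer address 10.1.1.1; constructed values) ---
system-view
tcp ao ao1
 binding keychain kc1          # kc1 is assumed to exist already
 key-id 1
  send-id 10 receive-id 20     # DeviceA sends KeyID 10, expects KeyID 20
  quit
 quit
bgp 65001
 peer 10.1.1.2 as-number 65002
 peer 10.1.1.2 tcp-ao policy ao1   # must name the TCP-AO created above
 commit

# --- DeviceB (AS 65002, peer address 10.1.1.2; constructed values) ---
system-view
tcp ao ao1
 binding keychain kc1          # same keychain rules as on DeviceA
 key-id 1
  send-id 20 receive-id 10     # mirrored: DeviceB sends 20, expects 10
  quit
 quit
bgp 65002
 peer 10.1.1.1 as-number 65001
 peer 10.1.1.1 tcp-ao policy ao1
 commit
```

If the IDs are not mirrored or the keychains differ, the TCP connection is rejected before BGP runs, so the peer never leaves the Idle/Connect states in the display bgp ipv6 peer output.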

Checking the Configuration

# A peer relationship can be established only between two peers that have the same authentication information. Run the display bgp ipv6 peer command to check the peer relationship status.

Copyright © Huawei Technologies Co., Ltd.