To improve BGP4+ network security, you can configure BGP4+ authentication and GTSM on the BGP network.
You can configure the following functions to improve BGP4+ network security:
MD5 authentication
BGP4+ uses TCP as the transport protocol and considers a packet valid if the source address, destination address, source port, destination port, and TCP sequence number of the packet are correct. However, most parameters in a packet are easily accessible to attackers. To protect BGP4+ against attacks, configure MD5 authentication for TCP connections established between BGP4+ peers.
To prevent the MD5 password set on a BGP4+ peer from being decrypted, update the MD5 password periodically.
MD5 authentication is not recommended if high security is required.
Keychain authentication
A keychain consists of multiple authentication keys, each of which contains an ID and a password. Each key has a lifecycle, and keys are dynamically selected based on the lifecycle of each key. After a keychain with the same rules is configured on the two ends of a BGP4+ connection, the keychains can dynamically select authentication keys to enhance BGP4+ attack defense.
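The key rollover described above, as an added Python example (not code from the page or from any vendor's BGP4+ implementation): two peers that share the same keychain rules pick the same key at every instant, the overlapping receive lifetimes absorb a small clock difference, and a peer whose keychain lacks the new key fails authentication at rollover. The keychain, key IDs, passwords and timestamps are constructed placeholders, and HMAC-SHA256 over the segment stands in for the device's TCP authentication computation, which this example does not reproduce.

```python
import hmac
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

T0 = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)  # constructed epoch
H = timedelta(hours=1)
M = timedelta(minutes=1)


@dataclass(frozen=True)
class Key:
    key_id: int
    password: bytes
    send_start: datetime   # send lifetime: [send_start, send_end)
    send_end: datetime
    recv_start: datetime   # receive lifetime: [recv_start, recv_end)
    recv_end: datetime


# Constructed keychain, as both ends of the session would configure it.
# Key 2 takes over sending at T0+1h; receive lifetimes overlap by five minutes
# on each side so that a small clock difference between peers is tolerated.
KEYCHAIN = [
    Key(1, b"placeholder-key-1", T0, T0 + H, T0, T0 + H + 5 * M),
    Key(2, b"placeholder-key-2", T0 + H, T0 + 2 * H, T0 + H - 5 * M, T0 + 2 * H + 5 * M),
]


def active_send_key(keychain, now):
    """Key whose send lifetime covers `now` (lowest ID wins if lifetimes overlap)."""
    candidates = [k for k in keychain if k.send_start <= now < k.send_end]
    return min(candidates, key=lambda k: k.key_id) if candidates else None


def valid_receive_keys(keychain, now):
    """All keys whose receive lifetime covers `now`, indexed by key ID."""
    return {k.key_id: k for k in keychain if k.recv_start <= now < k.recv_end}


def sign(segment, keychain, now):
    """Sender side: tag the segment with the currently active send key."""
    key = active_send_key(keychain, now)
    if key is None:
        raise RuntimeError("no key in its send lifetime; the session cannot be kept up")
    tag = hmac.new(key.password, segment, hashlib.sha256).digest()
    return key.key_id, tag


def verify(segment, key_id, tag, keychain, now):
    """Receiver side: the announced key ID must be in its receive lifetime and the tag must match."""
    key = valid_receive_keys(keychain, now).get(key_id)
    if key is None:
        return False
    expected = hmac.new(key.password, segment, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def rollover_demo():
    seg = b"BGP4+ KEEPALIVE (constructed payload)"
    results = {}
    # Before rollover: both ends select key 1.
    kid, tag = sign(seg, KEYCHAIN, T0 + 30 * M)
    results["before"] = (kid, verify(seg, kid, tag, KEYCHAIN, T0 + 30 * M))
    # Sender has rolled to key 2; the receiver's clock is two minutes behind
    # but key 2 is already inside its receive lifetime, so the packet is accepted.
    kid, tag = sign(seg, KEYCHAIN, T0 + H + 1 * M)
    results["skew"] = (kid, verify(seg, kid, tag, KEYCHAIN, T0 + H - 1 * M))
    # A receiver whose keychain was configured with different rules (key 2 missing)
    # rejects the same packet: the rules must match on both ends.
    results["mismatch"] = verify(seg, kid, tag, KEYCHAIN[:1], T0 + H + 1 * M)
    return results


if __name__ == "__main__":
    print(rollover_demo())
```

The overlap of receive lifetimes is the operational detail to check when a session flaps at rollover time: if the new key's receive lifetime on one peer starts later than the other peer's send lifetime for that key, packets are rejected for the duration of the gap.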
TCP-AO authentication
The TCP authentication option (TCP-AO) is used to authenticate received and to-be-sent packets during TCP session establishment and data exchange. It supports packet integrity checks to prevent TCP replay attacks. TCP-AO authentication improves the security of the TCP connection between BGP peers and is applicable to networks that require high security.
BGP4+ GTSM
The Generalized TTL Security Mechanism (GTSM) protects the router by checking whether the TTL value (the Hop Limit field in IPv6) in the IP packet header is within a predefined range, which enhances system security.
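The range check above, as an added Python example (not code from the page or from any router's implementation): a GTSM-enabled speaker sends with Hop Limit 255, every forwarding router decrements the field by one, so a packet from a peer configured as at most N hops away must arrive with a Hop Limit of at least 255 - N + 1. Peers, the per-peer hop count and the packets are constructed with documentation addresses; the per-peer parameter name is this example's own, not a device command.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address

MAX_HOP_LIMIT = 255  # a GTSM-enabled speaker sends its BGP4+ packets with Hop Limit 255


@dataclass(frozen=True)
class GtsmPeer:
    address: IPv6Address
    max_hops: int  # how many router hops away the peer may be (1 = directly connected); assumed name


@dataclass(frozen=True)
class Packet:
    src: IPv6Address
    hop_limit: int  # Hop Limit as seen on arrival


def hop_limit_floor(max_hops):
    """Lowest Hop Limit a genuine packet from a peer at most `max_hops` away can carry.
    One hop delivers 255, two hops 254, and so on."""
    return MAX_HOP_LIMIT - max_hops + 1


def gtsm_check(peer, packet):
    """True when the packet's Hop Limit lies within the predefined range for this peer."""
    return packet.hop_limit >= hop_limit_floor(peer.max_hops)


def filter_packets(peers, packets):
    """Return (decision, source, hop_limit) per packet.
    Sources with no GTSM configuration are left to normal processing."""
    by_addr = {p.address: p for p in peers}
    decisions = []
    for pkt in packets:
        peer = by_addr.get(pkt.src)
        if peer is None:
            decisions.append(("not-checked", str(pkt.src), pkt.hop_limit))
        elif gtsm_check(peer, pkt):
            decisions.append(("accept", str(pkt.src), pkt.hop_limit))
        else:
            decisions.append(("drop", str(pkt.src), pkt.hop_limit))
    return decisions


# Constructed peers and packets (documentation addresses, not real devices).
PEERS = [
    GtsmPeer(IPv6Address("2001:db8:1::2"), max_hops=1),  # directly connected peer
    GtsmPeer(IPv6Address("2001:db8:2::2"), max_hops=3),  # multihop peer three hops away
]
PACKETS = [
    Packet(IPv6Address("2001:db8:1::2"), 255),  # genuine, one hop
    Packet(IPv6Address("2001:db8:1::2"), 254),  # same source address but passed through a router
    Packet(IPv6Address("2001:db8:2::2"), 253),  # genuine, three hops
    Packet(IPv6Address("2001:db8:2::2"), 250),  # outside this peer's configured range
    Packet(IPv6Address("2001:db8:9::9"), 64),   # not a GTSM peer
]

if __name__ == "__main__":
    for line in filter_packets(PEERS, PACKETS):
        print(line)
```

The hop count configured for a peer should be the real path length and no larger: every extra hop allowed widens the accepted range by one and weakens the check accordingly.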
BGP4+ RPKI
Resource Public Key Infrastructure (RPKI) improves BGP4+ security by validating the origin ASs of BGP4+ routes.
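The origin validation that RPKI enables, as an added Python example (not code from the page or from any router or RPKI validator): each route is compared against the Route Origin Authorizations (ROAs) that cover its prefix and classified as valid, invalid or not found following the RFC 6811 decision rule, including the AS 0 case, in which a ROA authorizes nobody. The ROAs, prefixes and AS numbers are constructed from documentation ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    prefix: str      # authorized prefix
    max_length: int  # longest prefix length the holder may announce under it
    origin_as: int   # 0 means "no AS may originate this prefix"


def validate_origin(route_prefix, origin_as, roas):
    """Classify (route_prefix, origin_as) against a ROA set per RFC 6811:
    no covering ROA -> not-found; a covering ROA whose AS matches and whose
    max_length permits this prefix length -> valid; otherwise -> invalid."""
    route = ip_network(route_prefix)
    covering = []
    for roa in roas:
        roa_net = ip_network(roa.prefix)
        # subnet_of() only compares networks of the same IP version
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.origin_as != 0 and roa.origin_as == origin_as and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def validate_table(routes, roas):
    """Apply validate_origin to a list of (prefix, origin AS) pairs."""
    return {(p, a): validate_origin(p, a, roas) for p, a in routes}


# Constructed ROA set (documentation prefixes and private-use AS numbers).
ROAS = [
    ROA("2001:db8::/33", 48, 64496),       # AS 64496 may announce down to /48 in the lower half
    ROA("2001:db8:100::/40", 40, 64497),   # AS 64497 may announce exactly this /40
    ROA("2001:db8:8000::/33", 33, 0),      # AS 0: the upper half must not be originated by anyone
]

# Constructed routes as received from BGP4+ peers.
ROUTES = [
    ("2001:db8:1::/48", 64496),    # authorized holder, length within max_length
    ("2001:db8:1::/48", 64499),    # wrong origin AS (origin hijack pattern)
    ("2001:db8:1:1::/64", 64496),  # right AS but more specific than max_length allows
    ("2001:db8:100::/40", 64497),  # matches the /40 ROA even though the /33 ROA names another AS
    ("2001:db8:100::/44", 64497),  # exceeds the /40 ROA's max_length; no other ROA matches
    ("2001:db8:8000::/33", 64496), # only an AS 0 ROA covers it
    ("2001:db9::/32", 64496),      # no ROA covers it at all
]

if __name__ == "__main__":
    for key, state in validate_table(ROUTES, ROAS).items():
        print(key, state)
```

What a router does with each state is policy: dropping invalid routes is the usual goal, while not-found routes are normally still accepted because most of the address space is not yet covered by ROAs, so a validator outage or an empty cache must not be allowed to turn every route into not-found and silently disable the check.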
GTSM supports only unicast addresses. Therefore, configure GTSM on all the routers configured with routing protocols.