Enabling SSL/TLS Authentication for BGP

To secure data transmission on a network, you can enable SSL/TLS authentication for BGP so that BGP messages are encrypted.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ssl policy policy-name

    An SSL policy is created, and the SSL policy view is displayed.

    For details about the configuration in the SSL policy view, see Configuring and Binding an SSL Policy.

  3. Run quit

    Return to the system view.

  4. Run bgp { as-number-plain | as-number-dot }

    The BGP view is displayed.

  5. To configure SSL/TLS authentication for BGP, perform the following steps on the client and on the server, in any order. The configuration on a peer takes priority over the configuration on the peer group.

    • To configure a peer or peer group as an SSL client or server, run the peer { group-name | ipv4-address } ssl-policy role { client | server } command.
    • To apply the SSL policy to the SSL client or server, run the peer { group-name | ipv4-address } ssl-policy name ssl-policy-name command.
    • To enable SSL/TLS authentication, run the peer { group-name | ipv4-address } ssl-server certificate command.

      This operation can be performed only on the server.

  6. Run commit

    The configuration is committed.
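
The following script is an added example, not part of the original Huawei procedure. It audits the BGP section of a configuration for the three step 5 settings and resolves peer-over-group priority. The function name audit_bgp_tls, the sample configuration, and the saved-configuration line syntax (including the as-number and group lines) are assumptions.

```python
import re

# Constructed server-side BGP section; every name and address is invented.
# Assumed syntax: commands are stored in the form given in step 5.
SAMPLE_CONFIG = """\
bgp 100
 group tls-peers external
 peer tls-peers ssl-policy role server
 peer tls-peers ssl-policy name policy1
 peer 10.1.1.2 as-number 200
 peer 10.1.1.2 group tls-peers
 peer 10.1.1.2 ssl-server certificate
 peer 10.2.2.2 as-number 300
 peer 10.2.2.2 group tls-peers
 peer 10.3.3.2 as-number 400
 peer 10.3.3.2 ssl-policy role server
"""

PEER_LINE = re.compile(r"^\s*peer\s+(\S+)\s+(.+?)\s*$")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def audit_bgp_tls(config):
    """Map each IPv4 peer to the step 5 settings it is missing."""
    settings, member_of = {}, {}
    for line in config.splitlines():
        m = PEER_LINE.match(line)
        if not m:
            continue
        target, words = m.group(1), m.group(2).split()
        s = settings.setdefault(target, {})
        if words[:2] == ["ssl-policy", "role"] and len(words) == 3:
            s["role"] = words[2]
        elif words[:2] == ["ssl-policy", "name"] and len(words) == 3:
            s["policy"] = words[2]
        elif words == ["ssl-server", "certificate"]:
            s["cert_auth"] = True
        elif words[:1] == ["group"] and len(words) == 2:
            member_of[target] = words[1]
    report = {}
    for peer in filter(IPV4.match, settings):
        # A peer's own settings take priority over its peer group's.
        eff = {**settings.get(member_of.get(peer), {}), **settings[peer]}
        checks = [("no SSL role", "role" not in eff),
                  ("no SSL policy", "policy" not in eff),
                  ("server without ssl-server certificate",
                   eff.get("role") == "server" and "cert_auth" not in eff)]
        report[peer] = [msg for msg, failed in checks if failed]
    return report
```

An empty list for a peer means all three settings are present after group inheritance; peers with no SSL commands at all are reported as missing both role and policy.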

Verifying the Configuration

After enabling SSL/TLS authentication for BGP, verify the configuration.

Run the display bgp peer [ ipv4-address ] verbose command to check the authentication information of BGP peers.

Copyright © Huawei Technologies Co., Ltd.