Configuring TCP-AO Authentication

This section describes how to configure BGP TCP Authentication Option (TCP-AO) authentication to check the integrity of packets and prevent TCP replay attacks.

Context

The TCP-AO is used to authenticate received and to-be-sent packets during TCP session establishment and data exchange. It supports packet integrity checks to prevent TCP replay attacks. After creating a TCP-AO, run the peer tcp-ao policy command in the BGP view, specifying the peer that needs to reference the TCP-AO and the TCP-AO name. This enables the BGP session to be encrypted. Such a configuration is applicable to networks that require high security. Different peers can reference the same TCP-AO.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run tcp ao tcpaoname

    A TCP-AO is created, and its view is displayed.

  3. Run binding keychain kcName

    The TCP-AO is bound to a keychain.

    Before performing this step, complete the basic keychain configuration described in Pre-configuration Tasks so that the keychain exists.

  4. Run key-id keyId

    A key ID is created for the TCP-AO, and the TCP-AO key ID view is displayed.

  5. Run send-id sndId receive-id rcvId

    send-id and receive-id are configured for the Key ID.

  6. Run quit

    The upper-level view is displayed.

  7. Run quit

    The system view is displayed.

  8. Run bgp as-number

    The BGP view is displayed.

  9. Run peer ipv4-address as-number as-number

    The IP address of a peer and the number of the AS where the peer resides are specified.

  10. Run peer peerIpv4Addr tcp-ao policy tcp-ao-name

    TCP-AO authentication is configured for the TCP connection to be set up between BGP peers.

    The value of the tcp-ao-name parameter must be the name of the TCP-AO created in step 2.

    For the same peer, the TCP-AO, MD5, and keychain authentication modes are mutually exclusive.

  11. Run commit

    The configuration is committed.
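The following is an added worked example of steps 2 to 11 applied on both ends of an EBGP session; it is not part of the original procedure. Router names, addresses (10.0.0.1 and 10.0.0.2), AS numbers (65001 and 65002), and the names ao-bgp and kc-bgp are constructed, and the keychain kc-bgp (with key 1 holding the same algorithm and secret on both routers) is assumed to have been created already as described in Pre-configuration Tasks. Note that the send-id on one router equals the receive-id on its peer, as TCP-AO (RFC 5925) requires.

```text
# RouterA (10.0.0.1, AS 65001) - commands entered from the system view
tcp ao ao-bgp
 binding keychain kc-bgp
 key-id 1                          # assumed to select key 1 of keychain kc-bgp
  send-id 10 receive-id 20         # RouterA sends KeyID 10, expects KeyID 20 from RouterB
  quit
 quit
bgp 65001
 peer 10.0.0.2 as-number 65002
 peer 10.0.0.2 tcp-ao policy ao-bgp   # do not also configure MD5 or keychain for this peer
 commit

# RouterB (10.0.0.2, AS 65002) - mirror image of RouterA
tcp ao ao-bgp
 binding keychain kc-bgp
 key-id 1                          # same keychain key (algorithm and secret) as on RouterA
  send-id 20 receive-id 10         # RouterB sends KeyID 20, expects KeyID 10 from RouterA
  quit
 quit
bgp 65002
 peer 10.0.0.1 as-number 65001
 peer 10.0.0.1 tcp-ao policy ao-bgp
 commit
```

If the send-id and receive-id values are not mirrored, or the keychain keys differ, the peers discard each other's segments and the BGP session never reaches the Established state.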

Copyright © Huawei Technologies Co., Ltd.