INTRODUCTION:
This document describes how to configure Message Digest 5 (MD5) authentication on the TCP connection between two BGP peers. RFC 2385 defines TCP option 19, the TCP MD5 Signature Option, which carries the authentication digest.
When MD5 authentication is configured between two BGP peers, every TCP segment exchanged on the session between them carries a digest and is verified by the receiver.
WHAT IS BGP MD5 (MESSAGE DIGEST) AUTHENTICATION?
Cisco IOS (Internetwork Operating System) software can use MD5 authentication to protect Border Gateway Protocol (BGP) sessions. Because BGP uses TCP as its transport protocol, the protection is applied at the TCP layer: the TCP MD5 option is available in most BGP implementations, and configuring it causes Cisco IOS to generate and check an MD5 digest on every segment sent on the TCP connection.
The idea behind this feature is that every segment in the TCP session carries an extra TCP option holding an MD5 digest computed over the TCP pseudo-header, the TCP header (with a zero checksum and without options), the segment data, and a secret key. The key itself is never sent on the wire; only the digest is.
MD5 authentication must be configured with the same password on both BGP peers. If the passwords differ, or only one side is configured, the existing BGP session fails and a new session is not established until the same secret is configured on both devices.
Without knowing the key it is computationally infeasible to construct a segment with a valid digest. Since a BGP speaker immediately discards segments that carry no digest or an invalid digest, the spoofing and hijacking attacks described in the Discussion section below cannot be carried out without the key. Note the limits of the scheme: it authenticates segments but does not encrypt them, and a short or guessable key can be recovered offline by an attacker who has captured signed segments.
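The signature computation described above, as an added example that is not part of the original article: a pure-Python implementation of the RFC 2385 digest, applied to a constructed BGP KEEPALIVE segment, with a receiver-side check that returns the same three outcomes IOS distinguishes (valid, no digest, invalid digest). The addresses, ports, sequence numbers and key are made-up lab values; the TCP checksum is left at zero because nothing here is handed to a network stack, and padding the option with two NOPs is an assumption about layout, not something the RFC mandates.

```python
"""RFC 2385 TCP MD5 Signature Option: sign and verify a TCP segment.

Added example, not from the original article. Standard library only.
All addresses, ports, sequence numbers and the key are constructed values.
"""
import hashlib
import hmac
import socket
import struct

TCP_MD5_KIND = 19      # option kind assigned by RFC 2385
TCP_MD5_LEN = 18       # kind(1) + length(1) + 16-byte digest
IPPROTO_TCP = 6
BGP_PORT = 179


def tcp_md5_digest(src_ip, dst_ip, fixed_header, payload, key, segment_len):
    """Digest per RFC 2385 section 2: pseudo-header (src, dst, zero, proto,
    total TCP length incl. options), the 20-byte TCP header with the checksum
    assumed zero and options excluded, the data, then the shared key."""
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, IPPROTO_TCP, segment_len)
    hdr = bytearray(fixed_header[:20])
    hdr[16:18] = b"\x00\x00"          # checksum field is hashed as zero
    md = hashlib.md5()
    for part in (pseudo, bytes(hdr), payload, key):
        md.update(part)
    return md.digest()


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key=None):
    """Build a TCP segment; with a key, append the MD5 option plus two NOPs so the
    header stays on a 4-byte boundary (layout assumption). Checksum stays zero."""
    opts_len = TCP_MD5_LEN + 2 if key is not None else 0
    data_offset = (20 + opts_len) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         data_offset << 4, flags, 65535, 0, 0)
    options = b""
    if key is not None:
        digest = tcp_md5_digest(src_ip, dst_ip, header, payload, key,
                                20 + opts_len + len(payload))
        options = struct.pack("!BB16s", TCP_MD5_KIND, TCP_MD5_LEN, digest) + b"\x01\x01"
    return header + options + payload


def verify_segment(src_ip, dst_ip, segment, key):
    """Return 'ok', 'no-digest' or 'bad-digest'; the last two are the cases
    IOS logs as %TCP-6-BADAUTH."""
    data_offset = (segment[12] >> 4) * 4
    options = segment[20:data_offset]
    payload = segment[data_offset:]
    received = None
    i = 0
    while i < len(options):               # walk the TCP option list
        kind = options[i]
        if kind == 0:                     # end of options
            break
        if kind == 1:                     # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            break
        length = options[i + 1]
        if length < 2:
            break
        if kind == TCP_MD5_KIND and length == TCP_MD5_LEN:
            received = bytes(options[i + 2:i + TCP_MD5_LEN])
        i += length
    if received is None:
        return "no-digest"
    expected = tcp_md5_digest(src_ip, dst_ip, segment[:20], payload, key, len(segment))
    return "ok" if hmac.compare_digest(received, expected) else "bad-digest"


# Constructed sample: a BGP KEEPALIVE (16-byte all-ones marker, length 19,
# type 4) sent from Router2 to Router1 using the article's lab addresses.
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)
KEY = b"password-1234"
SRC, DST = "192.168.55.5", "192.168.55.6"


def demo():
    signed = build_segment(SRC, DST, 40001, BGP_PORT, 1000, 2000, 0x18, KEEPALIVE, KEY)
    unsigned = build_segment(SRC, DST, 40001, BGP_PORT, 1000, 2000, 0x18, KEEPALIVE)
    forged = signed[:-1] + b"\x03"        # attacker flips the BGP message type
    return {
        "same key": verify_segment(SRC, DST, signed, KEY),
        "wrong key": verify_segment(SRC, DST, signed, b"Password-1234"),  # case matters
        "no option": verify_segment(SRC, DST, unsigned, KEY),
        "tampered": verify_segment(SRC, DST, forged, KEY),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-10s -> %s" % (case, result))
```

The "wrong key" case uses the same password with one letter in a different case; it fails exactly as a real peer would, which is why the case-sensitivity of the string argument matters in practice.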
NEIGHBOR MD5 (MESSAGE DIGEST) AUTHENTICATION PASSWORD:
To enable MD5 authentication on the TCP connection between two BGP peers, use the neighbor password command in router configuration mode. To disable this function, use the no form of this command.
TO ENABLE MD5 (MESSAGE DIGEST) AUTHENTICATION (COMMAND UNDER BGP ROUTER CONFIGURATION MODE):
neighbor {ip-address | peer-group-name} password string
TO REMOVE/DISABLE THE PASSWORD:
no neighbor {ip-address | peer-group-name} password
SYNTAX DESCRIPTION
ip-address -> IP address of the BGP-speaking neighbor.
peer-group-name -> Name of a BGP peer group.
string -> Case-sensitive password of up to 25 characters. The string can contain any alphanumeric characters, including spaces. You cannot specify a password in the format number-space-anything: the space after the number causes problems, because IOS reads a leading number followed by a space as the storage type of the string that follows (as in password 7 ...), not as part of the password.
The following example specifies that the router and its BGP peer at 145.2.2.2 invoke MD5 authentication on the TCP connection between them:
router bgp 109
 neighbor 145.2.2.2 password V61Npre58Mkel33&
BGP neighbors are authenticated with an MD5 key that must match on a per-neighbor basis, including letter case. If authentication fails, the BGP neighbor relationship is not established.
USAGE GUIDELINES:
You can invoke authentication between two BGP peers, causing each segment sent on the TCP connection between them to be verified. This feature must be configured with the same password on both BGP peers; otherwise the connection between them is not made. The authentication feature uses the MD5 algorithm: specifying this command causes the generation and checking of an MD5 digest on every segment sent on the TCP connection.
Configuring a password for a neighbor causes an existing session to be torn down and a new one established, so schedule the change on both peers together. If you specify a BGP peer group with the peer-group-name argument, all members of the peer group inherit the characteristic configured with this command.
If a router has a password configured for a neighbor but the neighbor router does not, a message such as the following appears on the console while the routers attempt to establish a BGP session:
%TCP-6-BADAUTH: No MD5 digest from [peer's IP address]:11003 to [local router's IP address]:179
Similarly, if the two routers have different passwords configured, a message such as the following appears:
%TCP-6-BADAUTH: Invalid MD5 digest from [peer's IP address]:11004 to [local router's IP address]:179
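For anyone collecting these messages centrally, an added example (mine, not from the article): a parser for %TCP-6-BADAUTH syslog lines that maps the two reasons back to their configuration causes and flags a peer that keeps failing, run over a few constructed log lines. It accepts the host:port form shown above and also a host(port) form; that the latter appears in some IOS releases is an assumption on my part, and the three-event alert threshold is arbitrary.

```python
"""Classify Cisco %TCP-6-BADAUTH messages produced by BGP MD5 authentication.

Added example, not from the original article. The log lines are constructed.
"""
import re
from collections import Counter, defaultdict

# "from <peer>:<port> to <local>:<port>" as in the article. The "<peer>(<port>)"
# spelling is assumed to occur in other IOS releases and is accepted as well.
BADAUTH = re.compile(
    r"%TCP-6-BADAUTH:\s+(?P<reason>No|Invalid) MD5 digest from\s+"
    r"(?P<remote>\d{1,3}(?:\.\d{1,3}){3})[:(](?P<rport>\d+)\)?\s+to\s+"
    r"(?P<local>\d{1,3}(?:\.\d{1,3}){3})[:(](?P<lport>\d+)\)?"
)

# Each reason corresponds to one configuration state on the two routers.
CAUSE = {
    "No": "peer sent an unsigned segment: 'neighbor ... password' is missing on the remote router",
    "Invalid": "peer signed with a different key: the passwords differ (keys are case-sensitive)",
}

BGP_PORT = 179


def parse_badauth(line):
    """Return a dict for a BADAUTH line, or None for any other syslog message."""
    m = BADAUTH.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["rport"] = int(ev["rport"])
    ev["lport"] = int(ev["lport"])
    ev["cause"] = CAUSE[ev["reason"]]
    # the side using 179 is the passive (listening) end of the BGP session
    ev["local_is_listener"] = ev["lport"] == BGP_PORT
    return ev


def summarize(lines, threshold=3):
    """Count events per remote peer. One BADAUTH can be a transient during a
    coordinated key change; a run at or above threshold is a misconfiguration."""
    counts = Counter()
    reasons = defaultdict(set)
    for line in lines:
        ev = parse_badauth(line)
        if ev is None:
            continue
        counts[ev["remote"]] += 1
        reasons[ev["remote"]].add(ev["reason"])
    return {peer: {"events": n, "reasons": sorted(reasons[peer]), "alert": n >= threshold}
            for peer, n in counts.items()}


# Constructed sample log: three retries from a peer with no password, one
# unrelated message, and a single mismatch from a second peer.
SAMPLE_LOG = """\
Jan  7 10:01:48 EST: %TCP-6-BADAUTH: No MD5 digest from 192.168.55.6:13662 to 192.168.55.5:179
Jan  7 10:01:50 EST: %TCP-6-BADAUTH: No MD5 digest from 192.168.55.6:13663 to 192.168.55.5:179
Jan  7 10:01:52 EST: %TCP-6-BADAUTH: No MD5 digest from 192.168.55.6:13664 to 192.168.55.5:179
Jan  7 10:02:10 EST: %BGP-5-ADJCHANGE: neighbor 10.0.0.2 Up
Jan  7 10:03:01 EST: %TCP-6-BADAUTH: Invalid MD5 digest from 10.0.0.9(179) to 192.168.55.5(11004)
"""

if __name__ == "__main__":
    for peer, info in summarize(SAMPLE_LOG.splitlines()).items():
        print(peer, info)
```

The severity level is 6 (informational), so these lines are easy to overlook in a busy log; counting them per peer is what turns a stream of retries into an actionable alert.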
CONFIGURATION OF BGP MD5 AUTHENTICATION:
NOTE: MD5 authentication must be configured with the same password on both BGP peers; otherwise the connection between them is not made. Configuring MD5 authentication causes Cisco IOS to generate and check the MD5 digest of every segment sent on the TCP connection.
Router1 (AS 65500, 192.168.55.6) <---------> Router2 (AS 65501, 192.168.55.5)
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#router bgp 65500
Router1(config-router)#neighbor 192.168.55.5 remote-as 65501
Router1(config-router)#neighbor 192.168.55.5 password password-1234
Router1(config-router)#exit
Router1(config)#end
Router1#
The same password must be configured on both routers. IOS keywords are not case-sensitive, but the password string is, so type it identically on both sides:
Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#router bgp 65501
Router2(config-router)#neighbor 192.168.55.6 remote-as 65500
Router2(config-router)#neighbor 192.168.55.6 password password-1234
Router2(config-router)#exit
Router2(config)#end
Router2#
DISCUSSION
MD5 authentication for BGP was introduced in RFC 2385, which defines the TCP MD5 Signature Option. It is an option of the TCP transport rather than part of the BGP-4 protocol itself, which is why it covers every segment of the session and not only the BGP messages. The IETF went further in RFC 3013 (also called BCP 46) to recommend that "BGP authentication should be used with routing peers" in the public Internet. The language "should be used" indicates a strong recommendation, but not a requirement.
You must explicitly configure the peer relationships between routers, and the peers then use point-to-point TCP connections to exchange routing information. This alone makes it much more difficult for an attacker to surreptitiously establish a peer relationship with one of your routers and corrupt your routing tables.
It is still possible, however, to hijack an existing TCP connection between two BGP peers and inject bad routes, or to tear the session down with a spoofed TCP RST, provided the attacker can get the sequence numbers right. And if the attackers are on the same network segment as one of the peers, they can potentially take over the IP address of the legitimate peer and set up a new BGP session.
With authentication, this type of attack is considerably more difficult. The attacker must not only get the TCP sequence numbers right, but must also produce a valid MD5 digest for every injected segment, which requires the shared key; the key is never transmitted, only the digest is.
It is also worth mentioning that some sources have claimed that this MD5 authentication scheme is not sufficient for BGP because there are effective attacks against it. The practical weaknesses are in key management rather than in forging digests: the key is static, there is no built-in rekeying, and a short or dictionary key can be recovered offline from captured segments. The IETF has since published RFC 5925, the TCP Authentication Option (TCP-AO), as the replacement for the MD5 option.
The Internet-Draft "Security Requirements for Keys Used with the TCP MD5 Signature Option" (draft-ietf-idr-md5-keys-00.txt, which became RFC 3562) comments on this threat and makes the following recommendations:
• Make your keys between 12 and 24 bytes long.
• In situations with multiple BGP peers, avoid using the same key with all peers.
• Change your keys at least every 90 days.
Important to note: introducing authentication can add delay to BGP message processing, although it should not seriously affect normal IP packet forwarding. It also increases CPU load on the BGP peer routers, since every segment in both directions is hashed.
Despite all of this, in a hostile network authentication is useful because it makes it significantly harder for somebody to disrupt your routing tables. If your ISP supports this service, it is a good idea to use it.
It is also worth mentioning that in your router's configuration file the password is stored in clear text unless you have enabled the service password-encryption global configuration command.
When you turn on password encryption, the router stores the command using the Cisco proprietary type 7 encoding:
router bgp 65500
 neighbor 192.168.55.5 remote-as 65501
 neighbor 192.168.55.5 password 7 15020a1f173d24362c7e64704053
!
Type 7 is a reversible obfuscation, not encryption: anyone who can read the configuration (show running-config output, a TFTP backup, a configuration-management repository) can recover the BGP key from it. Treat configuration files that contain neighbor passwords as secrets.
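To make that concrete, and to check the key-management recommendations from the Discussion against a configuration, here is an added example that is not the article's code. It parses neighbor ... password lines from a constructed running-config excerpt, reverses the type 7 encoding with the publicly known translation table (the 53-byte table used by common decoders is an assumption; the type 7 string in the listing above decodes to password-1234), and flags keys stored in the clear, keys outside the 12 to 24 byte range, and one key shared by several neighbors. The 90-day rotation rule cannot be checked from a configuration file alone, since IOS does not record when a key was set, so it is left out.

```python
"""Audit BGP neighbor passwords in a Cisco IOS configuration.

Added example, not from the original article. The translation table is the
one used by public type 7 decoders (assumption: the 53-byte variant; the
first 40 bytes are the classic table). The configuration excerpt is constructed.
"""
import re

XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded):
    """Type 7 = two decimal digits of seed, then one hex byte per character,
    each XORed with the table byte at (seed + position). No secret is
    involved, so anyone holding the string can reverse it."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body)).decode()


def encode_type7(plain, seed=15):
    data = plain.encode()
    return "%02d" % seed + bytes(b ^ XLAT[(seed + i) % len(XLAT)]
                                 for i, b in enumerate(data)).hex()


# 'neighbor <peer> password [<type> ]<string>'. A leading digit followed by a
# space is read as the storage type: this is the number-space-anything caveat.
NEIGHBOR_PW = re.compile(r"^\s*neighbor\s+(\S+)\s+password\s+(?:(\d)\s+)?(.+?)\s*$")


def neighbor_keys(config_text):
    """Return [(neighbor, storage_type, plaintext_key)]. storage_type is None
    for a bare string, '0' for an explicit clear-text string, '7' for type 7."""
    keys = []
    for line in config_text.splitlines():
        m = NEIGHBOR_PW.match(line)
        if not m:
            continue
        neighbor, ktype, value = m.groups()
        if ktype == "7":
            plain = decode_type7(value)
        elif ktype in (None, "0"):
            plain = value
        else:
            plain = None                  # unknown storage type: skip key checks
        keys.append((neighbor, ktype, plain))
    return keys


def audit(config_text, min_len=12, max_len=24):
    """Apply the draft's length and reuse rules plus a storage check.
    Returns a list of (neighbor, message) pairs."""
    findings = []
    first_user = {}
    for neighbor, ktype, plain in neighbor_keys(config_text):
        if ktype != "7":
            findings.append((neighbor, "key stored in clear text; enable service password-encryption"))
        if plain is None:
            continue
        n = len(plain.encode())
        if not min_len <= n <= max_len:
            findings.append((neighbor, "key length %d bytes, recommended %d to %d" % (n, min_len, max_len)))
        if plain in first_user:
            findings.append((neighbor, "same key as neighbor %s" % first_user[plain]))
        else:
            first_user[plain] = neighbor
    return findings


# Constructed excerpt: the article's neighbor, a second neighbor reusing the
# same key in the clear, and a third with a type 7 string that hides "short".
SAMPLE_CONFIG = """\
router bgp 65500
 neighbor 192.168.55.5 remote-as 65501
 neighbor 192.168.55.5 password 7 15020a1f173d24362c7e64704053
 neighbor 10.0.0.9 remote-as 65502
 neighbor 10.0.0.9 password password-1234
 neighbor 10.0.0.17 remote-as 65503
 neighbor 10.0.0.17 password 7 071c29435c1d
!
"""

if __name__ == "__main__":
    for neighbor, ktype, plain in neighbor_keys(SAMPLE_CONFIG):
        print(neighbor, ktype, plain)
    for neighbor, msg in audit(SAMPLE_CONFIG):
        print(neighbor + ":", msg)
```

Because the decoder needs nothing but the configuration text, the only real protection for a BGP key is restricting who can read the configuration; service password-encryption stops shoulder-surfing and nothing more.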
NOTE: When there is an authentication mismatch between two BGP peers, they cannot establish a connection, and you will see an error message such as the following on one or both routers:
Jan  7 10:01:48 EST: %TCP-6-BADAUTH: No MD5 digest from 192.168.55.6:13662 to 192.168.55.5:179
CONCLUSION:
The goal of this article is to give an easy way to understand "CISCO – BGP MD5 AUTHENTICATION". I hope this article helps every beginner who is going to start Cisco lab practice. Thank you and best of luck.
This article was written by: Premakumar Thevathasan. CCNA, CCNP, CCIP, MCSE, MCSA, MCSA - MSG, CIW Security Analyst, CompTIA Certified A+.
DISCLAIMER:
This document carries no explicit or implied warranty, nor is there any guarantee that the information contained in this document is accurate. Every effort has been made to make all articles as complete and as accurate as possible.
It is offered in the hope of helping others, but you use it at your own risk. The author will not be liable for any special, incidental, consequential or indirect damages due to loss of data or any other reason that occur as a result of using this document. No warranty or fitness is implied. The information is provided on an "as is" basis. All use is completely at your own risk.
The School Of Cisco Networking (SCN)
1 comment:
http://tools.ietf.org/html/rfc5925