THE SCHOOL OF CISCO NETWORKING (SCN): CISCO – BGP MD5 (MESSAGE DIGEST - 5) AUTHENTICATION BETWEEN BGP PEERS:
Contact No:   ### / ###/ ###
Welcome To The IT Knowledge Base Sharing Freeway "Study With The Zero Fees / Zero Money" Web - If We Believe, That If We Have Knowledge, Let Others Light Their Candles With It. - Our Motivation Has Brought Us Together To Offer Our Helping Hands To The Needy Ones Please. "Student Expectations And Satisfaction Is Always Our Highest Priority")
'Love All, Serve All, Help Ever Hurt Never'

Please Welcome To The "Zero Fees And Zero Money SCN Community Study Page"

We Like To Share Our Stuff With Everyone And Hope You Will Find Something Useful Here. Enjoy Our Collection And Come Back Again And Again, We'll Do Our Best To Make It Always Interesting For You. All Our Stuff Always Available May Be 100% Totally Freely. Use Only For Non-Commercial Purposes Only!

THE SCHOOL OF CISCO NETWORKING (SCN) Is A IT Support Community – Based, Non - Profit Volunteer Organizations, Offering Our Assistance And Support To Developmental Our Services Dedicated To All.

Because Large Section Of Our Students In This World, Especially In Villages, Who Are Under Privileged Expecting For Equal Opportunity In Terms Of Money And Education. We Feel The Sufferings Of Talented Students Losing Their Opportunity To Shine Because Of Their Poor Financial Status. So We Thought That Professional Education Will Be Providing Them Freely.

Our Web Site Is To Give An Easy Way To Understand Each And Every Student Who Are Going To Start CISCO Lab Practice Without Any Doubts And Our ARTICLES STUFF Are Always 100% Totally Free For Everyone, Which Is Belongings To THE SCHOOL OF CISCO NETWORKING (SCN).

Also This Guide Provides Technical Guidance Intended To Help All Network Students, Network Administrators And Security Officers Improve Of Their Demonstrated Ability To Achieve Specific objectives Within Set Timeframes.

Hands - On Experience Is An Invaluable Part Of Preparing For The Lab Exam And Never Pass Up An Opportunity To Configure Or Troubleshoot A Router ( If You Have Access To Lab Facilities, Take Full Advantage Of Them) There Is No Replacement For The Experience You Can Gain From Working In A Lab, Where You Can Configure Whatever You Want To Configure And Introduce Whatever Problems You Want To Introduce, Without Risk Of Disrupting A Production Network.

For Better View Of Our Web Page - Please Use Any Latest Web Browser, Such As (Mozilla Firefox, Google Chrome, Opera, Safari, Internet Explorer, Torch, Maxthon, Sea Monkey, Avant Browser, Deepnet Explorer, And Etc ), Because Some Elements Or Scripts Are Not Work In The Old Web Browser (It Might Not Be Displayed Properly Or Are Not Appearing properly!). Thank You For Your Time And Best Of Luck!

Your Sincerely – Premakumar Thevathasan.
"Our Motivation Has Brought Us Together To Offer Our Helping Hands To The Needy Once Please,Thank You."

CISCO – BGP MD5 (MESSAGE DIGEST - 5) AUTHENTICATION BETWEEN BGP PEERS:

INTRODUCTION :


This Document Describes How To Configure Message Digest5 (MD5) Authentication On A TCP Connection Between Two BGP Peers. RFC 2385 Talks About TCP Option 19 Which Is Basically Used For Authentication.

You Can Configure MD5 Authentication Between Two BGP Peers, Meaning That Each Segment Sent On The TCP Connection Between The Peers Is Verified.

WHAT IS BGP MD5 (MESSAGE DIGEST) AUTHENTICATION?


Cisco Internetworking Operating System Software (IOS) Can Employ MD5 Authentication To Protect Border Gateway Protocol (BGP) Connections. The TCP MD5 Option Is Available In Most BGP Implementations. Configuring MD5 Authentication Causes The Cisco IOS Software To Generate And Check The MD5 Digest Of Every Segment Sent On The TCP Connection. Since BGP Uses TCP As Its Transport Protocol.

The Idea Behind This Feature Is That To Every Packet In A TCP Session A Field Is Added With The MD5 Checksum Of The Packet Contents And A Secret Key.

MD5 Authentication Must Be Configured With The Same Password On Both BGP Peers And At The Same Time. For Authentication To Be Successful, Both The Peers Must Be Configured With The Same Password. If This Is Not Done, The Existing BGP Session Will Fail And A New Session Will Not Be Established Until The Same Secret Is Configured On Both Devices. Otherwise, The Connection Between Them Will Not Be Made.

Without Knowing The Key, It Is Near Impossible To Construct A Packet With A Valid Signature. Since BGP Speakers Will Immediately Discard Packets Without A Signature Or With An Invalid Signature, The Types Of Attacks Described Above Cannot Be Executed Without Knowing The Key.

NEIGHBOR MD5 (MESSAGE DIGEST) AUTHENTICATION PASSWORD :


To Enable MD5 Authentication On A TCP Connection Between Two BGP Peers, Use The Neighbor Password Command In Router Configuration Mode. To Disable This Function, Use The No Form Of This Command.

TO ENABLE MD5 (MESSAGE DIGEST) AUTHENTICATION (COMMAND UNDER THE BGP ROUTER CONFIGURATION MODE:


Neighbor {Ip-Address | Peer-Group-Name} Password String

TO REMOVE/DISABLE THE PASSWORD:


No Neighbor {Ip-Address | Peer-Group-Name} Password

SYNTAX DESCRIPTION


Ip-Address - > Ip-Address

Peer-Group-Name - > Name Of A BGP Peer Group.

String - > Case-Sensitive Password Of Up To 25 Characters. The String Can Contain Any Alphanumeric Characters, Including Spaces. You Cannot Specify A Password In The Format Number-Space-Anything. The Space After The Number Causes Problems.

The Following Example Specifies That The Router And Its BGP Peer At 145.2.2.2 Invoke MD5 Authentication On The TCP Connection Between Them:

Router BGP 109
Neighbor 145.2.2.2 Password V61Npre58Mkel33&

BGP Neighbors Will Be Authenticated Using An MD5 Key, This Key Must Match On A Per Neighbor Basis. If Authentication Fails, The BGP Neighbor Relationship Is Not Being Established.

USAGE GUIDELINES :


You Can Invoke Authentication Between Two BGP Peers, Causing Each Segment Sent On The TCP Connection Between Them To Be Verified. This Feature Must Be Configured With The Same Password On Both BGP Peers; Otherwise, The Connection Between Them Will Not Be Made. The Authentication Feature Uses The MD5 Algorithm. Specifying This Command Causes The Generation And Checking Of The MD5 Digest On Every Segment Sent On The TCP Connection.

Configuring A Password For A Neighbor Will Cause An Existing Session To Be Torn Down And A New One Established. If You Specify A BGP Peer Group By Using The Peer-Group-Name Argument, All The Members Of The Peer Group Will Inherit The Characteristic Configured With This Command

If A Router Has A Password Configured For A Neighbor, But The Neighbor Router Does Not, A Message Such As The Following Will Appear On The Console While The Routers Attempt To Establish A BGP Session Between Them:

%TCP-6-BADAUTH: No MD5 Digest From [Peer's IP Address]:11003 To [Local Router's IP Address]:179

Similarly, If The Two Routers Have Different Passwords Configured, A Message Such As The Following Will Appear On The Screen:

%TCP-6-BADAUTH: Invalid MD5 Digest From [Peer's IP Address]:11004 To [Local Router's IP Address]:179


BGP MD5 AUTHENTICATION EXAMPLE


CONFIGURATION BGP MD5 AUTHENTICATION:


NOTE:MD5 Authentication Must Be Configured With The Same Password On Both BGP Peers; Otherwise, The Connection Between Them Will Not Be Made. Configuring MD5 Authentication Causes The Cisco IOS Software To Generate And Check The MD5 Digest Of Every Segment Sent On The TCP Connection.

Router1 (AS 65500)< --------- > Router 2 (AS 65501)


Router1#Configure Terminal
Enter Configuration Commands, One Per Line. End With Cntl/Z.

Router1(Config)#Router Bgp 65500
Router1(Config-Router)#Neighbor 192.168.55.5 Remote-As 65501
Router1(Config-Router)#Neighbor 192.168.55.5 Password Password-1234p

Router1(Config-Router)#Exit
Router1(Config)#End
Router1#

The Same Password Must Be Configured On Both Routers:

Router2#Configure Terminal
Enter Configuration Commands, One Per Line. End With Cntl/Z.

Router2(Config)#Router Bgp 65501
Router2(Config-Router)#Neighbor 192.168.55.6 Remote-As 65500
Router2(Config-Router)#Neighbor 192.168.55.6 Password Password-1234p

Router2(Config-Router)#Exit
Router2(Config)#End
Router2#

DISCUSSION


MD5 Authentication Is A Standard Part Of BGP Version 4 That Was Introduced In RFC 2385. The Ietf Went Further In RFC 3013 (Which Is Also Called BCP 46) To Recommend That "BGP Authentication Should Be Used With Routing Peers" In The Public Internet. This Language "Should Be Used" Indicates A Strong Recommendation, But Not A Requirement.

You Must Explicitly Configure The Peer Relationships Between Routers. These Peers Then Use Point-To-Point TCP Connections To Exchange Information. So It Is Much More Difficult For A Malicious User To Surreptitiously Establish A Peer Relationship With One Of Your Routers And Corrupt Your Routing Tables.

But It Is Still Possible To Hijack An Existing TCP Connection Between Two BGP Peers And Inject Bad Routes. And If The Attackers Are On The Same Network Segment As One Of The Peers, They Can Potentially Hijack The IP Address Of The Legitimate Peer And Set Up A New BGP Session.

With Authentication, This Type Of Attack Is Considerably More Difficult. This Is Because The Attacker Must Not Only Get The TCP Sequence Numbers Right, But He Must Also Insert The Correct Encrypted Authentication Key.

It Is Worth Mentioning Also That Some Sources Have Claimed That This MD5 Authentication Scheme Is Not Sufficient For BGP Because There Are Effective Attacks That Can Break It.

The Internet Draft Document, "Security Requirements For Keys Used With The Tcp Md5 Signature Option," (Draft-Ietf-Idr-Md5-Keys-00.Txt), Comments On This Threat And Makes The Following Recommendations:

• Make Your Keys Between 12 And 24 Bytes Long.
• In Situations With Multiple BGP Peers, Avoid Using The Same Keys With All Peers.
• Change Your Keys At Least Every 90 Days.

Important To Note: That Introducing Authentication Can Cause Delays In BGP Message Passing, Although It Shouldn't Seriously Affect Normal Ip Packet Processing. It Can Also Cause Increased CPU Overhead On The BGP Peer Routers.

Despite All Of This, In A Hostile Network, Authentication Can Be Useful Because It Makes It Significantly Harder For Somebody To Disrupt Your Routing Tables. If Your ISP Supports This Service, It Is Probably A Good Idea To Use It.

It Is Also Worth Mentioning That In Your Router's Configuration File, The Password Will Be Stored In Plain Text Unless You Have Enabled The Service Password-Encryption Global Configuration Command.

When You Turn On Password Encryption, The Router Will Store The Command Using The Cisco Proprietary Type 7 Encryption:

Router Bgp 65500
Neighbor 192.168.55.5 Remote-As 65501
Neighbor 192.168.55.5 Password 7 15020a1f173d24362c7e64704053
!

NOTE:When There Is An Authentication Mismatch Between Two Bgp Peers, They Will Not Be Able To Establish A Connection. You Will Also See The Following Error Message On One Or Both Routers:

Jan 7 10:01:48 Est: %Tcp-6-Badauth: No MD5 Digest From 192.168.55.6:13662 To 192.168.55.5:179




CONCLUSION:


The Goal Of This Article Is To Give An Easy Way To Understand The “CISCO – BGP MD5 AUTHENTICATION.”Hope This Article Will Help Every Beginners Who Are Going To Start Cisco Lab Practice Without Any Doubts. Thank You And Best Of Luck.

This Article Written Author By: Premakumar Thevathasan. CCNA, CCNP, CCIP, MCSE, MCSA, MCSA - MSG, CIW Security Analyst, CompTIA Certified A+.

DISCLAIMER:


This Document Carries No Explicit Or Implied Warranty. Nor Is There Any Guarantee That The Information Contained In This Document Is Accurate. Every Effort Has Been Made To Make All Articles As Complete And As Accurate As Possible.

It Is Offered In The Hopes Of Helping Others, But You Use It At Your Own Risk. The Author Will Not Be Liable For Any Special, Incidental, Consequential Or Indirect Any Damages Due To Loss Of Data Or Any Other Reason That Occur As A Result Of Using This Document. But No Warranty Or Fitness Is Implied. The Information Provided Is On An "As Is" Basic. All Use Is Completely At Your Own Risk.





The School Of Cisco Networking (SCN)
Date & Time: Labels:

1 comment:

Anonymous said...

http://tools.ietf.org/html/rfc5925

Thursday, January 5, 2012 at 10:50:00 PM PST

Post a Comment

Subscribe to: Post Comments (Atom)