The (Unofficial) CCNP-SP Study Guide

BGP MD5 Authentication


Last updated 2 years ago

BGP MD5 Authentication authenticates BGP peers with an MD5 signature carried in a TCP option, the TCP MD5 Signature Option (option kind 19) defined in RFC 2385. The signature is added to the TCP header of every segment of the session, not just the handshake. RFC 5925 (TCP-AO) has since obsoleted RFC 2385, but the MD5 option is still what the BGP neighbor password command configures on IOS-XE and IOS-XR.

You can use it with both iBGP and eBGP peers. As a reminder, TTL Security is only configurable on eBGP sessions.

MD5 Authentication does not encrypt the BGP packets. The messages are still in clear text, and you can sniff the session and read the Updates. What it does is let the router verify, from the TCP header alone, that the segment was built by someone holding the shared key before any BGP processing happens. If the digest is missing or does not match, the router discards the segment without ever looking at the BGP data inside it.

An attacker therefore cannot reset the TCP session remotely with a spoofed RST, inject a segment into it, or open a new connection to port 179 as the peer: without the key, every segment it sends carries a missing or wrong signature and is dropped before TCP acts on it. The router still has to compute an MD5 over each such segment in order to reject it, so MD5 limits what an attacker can do to the session but does not replace CoPP/LPTS and ttl-security for protecting the control plane against floods.

To re-iterate, the MD5 signature is not part of the BGP protocol. BGP takes advantage of the TCP option in the same way that it relies on TCP for reliable delivery, sequencing, and so on. Nothing about the signature is negotiated in the BGP OPEN message, for example. It is strictly a function of TCP.

So you might be wondering: if the packets are in clear text, what prevents someone from sniffing the session and copying the MD5 signature out of one of the packets? The reason this doesn't work is that the hash covers the IP pseudo-header (source and destination address, protocol, segment length), the fixed TCP header with the checksum zeroed (so the ports, sequence and acknowledgement numbers and flags), the TCP payload, and the password. A digest lifted from a captured segment is only valid for that exact segment; graft it onto a RST or an UPDATE with a different sequence number, flags or content and verification fails. Two caveats are worth knowing. First, the option gives no replay protection of its own: a bit-for-bit copy of a captured segment still verifies, and it is TCP's sequence-number check, not the signature, that discards it as a duplicate. Second, RFC 2385 defines no key rollover; if only one side changes the password, its peer's segments start failing verification and the session eventually drops, so change both ends together.
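The following is an added example, not code from the study guide, that models the RFC 2385 check in Python: it builds constructed TCP segments for the R4/XR5 session, signs them exactly as the RFC describes (pseudo-header, fixed header with checksum zeroed, payload, key), and then shows what a receiver does with a spoofed RST, a RST carrying a digest grafted from a sniffed KEEPALIVE, a peer using the wrong key, and an exact replay. The addresses, ports, sequence numbers and the KEEPALIVE bytes are constructed; the verdict strings mirror the IOS %TCP-6-BADAUTH wording but the function itself is a model, not router code.

```python
import hashlib
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed model of the RFC 2385 check; not the study guide's code and not a real capture.
TCP_MD5_KIND = 19   # option kind
TCP_MD5_LEN = 18    # kind + length + 16-byte digest (padded to 20 bytes on the wire)
FLAG_RST, FLAG_ACK = 0x04, 0x10


@dataclass
class Segment:
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    payload: bytes = b""
    digest: Optional[bytes] = None   # contents of the MD5 option, if present

    def header_len(self) -> int:
        # 20-byte fixed header, plus the option padded to a 4-byte boundary
        return 20 + (20 if self.digest is not None else 0)

    def fixed_header(self) -> bytes:
        # fixed header only (no options), checksum field zero as RFC 2385 requires
        data_offset = (self.header_len() // 4) << 4
        return struct.pack("!HHIIBBHHH", self.sport, self.dport, self.seq, self.ack,
                           data_offset, self.flags, 65535, 0, 0)


def tcp_md5_digest(seg: Segment, key: bytes) -> bytes:
    """MD5 over: pseudo-header, fixed TCP header (checksum 0), payload, key.
    The options, including the signature itself, are not hashed."""
    pseudo = (socket.inet_aton(seg.src_ip) + socket.inet_aton(seg.dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP,
                            seg.header_len() + len(seg.payload)))
    return hashlib.md5(pseudo + seg.fixed_header() + seg.payload + key).digest()


def sign(seg: Segment, key: bytes) -> Segment:
    """Sender: reserve option space first so the length fields are final, then sign."""
    seg.digest = b"\x00" * 16
    seg.digest = tcp_md5_digest(seg, key)
    return seg


def verify(seg: Segment, key: bytes) -> str:
    """Receiver: the decision made before TCP or BGP ever sees the segment.
    Return strings mirror the IOS %TCP-6-BADAUTH wording (a modelling choice)."""
    if seg.digest is None:
        return "No MD5 digest"
    if seg.digest != tcp_md5_digest(seg, key):
        return "Invalid MD5 digest"
    return "ok"


KEY = b"s3cr3t"
# A BGP KEEPALIVE: 16-byte marker of 0xff, length 19, type 4 (constructed)
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"


def demo() -> Dict[str, str]:
    peer = dict(src_ip="10.4.5.5", dst_ip="10.4.5.4", sport=62144, dport=179)
    legit = sign(Segment(**peer, seq=1000, ack=2000, flags=FLAG_ACK, payload=KEEPALIVE), KEY)
    # 1. attacker spoofs a RST from the peer's address but has no key
    rst = Segment(**peer, seq=1019, ack=2000, flags=FLAG_RST | FLAG_ACK)
    # 2. attacker grafts the digest sniffed from the KEEPALIVE onto that RST
    rst_graft = Segment(**peer, seq=1019, ack=2000, flags=FLAG_RST | FLAG_ACK,
                        digest=legit.digest)
    # 3. peer configured with the wrong password
    wrong = sign(Segment(**peer, seq=1000, ack=2000, flags=FLAG_ACK, payload=KEEPALIVE), b"s3cret")
    return {
        "keepalive": verify(legit, KEY),
        "spoofed_rst": verify(rst, KEY),
        "grafted_digest": verify(rst_graft, KEY),
        "wrong_key": verify(wrong, KEY),
        # an exact replay still verifies; TCP's sequence check, not MD5, drops it
        "exact_replay": verify(legit, KEY),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} -> {verdict}")
```

The grafted-digest case is the one the paragraph above asks about: the sniffed digest was computed over the KEEPALIVE's sequence number, flags and payload, so it cannot validate a RST. The exact-replay case shows the limit of the mechanism: the signature alone does not distinguish a replayed segment from the original.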

Lab

We’ll re-use the lab from the last article (BGP TTL Security) and configure MD5 Authentication on the session between R4 and XR5.

First, let’s see what R4 logs when the password does not match. Configure only R4:

R4#
router bgp 65001
 neighbor 10.4.5.5 password s3cr3t

R4 logs that segments from XR5 carry no MD5 digest at all:

*Jul 11 20:19:24.633: %TCP-6-BADAUTH: No MD5 digest from 10.4.5.5(62144) to 10.4.5.4(179) tableid - 0

Now configure XR5, but with the wrong password, to see whether the log message changes. On IOS-XR the password keyword takes clear or encrypted before the string:

XR5#
router bgp 65002
 neighbor 10.4.5.4
  password clear s3cret

R4’s log message changes from “No MD5 digest” to “Invalid MD5 digest”:

*Jul 11 20:20:46.610: %TCP-6-BADAUTH: Invalid MD5 digest from 10.4.5.5(62144) to 10.4.5.4(179) tableid - 0

Once the password on XR5 is corrected, the session comes up.

XR5#
router bgp 65002
 neighbor 10.4.5.4
  password clear s3cr3t

R4#
*Jul 11 20:21:47.834: %BGP-5-ADJCHANGE: neighbor 10.4.5.5 Up
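The two %TCP-6-BADAUTH variants above are worth alerting on, because each points at a different cause: “No MD5 digest” means the far side is sending unsigned segments (password configured on one end only, or a source that does not hold the key at all), while “Invalid MD5 digest” means the far side is signing with a different key. The following is an added example, not the study guide’s code, that parses such lines and classifies each source address by its most recent failure and by whether it is a configured neighbor. The sample log is constructed, modelled on R4’s messages; the 192.0.2.10 line, the CONFIGURED_PEERS set and the verdict wording are assumptions for the sake of the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample, modelled on the lines R4 logged, plus one line (192.0.2.10)
# from an address that is not a configured neighbor. Not a real capture.
SAMPLE_LOG = """\
*Jul 11 20:19:24.633: %TCP-6-BADAUTH: No MD5 digest from 10.4.5.5(62144) to 10.4.5.4(179) tableid - 0
*Jul 11 20:19:54.112: %TCP-6-BADAUTH: No MD5 digest from 10.4.5.5(62144) to 10.4.5.4(179) tableid - 0
*Jul 11 20:20:46.610: %TCP-6-BADAUTH: Invalid MD5 digest from 10.4.5.5(62144) to 10.4.5.4(179) tableid - 0
*Jul 11 20:20:51.004: %TCP-6-BADAUTH: Invalid MD5 digest from 10.4.5.5(62144) to 10.4.5.4(179) tableid - 0
*Jul 11 20:21:47.834: %BGP-5-ADJCHANGE: neighbor 10.4.5.5 Up
*Jul 11 20:23:02.220: %TCP-6-BADAUTH: No MD5 digest from 192.0.2.10(41022) to 10.4.5.4(179) tableid - 0
"""

# Neighbors we expect on this router; in practice pulled from its config (assumption)
CONFIGURED_PEERS: Set[str] = {"10.4.5.5"}

BADAUTH_RE = re.compile(
    r"%TCP-6-BADAUTH: (?P<kind>No|Invalid) MD5 digest from "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) to (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)


def parse_badauth(log: str) -> List[Dict[str, str]]:
    """Extract the fields of every %TCP-6-BADAUTH line; other syslog lines are ignored."""
    events = []
    for line in log.splitlines():
        m = BADAUTH_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events: List[Dict[str, str]], peers: Set[str]) -> Tuple[Dict[str, Dict[str, int]], Dict[str, str]]:
    """Per source address: counts of each failure type and a verdict based on the
    most recent failure, so a peer that went from 'No' to 'Invalid' (as XR5 did
    above) is reported by its current state."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: {"No": 0, "Invalid": 0})
    last: Dict[str, str] = {}
    for e in events:
        counts[e["src"]][e["kind"]] += 1
        last[e["src"]] = e["kind"]
    verdicts: Dict[str, str] = {}
    for src, kind in last.items():
        if src not in peers:
            verdicts[src] = "unknown source: not a configured neighbor, investigate traffic to tcp/179"
        elif kind == "Invalid":
            verdicts[src] = "key mismatch: neighbor signs with a different password than ours"
        else:
            verdicts[src] = "one-sided config: neighbor sends unsigned segments, password missing on its side"
    return dict(counts), verdicts


if __name__ == "__main__":
    counts, verdicts = summarize(parse_badauth(SAMPLE_LOG), CONFIGURED_PEERS)
    for src in counts:
        print(f"{src:12s} {counts[src]}  {verdicts[src]}")
```

Run against a syslog feed, the counts distinguish a single flapping misconfiguration from a sustained stream of unsigned segments; the latter from a non-neighbor address is worth correlating with CoPP or LPTS drop counters on the same router.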

Let’s take a look at the packets:

As you can see, the packets are in clear text: Wireshark would not otherwise be able to decode the payload as an OPEN message and a KEEPALIVE message.

The MD5 digest is a TCP option (kind 19, length 18, carrying the 16-byte digest). If we look at another packet, such as the OPEN from R4, we can see that every single TCP segment of the BGP session carries one, KEEPALIVEs and bare ACKs included.

Keep in mind that I still have ttl-security configured from the last article. ttl-security and MD5 authentication are independent checks, so they can be combined to secure the BGP session: one rejects segments whose TTL shows they travelled further than the configured hop count, the other rejects segments not signed with the shared key.

Further Reading

https://datatracker.ietf.org/doc/html/rfc2385
https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/112188-configure-md5-bgp-00.html