Authenticate BGP messages by using Message Digest 5 (MD5) signatures. After you enable BGP authentication, the BGP speaker verifies that the BGP messages it receives from its peers are actually from a peer and not from a third party masquerading as a peer.
BGPv4 TCP MD5 message authentication provides the following features:
- A TCP MD5 signature can be configured for each BGP peer. You can enable authentication and set a secret key per peer. Peers configured with a common secret key can authenticate each other and exchange routing information.
- The switch can concurrently have BGP peers with authentication enabled and other BGP peers with authentication disabled.
- The switch always encrypts the secret keys.
After you enable BGPv4 TCP MD5 authentication, the router computes an MD5 signature for each TCP packet based on the contents of the TCP packet and the individual peer secret key. The router attaches this MD5 signature to the TCP packet that carries the BGP message and sends it with the packet; the secret key itself is never sent.
The receiver of the TCP packet is configured with the secret key and can verify the MD5 signature. A third party that tries to masquerade as the sender, however, cannot generate an authentic signature because it does not have the secret key.
In commands, the term password refers to the secret key. The security of the scheme rests on the secret keys: if a key is compromised, authentication with that peer is compromised. For this reason, the switch stores the secret keys in encrypted form.
BGP peers calculate the MD5 signature of a BGP message over the following elements:
- TCP pseudo-header
- TCP header, excluding options
- TCP segment data
- TCP MD5 authentication key

When an MD5 authentication key is configured for a TCP connection, TCP reduces its maximum segment size by 18 octets, the length of the TCP MD5 option, and adds an MD5 signature to each transmitted packet. The peer carries the resulting 16-byte MD5 signature in a TCP option with kind=19 and length=18.
After the switch receives a packet, it performs three tests. The following table lists the tests and the event message that TCP logs if a test fails.
| Condition tested | Action on success | Failure event message |
|---|---|---|
| Is the connection configured for MD5 authentication? | Verify that the packet contains a kind=19 option. | TCP MD5 No Signature |
| Is MD5 authentication enabled for this TCP connection? | TCP computes the expected MD5 signature. | TCP MD5 Authentication Disabled |
| Does the computed MD5 signature match the received MD5 signature? | TCP sends the packet to BGP. | TCP MD5 Invalid Signature |
If a packet passes a test, it proceeds to the next test. After a packet passes all three tests, TCP accepts the packet and sends it to BGP.
If a packet fails a test, the switch logs an event, increments the count of TCP connection errors (wfTcpConnMd5Errors), and discards the packet. The TCP connection remains open.
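The following Python is an added example, not code from this documentation or from the switch software. It models both the signature computation over the four elements listed above and the three receive-side tests from the table, using the RFC 2385 layout (kind=19, length=18 option; checksum field zeroed while hashing). The function names, the sample addresses, the secret key and the BGP KEEPALIVE payload are constructed for the example, and the reading of the second test as "a signed packet arrived on a connection with no key configured" is an assumption drawn from the table.

```python
import hashlib
import hmac
import struct

MD5_KIND, MD5_OPT_LEN = 19, 18  # TCP MD5 signature option: kind=19, length=18

def md5_digest(src_ip, dst_ip, base_hdr, seg_len, payload, key):
    """Digest over pseudo-header, 20-byte TCP header (no options, checksum 0), data, key."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, seg_len)  # protocol 6 = TCP
    hdr = base_hdr[:16] + b"\x00\x00" + base_hdr[18:20]            # zero the checksum
    return hashlib.md5(pseudo + hdr + payload + key).digest()

def sign_segment(src_ip, dst_ip, base_hdr, payload, key):
    """Sender side: append a kind=19 option (padded to 20 bytes with two NOPs)."""
    hdr = bytearray(base_hdr)
    hdr[12] = (10 << 4) | (hdr[12] & 0x0F)  # data offset: 40-byte header with options
    digest = md5_digest(src_ip, dst_ip, bytes(hdr), 40 + len(payload), payload, key)
    opt = bytes([MD5_KIND, MD5_OPT_LEN]) + digest + b"\x01\x01"  # option + NOP, NOP
    return bytes(hdr) + opt + payload

def find_md5_option(segment):
    """Walk the TCP option list; return the 16-byte digest of a kind=19 option, if any."""
    i, end = 20, (segment[12] >> 4) * 4
    while i < end and segment[i] != 0:                 # kind 0 = end of option list
        kind = segment[i]
        length = 1 if kind == 1 else segment[i + 1]    # kind 1 = NOP carries no length
        if kind == MD5_KIND and length == MD5_OPT_LEN:
            return segment[i + 2:i + 18]
        i += length
    return None

def receive(src_ip, dst_ip, segment, key):
    """Receiver side: the three tests from the table; key is None when no MD5 key is configured."""
    received = find_md5_option(segment)
    if key is not None and received is None:            # test 1: signature expected but absent
        return "TCP MD5 No Signature"
    if key is None:                                     # test 2: no key on this connection
        return "TCP MD5 Authentication Disabled" if received else "accepted"
    hdr_len = (segment[12] >> 4) * 4
    payload = segment[hdr_len:]
    expected = md5_digest(src_ip, dst_ip, segment[:20], len(segment), payload, key)
    if not hmac.compare_digest(expected, received):     # test 3: constant-time compare
        return "TCP MD5 Invalid Signature"
    return "accepted"

# Constructed sample: base header for a session to port 179 and a 19-byte BGP KEEPALIVE
SRC, DST, KEY = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), b"example-secret"
BASE_HDR = struct.pack("!HHIIBBHHH", 50000, 179, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"
```

A packet that fails a test is discarded without closing the connection, as the text above states; the example returns the event name so a caller can log it and bump an error counter.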