BGP MD5 Authentication
The Border Gateway Protocol (BGP) is an exterior gateway protocol designed to exchange
routing and reachability information among autonomous systems on the internet. BGP works
well in practice, and its simplicity and resilience enable it to play a fundamental role
within the global internet. However, BGP inherently provides few performance or security
protections. The following table provides a list of some of the threats against
BGP.
Note
BGP depends on TCP as its transport protocol. Therefore, it is vulnerable to the same security attacks as any TCP-based protocol.| Threats against BGP | Description |
|---|---|
| Denial of Service (DoS) | A malicious host sends unexpected or unwanted BGP traffic to a neighbor in an attempt to saturate control plane resources, which results in not having enough resources to process legitimate BGP traffic on the neighbor. |
| Route Manipulation | A malicious host modifies the contents of a BGP routing table, diverting traffic, and preventing it, without the sender‘s knowledge, from reaching its intended destination. |
| Route Hijacking | A rogue BGP neighbor maliciously advertises a victim‘s networks to redirect some or all of victim‘s traffic to itself. |
| Misconfiguration (non-malicious) | An unintentionally misconfigured BGP router could affect the Internet‘s BGP routing table, possibly leading to network outages and, worse, unauthorized access to the network traffic. |
BGP authentication enables the routers to share information only if they can verify that
they are communicating to a trusted source, based on a password. Successful
authentication between BGP neighbors proves that the neighbors are legitimate and
trusted, verifies communications between those neighbors, and ensures that only routes
learned from legitimate neighbors are added to the routing table. Authentication must be
enabled on both sides of the peering session and the same password must be used on both
peers.
Note
For BGP MD5 passwords, the ASCII characters 0-32 are not supported. In addition, special handling is required for MD5 passwords that contain certain special characters.Examples
| MD5 password provided through CLI | Actual MD5 password |
| '~`!@#$%^&*()_-+={[}]|\"<>"/"'"' | ~`!@#$%^&*()_-+={[}]|\"<>"/' |
| 'a"'"a" | a"a |
| 'a""'"a" | a"""a" |
| 'a"'"""a'" | a"a' |