BGP MD5 Authentication
The Border Gateway Protocol (BGP) is an exterior gateway protocol designed to exchange routing and reachability information among autonomous systems on the internet. BGP works well in practice, and its simplicity and resilience enable it to play a fundamental role within the global internet. However, BGP inherently provides few performance or security protections. The following table provides a list of some of the threats against BGP.
NoteBGP depends on TCP as its transport protocol. Therefore, it is vulnerable to the same security attacks as any TCP-based protocol.
|Threats against BGP||Description|
|Denial of Service (DoS)||A malicious host sends unexpected or unwanted BGP traffic to a neighbor in an attempt to saturate control plane resources, which results in not having enough resources to process legitimate BGP traffic on the neighbor.|
|Route Manipulation||A malicious host modifies the contents of a BGP routing table, diverting traffic, and preventing it, without the sender‘s knowledge, from reaching its intended destination.|
|Route Hijacking||A rogue BGP neighbor maliciously advertises a victim‘s networks to redirect some or all of victim‘s traffic to itself.|
|Misconfiguration (non-malicious)||An unintentionally misconfigured BGP router could affect the Internet‘s BGP routing table, possibly leading to network outages and, worse, unauthorized access to the network traffic.|
BGP authentication enables the routers to share information only if they can verify that they are communicating to a trusted source, based on a password. Successful authentication between BGP neighbors proves that the neighbors are legitimate and trusted, verifies communications between those neighbors, and ensures that only routes learned from legitimate neighbors are added to the routing table. Authentication must be enabled on both sides of the peering session and the same password must be used on both peers.
NoteFor BGP MD5 passwords, the ASCII characters 0-32 are not supported. In addition, special handling is required for MD5 passwords that contain certain special characters.
|MD5 password provided through CLI||Actual MD5 password|