FREE Cisco EVE-NG Labs – BGP MD5 Authentication
Welcome to Network Engineer Pro. I’m Rafael, CCIE 64356.
I’m working on a ton of content (videos, labs and more) to help you learn networking. If you want to stay up to date on what I’m working on and be the first to know, then head to my website, where you can sign up and get notified:
➤ https://www.networkengineerpro.com
You can also follow me on Facebook:
➤ https://www.facebook.com/NetworkEngineerPro
00:00 Lab overview
01:16 Solution
You can configure MD5 authentication between two BGP peers so that each segment sent on the TCP connection between the peers is verified. MD5 authentication must be configured with the same password on both BGP peers; otherwise, the connection between them cannot be established. When MD5 authentication is configured, the Cisco IOS software generates and checks the MD5 digest of every segment sent on the TCP connection.
Summary of Border Gateway Protocol
The Border Gateway Protocol (BGP), which is defined in RFC 1163 and RFC 1267, is an Exterior Gateway Protocol (EGP) that is most often associated with the Internet and with Service Provider (SP) networks. For the many networks that utilize static routing and a single connection for Internet access, BGP is unnecessary. However, as organizations increase their web presence and reliance on the Internet for revenue, the need for reliable and geographically diverse Internet connectivity has become more common. These needs are often met through multi-homed configurations that require BGP for connectivity to an SP’s BGP-speaking routers. This emerging trend requires organizations to obtain a high level of BGP and BGP security expertise that is typically found in SPs. This document is intended to assist enterprise administrators who are using or investigating the use of BGP as a routing protocol in their network.
Summary of BGP Threats
Administrators must understand many important aspects of BGP as a protocol to assess where it may be susceptible to various forms of attack and where it must be protected. First, unlike other routing protocols that typically provide their own transport layer (Layer 4) protocol, BGP relies on TCP as its transport protocol. BGP is susceptible to the same attacks that target any TCP-based protocol, and it must be protected similarly. Additionally, because BGP as an application is vulnerable to various threats, administrators must mitigate the risk and potential impact of associated exploit attempts. Some of these threats include the following:
BGP Route Manipulation – This scenario occurs when a malicious device alters the contents of the BGP routing table, which can, among other impacts, prevent traffic from reaching its intended destination without acknowledgement or notification.
BGP Route Hijacking – This scenario occurs when a rogue BGP peer maliciously announces a victim’s prefixes in an effort to reroute some or all traffic to itself for untoward purposes (for example, to view contents of traffic that the router would otherwise not be able to read).
BGP Denial of Service (DoS) – This scenario occurs when a malicious host sends unexpected or undesirable BGP traffic to a victim in an attempt to expend all available BGP or CPU resources, which results in a lack of resources for valid BGP traffic processing.
Finally, inadvertent mistakes (or non-malicious actions) among BGP peers can also have a disruptive impact on a router’s BGP process. Thus, security techniques should be applied to mitigate any impacts from these kinds of events as well.
This document will not cover all details of the BGP protocol itself, nor is it intended to detail the various forms of possible attacks against BGP or BGP processes; however, the References section of this document does provide additional resources on these topics. This paper will highlight several of the most important BGP security techniques that are used by SPs and show their applicability in non-SP environments. No single security measure can adequately protect BGP. Like any security approach, applying several mechanisms to provide a "defense-in-depth" approach is the best method to help secure this protocol.
One attack scenario described at the beginning of this document is the route information manipulation attack. BGP neighbor sessions are established between two peers, and routes are then exchanged between them. By enabling the MD5-based neighbor authentication mechanism, administrators can ensure that only authorized peers can establish this BGP neighbor relationship, and that the routing information exchanged between these two devices has not been altered en route. The BGP neighbor authentication process is illustrated in the figure below.
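The per-segment digest that BGP MD5 neighbor authentication relies on, sketched in Python following RFC 2385 (the TCP MD5 Signature Option). This is an added example, not code from the lab or from Cisco IOS; the addresses, ports, sequence numbers, password and helper names are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

MD5_OPT_KIND, MD5_OPT_LEN = 19, 18   # TCP option that carries the 16-byte digest


def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, password):
    """MD5 over pseudo-header, fixed TCP header (checksum zeroed, options excluded), data, then key."""
    if len(tcp_header) < 20 or len(tcp_header) != (tcp_header[12] >> 4) * 4:
        raise ValueError("malformed TCP header")
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, 6, len(tcp_header) + len(payload))
    fixed = bytearray(tcp_header[:20])
    fixed[16:18] = b"\x00\x00"
    return hashlib.md5(pseudo + bytes(fixed) + payload + password).digest()


def sign_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, password):
    """Sender: build a 40-byte TCP header whose options hold the signature."""
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 10 << 4, flags, 65535, 0, 0)
    digest = tcp_md5_digest(src_ip, dst_ip, fixed + bytes(20), payload, password)
    return fixed + bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + digest + b"\x01\x01"  # 2 NOPs pad


def verify_segment(src_ip, dst_ip, tcp_header, payload, password):
    """Receiver: recompute and compare; False means the segment is dropped."""
    opts, i = tcp_header[20:], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            return False                   # truncated or bogus option length
        if kind == MD5_OPT_KIND and opts[i + 1] == MD5_OPT_LEN and i + 18 <= len(opts):
            expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, password)
            return hmac.compare_digest(opts[i + 2:i + 18], expected)
        i += opts[i + 1]
    return False                           # unsigned segment is not accepted


# Constructed sample values: documentation addresses, a BGP KEEPALIVE, a lab password.
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"
HDR = sign_segment("192.0.2.1", "192.0.2.2", 49152, 179, 1000, 2000, 0x18, KEEPALIVE, b"LabPass1")
```

Because the digest covers the addresses, the TCP header fields, the data and the shared password, a peer configured with a different password, or a segment modified in transit, fails verification and is discarded before BGP ever sees it.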
Source by Network Engineer Pro