BGP TCP-AO Authentication

BGP sessions can be authenticated using the TCP Authentication Option (TCP-AO) as specified in RFC 5925 and RFC 5926. TCP-AO is supported here with a static Master Key Tuple (MKT) configuration: a TCP MKT is configured independently and is then associated with a BGP peer. The MKT configuration carries the key IDs (send and receive), a master key, and an optional setting that controls whether TCP options are included in the digest calculation. The TCP-AO option uses the HMAC-SHA-1 algorithm with a 96-bit digest. The MKT association of an authenticated session can be changed without disrupting the session; the new MKT association takes effect after the new key IDs have been negotiated with the peer and both peers are in sync.
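
As an added illustration, not code from this guide or from the iS5comm implementation, the Python model below follows the RFC 5926 key derivation and the RFC 5925 MAC input layout as described in those RFCs: each side derives a per-direction traffic key from the shared master key and the connection identifiers, computes HMAC-SHA-1 truncated to 96 bits over the segment with the checksum and MAC field zeroed, and, when the MKT excludes options, covers only the TCP-AO option instead of the whole options area. The ports, ISNs, MSS option and KEEPALIVE payload are constructed values; the `Endpoint` and `MKT` records and the function names are this example's own, and the handling of the data offset under option exclusion is a modelling choice that has not been checked against the device. It shows why the peers' send and receive key IDs must be crossed (R1 sends with ID 1 and receives ID 2, R2 the reverse) and why a master key or tcp-option-exclude mismatch makes verification fail.

```python
import hashlib
import hmac
import ipaddress
import struct
from collections import namedtuple

TCP_AO_KIND = 29      # option kind assigned to TCP-AO in RFC 5925
MAC_LEN = 12          # HMAC-SHA-1-96: the 20-byte HMAC-SHA-1 output truncated to 96 bits
KDF_OUT_BITS = 160    # Output_Length field of the RFC 5926 KDF (SHA-1 variant)

# One endpoint's view of a connection, and a static MKT as the guide configures it
# (send key-id, receive key-id, master key, whether TCP options are excluded from the digest).
# Both record types are this example's own, not the device's data model.
Endpoint = namedtuple("Endpoint", "local_ip remote_ip local_port remote_port local_isn remote_isn")
MKT = namedtuple("MKT", "send_id recv_id key exclude_options")


def derive_traffic_key(master_key, src_ip, dst_ip, sport, dport, src_isn, dst_isn):
    """RFC 5926 KDF_HMAC_SHA1: HMAC-SHA1(master, 0x01 || "TCP-AO" || context || Output_Length),
    where the context is the connection 4-tuple plus both ISNs, ordered from the sender's side."""
    context = (ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
               + struct.pack("!HHII", sport, dport, src_isn, dst_isn))
    data = b"\x01" + b"TCP-AO" + context + struct.pack("!H", KDF_OUT_BITS)
    return hmac.new(master_key, data, hashlib.sha1).digest()


def compute_mac(traffic_key, src_ip, dst_ip, sport, dport, seq, ack, other_options,
                key_id, rnext_key_id, payload, exclude_options, sne=0):
    """MAC input modelled on RFC 5925 s.5.1: SNE || IP pseudo-header || TCP header with the
    checksum and the TCP-AO MAC field zeroed || data. With option exclusion only the zeroed
    TCP-AO option is covered in place of the full options area; the fixed header (data offset
    included) still describes the segment as sent (modelling assumption)."""
    zeroed_ao = bytes([TCP_AO_KIND, 4 + MAC_LEN, key_id, rnext_key_id]) + bytes(MAC_LEN)
    wire_options = other_options + zeroed_ao
    wire_options += bytes(-len(wire_options) % 4)          # options are padded to 32 bits
    covered_options = zeroed_ao if exclude_options else wire_options
    data_offset = (20 + len(wire_options)) // 4
    fixed_header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                               data_offset << 4, 0x18, 1024, 0, 0)   # PSH|ACK, checksum 0
    seg_len = len(fixed_header) + len(wire_options) + len(payload)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version == 4:
        pseudo = src.packed + dst.packed + struct.pack("!BBH", 0, 6, seg_len)
    else:
        pseudo = src.packed + dst.packed + struct.pack("!IBBBB", seg_len, 0, 0, 0, 6)
    msg = struct.pack("!I", sne) + pseudo + fixed_header + covered_options + payload
    return hmac.new(traffic_key, msg, hashlib.sha1).digest()[:MAC_LEN]


def sign(mkt, ep, seq, ack, payload, other_options=b""):
    """Sender: derive the send traffic key (local -> remote) and build the TCP-AO option
    carrying KeyID = our send id and RNextKeyID = the id we expect the peer to send with."""
    tk = derive_traffic_key(mkt.key, ep.local_ip, ep.remote_ip, ep.local_port, ep.remote_port,
                            ep.local_isn, ep.remote_isn)
    mac = compute_mac(tk, ep.local_ip, ep.remote_ip, ep.local_port, ep.remote_port, seq, ack,
                      other_options, mkt.send_id, mkt.recv_id, payload, mkt.exclude_options)
    return bytes([TCP_AO_KIND, 4 + MAC_LEN, mkt.send_id, mkt.recv_id]) + mac


def verify(mkt, ep, seq, ack, payload, ao_option, other_options=b""):
    """Receiver: the KeyID must name an MKT we hold for receiving (otherwise the segment is
    discarded, the 'No MKT Discard' behaviour in the guide's show output); then recompute
    with the receive traffic key (remote -> local) and compare in constant time."""
    key_id, rnext_key_id = ao_option[2], ao_option[3]
    if key_id != mkt.recv_id:
        return False
    tk = derive_traffic_key(mkt.key, ep.remote_ip, ep.local_ip, ep.remote_port, ep.local_port,
                            ep.remote_isn, ep.local_isn)
    expected = compute_mac(tk, ep.remote_ip, ep.local_ip, ep.remote_port, ep.local_port, seq, ack,
                           other_options, key_id, rnext_key_id, payload, mkt.exclude_options)
    return hmac.compare_digest(expected, ao_option[4:])


def demo():
    """R1 -> R2 with the guide's MKT pairing (ports, ISNs and payload are constructed)."""
    r1 = Endpoint("10.0.0.1", "10.0.0.2", 49152, 179, 1000, 5000)
    r2 = Endpoint("10.0.0.2", "10.0.0.1", 179, 49152, 5000, 1000)
    r1_mkt = MKT(1, 2, b"abcdef", False)   # tcp-ao mkt key-id 1 receive-key-id 2 ... key abcdef
    r2_mkt = MKT(2, 1, b"abcdef", False)   # tcp-ao mkt key-id 2 receive-key-id 1 ... key abcdef
    mss = b"\x02\x04\x05\xb4"              # another TCP option, so exclusion changes the digest
    keepalive = b"\xff" * 16 + b"\x00\x13\x04"   # constructed BGP KEEPALIVE bytes
    opt = sign(r1_mkt, r1, 1000, 5000, keepalive, mss)
    return {
        "accepted": verify(r2_mkt, r2, 1000, 5000, keepalive, opt, mss),
        "tampered_payload": verify(r2_mkt, r2, 1000, 5000, keepalive[:-1] + b"\x05", opt, mss),
        "wrong_master_key": verify(MKT(2, 1, b"abcdeg", False), r2, 1000, 5000, keepalive, opt, mss),
        "ids_not_crossed": verify(MKT(1, 2, b"abcdef", False), r2, 1000, 5000, keepalive, opt, mss),
        "exclude_mismatch": verify(MKT(2, 1, b"abcdef", True), r2, 1000, 5000, keepalive, opt, mss),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:18s} {'accepted' if result else 'rejected'}")
```

Run directly, only the first check is accepted. The KeyID test at the top of `verify` is the model of the receiver's No-MKT-Discard behaviour visible later in `show bgp ipv6 tcp-ao neighbor`: a segment whose KeyID matches no receive MKT is dropped before any MAC work is done, and the `exclude_mismatch` case shows why tcp-option-exclude must be set identically on both peers.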

The MKT configuration involves two steps:

To configure a TCP-AO MKT, perform the following steps.

The following parameters are mandatory.

The following parameter is optional. By default, TCP options are included in the digest calculation.

The figure shown below depicts the topology setup used for this configuration.

Figure 1. Configuration and Testing BGP Local Preference Value


  1. Execute the following commands to configure BGP and the TCP-AO MKT in Router R1:

    Perform the following:

    • Enter the Global Configuration Mode.
    iS5comm# configure terminal
    • Configure the AS number in R1.
    iS5comm(config)# as-num 100
    • Configure the router-id in R1.
    iS5comm(config)# router-id 10.0.0.1
    • Enable BGP in R1.
    iS5comm(config)# router bgp 100
    • Configure the TCP-AO MKT without tcp-option-exclude.
    iS5comm(config-router)# tcp-ao mkt key-id 1 receive-key-id 2 algorithm hmac-sha-1 key abcdef
    • Configure R2 (with as-num 100) as an internal peer in R1.
    iS5comm(config-router)# neighbor 10.0.0.2 remote-as 100
    • Associate the MKT configured above with the peer.
    iS5comm(config-router)# neighbor 10.0.0.2 tcp-ao mkt 1
    • Configure R3 (with as-num 100) as an internal peer in R1.
    iS5comm(config-router)# neighbor fec0::1111:0:3 remote-as 100
    • Associate the MKT configured above with the peer.
    iS5comm(config-router)# neighbor fec0::1111:0:3 tcp-ao mkt 1

  2. Enable BGP in Router R2.

    Perform the following:

    • Enter the Global Configuration Mode.
    iS5comm# configure terminal
    • Configure the AS number in R2.
    iS5comm(config)# as-num 100
    • Configure the router-id in R2.
    iS5comm(config)# router-id 10.0.0.2
    • Enable BGP in R2.
    iS5comm(config)# router bgp 100
    • Configure R1 (with as-num 100) as an internal peer in R2.
    iS5comm(config-router)# neighbor 10.0.0.1 remote-as 100
    • Configure the TCP-AO MKT without tcp-option-exclude.
    iS5comm(config-router)# tcp-ao mkt key-id 2 receive-key-id 1 algorithm hmac-sha-1 key abcdef
    • Associate the MKT configured above with the peer.
    iS5comm(config-router)# neighbor 10.0.0.1 tcp-ao mkt 2

  3. Enable BGP in Router R3.

    Perform the following:

    • Enter the Global Configuration Mode.
    iS5comm# configure terminal
    • Configure the AS number in R3.
    iS5comm(config)# as-num 100
    • Configure the router-id in R3.
    iS5comm(config)# router-id 10.0.0.3
    • Enable BGP in R3.
    iS5comm(config)# router bgp 100
    • Configure R1 (with as-num 100) as an internal peer in R3.
    iS5comm(config-router)# neighbor fec0::1111:0:1 remote-as 100
    • Configure the TCP-AO MKT without tcp-option-exclude.
    iS5comm(config-router)# tcp-ao mkt key-id 2 receive-key-id 1 algorithm hmac-sha-1 key abcdef
    • Associate the MKT configured above with the peer.
    iS5comm(config-router)# neighbor fec0::1111:0:1 tcp-ao mkt 2

  4. Verify that the BGP sessions between R1 and R2 and between R1 and R3 are established, using the following show commands on R1, R2 and R3.

    Perform the following:

    • R1: View the BGP session information using the ‘show ip bgp summary’, ‘show ip bgp neighbor’ and ‘show ip bgp info’ commands.
    iS5comm# show ip bgp summary
    Context Name : default
    -------------


    BGP router identifier is 12.0.0.1, local AS number 100
    Forwarding State is enabled


    BGP table version is 0
    Neighbor   Version    AS    MsgRcvd  MsgSent   Up/Down    State/PfxRcd
    ---------  -------    --    -------  -------   -------    ------------
    10.0.0.2     4      100       23      23    00:00:11:10  Established
    fec0:1111::3     4      100        3       3    00:00:00:31  Established
    iS5comm# show ip bgp neighbor
    Context Name : default
    BGP neighbor is 10.0.0.2, remote AS 100, internal link
    BGP version 4, remote router ID 12.0.0.2
    Network Address: None
    BGP state = Established, up for 2 seconds, tcp ao authenticated session
    Configured BGP Maximum Prefix Limit 5000
    AutomaticStart DISABLED
    AutomaticStop DISABLED
    DampPeer Oscillations DISABLED
    DelayOpen DISABLED
    Configured Connect Retry Count 5
    Current Connect Retry Count 0
    Default-originate : DISABLED
    Peer Passive : DISABLED
    Peer Status : NOT DAMPED
    GateWay Address : NONE
    Rcvd update before 0 secs, hold time is 90, keepalive interval is 30 secs
    Neighbors Capability:
    Route-Refresh: Advertised and received
    Address family IPv4 Unicast: Advertised and received
    Received 2 messages, 0 Updates
    Sent 2 messages, 0 Updates
    Route refresh: Received 0, sent 0.
    Minimum time between advertisement runs is 5 seconds
    Connections established 1 time(s)
    Local host: 10.0.0.1, Local port: 49152
    Foreign host: 10.0.0.2, Foreign port: 179
    Last Error: Code 0, SubCode 0.
    Update Source 10.0.0.1
    Next-Hop is automatic
    MultiHop Status - disabled
    Send-Community is standard,extended
    iS5comm# show bgp ipv6 neighbor
    BGP neighbor is fec0:1111::3, remote AS 100, internal link
    BGP version 4, remote router ID 12.0.0.3
    Network Address: None
    BGP state = Established, up for 4 minutes 40 seconds, tcp ao authenticated session
    Configured BGP Maximum Prefix Limit 5000
    AutomaticStart DISABLED
    AutomaticStop DISABLED
    DampPeer Oscillations DISABLED
    DelayOpen DISABLED
    Configured Connect Retry Count 5
    Current Connect Retry Count 0
    Default-originate : DISABLED
    Peer Passive : DISABLED
    Peer Status : NOT DAMPED
    GateWay Address : NONE
    Rcvd update before 0 secs, hold time is 90, keepalive interval is 30 secs
    Neighbors Capability:
    Route-Refresh: Advertised and received
    Address family IPv4 Unicast: Advertised and received
    Received 11 messages, 0 Updates
    Sent 11 messages, 0 Updates
    Route refresh: Received 0, sent 0.
    Minimum time between advertisement runs is 5 seconds
    Connections established 1 time(s)
    Local host: fec0:1111::1, Local port: 49153
    Foreign host: fec0:1111::3, Foreign port: 179
    Last Error: Code 0, SubCode 0.
    Update Source fec0:1111::1
    Next-Hop is automatic
    MultiHop Status - disabled
    Send-Community is standard,extended
    iS5comm# show ip bgp tcp-ao mkt summary
    TCP-AO MKT Table
    ----------------
    Context Name : default
    ------------
    ID(send)   Receive ID   Algorithm   MasterKey   OptionsExclude   Status
    --------   ----------   ---------   ---------   --------------   ------
    1          2            HMAC-SHA-1  ********    1                Active
    iS5comm# show bgp ipv6 tcp-ao neighbor
    TCP-AO authentication neighbor summary
    --------------------------------------
    
    
    Context Name : default
    ------------
    Neighbor            : fec0:1111::3
    MKT Assigned         : 1
    ICMP Processing      : Disabled
    No MKT Discard       : Enabled
    MKT In-use           : 1
    iS5comm# show ip bgp info
    Context Name : default
    -------------
    
    
    Routing Protocol is "bgp 100"
    Bgp Trap : Enabled
    The route change interval is "60"
    IGP synchronization is disabled
    Both more-specific and less-specific overlap route policy is set
    Administrative Distance is 122
    Default IPv4 Unicast Capability Status is set
    Local Preference is 100
    Non-bgp routes are advertised to both external and internal peers
    MED Comparision is disabled
    Metric is 0
    Default Originate Disable
    Redistributing:
    BGP GR admin status is disabled
    Maximum paths: ibgp - 1 ebgp -  1 eibgp - 1
    Maximum paths (Operational): ibgp - 1 ebgp -  1 eibgp - 1
    
    
    Peer Table
    Peer Address RemoteAS NextHop  MultiHop send-community
    ---- ------- -------- ------- -------- ------------
    10.0.0.2     100     automatic disable  standard,extended
    fec0:1111::3 100     automatic disable  standard,extended
    • R2: View the BGP session information using the ‘show ip bgp summary’, ‘show ip bgp neighbor’ and ‘show ip bgp info’ commands.
    iS5comm# show ip bgp summary
    Context Name : default
    -------------
    
    
    BGP router identifier is 12.0.0.2, local AS number 100
    Forwarding State is enabled
    
    
    BGP table version is 0
    Neighbor   Version    AS    MsgRcvd  MsgSent   Up/Down    State/PfxRcd
    ---------  -------    --    -------  -------   -------    ------------
    10.0.0.1     4      100       11      11     00:00:4:57  Established

    iS5comm# show ip bgp neighbor
    BGP neighbor is 10.0.0.1, remote AS 100, internal link
    BGP version 4, remote router ID 12.0.0.1
    Network Address: None
    BGP state = Established, up for 5 minutes 28 seconds, tcp ao authenticated session
    Configured BGP Maximum Prefix Limit 5000
    AutomaticStart DISABLED
    AutomaticStop DISABLED
    DampPeer Oscillations DISABLED
    DelayOpen DISABLED
    Configured Connect Retry Count 5
    Current Connect Retry Count 0
    Default-originate : DISABLED
    Peer Passive : DISABLED
    Peer Status : NOT DAMPED
    GateWay Address : NONE
    Rcvd update before 0 secs, hold time is 90, keepalive interval is 30 secs
    Neighbors Capability:
    Route-Refresh: Advertised and received
    Address family IPv4 Unicast: Advertised and received
    Received 12 messages, 0 Updates
    Sent 12 messages, 0 Updates
    Route refresh: Received 0, sent 0.
    Minimum time between advertisement runs is 5 seconds
    Connections established 1 time(s)
    Local host: 10.0.0.2, Local port: 179
    Foreign host: 10.0.0.1, Foreign port: 49152
    Last Error: Code 0, SubCode 0.
    Update Source 10.0.0.2
    Next-Hop is automatic
    MultiHop Status - disabled
    Send-Community is standard,extended

    iS5comm# show ip bgp info
    Context Name : default
    -------------
    Routing Protocol is "bgp 100"
    Bgp Trap : Enabled
    The route change interval is "60"
    IGP synchronization is disabled
    Both more-specific and less-specific overlap route policy is set
    Administrative Distance is 122
    Default IPv4 Unicast Capability Status is set
    Local Preference is 100
    Non-bgp routes are advertised to both external and internal peers
    MED Comparision is disabled
    Metric is 0
    Default Originate Disable
    Redistributing:
    BGP GR admin status is disabled
    Maximum paths: ibgp - 1 ebgp -  1 eibgp - 1
    Maximum paths (Operational): ibgp - 1 ebgp -  1 eibgp - 1
    
    
    Peer Table
    Peer Address RemoteAS NextHop  MultiHop send-community
    ---- ------- -------- ------- -------- ------------
    10.0.0.1     100     automatic disable  standard,extended
    
    • R3: View the BGP session information using the ‘show ip bgp summary’, ‘show ip bgp neighbor’ and ‘show ip bgp info’ commands.
    iS5comm# show ip bgp summary
    Context Name : default
    -------------
    
    
    BGP router identifier is 12.0.0.3, local AS number 100
    Forwarding State is enabled
    
    
    BGP table version is 0
    Neighbor   Version    AS    MsgRcvd  MsgSent   Up/Down    State/PfxRcd
    ---------  -------    --    -------  -------   -------    ------------
    fec0:1111::1     4      100        8       8     00:00:3:23  Established

    iS5comm# show ip bgp neighbor
    BGP neighbor is fec0:1111::1, remote AS 100, internal link
    BGP version 4, remote router ID 12.0.0.1
    Network Address: None
    BGP state = Established, up for 3 minutes 47 seconds, tcp ao authenticated session
    Configured BGP Maximum Prefix Limit 5000
    AutomaticStart DISABLED
    AutomaticStop DISABLED
    DampPeer Oscillations DISABLED
    DelayOpen DISABLED
    Configured Connect Retry Count 5
    Current Connect Retry Count 0
    Default-originate : DISABLED
    Peer Passive : DISABLED
    Peer Status : NOT DAMPED
    GateWay Address : NONE
    Rcvd update before 0 secs, hold time is 90, keepalive interval is 30 secs
    Neighbors Capability:
    Route-Refresh: Advertised and received
    Address family IPv4 Unicast: Advertised and received
    Received 9 messages, 0 Updates
    Sent 9 messages, 0 Updates
    Route refresh: Received 0, sent 0.
    Minimum time between advertisement runs is 5 seconds
    Connections established 1 time(s)
    Local host: fec0:1111::3, Local port: 179
    Foreign host: fec0:1111::1, Foreign port: 49152
    Last Error: Code 0, SubCode 0.
    Update Source fec0:1111::3
    Next-Hop is automatic
    MultiHop Status - disabled
    Send-Community is standard,extended

    iS5comm# show ip bgp info
    Context Name : default
    -------------
    Routing Protocol is "bgp 100"
    Bgp Trap : Enabled
    The route change interval is "60"
    IGP synchronization is disabled
    Both more-specific and less-specific overlap route policy is set
    Administrative Distance is 122
    Default IPv4 Unicast Capability Status is set
    Local Preference is 100
    Non-bgp routes are advertised to both external and internal peers
    MED Comparision is disabled
    Metric is 0
    Default Originate Disable
    Redistributing:
    BGP GR admin status is disabled
    Maximum paths: ibgp - 1 ebgp -  1 eibgp - 1
    Maximum paths (Operational): ibgp - 1 ebgp -  1 eibgp - 1
    
    
    Peer Table
    Peer Address RemoteAS NextHop  MultiHop send-community
    ---- ------- -------- ------- -------- ------------
    fec0:1111::1 100     automatic disable  standard,extended
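
A small audit over the ‘show ip bgp neighbor’ output, added here as an example and not part of this guide: it parses neighbor blocks in the format shown in step 4 and reports any peer whose session is Established without the `tcp ao authenticated session` marker, which is the condition to catch after enabling TCP-AO (a session that came up unauthenticated because the MKT association was missed on one side). The sample text is constructed in that format, with the second neighbor deliberately lacking the marker; the function names are this example's own.

```python
import re

# Constructed sample in the format of the guide's 'show ip bgp neighbor' output. The first
# neighbor carries the TCP-AO marker on its state line; the second deliberately does not.
SAMPLE = """\
BGP neighbor is 10.0.0.2, remote AS 100, internal link
BGP version 4, remote router ID 12.0.0.2
Network Address: None
BGP state = Established, up for 2 seconds, tcp ao authenticated session
Local host: 10.0.0.1, Local port: 49152
Foreign host: 10.0.0.2, Foreign port: 179
BGP neighbor is fec0:1111::3, remote AS 100, internal link
BGP version 4, remote router ID 12.0.0.3
Network Address: None
BGP state = Established, up for 4 minutes 40 seconds
Local host: fec0:1111::1, Local port: 49153
Foreign host: fec0:1111::3, Foreign port: 179
"""

NEIGHBOR_RE = re.compile(r"^BGP neighbor is (\S+), remote AS (\d+)")
STATE_RE = re.compile(r"^BGP state = (\w+)(.*)$")
AO_MARKER = "tcp ao authenticated session"


def parse_neighbors(text):
    """Split the show output into one record per 'BGP neighbor is ...' block, recording the
    session state and whether the state line carries the TCP-AO marker."""
    neighbors = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()                      # the device output is indented; ignore that
        m = NEIGHBOR_RE.match(line)
        if m:
            current = {"peer": m.group(1), "remote_as": int(m.group(2)),
                       "state": None, "tcp_ao": False}
            neighbors.append(current)
            continue
        m = STATE_RE.match(line)
        if m and current is not None:
            current["state"] = m.group(1)
            current["tcp_ao"] = AO_MARKER in m.group(2)
    return neighbors


def unauthenticated_sessions(text):
    """Peers that are up without TCP-AO: established sessions whose state line lacks the marker."""
    return [n["peer"] for n in parse_neighbors(text)
            if n["state"] == "Established" and not n["tcp_ao"]]


if __name__ == "__main__":
    for peer in unauthenticated_sessions(SAMPLE):
        print(f"WARNING: session with {peer} is Established but not TCP-AO authenticated")
```

Feed it the captured output of ‘show ip bgp neighbor’ (or ‘show bgp ipv6 neighbor’) from each router; an empty result means every established session reports TCP-AO authentication, which is the expected state once steps 1 to 3 are complete on all three routers.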