
BGP neighbor authentication: some minutiae


Authenticating two BGP neighbors is usually done with a shared password:

router bgp 1
 !
 neighbor 2.2.2.2
 remote-as 2
 password clear TEST

IOS-XR (and also regular IOS) will ingest the clear-text password from the configuration, perform some additional magic, and pass the resulting MD5 hash to the neighbor. What the router is really doing underneath is enforcing RFC 2385, i.e. using the TCP MD5 option during the three-way handshake.


The main goal is not just to authenticate the peer node, but also to secure the TCP connection itself by preventing any spoofing, especially of RST packets, which would cause a connection reset. The resulting hash is not derived from the shared password configured on the two BGP speakers alone; it also covers:

  1. the TCP pseudo-header (source IP address, destination IP address, zero-padded protocol number, and segment length)

  2. the TCP header

  3. the TCP segment data

  4. the password itself

Since the hash option takes 18 bytes, plus an End of Options byte, the MSS carries an additional 19 bytes of overhead, so a larger MTU might be taken into account.
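As an added illustration of the four inputs listed above (not code from the original post, and not how IOS or IOS-XR implements it), the following Python builds a signed SYN with the RFC 2385 option and verifies it the way a receiver would. All addresses, ports and sequence numbers are constructed sample values; the password TEST is the one from the configuration above. The 18-byte option is padded here with two End of Options bytes so the header ends on a 4-byte boundary, and the real TCP checksum is not computed.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

TCP_PROTO, MD5_OPT_KIND, MD5_OPT_LEN, NOP, EOL = 6, 19, 18, 1, 0


def rfc2385_digest(src, dst, hdr, opts_len, payload, password):
    """MD5 over the pseudo-header, the option-less TCP header (checksum zeroed),
    the segment data and the password, in that order (RFC 2385 section 2)."""
    tcp_len = len(hdr) + opts_len + len(payload)
    pseudo = (IPv4Address(src).packed + IPv4Address(dst).packed
              + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))
    return hashlib.md5(pseudo + hdr + payload + password).digest()


def build_segment(src, dst, sport, dport, seq, ack, flags, window, payload, password):
    """Sender side: TCP header + MD5 option (padded to a 4-byte boundary) + payload.
    The TCP checksum is left at zero; it is not part of what is signed anyway."""
    opts_len = MD5_OPT_LEN + 2                      # 18-byte option + 2 bytes of EOL padding
    data_offset = (20 + opts_len) // 4              # header length in 32-bit words, options included
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (data_offset << 12) | flags, window, 0, 0)
    digest = rfc2385_digest(src, dst, hdr, opts_len, payload, password)
    option = bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + digest + bytes([EOL, EOL])
    return hdr + option + payload


def verify_segment(src, dst, segment, password):
    """Receiver side: recompute the digest from the wire bytes and compare it with
    the one carried in the option. Any change to addresses, header fields or data
    (for example a forged RST) makes the recomputed digest differ."""
    data_offset = (segment[12] >> 4) * 4
    hdr = segment[:16] + b"\x00\x00" + segment[18:20]   # checksum assumed zero
    options, payload = segment[20:data_offset], segment[data_offset:]
    i = 0
    while i < len(options) and options[i] != EOL:
        if options[i] == NOP:
            i += 1
            continue
        kind, length = options[i], options[i + 1]
        if length < 2:
            return False                              # malformed option list
        if kind == MD5_OPT_KIND and length == MD5_OPT_LEN:
            carried = options[i + 2:i + MD5_OPT_LEN]
            expected = rfc2385_digest(src, dst, hdr, len(options), payload, password)
            return hmac.compare_digest(carried, expected)
        i += length
    return False   # no signature option: RFC 2385 says the segment must be dropped
```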



© 2018 Matteo Malvica. Illustrations by Sergio Kalisiak.