Configuring BGP Security
Configuring MD5 Authentication
BGP uses TCP as the transmission protocol, and considers a packet valid as long as the source address, destination address, source port, destination port, and TCP sequence number of the packet are correct. However, most parameters in a packet may be easily obtained by attackers. To protect BGP from attacks, MD5 authentication can be used between BGP peers to reduce the possibility of attacks. The MD5 algorithm is easy to configure, generates a single password that needs to be manually changed.
admin@XorPlus# set protocols bgp neighbor 192.10.10.2 password picos12345 admin@XorPlus# commit
Configuring TTL Security Hop Count
This feature enables BGP to establish connection with external peers residing on networks that are not directly connected. By enabling this feature, the received TTL from a BGP peer is compared with the difference "255 - hop-count". BGP messages coming with a TTL less than this value are not accepted. BGP peering will not be established if the TTL in the session establishment is received with a lower value. Also, by enabling this feature the router will send BGP packets with TTL value of 255 to the neighbor. For a neighbor, either TTL security or ebgp-multihop can be configured, not both together. If there are multiple paths to reach the node, then the hop count should be configured considering the longest route.
admin@XorPlus# set protocols bgp neighbor 192.10.10.2 ttl-security hops 200 admin@XorPlus# commit
Copyright © 2024 Pica8 Inc. All Rights Reserved.