BGP incorporates the advanced security measures of TCP Authentication Option (TCP-AO) - 7.4.2
This information is also available in the FortiOS 7.4 Administration Guide.
Border Gateway Protocol (BGP) now supports the TCP Authentication Option (TCP-AO, RFC 5925), the successor to the TCP MD5 signature option. TCP-AO supports stronger algorithms, AES-128 CMAC and HMAC-SHA1 (RFC 5926), and derives a separate traffic key for each TCP connection from the configured master key, so a key captured or replayed from one session cannot authenticate segments on another. This strengthens both the security and the reliability of BGP sessions and, because BGP carries the internet's routing table, contributes to the overall security of the internet.
CLI changes include:
- Added the cmac-aes128 option in the router key-chain:

    config router key-chain
        edit <name>
            config key
                edit <id>
                    set algorithm cmac-aes128
                next
            end
        next
    end

- Added auth-options for BGP neighbor and neighbor-group:

    config router bgp
        config neighbor | neighbor-group
            edit <string>
                set auth-options <string>
            next
        end
    end

- Added a debug command for tcp-auth-options:

    diagnose sys tcp-auth-options
Example
In this example, the router BGP neighbor is configured to use the AES-128 CMAC algorithm.
To configure the router BGP to use the AES-128 CMAC algorithm:
- Configure the router key-chain to use the AES-128 CMAC algorithm:

    config router key-chain
        edit "11"
            config key
                edit "1"
                    set accept-lifetime 01:01:01 01 01 2021 2147483646
                    set send-lifetime 01:01:01 01 01 2021 2147483646
                    set key-string **********
                    set algorithm cmac-aes128
                next
            end
        next
    end

The second lifetime value is a duration in seconds; 2147483646 is the maximum and, as the verification output below shows, makes the key valid until 2089. For a key that should actually roll over, use a shorter send-lifetime and add the next key to the chain with an accept-lifetime that overlaps it, so that both peers accept either key during the transition.
- Apply the key-chain to the BGP neighbor or neighbor group:
In this example, the key-chain is applied to the BGP neighbor with IP address 2.2.2.2.

    config router bgp
        set as 65412
        config neighbor
            edit "2.2.2.2"
                set auth-options "11"
            next
        end
    end

The peer at 2.2.2.2 must be configured with a matching key: the same key ID, algorithm, and key-string, with overlapping lifetimes. TCP-AO is negotiated during the TCP handshake, so a mismatch does not produce a BGP error message; the TCP session simply never establishes.
- Verify that the router BGP is using the algorithm.
The command output shows that BGP neighbor 2.2.2.2 is using the AES-128 CMAC algorithm (alg=2(aes128)). send-id and recv-id are the key IDs (key "1" in the chain) placed in outgoing segments and expected in incoming ones; send-end and recv-end are the lifetime start plus 2147483646 seconds.

    # diagnose sys tcp-auth-options
    VFID=0 send-id=1 recv-id=1 flags=0x784 keylen=6 alg=2(aes128) addr=2.2.2.2
    send-begin: Fri Jan  1 01:01:01 2021 send-end: Wed Jan 19 04:15:07 2089
    recv-begin: Fri Jan  1 01:01:01 2021 recv-end: Wed Jan 19 04:15:07 2089
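The following is an added example written for this page, not FortiOS code, showing what TCP-AO does under the key-chain configuration above: it implements the RFC 5926 traffic-key derivation and the RFC 5925 segment MAC with HMAC-SHA-1-96 (the second algorithm the page names; AES-128 CMAC has the same structure but needs an AES library, so it is not shown). The addresses, ports, ISNs, master key and the BGP KEEPALIVE payload are constructed for the example, and only IPv4 is handled. The point it demonstrates is that the traffic key is bound to the connection's addresses, ports and both initial sequence numbers, so a peer with the right master key but a different connection context cannot verify the segment.

```python
"""TCP-AO (RFC 5925) traffic-key derivation and segment MAC, HMAC-SHA-1-96.

Illustrative code written for this page; not a vendor implementation.
IPv4 only; standard library only.
"""
import hashlib
import hmac
import ipaddress
import struct

KDF_LABEL = b"TCP-AO"      # RFC 5926 3.1: fixed label in every KDF input
AO_KIND = 29               # RFC 5925 2.2: TCP-AO option kind
MAC_LEN = 12               # HMAC-SHA-1-96 keeps the leftmost 96 bits
AO_OPT_LEN = 4 + MAC_LEN   # kind, length, KeyID, RNextKeyID, then the MAC


def ao_context(src_ip, dst_ip, src_port, dst_port, src_isn, dst_isn):
    """RFC 5926 3.2: KDF context = addresses, ports and both ISNs, from the
    sender's point of view. A key derived for one connection is useless on
    any other connection, even one between the same hosts."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!HHII", src_port, dst_port, src_isn, dst_isn))


def kdf_hmac_sha1(master_key, context):
    """RFC 5926 3.1.1.1: Traffic_Key = HMAC-SHA1(Master_Key,
    0x01 || "TCP-AO" || Context || Output_Length), Output_Length = 160 bits
    as a 16-bit big-endian value. Returns the 20-byte traffic key."""
    msg = b"\x01" + KDF_LABEL + context + struct.pack("!H", 160)
    return hmac.new(master_key, msg, hashlib.sha1).digest()


def build_segment(src_port, dst_port, seq, ack, flags, key_id, rnext_key_id,
                  payload, mac=bytes(MAC_LEN)):
    """Minimal TCP header with a single TCP-AO option (constructed for the
    example). The checksum is left zero: the MAC is computed with it zeroed
    and the stack fills it in afterwards."""
    opt = struct.pack("!BBBB", AO_KIND, AO_OPT_LEN, key_id, rnext_key_id) + mac
    data_offset = (20 + len(opt)) // 4            # 36 bytes -> 9 words
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                         data_offset << 4, flags, 65535, 0, 0)
    return header + opt + payload


def find_ao_option(segment):
    """Walk the TCP options; return (offset, length) of TCP-AO or None."""
    end = (segment[12] >> 4) * 4
    i = 20
    while i < end:
        kind = segment[i]
        if kind == 0:                 # end of option list
            break
        if kind == 1:                 # NOP, no length byte
            i += 1
            continue
        length = segment[i + 1]
        if kind == AO_KIND:
            return i, length
        i += length
    return None


def mac_input(sne, src_ip, dst_ip, segment):
    """RFC 5925 5.1 / 7.1: SNE || IPv4 pseudo-header || TCP header and
    options with checksum and MAC zeroed || TCP data. The SNE extends the
    32-bit sequence space so a wrapped sequence number cannot be replayed."""
    off, length = find_ao_option(segment)
    seg = bytearray(segment)
    seg[16:18] = b"\x00\x00"                        # checksum
    seg[off + 4:off + length] = bytes(length - 4)   # MAC field
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    return struct.pack("!I", sne) + pseudo + bytes(seg)


def compute_mac(traffic_key, sne, src_ip, dst_ip, segment):
    full = hmac.new(traffic_key, mac_input(sne, src_ip, dst_ip, segment),
                    hashlib.sha1).digest()
    return full[:MAC_LEN]


def sign_segment(traffic_key, sne, src_ip, dst_ip, segment):
    off, length = find_ao_option(segment)
    mac = compute_mac(traffic_key, sne, src_ip, dst_ip, segment)
    return segment[:off + 4] + mac + segment[off + length:]


def verify_segment(traffic_key, sne, src_ip, dst_ip, segment):
    off, length = find_ao_option(segment)
    expected = compute_mac(traffic_key, sne, src_ip, dst_ip, segment)
    return hmac.compare_digest(expected, segment[off + 4:off + length])


def demo():
    """Constructed exchange: peer A (2.2.2.1) sends a BGP KEEPALIVE to
    peer B (2.2.2.2) on port 179. Returns (valid, tampered_ok, replay_ok)."""
    master_key = b"Ssh!Sup"                        # constructed; the page masks its key-string
    ctx = ao_context("2.2.2.1", "2.2.2.2", 45000, 179, 0x1000, 0x2000)
    key_a_send = kdf_hmac_sha1(master_key, ctx)    # A's send key
    key_b_recv = kdf_hmac_sha1(master_key, ctx)    # B's receive key: same inputs
    keepalive = bytes([0xFF] * 16) + b"\x00\x13\x04"   # marker, length 19, type 4
    seg = build_segment(45000, 179, 0x1000, 0x2000, 0x18, 1, 1, keepalive)
    signed = sign_segment(key_a_send, 0, "2.2.2.1", "2.2.2.2", seg)
    valid = verify_segment(key_b_recv, 0, "2.2.2.1", "2.2.2.2", signed)
    tampered_ok = verify_segment(key_b_recv, 0, "2.2.2.1", "2.2.2.2",
                                 signed[:-1] + b"\x05")      # type changed
    other_ctx = ao_context("2.2.2.1", "2.2.2.2", 45000, 179, 0x1000, 0x2001)
    replay_ok = verify_segment(kdf_hmac_sha1(master_key, other_ctx), 0,
                               "2.2.2.1", "2.2.2.2", signed)  # other connection
    return valid, tampered_ok, replay_ok


if __name__ == "__main__":
    print(demo())
```

Both key-chain parameters on the page map onto this code: the key-string is the master key given to kdf_hmac_sha1, and the key ID (send-id/recv-id in the diagnose output) is what build_segment writes into the option's KeyID and RNextKeyID fields, which is how the receiver selects which key-chain entry to verify with.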