TCP Authentication Option advanced security measures
BGP supports the TCP Authentication Option (TCP-AO) advanced security measures, which use stronger algorithms such as AES-128 CMAC and HMAC-SHA1. This strengthens the authentication and reliability of BGP sessions and contributes to the overall security of the internet.
To set the algorithm to AES-128 CMAC:
config router key-chain
    edit <name>
        config key
            edit <id>
                set algorithm cmac-aes128
            next
        end
    next
end
To select the key-chain with the TCP-AO in a neighbor or neighbor group:
config router bgp
    config {neighbor | neighbor-group}
        edit <ip>
            set auth-options <key-chain>
        next
    end
end
To debug the TCP authentication options:
diagnose sys tcp-auth-options
Example
In this example, the router BGP neighbor is configured to use the AES-128 CMAC algorithm.
To configure the router BGP to use the AES-128 CMAC algorithm:
- Configure the router key-chain to use the AES-128 CMAC algorithm:
config router key-chain
    edit "11"
        config key
            edit "1"
                set accept-lifetime 01:01:01 01 01 2021 2147483646
                set send-lifetime 01:01:01 01 01 2021 2147483646
                set key-string **********
                set algorithm cmac-aes128
            next
        end
    next
end
- Apply the key-chain to the BGP neighbor or neighbor group:
The key-chain is applied to the BGP neighbor with IP address 2.2.2.2.
config router bgp
    set as 65412
    config neighbor
        edit "2.2.2.2"
            set auth-options "11"
        next
    end
end
- Verify that the router BGP is using the algorithm.
The command output shows that BGP neighbor 2.2.2.2 is using the AES-128 CMAC algorithm.
# diagnose sys tcp-auth-options
VFID=0 send-id=1 recv-id=1 flags=0x784 keylen=6 alg=2(aes128) addr=2.2.2.2
send-begin: Fri Jan 1 01:01:01 2021 send-end: Wed Jan 19 04:15:07 2089
recv-begin: Fri Jan 1 01:01:01 2021 recv-end: Wed Jan 19 04:15:07 2089
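As an added check that is not part of the FortiOS documentation: a Python script that parses saved `diagnose sys tcp-auth-options` output in the format shown above and flags a neighbor whose algorithm is not the expected one, whose master key is shorter than a local policy minimum, or whose send or receive key lifetime is inactive, expired, or about to expire. The sample output, the 16-byte key-length threshold, the assumption that keylen counts bytes, and the pinned clock are all assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the page's diagnose output (not captured from a real device).
SAMPLE_OUTPUT = """\
VFID=0 send-id=1 recv-id=1 flags=0x784 keylen=6 alg=2(aes128) addr=2.2.2.2
send-begin: Fri Jan 1 01:01:01 2021 send-end: Wed Jan 19 04:15:07 2089
recv-begin: Fri Jan 1 01:01:01 2021 recv-end: Wed Jan 19 04:15:07 2089
"""

KV_RE = re.compile(r"([\w-]+)=(\S+)")  # VFID=0, keylen=6, alg=2(aes128), addr=2.2.2.2
TIME_RE = re.compile(r"(send|recv)-(begin|end):\s+"
                     r"([A-Za-z]{3} [A-Za-z]{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})")

def parse_entries(output):
    """Return one dict per TCP-AO neighbor; each entry in the output starts at 'VFID='."""
    entries = []
    for chunk in re.split(r"(?=VFID=)", output):
        if "VFID=" not in chunk:
            continue
        kv = dict(KV_RE.findall(chunk))
        alg_name = re.fullmatch(r"(\d+)\((\w+)\)", kv["alg"]).group(2)  # "2(aes128)" -> aes128
        entry = {"addr": kv["addr"], "alg": alg_name, "keylen": int(kv["keylen"])}  # keylen assumed bytes
        for direction, edge, stamp in TIME_RE.findall(chunk):
            # ctime-style stamp; collapse whitespace in case the day is space-padded
            entry[f"{direction}_{edge}"] = datetime.strptime(
                " ".join(stamp.split()), "%a %b %d %H:%M:%S %Y")
        entries.append(entry)
    return entries

def check_entry(entry, now, expected_alg="aes128", min_keylen=16, warn_days=30):
    """Findings for one neighbor (empty = passes); min_keylen is an assumed local policy."""
    who, findings = entry["addr"], []
    if entry["alg"] != expected_alg:
        findings.append(f"{who}: algorithm {entry['alg']}, expected {expected_alg}")
    if entry["keylen"] < min_keylen:
        findings.append(f"{who}: master key is {entry['keylen']} bytes, policy minimum {min_keylen}")
    for direction in ("send", "recv"):
        begin, end = entry[f"{direction}_begin"], entry[f"{direction}_end"]
        if not begin <= now <= end:
            findings.append(f"{who}: {direction} key outside its lifetime {begin}..{end}")
        elif end - now < timedelta(days=warn_days):
            findings.append(f"{who}: {direction} key expires within {warn_days} days ({end})")
    return findings

def audit(output, now_iso=None):
    """Audit every neighbor; now_iso (e.g. '2025-06-01T00:00:00') pins the clock."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now()
    return [f for e in parse_entries(output) for f in check_entry(e, now)]
```

Run `audit()` on the text captured from the FortiGate CLI; an empty list means every neighbor uses the expected algorithm with keys inside their lifetimes.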