    Configuring MD5 Authentication for BGP Sessions

    Contrail Release 2.20 implements MD5 authentication for BGP peering based on RFC 2385.

    The primary motivation for this option is to allow BGP to protect itself against the introduction of spoofed TCP segments into the connection stream. Both BGP peers must be configured with the same MD5 key. Once configured, each BGP peer adds a 16-byte MD5 digest to the TCP header of every segment that it sends. This digest is produced by applying the MD5 algorithm to various parts of the TCP segment. Upon receiving a signed segment, the receiver validates it by calculating its own digest from the same data (using its own key) and comparing the two digests. For valid segments, the comparison succeeds because both sides know the key.
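
    The digest calculation and receiver-side check described above, as an added example (not Contrail code). Per RFC 2385 the MD5 input is the TCP pseudo-header, the 20-byte TCP header with the checksum zeroed and options excluded, the segment data, and then the key. The build_signed_header helper and the sample header field values are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

TCPOPT_MD5SIG = 19  # RFC 2385 option kind; the option length is always 18

def rfc2385_digest(src_ip, dst_ip, tcp_header, payload, key):
    """MD5 over pseudo-header, 20-byte TCP header (checksum zeroed,
    options excluded), segment data, and finally the shared key."""
    header_len = (tcp_header[12] >> 4) * 4  # data offset field, in bytes
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) +
              struct.pack("!BBH", 0, socket.IPPROTO_TCP, header_len + len(payload)))
    fixed = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]
    return hashlib.md5(pseudo + fixed + payload + key).digest()

def find_md5_option(tcp_header):
    """Walk the TCP options and return the 16-byte digest, or None."""
    opts = tcp_header[20:(tcp_header[12] >> 4) * 4]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:  # end of option list
            break
        if kind == 1:  # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return None  # malformed option: treat the segment as unsigned
        length = opts[i + 1]
        if kind == TCPOPT_MD5SIG and length == 18:
            return opts[i + 2:i + 18]
        i += length
    return None

def verify_segment(src_ip, dst_ip, tcp_header, payload, key):
    """Receiver side: recompute with the local key; reject if missing or different."""
    received = find_md5_option(tcp_header)
    if received is None:
        return False
    expected = rfc2385_digest(src_ip, dst_ip, tcp_header, payload, key)
    return hmac.compare_digest(received, expected)

def build_signed_header(src_ip, dst_ip, sport, dport, seq, payload, key):
    """Constructed sample sender: 20-byte header + NOP, NOP, MD5 option (40 bytes)."""
    base = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 10 << 4, 0x18, 65535, 0, 0)
    digest = rfc2385_digest(src_ip, dst_ip, base, payload, key)
    return base + bytes([1, 1, TCPOPT_MD5SIG, 18]) + digest
```

    A segment signed with a different key, sent from a different source address, or carrying no MD5 option fails verify_segment, which is the behavior that protects the BGP session from injected segments.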

    There are three ways to enable BGP MD5 authentication and set the keys on the Contrail node.

    1. To configure MD5 authentication for a BGP peer using an environment dictionary:

      Before provisioning the node, include an environment dictionary (env dict) in the testbed.py file as shown. In this example, juniper is the md5 key that is configured on the host1 and host2 nodes.

      env.md5 = {
          host1: 'juniper',
          host2: 'juniper',
      }
      

      Specify the desired key value on the node. The key should only be of type string.

    2. Alternatively, if the md5 key is not included in the testbed.py file and the node is already provisioned, you can run the following script with an argument for md5:
      contrail-controller/src/config/utils/provision_control.py
      
      root@<your_node>:/opt/contrail/utils# python provision_control.py --host_name <host_name> --host_ip <host_ip> --router_asn <asn> --api_server_ip <api_ip> --api_server_port <api_port> --oper add --md5 "juniper" --admin_user admin --admin_password <password> --admin_tenant_name admin
      
      
    3. Another alternative is to use the web user interface.

      1. Connect to the node’s IP address at port 8080 (<node_ip>:8080) and select Configure->Infrastructure->BGP Routers. As shown in Figure, a list of BGP peers is displayed.
      2. For a BGP peer, click the gear icon on the right-hand side of the peer entry. Then click Edit. This displays the Edit BGP Router dialog box.
      3. Scroll down the window and select Advanced Options.
      4. Configure the MD5 authentication by selecting Authentication Mode>MD5 and entering the Authentication Key value.

    Modified: 2016-06-13