Enabling MD5 Authentication on a TCP Connection
You can use the neighbor password command to enable MD5 authentication on a TCP connection between two BGP peers. Enabling MD5 authentication causes each segment sent on the TCP connection between them to be verified. You must configure MD5 authentication with the same password on both BGP peers; otherwise, the routers do not establish the connection between the BGP peers.
The MD5 authentication feature uses the MD5 algorithm. When you specify this command, the router generates an MD5 digest for every segment it sends on the TCP connection and checks the digest carried by every segment it receives.
In the following example, the password is set to "opensesame":
- host1(config)#router bgp 100
- host1(config-router)#neighbor 2.2.2.2 password opensesame
The show ip bgp neighbors command does not reveal the password, but does indicate whether MD5 authentication is configured for the session. The output of the show configuration command varies as follows:
- If you use the 8 keyword to specify that the password is encrypted, then the output of the show configuration command displays the text that you entered (the ciphertext password).
- If you do not use the 8 keyword (that is, you use the 0 keyword or no encryption keyword), and the service password-encryption command has not been issued, then the output of the show configuration command displays the text that you entered (the plaintext password).
- If you do not use the 8 keyword (that is, you use the 0 keyword or no encryption keyword) but the service password-encryption command has been issued, then the output of the show configuration command displays an encrypted password that is equivalent to the cleartext password that you entered.
neighbor password
- Use to enable MD5 authentication on a TCP connection between two BGP peers.
- If you configure a password for a neighbor, an existing session is torn down and a new one established.
- If you specify a BGP peer group by using the peerGroupName argument, all the members of the peer group inherit the characteristic configured with this command unless it is overridden for a specific peer.
- If a router has a password configured for a neighbor, but the neighbor router does not, a message indicating this condition appears on the console while the routers attempt to establish a BGP session between them.
- Similarly, if the two routers have different passwords configured, a message appears on the console indicating that this condition exists.
- Use the 8 keyword to indicate that the password is encrypted (entered in ciphertext). Use the 0 keyword to indicate that the password is unencrypted (entered in plaintext).
- This command takes effect immediately and automatically bounces the BGP session.
- Use the no version to disable MD5 authentication.
- See neighbor password
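The following worked example illustrates two points on this page: what it means for the router to generate and check an MD5 digest on every segment of the TCP connection, and why a peer with no password or a different password fails to establish the session. It implements the TCP MD5 Signature Option from RFC 2385, the standard mechanism that BGP MD5 authentication uses. This is added example code, not JunosE code: the addresses 1.1.1.1 and 2.2.2.2, the ports, sequence numbers, flags, the BGP KEEPALIVE payload and the result strings are constructed sample values, and the TCP checksum is left at zero because it is excluded from the digest.

```python
# Added example (not JunosE code): RFC 2385 TCP MD5 signing and verification
# for a BGP segment, with the two failure cases described on this page.
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
TCPOPT_NOP = 1
TCPOPT_MD5SIG = 19        # TCP MD5 Signature Option kind (RFC 2385)
TCPOPT_MD5SIG_LEN = 18    # kind + length + 16-byte digest


def tcp_md5_digest(src_ip, dst_ip, fixed_header, payload, seg_len, password):
    """RFC 2385 digest for one segment.

    MD5 is taken, in order, over: the TCP pseudo-header (source IP,
    destination IP, zero byte, protocol number, TCP segment length including
    options), the 20-byte fixed header with the checksum zeroed (options are
    not covered), the segment data, and the shared password.
    """
    pseudo = (ipaddress.ip_address(src_ip).packed
              + ipaddress.ip_address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    header = fixed_header[:16] + b"\x00\x00" + fixed_header[18:]   # zero checksum
    return hashlib.md5(pseudo + header + payload + password.encode()).digest()


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, password=None):
    """Assemble a TCP segment; add the MD5 option when a password is set.

    password=None models a peer with no 'neighbor password' configured. The
    checksum stays zero: a real stack fills it in after signing.
    """
    opt_len = 20 if password is not None else 0    # 18-byte option + 2 NOP pad
    doff = 20 + opt_len
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        (doff // 4) << 4, flags, 65535, 0, 0)
    options = b""
    if password is not None:
        digest = tcp_md5_digest(src_ip, dst_ip, fixed, payload,
                                doff + len(payload), password)
        options = (bytes([TCPOPT_MD5SIG, TCPOPT_MD5SIG_LEN]) + digest
                   + bytes([TCPOPT_NOP, TCPOPT_NOP]))
    return fixed + options + payload


def find_md5_option(options):
    """Walk the TCP option list; return the 16-byte digest or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # end of option list
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            break
        length = options[i + 1]
        if length < 2:                      # malformed option, stop parsing
            break
        if kind == TCPOPT_MD5SIG and length == TCPOPT_MD5SIG_LEN:
            return options[i + 2:i + 18]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, password):
    """Receiver-side check: why a segment is accepted or dropped."""
    doff = (segment[12] >> 4) * 4
    fixed, options, payload = segment[:20], segment[20:doff], segment[doff:]
    carried = find_md5_option(options)
    if carried is None:
        return "no-md5-option"              # peer has no password configured
    expected = tcp_md5_digest(src_ip, dst_ip, fixed, payload, len(segment), password)
    if not hmac.compare_digest(carried, expected):
        return "bad-digest"                 # different password or altered segment
    return "ok"


# Constructed sample: host1 (1.1.1.1) sends a BGP KEEPALIVE to 2.2.2.2 on port 179.
SRC, DST = "1.1.1.1", "2.2.2.2"
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"   # marker, length 19, type 4
PSH_ACK = 0x18


def demo():
    signed = build_segment(SRC, DST, 40000, 179, 1000, 2000, PSH_ACK, KEEPALIVE, "opensesame")
    unsigned = build_segment(SRC, DST, 40000, 179, 1000, 2000, PSH_ACK, KEEPALIVE)
    tampered = signed[:-1] + b"\x05"        # change the BGP message type in transit
    return {
        "matching password": verify_segment(SRC, DST, signed, "opensesame"),
        "different password": verify_segment(SRC, DST, signed, "wrongkey"),
        "peer without password": verify_segment(SRC, DST, unsigned, "opensesame"),
        "altered payload": verify_segment(SRC, DST, tampered, "opensesame"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The three rejected cases map onto the page's description: a peer with no password sends segments without the option, a peer with a different password sends digests that do not match, and any modification of the segment in flight also invalidates the digest, which is the protection the feature provides.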