[Contents] [Prev] [Next] [Index] [Report an Error]

Configuring Authentication

All BGP protocol exchanges can be authenticated to ensure that only trusted routers participate in the AS's routing. By default, authentication is disabled on the router. You can configure MD5 authentication on the router. This is the TCP MD5 signature option (RFC 2385): the sending router computes an MD5 digest over the TCP segment together with the shared authentication key (password) and carries the digest in a TCP option on every segment of the BGP session. The receiving router recomputes the digest with its own copy of the key and discards any segment whose digest does not match, so both peers must be configured with the same key. MD5 authentication protects the origin and integrity of the session only; it does not encrypt the BGP messages.

To configure an MD5 authentication key, include the authentication-key statement:

authentication-key key;

For a list of hierarchy levels at which you can include this statement, see the statement summary section for this statement.

If you configure authentication at the group level, every peer in that group inherits the group's authentication key. A key configured on an individual neighbor takes precedence over the group key for that neighbor.

The key (password) can be up to 126 characters long and can contain any ASCII characters. If it includes spaces, enclose the whole key in double quotation marks. Because the digest is computed over captured segments and the key, a short or guessable key can be recovered offline; choose a long, random key.
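The following Python model is added here as an illustration of what the MD5 digest described above actually covers; it is not code from JUNOS or from this guide. It implements the TCP MD5 signature option computation from RFC 2385 (pseudo-header, fixed TCP header with the checksum zeroed, segment data, then the key, in that order) over a constructed BGP KEEPALIVE segment, and shows the receiver's check succeeding with the shared key and failing for a wrong key, a tampered message, a spoofed source address and an unsigned segment. The addresses, ports, sequence numbers and key are made-up sample values.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

TCP_PROTO = 6
OPT_MD5_SIG = 19        # RFC 2385 option kind
OPT_MD5_SIG_LEN = 18    # kind(1) + length(1) + digest(16)

# Constructed sample payload: a BGP KEEPALIVE (16-byte 0xff marker, length 19, type 4).
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)


def _pseudo_header(src_ip: str, dst_ip: str, seg_len: int) -> bytes:
    # Source address, destination address, zero, protocol, TCP length (RFC 2385 section 2.0).
    return (IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, TCP_PROTO, seg_len))


def tcp_md5_digest(src_ip: str, dst_ip: str, tcp_header: bytes, payload: bytes, key: bytes) -> bytes:
    """MD5 over pseudo-header, the fixed 20-byte TCP header with checksum zeroed
    (options, including the signature itself, are not covered), the data, then the key."""
    fixed = bytearray(tcp_header[:20])
    fixed[16:18] = b"\x00\x00"                    # checksum assumed to be zero
    seg_len = len(tcp_header) + len(payload)      # TCP length as in the checksum pseudo-header
    return hashlib.md5(_pseudo_header(src_ip, dst_ip, seg_len) + bytes(fixed) + payload + key).digest()


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, payload, key):
    """Sender side: return (tcp_header, payload) with the signature option filled in.
    Options are [19][18][digest x16] plus two end-of-option-list bytes to pad to 4 bytes."""
    options_len = OPT_MD5_SIG_LEN + 2
    data_offset_words = (20 + options_len) // 4   # 10 words = 40-byte header
    flags = 0x18                                  # PSH|ACK
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        data_offset_words << 4, flags, 65535, 0, 0)
    placeholder = struct.pack("!BB", OPT_MD5_SIG, OPT_MD5_SIG_LEN) + b"\x00" * 16 + b"\x00\x00"
    digest = tcp_md5_digest(src_ip, dst_ip, fixed + placeholder, payload, key)
    options = struct.pack("!BB", OPT_MD5_SIG, OPT_MD5_SIG_LEN) + digest + b"\x00\x00"
    return fixed + options, payload


def extract_md5_option(tcp_header: bytes):
    """Walk the TCP options and return the 16-byte digest, or None if there is none."""
    i = 20
    while i < len(tcp_header):
        kind = tcp_header[i]
        if kind == 0:                 # end of option list
            break
        if kind == 1:                 # no-operation
            i += 1
            continue
        if i + 1 >= len(tcp_header):
            break
        length = tcp_header[i + 1]
        if length < 2:
            break
        if kind == OPT_MD5_SIG and length == OPT_MD5_SIG_LEN:
            return bytes(tcp_header[i + 2:i + 18])
        i += length
    return None


def verify_segment(src_ip, dst_ip, tcp_header, payload, key) -> bool:
    """Receiver side: once a key is configured for the peer, unsigned segments are rejected
    and signed ones are recomputed and compared in constant time."""
    received = extract_md5_option(tcp_header)
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key)
    return hmac.compare_digest(received, expected)


def demo() -> dict:
    """Constructed session 192.0.2.1:179 -> 192.0.2.2:49152 with a sample key."""
    key = b"bgp-sample-secret"
    hdr, data = build_signed_segment("192.0.2.1", "192.0.2.2", 179, 49152, 1000, 2000, BGP_KEEPALIVE, key)
    return {
        "correct_key": verify_segment("192.0.2.1", "192.0.2.2", hdr, data, key),
        "wrong_key": verify_segment("192.0.2.1", "192.0.2.2", hdr, data, b"other-secret"),
        # Flip the BGP message type from KEEPALIVE (4) to NOTIFICATION (3).
        "tampered_payload": verify_segment("192.0.2.1", "192.0.2.2", hdr, data[:-1] + b"\x03", key),
        # Same segment claimed from a different source address: the pseudo-header no longer matches.
        "spoofed_source": verify_segment("198.51.100.9", "192.0.2.2", hdr, data, key),
        # Header stripped of its options: no signature present.
        "no_signature": verify_segment("192.0.2.1", "192.0.2.2", hdr[:20], data, key),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18s} {'accepted' if ok else 'rejected'}")
```

Only the first case is accepted; the other four show why a peer without the key, or a spoofed or modified segment, cannot join or disturb the session.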

You can update MD5 authentication keys without resetting any BGP peering sessions. This is referred to as hitless authentication key rollover. Hitless authentication key rollover uses authentication key chains; a key chain holds the key currently in use and the keys that will replace it.

Hitless authentication key rollover also lets you choose the algorithm with which the session is authenticated. You associate a key chain and an authentication algorithm with a BGP neighbor session. The key chain contains multiple keys; each key has an identifier, a secret and a unique start time. A key is active from its start time until the start time of the next key in the chain.

The sending peer selects the active key from the system time. The receiving peer selects the key by the key identifier carried in the incoming packet, not by its own clock, so the two routers do not have to switch at exactly the same instant and the session stays up across the change. Both routers must have the new key configured before its start time arrives; a peer that does not know the key identifier rejects the packets and the session resets.

To configure a key chain, include the key-chain statement at the [edit security authentication-key-chains] hierarchy level, with one key statement for each authentication key in the chain:

[edit security]
authentication-key-chains {
    key-chain key-chain-name {
        key key {
            secret secret-data;
            start-time yyyy-mm-dd.hh:mm:ss;
        }
    }
}

You can configure multiple keys within the key chain.

Each key within a key chain must be identified by a unique integer value configured in the key statement. The range of valid identifier values is from 0 through 63. Each key must specify a secret in the secret statement, entered in either plain-text or encrypted form; the configuration always displays it in encrypted form. That displayed form is reversible obfuscation that hides the secret from casual viewing, not strong encryption, so protect configuration files and backups as you would the key itself.

Each key must specify a start time with the start-time statement. Start times are specified in the local time zone of the router and must be unique within the key chain. Because the sending peer selects keys by time, keep the clocks of both peers synchronized (for example, with NTP); the receiving peer's lookup by key identifier tolerates small differences, but a large skew makes one router roll over long before the other.

For more information on configuring authentication key chains, see the JUNOS System Basics Configuration Guide.

To apply an authentication key chain to the router, include the authentication-key-chain statement:

authentication-key-chain key-chain;

To specify the authentication algorithm type to use for key chains, include the authentication-algorithm statement:

authentication-algorithm algorithm;

You can choose either md5 or hmac-sha-1-96 as the algorithm; hmac-sha-1-96 is HMAC-SHA-1 with the tag truncated to 96 bits. The same algorithm must be configured on both peers.
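The rollover rule described above (the sender picks a key by system time, the receiver by the key identifier in the packet), the key-chain constraints (identifiers 0 through 63, unique start times in yyyy-mm-dd.hh:mm:ss form) and the choice between md5 and hmac-sha-1-96 are modelled together in the following Python example. It is added here as an illustration and is not JUNOS code; the tag constructions, the message contents and the two-router timeline are assumptions made for the demonstration, not the wire format JUNOS uses. It shows a rollover staying hitless when the two peers' clocks disagree by 40 seconds, and failing when one peer never received the new key.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime

START_TIME_FORMAT = "%Y-%m-%d.%H:%M:%S"   # the yyyy-mm-dd.hh:mm:ss form of the start-time statement


@dataclass(frozen=True)
class ChainKey:
    key_id: int
    secret: bytes
    start_time: datetime


def chain_key(key_id: int, secret: bytes, start_time: str) -> ChainKey:
    """Build a key from the values given to the key, secret and start-time statements."""
    return ChainKey(key_id, secret, datetime.strptime(start_time, START_TIME_FORMAT))


class KeyChain:
    """A key chain under the rules on this page: unique identifiers 0..63, unique start times."""

    def __init__(self, name: str, keys):
        ids = [k.key_id for k in keys]
        if any(not 0 <= i <= 63 for i in ids):
            raise ValueError("key identifier must be in the range 0 through 63")
        if len(set(ids)) != len(ids):
            raise ValueError("key identifiers must be unique within the chain")
        starts = [k.start_time for k in keys]
        if len(set(starts)) != len(starts):
            raise ValueError("start times must be unique within the chain")
        self.name = name
        self.keys = sorted(keys, key=lambda k: k.start_time)

    def active_key(self, now: datetime) -> ChainKey:
        """Sender's rule: the key with the latest start time that is not in the future."""
        started = [k for k in self.keys if k.start_time <= now]
        if not started:
            raise LookupError("no key in the chain has started yet")
        return started[-1]

    def key_by_id(self, key_id: int):
        """Receiver's rule: select by the identifier carried in the packet, ignoring the clock."""
        return next((k for k in self.keys if k.key_id == key_id), None)


def chain_is_valid(keys) -> bool:
    try:
        KeyChain("check", keys)
        return True
    except ValueError:
        return False


def compute_tag(algorithm: str, secret: bytes, message: bytes) -> bytes:
    if algorithm == "hmac-sha-1-96":
        return hmac.new(secret, message, hashlib.sha1).digest()[:12]   # HMAC-SHA-1 truncated to 96 bits
    if algorithm == "md5":
        # Assumption for the model: MD5 over the data with the secret appended, as in RFC 2385.
        return hashlib.md5(message + secret).digest()
    raise ValueError("algorithm must be md5 or hmac-sha-1-96")


def sign(chain: KeyChain, algorithm: str, message: bytes, now: datetime):
    key = chain.active_key(now)
    return key.key_id, compute_tag(algorithm, key.secret, message)


def verify(chain: KeyChain, algorithm: str, message: bytes, key_id: int, tag: bytes) -> bool:
    key = chain.key_by_id(key_id)
    if key is None:
        return False
    return hmac.compare_digest(tag, compute_tag(algorithm, key.secret, message))


def rollover_demo(algorithm: str = "hmac-sha-1-96") -> dict:
    """Two peers roll from key 0 to key 1 at 2012-04-01 00:00:00 with clocks 40 s apart."""
    old = chain_key(0, b"old-secret", "2012-01-01.00:00:00")
    new = chain_key(1, b"new-secret", "2012-04-01.00:00:00")
    router_a = KeyChain("bgp-keys", [old, new])
    router_b = KeyChain("bgp-keys", [old, new])    # new key pushed to both peers before its start time
    router_b_stale = KeyChain("bgp-keys", [old])   # a peer the operator forgot to update
    msg = b"constructed stand-in for an authenticated BGP segment"
    r = {}
    kid, tag = sign(router_a, algorithm, msg, datetime(2012, 3, 1, 12, 0, 0))
    r["before_rollover"] = kid == 0 and verify(router_b, algorithm, msg, kid, tag)
    # A's clock has passed the start time, B's has not: B still accepts because it selects by key ID.
    kid, tag = sign(router_a, algorithm, msg, datetime(2012, 4, 1, 0, 0, 10))
    r["a_rolled_first"] = kid == 1 and verify(router_b, algorithm, msg, kid, tag)
    kid, tag = sign(router_b, algorithm, msg, datetime(2012, 3, 31, 23, 59, 30))
    r["b_still_on_old_key"] = kid == 0 and verify(router_a, algorithm, msg, kid, tag)
    # A peer that never received key 1 rejects A's segments as soon as A rolls: that session resets.
    kid, tag = sign(router_a, algorithm, msg, datetime(2012, 4, 1, 0, 0, 10))
    r["peer_not_updated"] = verify(router_b_stale, algorithm, msg, kid, tag)
    r["tag_bits"] = len(tag) * 8
    return r


if __name__ == "__main__":
    for alg in ("hmac-sha-1-96", "md5"):
        print(alg, rollover_demo(alg))
```

The receiver's lookup by identifier is what makes the change hitless: neither router has to know the other's clock, only that the identifier it sees is in its own chain. The stale-peer case is the operational check to make before any start time arrives.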

Note: BGP authentication is not supported for promiscuous-mode BGP sessions, that is, sessions accepted through the allow statement. If you include the allow statement, you cannot include authentication-key or authentication-key-chain at the same hierarchy level or at any higher hierarchy level, and when you configure authentication for all peers in a group you cannot include the allow statement in that group, because a BGP key is bound to a specific peer destination address.

For a list of hierarchy levels at which you can include the previous statements, see the statement summary for those statements.

