Technical Documentation

Configuring Authentication for BGP

All BGP protocol exchanges can be authenticated to guarantee that only trusted routing devices participate in the AS’s routing. By default, authentication is disabled. You can configure MD5 authentication. The MD5 algorithm creates an encoded checksum that is included in the transmitted packet. The receiving routing device uses an authentication key (password) to verify the packet’s MD5 checksum.

To configure an MD5 authentication key, include the authentication-key statement:

For a list of hierarchy levels at which you can include this statement, see the statement summary section for this statement.

If you configure authentication for all peers, each individual peer in that group inherits the group’s authentication.

The key (password) can be up to 126 characters long and can contain any ASCII characters. If the key includes spaces, enclose the whole key in quotation marks (“ ”).

You can update MD5 authentication keys without resetting any BGP peering sessions. This is referred to as hitless authentication key rollover. Hitless authentication key rollover uses authentication keychains, which consist of the authentication keys that are being updated.

Hitless authentication key rollover also lets you choose the algorithm used for authentication. You associate a keychain and an authentication algorithm with a BGP neighbor session. The keychain contains multiple keys, each of which has an identifier and a secret, and each key is also configured with a unique start time and an end time.

The sending peer chooses the active key based on the system time. The receiving peer determines the key with which it authenticates based upon the incoming key identifier.

To configure the authentication key, include the key-chain statement at the [edit security authentication-key-chains] hierarchy level, and specify the key option to create a keychain consisting of several authentication keys.

[edit security]
authentication-key-chains {
    key-chain key-chain-name {
        key key {
            secret secret-data;
            start-time YYYY-MM-DD.hh:mm:ss;
        }
    }
}

You can configure multiple keys within the keychain.

Each key within a keychain must be identified by a unique integer value configured in the key statement. The range of valid identifier values is from 0 through 63. Each key must specify a secret. This secret can be entered in either encrypted or plain text format in the secret statement. It is always displayed in encrypted format.

Each key must specify a start time with the start-time statement. Start times are specified in the local time zone for a routing device and must be unique within the key chain.

For more information on configuring authentication keychains, see the Junos System Basics Configuration Guide.

To apply an authentication keychain, include the authentication-key-chain statement:

To specify the authentication algorithm type to use for keychains, include the authentication-algorithm statement:

You can choose md5, hmac-sha-1-96, or aes-128-cmac-96 as the type of algorithm.
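The following Python model is an added example and is not code from the Junos documentation or from Juniper. It shows the keychain behaviour described above: the sender picks the active key from the system time, the receiver looks the key up by the identifier carried in the packet, and the constraints on identifiers, secrets and start times are enforced. The keychain contents, the message, and the start-time values are constructed for the example; the md5 digest is assumed to be computed as MD5(message || key) and hmac-sha-1-96 as HMAC-SHA1 truncated to 96 bits, and aes-128-cmac-96 is omitted because it needs a library outside the standard library.

```python
# Added example (not Junos code): a model of BGP keychain selection and
# digest verification. Keychain data, message and times are constructed.
import hashlib
import hmac
from datetime import datetime


def parse_time(text):
    """Parse the YYYY-MM-DD.hh:mm:ss form used by the start-time statement."""
    return datetime.strptime(text, "%Y-%m-%d.%H:%M:%S")


# Constructed keychain: identifier -> (secret, start-time), mirroring the
# [edit security authentication-key-chains] hierarchy on the page.
KEYCHAIN = {
    1: ("first-secret", "2010-07-01.00:00:00"),
    2: ("second-secret", "2010-07-15.12:00:00"),
}


def validate_keychain(chain):
    """Enforce the rules the page states: ids 0..63, a secret, unique start times."""
    seen = set()
    for key_id, (secret, start) in chain.items():
        if not 0 <= key_id <= 63:
            raise ValueError(f"key identifier {key_id} is outside 0..63")
        if not secret:
            raise ValueError(f"key {key_id} has no secret")
        if start in seen:
            raise ValueError(f"duplicate start-time {start}")
        seen.add(start)
    return True


def active_key_id(chain, now_text):
    """Sender side: the key with the latest start time that is not in the future."""
    now = parse_time(now_text)
    candidates = [(parse_time(start), kid)
                  for kid, (_, start) in chain.items() if parse_time(start) <= now]
    if not candidates:
        raise LookupError("no key in the chain is active yet")
    return max(candidates)[1]


def digest(algorithm, secret, message):
    """Assumed digest constructions for the two standard-library algorithms."""
    key = secret.encode()
    if algorithm == "md5":
        return hashlib.md5(message + key).digest()          # 16 bytes
    if algorithm == "hmac-sha-1-96":
        return hmac.new(key, message, hashlib.sha1).digest()[:12]  # 96 bits
    raise ValueError(f"unsupported algorithm {algorithm}")


def send(chain, algorithm, message, now_text):
    """Sender: choose the key by system time; send the key id with the digest."""
    kid = active_key_id(chain, now_text)
    return kid, digest(algorithm, chain[kid][0], message)


def verify(chain, algorithm, message, kid, received):
    """Receiver: select the key by the incoming identifier, then compare in constant time."""
    if kid not in chain:
        return False
    expected = digest(algorithm, chain[kid][0], message)
    return hmac.compare_digest(expected, received)


def rollover_demo(algorithm="hmac-sha-1-96"):
    """Hitless rollover: key 2 becomes active on its start time without a reset."""
    validate_keychain(KEYCHAIN)
    message = b"BGP KEEPALIVE (constructed)"
    kid_before, tag_before = send(KEYCHAIN, algorithm, message, "2010-07-10.00:00:00")
    kid_after, tag_after = send(KEYCHAIN, algorithm, message, "2010-07-16.00:00:00")
    # The receiver never consults its clock; it trusts the id to pick the key,
    # so a peer that switches first is still verified by a peer that has not.
    return (kid_before, verify(KEYCHAIN, algorithm, message, kid_before, tag_before),
            kid_after, verify(KEYCHAIN, algorithm, message, kid_after, tag_after))


if __name__ == "__main__":
    print(rollover_demo())
```

Because the receiver selects the key by identifier rather than by time, both peers can carry the old and new keys simultaneously and each can switch on its own schedule, which is what makes the rollover hitless; a digest computed with an identifier that is not in the chain simply fails verification.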

Note: BGP authentication is not supported with promiscuous mode BGP sessions. If you include the allow statement, you cannot include authentication-key or authentication-key-chain at the same hierarchy level or any higher hierarchy level. When configuring authentication for all peers in a group, you cannot include the allow statement in the configuration because BGP keys require a destination address.

For a list of hierarchy levels at which you can include the previous statements, see the statement summary for those statements.

Published: 2010-07-02
