Technical Documentation

Example: Configuring the BGP and IS-IS Routing Protocols

The main task of a router is to use its routing and forwarding tables to forward user traffic to its intended destination. Attackers can send forged routing protocol packets to a router with the intent of changing or corrupting the contents of its routing table or other databases, which in turn can degrade the functionality of the router and the network. To prevent such attacks, routers must ensure that they form routing protocol relationships (peering or neighboring relationships) only with trusted peers. One way of doing this is by authenticating routing protocol messages. We strongly recommend using authentication when configuring routing protocols. The JUNOS Software supports HMAC-MD5 authentication for BGP, Intermediate System-to-Intermediate System (IS-IS), Open Shortest Path First (OSPF), Routing Information Protocol (RIP), and Resource Reservation Protocol (RSVP). HMAC-MD5 uses a secret key that is combined with the data being transmitted to compute a hash. The computed hash is transmitted along with the data. The receiver uses the matching key to recompute the hash and compare it with the one received. If an attacker has forged or modified the message, or does not hold the key, the hash will not match and the data is discarded.
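As an added example (not part of the JUNOS documentation), the following Python models the keyed-hash check described above on both the sending and the receiving side, using the IS-IS Authentication TLV layout from RFC 5304 (TLV type 10, authentication type 54, 16-byte HMAC-MD5 digest). The PDU body, the key, and the placement of the TLV at the end of the PDU are constructed simplifications for illustration.

```python
# Added example: keyed-hash (HMAC-MD5) authentication of a routing PDU,
# modeled on the RFC 5304 IS-IS Authentication TLV. A real IS-IS
# implementation walks the full TLV list and also zeroes the LSP checksum
# and remaining-lifetime fields before hashing; this model keeps the
# Authentication TLV last and hashes everything else as-is.
import hashlib
import hmac

AUTH_TLV_TYPE = 10        # IS-IS Authentication TLV
AUTH_TYPE_HMAC_MD5 = 54   # authentication type: HMAC-MD5
DIGEST_LEN = 16
TLV_LEN = 3 + DIGEST_LEN  # type, length, auth-type, digest


def _auth_tlv(digest: bytes) -> bytes:
    return bytes([AUTH_TLV_TYPE, 1 + DIGEST_LEN, AUTH_TYPE_HMAC_MD5]) + digest


def sign_pdu(body: bytes, key: bytes) -> bytes:
    """Sender: append an Authentication TLV whose digest covers the PDU.

    The digest field is all zeros while the HMAC is computed; the real
    digest is then written into the TLV.
    """
    zeroed = body + _auth_tlv(b"\x00" * DIGEST_LEN)
    digest = hmac.new(key, zeroed, hashlib.md5).digest()
    return body + _auth_tlv(digest)


def verify_pdu(pdu: bytes, key: bytes) -> bool:
    """Receiver: recompute the HMAC with the local key and compare.

    Returns False (drop the PDU) on a malformed TLV, a wrong key, or any
    modification of the content. compare_digest avoids a timing leak.
    """
    if len(pdu) < TLV_LEN:
        return False
    body, tlv = pdu[:-TLV_LEN], pdu[-TLV_LEN:]
    if (tlv[0] != AUTH_TLV_TYPE or tlv[1] != 1 + DIGEST_LEN
            or tlv[2] != AUTH_TYPE_HMAC_MD5):
        return False
    expected = hmac.new(key, body + _auth_tlv(b"\x00" * DIGEST_LEN),
                        hashlib.md5).digest()
    return hmac.compare_digest(tlv[3:], expected)


if __name__ == "__main__":
    # Constructed sample: a fake PDU header plus a few TLV bytes, and a test key.
    body = b"\x83\x1b\x01\x00\x11\x01\x01\x00" + b"\x01\x02\x03"
    key = b"constructed-key"
    signed = sign_pdu(body, key)
    tampered = bytearray(signed)
    tampered[5] ^= 0x01
    print("valid:", verify_pdu(signed, key))                  # True
    print("tampered:", verify_pdu(bytes(tampered), key))      # False
    print("wrong key:", verify_pdu(signed, b"other-key"))     # False
```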

In the following examples, we configure BGP as the exterior gateway protocol (EGP) and IS-IS as the interior gateway protocol (IGP). If you use OSPF, configure it similarly to the IS-IS configuration shown.

Configuring BGP

The following example shows the configuration of a single authentication key for the internal BGP peer group (ibgp). You can also configure BGP authentication at the neighbor or routing instance levels, or for all BGP sessions. As with any security configuration, there is a trade-off between the degree of granularity (and to some extent the degree of security) and the amount of management necessary to maintain the system. This example also configures a number of tracing options for routing protocol events and errors, which can be good indicators of attacks against routing protocols. These events include protocol authentication failures, which might point to an attacker that is sending spoofed or otherwise malformed routing packets to the router in an attempt to elicit a particular behavior.

[edit]
protocols {
    bgp {
        group ibgp {
            type internal;
            traceoptions {
                file bgp-trace size 1m files 10;
                flag state;
                flag general;
            }
            local-address 10.10.5.1;
            log-updown;
            neighbor 10.2.1.1;
            authentication-key "$9$aH1j8gqQ1gjyjgjhgjgiiiii";
        }
        group ebgp {
            type external;
            traceoptions {
                file ebgp-trace size 10m files 10;
                flag state;
                flag general;
            }
            local-address 10.10.5.1;
            log-updown;
            peer-as 2;
            neighbor 10.2.1.2;
            authentication-key "$9$aH1j8gqQ1gjyjgjhgjgiiiii";
        }
    }
}

Configuring IS-IS

Although all IGPs supported by the JUNOS Software support authentication, some are inherently more secure than others. Most service providers use OSPF or IS-IS to allow fast internal convergence and scalability and to use traffic engineering capabilities with Multiprotocol Label Switching (MPLS). Because IS-IS packets are not carried in IP (IS-IS runs directly over the link layer rather than at the IP network layer), IS-IS is more difficult to spoof than OSPF, which is encapsulated in IP and is therefore subject to remote spoofing and DoS attacks.

The following example also shows how to configure a number of tracing options for routing protocol events and errors, which can be good indicators of attacks against routing protocols. These events include protocol authentication failures, which might point to an attacker that is sending spoofed or otherwise malformed routing packets to the router in an attempt to elicit a particular behavior.

[edit]
protocols {
    isis {
        authentication-key "$9$aH1j8gqQ1gjyjgjhgjgiiiii"; # SECRET-DATA
        authentication-type md5;
        traceoptions {
            file isis-trace size 10m files 10;
            flag normal;
            flag error;
        }
        interface at-0/0/0.131 {
            lsp-interval 50;
            level 2 disable;
            level 1 {
                metric 3;
                hello-interval 5;
                hold-time 60;
            }
        }
        interface lo0.0 {
            passive;
        }
    }
}

Published: 2010-04-26