Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Interface-Scoped TCP Authentication

Understanding Interface-Scoped Authentication for BGP Unnumbered Peers

When you deploy BGP unnumbered peering, routers automatically discover neighbors using IPv6 Neighbor Discovery Protocol (NDP) and establish sessions over IPv6 link-local addresses. You can enable interface-scoped TCP authentication (MD5, TCP-AO, Keychain authentication) for these dynamically discovered peers by associating authentication keys directly with the logical interfaces, regardless of the peer's IP address.

Routers establish BGP sessions using IPv6 link-local addresses through BGP unnumbered peering, which eliminates the need to assign unique IP addresses to each point-to-point interface. This approach simplifies network configuration but creates challenges for traditional TCP authentication mechanism that rely on knowing the peers’ IP address or IP prefix in advance. The interface-scoped authentication approach associates the authentication key directly with a logical interface. This configuration ensures that the BGP session initiated over a configured interface uses the authentication key assigned to that interface regardless of the peer’s IP address.

You can configure authentication for BGP unnumbered peers under the [edit protocols bgp group group-name dynamic-neighbor dyn-name] hierarchy,

  • authentication-algorithm: Specifies the authentication algorithm to be used. The supported algorithms are aes-128-cmac-96, ao, hmac-sha-1-96, and md5.
  • authentication-key: Defines the TCP-MD5 authentication key.
  • authentication-key-chain: Specifies the authentication key-chain used for TCP-AO or TCP Keychain authentication.
    Note: When an authentication algorithm is specified, it must be configured with a key-chain and cannot be used with key.

We also support nonstop active routing (NSR) implementing BGP unnumbered peer sessions using interface-scoped authentication. NSR ensures that BGP sessions remain uninterrupted during control-plane failovers by preserving protocol state across the Routing Engine switchover. When combined with interface-scoped authentication, NSR allows BGP sessions establish over unnumbered interfaces to maintain their authenticated state even during system transitions. This is particularly valuable in high-availability environments where maintaining secure and persistent routing sessions is critical.

Benefits of BGP Unnumbered Peering

  • Establishes a secure BGP peering on enabling authentication for a BGP unnumbered session.

Limitations

  • Changing the TCP MD5 key for an established BGP session might flap or restart the session.

  • This functionality is limited to single-hop connectivity in symmetric routing scenarios.

How to Configure Interface-Scoped TCP Authentication for BGP Unnumbered Peers

To enable the BGP unnumbered sessions with interface-scoped TCP authentication, configure the following options under the [edit protocols bgp group name dynamic-neighbor name] hierarchy.

Action

Consider the following configuration scenarios for BGP authentication.

Use case 1: BGP Unnumbered session authenticated with Interface-scoped TCP-MD5 under default routing instance

Use the following configuration snippet to configure interface-scoped MD5 authentication for BGP unnumbered session using IPv6 link-local address for et-0/0/1.0 interface under the default routing instance.

Use case 2: BGP Unnumbered session with Interface-scoped TCP-MD5 authentication and interface-range configuration under default routing instance (Junos EVO only)

Use the following configuration snippet to configure interface-scoped MD5 authentication for BGP unnumbered session using interface-range configuration under default routing instance.

Use case 3: BGP Unnumbered sessions authenticated with Interface-scoped TCP-MD5 under non-default routing instance

Use the following configuration snippet to configure interface-scoped MD5 authentication with BGP unnumbered session under non-default routing instance.

Use case 4: BGP Unnumbered sessions authenticated with Interface-scoped TCP-AO authentication

Use the following configuration snippet to configure interface-scoped TCP-AO authentication for BGP unnumbered session under default routing instance.

Use case 5: BGP Unnumbered sessions authenticated with Interface-scoped Keychain authentication under default routing instance

Use the following configuration snippet to configure interface-scoped TCP-Keychain authentication for BGP unnumbered session under default routing instance.

Validate

Use the show bgp neighbor command to verify interface-scoped authentication for BGP Unnumbered peers.

Output

In this example output, you see the verified interface-scoped authentication key-chain and algorithm for the two BGP peers.