Configure TCP Authentication Option (TCP-AO)

SUMMARY Learn about TCP Authentication Option (TCP-AO) for BGP and LDP Sessions.

TCP Authentication Option (TCP-AO) for BGP and LDP Sessions

Benefits of TCP-AO

TCP-AO provides the following benefits over TCP MD5:

  • Stronger algorithms—Supports the two MAC algorithms that RFC 5925, The TCP Authentication Option, requires (they are specified in RFC 5926): HMAC-SHA-1-96, a hash-based MAC, and AES-128-CMAC-96, a cipher-based MAC. Both are considerably stronger than the keyed MD5 digest that TCP MD5 computes.

  • Two-fold security—In TCP-AO the configured algorithm is used in two stages. It first acts as a key derivation function that turns the user-configured master key and connection-specific parameters (IP addresses, ports and initial sequence numbers of both ends) into per-connection traffic keys, and it then computes the MAC over each TCP segment with that traffic key. The configured secret therefore never keys the MAC directly, and two connections that share a secret still use different traffic keys. TCP MD5 hashes each segment together with the raw user-configured key.

  • Better key management and agility—You can configure up to 64 keys for a session and add keys at any time during the lifetime of the session. Because every segment carries the ID of the key that protected it and the ID the sender is ready to receive, peers can move from one key to the next on an established connection without closing it. Changing a TCP MD5 key on an established connection might cause the connection to flap or restart.

  • Suitable for long-lived connections—Better suited to long-lived routing-protocol connections such as BGP and LDP, and to repeated instances of a single connection, because keys can be rolled over without dropping the session.

What is TCP-AO?

The BGP and LDP protocols use TCP for transport. TCP-AO, defined in RFC 5925, The TCP Authentication Option, authenticates the TCP segments exchanged during BGP and LDP sessions so that a peer can detect forged or modified segments. It supports both IPv4 and IPv6 traffic.

TCP-AO provides a framework to:

  • Use stronger algorithms (HMAC-SHA-1-96 and AES-128-CMAC-96) both to derive the internal traffic keys and to compute the per-segment message digest.

  • Add a new user-configured key, from which new internal traffic keys are derived, to an established connection, together with a mechanism for the BGP or LDP peers to agree on the key change.

In earlier releases only the TCP MD5 authentication method was supported for BGP and LDP sessions. The MD5 method supports only the MD5 algorithm, which is less secure than TCP-AO. In addition, changing an MD5 key normally results in TCP session disruption, unlike a TCP-AO key change. TCP MD5 is defined in RFC 2385, Protection of BGP Sessions via the TCP MD5 Signature Option.

Note:
  • While both the TCP-AO and TCP MD5 authentication methods are now supported, you cannot use both at the same time for a given connection.

  • TCP-AO supports Nonstop Active Routing.

  • To configure a keychain for TCP-AO (with one key), set the following statement at the [edit security] hierarchy level.

    user@router# set authentication-key-chains key-chain key-chain key id secret secretpassword start-time YYYY-MM-DD.HH:MM algorithm ao ao-attribute send-id send-id recv-id recv-id cryptographic-algorithm cryptographic-algorithm tcp-ao-option enabled

  • To apply TCP-AO to a BGP session (with the configured keychain), set the following statement at the [edit protocols] hierarchy level.

    user@router# set bgp group group neighbor neighbor authentication-algorithm ao

    user@router# set bgp group group neighbor neighbor authentication-key-chain key-chain

  • To apply TCP-AO to an LDP session (with the configured keychain), set the following statement at the [edit protocols] hierarchy level.

    user@router# set ldp session session authentication-algorithm ao

    user@router# set ldp session session authentication-key-chain key-chain

The following diagram explains the difference between TCP Authentication Option (TCP-AO) and TCP MD5 authentication. The first flow shows the configuration and processing flow for TCP-AO and the second flow shows the configuration and processing flow for TCP-MD5.

Figure 1: TCP-AO in comparison with TCP MD5

Below is an explanation of the processing flows shown in Figure 1:

  • TCP-AO—The user has configured two keys in the keychain, key 0 and key 1, with all required parameters. The keychain supports two algorithms, HMAC-SHA-1-96 and AES-128-CMAC-96 (mandated by RFC 5925). TCP fetches key 0, which is the key that is currently active as shown by the timestamp in the figure. In the example, key 0 is configured with HMAC-SHA-1-96.

    The HMAC-SHA1 key derivation function takes the secret from the key 0 configuration together with connection-specific parameters (the source and destination IP addresses, ports and initial sequence numbers) and derives an internal traffic key. No encryption takes place; the derivation is a keyed hash.

    HMAC-SHA1, now keyed with the internal traffic key, is computed over the TCP segment (with the MAC field zeroed) to produce the message digest. The digest is truncated to 96 bits and copied into the MAC field of the TCP-AO option in the TCP segment. The segment is then sent to the receiving device, which derives the same traffic key from its copy of the secret and recomputes the digest to verify the segment.

  • TCP MD5—The user has configured a single key, because the TCP MD5 option supports only one key for a connection, and it supports only the MD5 algorithm. MD5 hashes the TCP segment together with the secret from that key (again, no encryption is involved) to produce the message digest. The digest is copied into the MD5 digest field of the TCP segment and sent to the receiving device.
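The two-stage processing described above, as an added example that is not part of this page or of Junos: Python code that derives TCP-AO traffic keys with the KDF_HMAC_SHA1 construction of RFC 5926 and then computes and verifies the HMAC-SHA-1-96 MAC over a constructed BGP KEEPALIVE segment. The addresses 192.0.2.1 and 192.0.2.2, the ports, initial sequence numbers, secret and key IDs are assumed values; only IPv4 and HMAC-SHA-1-96 are modelled, and the sequence number extension is fixed at zero.

```python
"""TCP-AO traffic-key derivation and HMAC-SHA-1-96 MAC, following RFC 5925/5926.

Added illustration, not Junos or Juniper code. Addresses, ports, ISNs, the
secret, the key IDs and the BGP KEEPALIVE payload below are all constructed
for the example; only IPv4 and HMAC-SHA-1-96 are modelled.
"""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

TCP_AO_KIND = 29   # TCP option kind assigned to TCP-AO
MAC_LEN = 12       # HMAC-SHA-1-96: leftmost 96 bits of HMAC-SHA1
SNE = 0            # sequence number extension, 0 until the 32-bit SEQ wraps


def kdf_hmac_sha1(master_key, context):
    """RFC 5926 KDF_HMAC_SHA1: HMAC-SHA1(master, 0x01 || "TCP-AO" || context || 160 as 16 bits)."""
    return hmac.new(master_key, b"\x01TCP-AO" + context + struct.pack("!H", 160), hashlib.sha1).digest()


def ao_context(s_ip, d_ip, s_port, d_port, s_isn, d_isn):
    """RFC 5925 section 5.2 context: source then destination address, port and ISN."""
    return (IPv4Address(s_ip).packed + IPv4Address(d_ip).packed
            + struct.pack("!HHII", s_port, d_port, s_isn, d_isn))


def traffic_keys(secret, local_ip, remote_ip, local_port, remote_port, local_isn, remote_isn):
    """One endpoint's send and receive traffic keys once both ISNs are known."""
    return {
        "send": kdf_hmac_sha1(secret, ao_context(local_ip, remote_ip, local_port, remote_port, local_isn, remote_isn)),
        "recv": kdf_hmac_sha1(secret, ao_context(remote_ip, local_ip, remote_port, local_port, remote_isn, local_isn)),
    }


def build_segment(s_port, d_port, seq, ack, key_id, rnext_key_id, payload, mac=bytes(MAC_LEN)):
    """TCP header + TCP-AO option (Kind, Length, KeyID, RNextKeyID, MAC) + data.
    The checksum is left at 0 here; it is zeroed in the MAC input regardless."""
    option = bytes([TCP_AO_KIND, 4 + MAC_LEN, key_id, rnext_key_id]) + mac   # 16 bytes, word aligned
    data_offset = (20 + len(option)) // 4
    header = struct.pack("!HHIIBBHHH", s_port, d_port, seq, ack, data_offset << 4,
                         0x18, 65535, 0, 0)                                   # PSH|ACK, window, csum, urg
    return header + option + payload


def find_ao(segment):
    """Walk the TCP options; return (offset, key_id, rnext_key_id, mac) for TCP-AO, or None."""
    end = (segment[12] >> 4) * 4
    i = 20
    while i < end:
        kind = segment[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP
            i += 1
            continue
        length = segment[i + 1]
        if kind == TCP_AO_KIND:
            return i, segment[i + 2], segment[i + 3], segment[i + 4:i + length]
        i += length
    return None


def ao_mac(traffic_key, s_ip, d_ip, segment):
    """RFC 5925 section 5.1: MAC over SNE || IPv4 pseudo-header || TCP header+options (MAC zeroed) || data."""
    off, _, _, mac = find_ao(segment)
    zeroed = segment[:off + 4] + bytes(len(mac)) + segment[off + 4 + len(mac):]
    pseudo = IPv4Address(s_ip).packed + IPv4Address(d_ip).packed + struct.pack("!BBH", 0, 6, len(segment))
    return hmac.new(traffic_key, struct.pack("!I", SNE) + pseudo + zeroed, hashlib.sha1).digest()[:MAC_LEN]


def verify(recv_id, recv_key, s_ip, d_ip, segment):
    """Receiver check: KeyID must name our receive key and the MAC must match."""
    found = find_ao(segment)
    if found is None or found[1] != recv_id or len(found[3]) != MAC_LEN:
        return False
    return hmac.compare_digest(found[3], ao_mac(recv_key, s_ip, d_ip, segment))


def demo():
    secret = b"secretpassword"                       # 'secret' of key 0 on both routers (constructed)
    r1, r2, r1_port, r2_port = "192.0.2.1", "192.0.2.2", 50000, 179
    r1_isn, r2_isn = 0x11111111, 0x22222222
    r1_keys = traffic_keys(secret, r1, r2, r1_port, r2_port, r1_isn, r2_isn)
    r2_keys = traffic_keys(secret, r2, r1, r2_port, r1_port, r2_isn, r1_isn)
    keepalive = b"\xff" * 16 + b"\x00\x13\x04"       # BGP KEEPALIVE: marker, length 19, type 4
    # key 0 on R1: send-id 1, recv-id 2. KeyID carries R1's send-id, RNextKeyID carries R1's recv-id.
    unsigned = build_segment(r1_port, r2_port, r1_isn + 1, r2_isn + 1, 1, 2, keepalive)
    signed = build_segment(r1_port, r2_port, r1_isn + 1, r2_isn + 1, 1, 2, keepalive,
                           mac=ao_mac(r1_keys["send"], r1, r2, unsigned))
    tampered = signed[:-1] + bytes([signed[-1] ^ 0x01])   # flip one payload bit in flight
    other = traffic_keys(b"other-secret", r2, r1, r2_port, r1_port, r2_isn, r1_isn)["recv"]
    return {
        "keys_match": r1_keys["send"] == r2_keys["recv"] and r1_keys["recv"] == r2_keys["send"],
        "accepted": verify(1, r2_keys["recv"], r1, r2, signed),      # R2's recv-id is 1
        "tampered_rejected": not verify(1, r2_keys["recv"], r1, r2, tampered),
        "wrong_secret_rejected": not verify(1, other, r1, r2, signed),
    }
```

Running demo() shows why the secret must be identical on both peers while send-id and recv-id are swapped: R1's send key equals R2's receive key because both derive it from the same six-tuple in the same order, and the KeyID in R1's segment is the value R2 expects as its recv-id. The one-bit payload change and the wrong secret both fail the constant-time compare, and RFC 5925 requires a receiver to silently discard such segments rather than reset the connection.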

Configure a Keychain (TCP-AO)

SUMMARY This example shows you how to create a TCP-AO keychain to authenticate a BGP or LDP session.

This example uses the following hardware and software components:

  • MX Series or PTX Series routers.

  • Junos OS Release 20.3R1 or later version.


In this example, you create a keychain named new_auth_key with two keys, key 0 and key 1, on devices R1 and R2.

  1. To create a keychain new_auth_key with the first key, (key 0):
    Note:

    Copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI.

    R1

    R2 (with send-id and recv-id values reversed)

    Consider the following parameters while configuring a keychain:

    • key-chain: A unique name for the keychain.

    • key: A unique key ID within the keychain.

    • secret: The shared secret for this key. It must be identical on both peers; use a different secret for each key.

    • start-time: The time at which the key becomes active, in YYYY-MM-DD.HH:MM format. Each key in the keychain needs a distinct start time.

    • algorithm: ao.

    • send-id and recv-id: Two numbers in the range 0 through 255. Do not reuse either number for any other key in the same keychain. The peer configures the same key with the two values swapped.

    • cryptographic-algorithm: hmac-sha-1-96 or aes-128-cmac-96.

    • tcp-ao-option: enabled, to include the TCP-AO option in the session's segments.

  2. To add another key (key 1), after creating key 0:

    R1

    R2 (with send-id and recv-id values reversed)

  3. Enter commit from configuration mode on both devices to activate your changes.
  4. To verify the keychain new_auth_key with the 2 keys configured, use the show security authentication-key-chains command from configuration mode.

    The following is sample output based on this example:

You have successfully created a keychain!

To delete a keychain, use the delete security authentication-key-chains key-chain key-chain-name command from configuration mode.

Note:
  • You can associate only one TCP-AO keychain with a BGP or LDP session during its lifetime; you cannot point the session at a different keychain while it is up.

  • We recommend a minimum interval of 30 minutes between the start-time values of any two consecutive keys within a keychain.

  • Once a keychain is in use by a TCP connection, you cannot change the send-id or recv-id values of its active key. You can change the other parameters of the key; connections established after the change use the updated parameters.
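The keychain rules above, turned into a pre-commit check as an added example that is not Junos code: the script renders the set security authentication-key-chains statement shown on this page for R1 from a short description of each key, derives R2's copy with send-id and recv-id swapped, lints both against the constraints stated here (IDs in 0 through 255 and not reused by another key in the keychain, at least 30 minutes between start times, a supported cryptographic-algorithm) and picks the key TCP would treat as active at a given time. The keychain name new_auth_key comes from this page; the secrets, IDs and start times are constructed sample values.

```python
"""Generate, mirror and sanity-check a TCP-AO keychain pair before committing it.

Added example, not Junos code. Secrets, IDs and start-times are constructed.
"""
from datetime import datetime, timedelta

MIN_GAP = timedelta(minutes=30)                      # recommended spacing between start-times
ALGORITHMS = ("hmac-sha-1-96", "aes-128-cmac-96")    # the two cryptographic-algorithm choices
TEMPLATE = ("set security authentication-key-chains key-chain {chain} key {key} "
            "secret {secret} start-time {start} algorithm ao ao-attribute "
            "send-id {send} recv-id {recv} cryptographic-algorithm {alg} tcp-ao-option enabled")

# R1's keychain as the operator would describe it (constructed sample data)
R1_KEYS = [
    {"key": 0, "secret": "secret-for-key-0", "start": "2024-01-01.00:00",
     "send": 1, "recv": 2, "alg": "hmac-sha-1-96"},
    {"key": 1, "secret": "secret-for-key-1", "start": "2024-01-01.01:00",
     "send": 3, "recv": 4, "alg": "aes-128-cmac-96"},
]


def parse_start(value):
    """start-time uses the Junos YYYY-MM-DD.HH:MM format."""
    return datetime.strptime(value, "%Y-%m-%d.%H:%M")


def mirror_for_peer(keys):
    """The peer carries the same keys with send-id and recv-id swapped."""
    return [dict(k, send=k["recv"], recv=k["send"]) for k in keys]


def render(chain, keys):
    """Return the set statements for one device, one line per key, for the [edit] hierarchy."""
    return [TEMPLATE.format(chain=chain, **k) for k in keys]


def lint(keys):
    """Return a list of problems; an empty list means the keychain passes."""
    problems = []
    owner = {}                                       # id value -> key number that first used it
    for k in keys:
        for field in ("send", "recv"):
            v = k[field]
            if not 0 <= v <= 255:
                problems.append(f"key {k['key']}: {field}-id {v} is outside 0..255")
            elif owner.setdefault(v, k["key"]) != k["key"]:
                problems.append(f"key {k['key']}: id {v} is already used by key {owner[v]}")
        if k["alg"] not in ALGORITHMS:
            problems.append(f"key {k['key']}: unsupported cryptographic-algorithm {k['alg']}")
    starts = sorted((parse_start(k["start"]), k["key"]) for k in keys)
    for (t0, k0), (t1, k1) in zip(starts, starts[1:]):
        if t1 - t0 < MIN_GAP:
            problems.append(f"keys {k0} and {k1} start {t1 - t0} apart; keep at least 30 minutes")
    return problems


def active_key(keys, now):
    """The key TCP uses at 'now': the latest start-time that is not in the future."""
    started = [k for k in keys if parse_start(k["start"]) <= now]
    return max(started, key=lambda k: parse_start(k["start"]), default=None)


def demo():
    r2_keys = mirror_for_peer(R1_KEYS)
    # a deliberately bad key: reuses key 0's IDs and starts only 10 minutes after it
    bad = R1_KEYS + [dict(R1_KEYS[0], key=2, start="2024-01-01.00:10")]
    return {
        "r1": render("new_auth_key", R1_KEYS),
        "r2": render("new_auth_key", r2_keys),
        "r1_problems": lint(R1_KEYS),
        "r2_problems": lint(r2_keys),
        "bad_problems": lint(bad),
        "active_at_0030": active_key(R1_KEYS, datetime(2024, 1, 1, 0, 30))["key"],
        "active_at_0130": active_key(R1_KEYS, datetime(2024, 1, 1, 1, 30))["key"],
    }


if __name__ == "__main__":
    for line in demo()["r1"] + demo()["r2"]:
        print(line)
    print(demo()["bad_problems"])
```

The lint flags cross-key reuse of an ID but not a key whose own send-id equals its recv-id, since the page only forbids reuse by another key in the same keychain; tighten that if your deployment wants the two spaces disjoint. The active-key selection models the timestamp check in Figure 1 and is the quickest way to see which key a freshly established session will start with.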

To display information about existing keychains (if any) from the operational mode, use the show security keychain command. Here’s a sample output:

Example: Authenticate BGP Session Using TCP Authentication Option (TCP-AO)

SUMMARY This example shows you how to authenticate a BGP session using a TCP Authentication Option (TCP-AO) keychain.

Requirements

This example uses the following hardware and software components:

  • MX Series or PTX Series routers.

  • Junos OS Release 20.3R1 or later version.

  • A keychain named new_auth_key. See Configure a Keychain (TCP-AO).

Overview

BGP uses TCP as its transport protocol. TCP authentication option (TCP-AO) is a method you can use to authenticate BGP sessions. You can apply a TCP-AO keychain at the BGP neighbor or group levels of the configuration hierarchy.

Topology

Figure 2: Topology for BGP Authentication

Configuration

In this example, you associate the TCP-AO authentication-key-chain new_auth_key and authentication algorithm ao on both devices to authenticate a BGP session.

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

R1

R2

Associate TCP-AO to BGP to Authenticate a Session

Step-by-Step Procedure
  1. Enter configuration mode.

  2. Configure basic settings on both devices: the interface IP address and description, a loopback address, the router ID and the autonomous system number.

    R1

    R2

  3. Configure an EBGP session between R1 and R2.

    R1

    R2

  4. Associate the authentication-key-chain new_auth_key and the authentication-algorithm ao to the BGP session on both devices.

    R1

    R2

  5. Enter commit from configuration mode on both devices.

    Once you commit the configuration statements on both devices, the BGP session should establish using the TCP-AO authentication method.

Results

Confirm your configurations by using the show interfaces, show routing-options, and show protocols commands from configuration mode.

user@R1# show interfaces

user@R1# show routing-options

user@R1# show protocols

Verification

Verify BGP Session Establishment
Purpose

Confirm BGP session establishment output after enabling TCP-AO.

Action

View a BGP summary of BGP session state with the show bgp summary operational mode command.

Meaning

The sample output shows the peer's Up/Dwn timer at 1:19, meaning BGP established the session 1 minute 19 seconds ago using TCP-AO authentication. If the peer instead stays in Active or Connect, check that both devices use the same secret and that the send-id and recv-id values are swapped on the peer: with mismatched TCP-AO parameters the TCP handshake itself fails, so BGP never reaches Established.

Verify the BGP Session Is Using TCP-AO
Purpose

Verify a BGP neighbor is authenticated with the TCP-AO keychain.

Action

Use the show bgp neighbor neighbor command to view configuration details for BGP peers. To filter only authentication-specific details in the output, use the pipe (|) function and match on authentication, as shown:

Meaning

The output indicates that the authentication keychain new_auth_key and the authentication algorithm ao are applied to the BGP neighbor 192.0.2.2.

Example: Authenticate LDP Session Using TCP Authentication Option (TCP-AO)

SUMMARY This example shows you how to authenticate an LDP session using a TCP Authentication Option (TCP-AO) keychain.

Requirements

This example uses the following hardware and software components:

  • MX Series or PTX Series routers.

  • Junos OS Release 20.3R1 or later version.

  • A keychain named new_auth_key. See Configure a Keychain (TCP-AO).

Overview

Label Distribution Protocol (LDP) is an MPLS signaling protocol. It allows routers to establish label-switched paths (LSPs) through a network. TCP-AO helps enhance the security of sessions created among LDP peers.

Topology

Figure 3: Topology for LDP Configuration

Configuration

In this example you associate the TCP-AO authentication-key-chain new_auth_key and authentication algorithm ao to both devices to authenticate their LDP session.

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

R1

R2

Associate TCP-AO with LDP to Authenticate the TCP Session

Step-by-Step Procedure
  1. Enter configuration mode.

  2. Configure basic settings on R1 and R2: the device interface and its description, a loopback address, the router ID and the autonomous system number.

    R1

    R2

  3. Configure MPLS and LDP on both devices.

    R1

    R2

  4. Configure an interior gateway protocol (IGP) (OSPF) to advertise loopback address reachability.

    R1

    R2

  5. Associate the authentication-key-chain new_auth_key and the authentication-algorithm ao with the LDP session to the peer, identified by the peer's label space ID, on both R1 and R2.

    R1

    R2

  6. Enter commit from the configuration mode on both devices.

Results

Confirm your configuration by using the show interfaces, show routing-options, and show protocols commands from configuration mode.

user@R1# show interfaces

user@R1# show routing-options

user@R1# show protocols

Verification

Verify LDP Session

Purpose

Verify LDP session establishment with TCP-AO.

Action

Use the show ldp session detail operational mode command to verify the LDP session has been correctly established.

Meaning

The output indicates that the LDP session has been established. If the session does not come up, verify that the keychain parameters match on both peers (same secret and algorithm, send-id and recv-id swapped) before troubleshooting LDP itself, because a TCP-AO mismatch prevents the underlying TCP connection from opening.