Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

TCP Authentication Option (TCP-AO)

SUMMARY Learn about TCP Authentication Option (TCP-AO) for BGP and LDP sessions.

TCP-AO for BGP and LDP Sessions

The BGP and LDP protocols use TCP for transport. TCP-AO is a new authentication method proposed through RFC5925, The TCP Authentication Option to enhance the security and authenticity of TCP segments exchanged during BGP and LDP sessions. It also supports both IPv4 and IPv6 traffic.

Benefits of TCP-AO

TCP-AO provides the following benefits over TCP MD5:

  • Stronger algorithms—Supports multiple stronger authentication algorithms such as HMAC-SHA-1-96 and AES-128-CMAC-96 (mandated by RFC5925, The TCP Authentication Option). HMAC-SHA-1-96 is a hash-based MAC and AES-128-CMAC-96 is a cipher-based MAC, thus making the message digest more complex and secure than the digest created by using the MD5 algorithm.

  • Two-Fold security—In the TCP-AO method, the configured Authentication algorithm is used in two stages: Once to generate an internal traffic key from a user-configured key and then to generate a message digest using the generated traffic key, whereas in the TCP MD5 method, the MD5 algorithm generates a message digest using its user-configured key.

  • Better Key Management and Agility—You can configure up to 64 keys for a session and you can add them at any time during the lifetime of a session. It provides a simple key coordination mechanism by giving the ability to change keys (move from one key to another) within the same connection without causing any TCP connection closure. Changing TCP MD5 keys during an established connection might cause a flap or restart in the connection.

  • Suitable for long-lived connections—More suitable for long-lived connections for routing protocols such as BGP and LDP and across repeated instances of a single connection.

What is TCP-AO?

TCP-AO provides a framework to:

  • Support multiple stronger algorithms, such as HMAC-SHA1 and AES-128 to create an internal traffic key and message digest.

  • Add a new user-configured key to re-generate internal traffic keys for an established connection and a mechanism to synchronize key change between BGP or LDP peers.

In earlier releases, Junos devices only supported the TCP MD5 authentication method for BGP and LDP sessions. The MD5 method supports only the MD5 algorithm, which is less secure than TCP-AO. In addition, changing a MD5 key normally disrupts the TCP session, unlike TCP-AO. TCP MD5 is defined in RFC2385, Protection of BGP Sessions via the TCP MD5 Signature Option. For more information about TCP MD5, see TCP.

Note:
  • While Junos devices support both the TCP-AO and TCP MD5 authentication methods, you cannot use both at the same time for a given connection.

  • TCP-AO supports Nonstop Active Routing.

The following diagram explains the difference between TCP-AO and TCP MD5 authentication. The first flow shows the configuration and processing flow for TCP-AO and the second flow shows the configuration and processing flow for TCP-MD5.

Figure 1: TCP-AO in comparison with TCP MD5TCP-AO in comparison with TCP MD5

Below is an explanation of the processing flows shown in Figure 1:

  • TCP-AO—The user has configured two keys in the keychain (key 0 and key 1) with all required parameters. The keychain supports two algorithms: HMAC SHA1 and AES-128 (mandated per RFC5925). TCP fetches key 0, which is the key that is currently active, as shown by the timestamp in the figure. In the example, key 0 is configured with HMAC-SHA1.

    SHA1 takes the “secret” (from the key 0 configuration) and connection specific parameters for encryption and generates an internal traffic key.

    SHA1 again encrypts the internal traffic key and the TCP segment to generate the message digest. The digest is copied to the TCP-AO MAC field of the TCP-AO option in the TCP segment. The segment is then sent to the receiving device.

  • TCP-MD5—The user has configured a single key because TCP MD5 option supports only one key for a connection. Further, it only supports the MD5 algorithm. The MD5 algorithm takes the “secret” from the key and the TCP segment for encryption and generates a message digest. This message digest is then copied to MD5 digest field in the TCP segment and is sent to the receiving device.

Configuration

First, configure a keychain. Then apply TCP-AO to the BGP or LDP session.

To configure a keychain for TCP-AO (with one key), configure the following statement at the [edit security] hierarchy level.

To apply TCP-AO to a BGP session (with the configured keychain), configure the following statement at the [edit protocols] hierarchy level.

To apply TCP-AO to an LDP session (with the configured keychain), configure the following statement at the [edit protocols] hierarchy level.

Example: Configure a Keychain (TCP-AO)

SUMMARY This example shows you how to create a TCP-AO keychain to authenticate a BGP or LDP session.

This example uses the following hardware and software components:

  • MX Series or PTX Series routers.

  • Junos OS Release 20.3R1 or later version.

This example shows you how to create a TCP-AO keychain to authenticate a BGP or LDP session.

In this example, you can create a keychain new_auth_key with two keys, key 0 and key 1 on devices R1 and R2.

  1. To create a keychain new_auth_key with the first key, (key 0):
    Note:

    Copy the following commands, paste them into a text file, remove any line breaks and change any details necessary to match your network configuration, copy and paste the commands into the CLI.

    R1

    R2 (with send-id and recv-id values reversed)

    Consider the following parameters while configuring a keychain:

    Table 1: Keychain Parameters

    Parameter

    Description

    key-chain

    Enter a unique name.

    key

    Enter a unique key ID.

    secret

    Enter a unique password.

    start-time

    Enter a unique time in YYYY-MM-DD.HH:MM format to specify the start time of the key.

    algorithm

    Enter algorithm ao.

    send-id and recv-id

    Enter any two numbers between 0 and 255. You must not use these numbers for any other key within that keychain.

    cryptographic-algorithm

    Choose either hmac-sha-1-96 or aes-128-cmac-96.

    tcp-ao-option

    Choose enabled to enable the TCP-AO option.

  2. To add another key (key 1), after creating key 0:

    R1

    R2 (with send-id and recv-id values reversed)

  3. Enter commit from configuration mode on both devices to activate your changes.
  4. To verify the keychain new_auth_key with the 2 keys configured, use the show security authentication-key-chains command from configuration mode.

    The following is sample output based on this example:

You have successfully created a keychain!

To delete a keychain, use the delete security authentication-key-chains key-chain key-chain-name command from configuration mode.

Note:
  • You can associate only one TCP-AO keychain with a BGP or LDP session during its life-time. You cannot point another keychain to the session in its life-time.

  • We recommend a minimum interval of 30 minutes between the start-time of any two subsequent keys within a keychain.

  • Once a keychain is configured and in use by a TCP connection, you cannot change the send-id or recv-id values of its active key. However, you can change the other parameters in the key, and any new connection associated with the updated keychain will take the updated parameters for its connection establishment.

  • Starting in Junos OS Release 21.2R1, you can use the tcpao-auth-mismatch allow-without-tcpao to allow the connection establishment without TCP-AO if any one TCP endpoint does not have TCP-AO configured on it.

To display information about existing keychains (if any) from the operational mode, use the show security keychain command. Here is sample output:

Example: Use TCP-AO to Authenticate a BGP Session

SUMMARY This example shows you how to authenticate a BGP session using a TCP Authentication Option (TCP-AO) keychain.

Requirements

This example uses the following hardware and software components:

  • MX Series or PTX Series routers.

  • Junos OS Release 20.3R1 or later version.

  • Configure a keychain new_auth_key. See Configure a Keychain (TCP-AO).

Overview

BGP uses TCP as its transport protocol. TCP-AO is a method you can use to authenticate BGP sessions. You can apply a TCP-AO keychain at the BGP neighbor or at BGP group levels of the configuration hierarchy.

Topology

Figure 2: Topology for BGP AuthenticationTopology for BGP Authentication

Configuration

In this example, you associate the TCP-AO authentication keychain new_auth_key and authentication algorithm ao on both devices to authenticate a BGP session.

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI.

R1

R2

Step-By-Step Procedure

  1. Enter configuration mode.

  2. Configure basic settings such as the interface IP address, interface description, a loopback address, router-ID, AS number on both devices.

    R1

    R2

  3. Configure an EBGP between R1 and R2.

    R1

    R2

  4. Associate the authentication keychain new_auth_key and the authentication algorithm ao to the BGP session on both devices.

    R1

    R2

  5. Enter commit from configuration mode on both devices.

    Once you commit the configurations statements on both devices the BGP session should establish using the TCP-AO authentication method.

Results

Confirm your configurations by using the show interfaces, show routing-options, and show protocols commands from configuration mode.

user@R1# show interfaces

user@R1# show routing-options

user@R1# show protocols

Verification

Verify BGP Session Establishment
Purpose

Confirm BGP session establishment output after enabling TCP-AO.

Action

View a BGP summary of BGP session state with the show bgp summary operational mode command.

Meaning

The highlighted output values indicate that BGP has successfully established a session with the TCP-AO authentication method 1:19 minute ago.

Verify BGP Session is Using TCP-AO
Purpose

Verify a BGP neighbor is authenticated with the TCP-AO keychain.

Action

Use the show bgp neighbor neighbor command to view configuration details for BGP peers. To filter only authentication-specific details in the output, use the pipe (|) function and match on authentication, as shown:

Meaning

The output indicates that authentication keychain new_auth_key and Authentication algorithm ao is applied to the BGP neighbor 192.0.2.2.

Example: Use TCP-AO to Authenticate an LDP Session

SUMMARY This example shows you how to authenticate an LDP session using a TCP Authentication Option (TCP-AO) keychain.

Requirements

This example uses the following hardware and software components:

  • MX Series or PTX Series routers.

  • Junos OS Release 20.3R1 or later version.

  • Configure a keychain new_auth_key. See Configure a Keychain (TCP-AO).

Overview

Label Distribution Protocol (LDP) is an MPLS signaling protocol. It allows routers to establish label-switched paths (LSPs) through a network. TCP-AO helps enhance the security of sessions created among LDP peers.

Figure 3: Topology for LDP ConfigurationTopology for LDP Configuration

Configuration

In this example, you associate the TCP-AO authentication keychain new_auth_key and authentication algorithm ao to both devices to authenticate their LDP session.

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI.

R1

R2

Step-By-Step Procedure

  1. Enter configuration mode.

  2. Configure basic setup such as device interface, loopback, interface description, router ID, AS number on R1 and R2.

    R1

    R2

  3. Configure MPLS and LDP on both devices.

    R1

    R2

  4. Configure an interior gateway protocol (IGP) to advertise loopback address reachability. In this example, we configure OSPF.

    R1

    R2

  5. Associate authentication-key-chain new_auth_key and authentication-algorithm ao with the label space ID of R1 and R2.

    R1

    R2

  6. Enter commit from the configuration mode on both devices.

Results

Confirm your configuration by using the show interfaces, show routing-options and show protocols commands.

user@R1# show interfaces

user@R1# show routing-options

user@R1# show protocols

Verification

Verify LDP Session

Purpose

Verify LDP session Establishment with TCP-AO.

Action

Use the show ldp session detail operational mode command to verify the LDP session is correctly established.

Meaning

The output indicates that LDP session is established.

Example: Use TCP-AO to Authenticate RPKI Validation Sessions

Overview

Resource Public Key Infrastructure (RPKI) is a public key infrastructure framework that is designed to secure the Internet's routing infrastructure, specifically the BGP. RPKI provides a way to connect Internet number resource information, such as IP Addresses, to a trust anchor. By using RPKI, legitimate holders of number resources are able to control the operation of Internet routing protocols to prevent route hijacking and other attacks.

Starting in Junos OS Release 22.2R1, you can authenticate RPKI sessions by using TCP Authentication Option (TCP-AO) and keychain.

This example shows you how to authenticate an RPKI validation session using a TCP-AO keychain. We'll be establishing an authenticated RPKI session between a client device (R1) and a server (R2).

Requirements

This example uses the following hardware and software components:

  • 2 MX Series routers
  • Junos OS Release 22.2R1 or later version.

Topology

Figure 4: Topology for Authenticated RPKI SessionTopology for Authenticated RPKI Session

Configuration

In this example, you must associate the TCP-AO authentication keychain new_auth_key and authentication algorithm ao on both devices to authenticate an RPKI connection.

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI.

R1

R2

Step-By-Step Procedure

  1. Configure basic settings such as, interfaces, a loopback address, router-ID, and AS number on both devices. On R2, we configure logical systems interface for the server.

    R1

    R2

  2. Configure a TCP session on the client device (R1) with the RPKI server (R2) with an alternative TCP port number.

    R1

  3. On the server R2, configure an RPKI session with the client R1 for origin validation.

  4. Create a keychain new_auth_key with the first key, (key 0):

    R1

    R2 (with send-id and recv-id values reversed)

  5. To add another key (key 1), after creating key 0:

    R1

    R2 (with send-id and recv-id values reversed)

  6. Apply the configured keychain new_auth_key and authentication algorithm ao on both R1 and R2.

    R1

    R2

  7. Enter commit from configuration mode on both devices to activate your changes.

  8. To verify the keychain new_auth_key with the two keys configured, use the show security authentication-key-chains command from configuration mode.

Results

Check the results of the keychain configuration on R1:

user@R1# show security authentication-key-chains

Confirm the remaining configurations applied on R1 by using the following commands:

user@R1# show interfaces

user@R1# show routing-options

Verification

Purpose

Verify the session is established with TCP-AO keychain and algorithm configured on both the peers.

Action

View a validated session by using the show validation session 192.168.12.2 detail operational mode command.

Meaning

The output indicates the session is up with the configured keychain new_auth_key.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
22.4R1
Starting in Junos OS Evolved Release 22.4R1, you can configure TCP-AO or TCP MD5 authentication with an IP subnet to include the entire range of addresses under that subnet.
22.4R1
Starting in Junos OS Evolved Release 22.4R1, TCP authentication is VRF aware.