Authentication for Routing Protocols

You can configure an authentication method and password for routing protocol messages for many routing protocols, including BGP, IS-IS, OSPF, RIP, and RSVP. To prevent the exchange of unauthenticated or forged packets, routers must ensure that they form routing protocol relationships (peering or neighboring relationships) only with trusted peers. One way of doing this is by authenticating routing protocol messages. Neighboring routers use the password to verify the authenticity of packets sent by the protocol from the router or from a router interface.

This topic provides a high-level overview and some basic examples for authenticating routing protocols. For detailed information about configuring authentication for a specific routing protocol, see the user guide for that protocol.

Authentication Methods for Routing Protocols

Some routing protocols—BGP, IS-IS, OSPF, RIP, and RSVP—enable you to configure an authentication method and password. Neighboring routers use the password to verify the authenticity of packets that the protocol sends from the router or from a router interface. The following authentication methods are supported:

  • Simple authentication (IS-IS, OSPF, and RIP)—Uses a simple text password. The receiving router uses an authentication key (password) to verify the packet. Because the password is included in the transmitted packet, this method of authentication is relatively insecure. We recommend that you avoid using this authentication method.

  • MD5 and HMAC-MD5 (BGP, IS-IS, OSPF, RIP, and RSVP)—MD5 creates an encoded checksum that is included in the transmitted packet. HMAC-MD5, which combines HMAC authentication with MD5, adds the use of an iterated cryptographic hash function. With both types of authentication, the receiving router uses an authentication key (password) to verify the packet. HMAC-MD5 authentication is defined in RFC 2104, HMAC: Keyed-Hashing for Message Authentication.

In general, authentication passwords are text strings consisting of some maximum number of letters and digits. Passwords can include any ASCII characters. If you include spaces in a password, enclose all characters in quotation marks (" ").

Example: Configure the Authentication Key for BGP and IS-IS Routing Protocols

The main task of a router is to use its routing and forwarding tables to forward user traffic to its intended destination. Attackers can send forged routing protocol packets to a router with the intent of changing or corrupting the contents of its routing table or other databases, which in turn can degrade the functionality of the router and the network. To prevent such attacks, routers must ensure that they form routing protocol relationships (peering or neighboring relationships) only with trusted peers. One way of doing this is by authenticating routing protocol messages. We strongly recommend using authentication when configuring routing protocols.

Junos OS Evolved supports HMAC-MD5 authentication for BGP, IS-IS, OSPF, RIP, and RSVP. HMAC-MD5 uses a secret key combined with the data being transmitted to compute a hash. The computed hash is transmitted along with the data. The receiver uses the matching key to recompute and validate the message hash. If an attacker has forged or modified the message, the hash will not match, and the data is discarded.

In the following examples, we configure BGP as the exterior gateway protocol (EGP) and IS-IS as the interior gateway protocol (IGP). If you use OSPF, configure it similarly to the IS-IS configuration shown.

Configure BGP

The following example shows the configuration of a single authentication key for the different BGP peer groups. You can also configure BGP authentication at the neighbor or routing instance levels, or for all BGP sessions. As with any security configuration, there is a trade-off between the degree of granularity (and to some extent, the degree of security) and the amount of management necessary to maintain the system.

This example also configures a number of tracing options for routing protocol events and errors, which can be good indicators of attacks against routing protocols. These events include protocol authentication failures, which might point to an attacker. The attacker may be sending spoofed or otherwise malformed routing packets to the router in an attempt to elicit a particular behavior.

Configure IS-IS

Although Junos OS Evolved supports authentication for all IGPs, some IGPs are inherently more secure than others. Most service providers use OSPF or IS-IS to allow fast internal convergence and scalability and to use traffic engineering capabilities with MPLS. Because IS-IS does not operate at the network layer, it is more difficult to spoof than OSPF. OSPF is encapsulated in IP and is therefore subject to remote spoofing and denial of service (DoS) attacks.

The following example configures authentication for IS-IS. It also configures a number of tracing options for routing protocol events and errors, which can be good indicators of attacks against routing protocols. These events include protocol authentication failures, which might point to an attacker. The attacker may be sending spoofed or otherwise malformed routing packets to the router in an attempt to elicit a particular behavior.

Configure the Authentication Key Update Mechanism for Routing Protocols

You can configure an authentication key update mechanism for the BGP, LDP, and IS-IS routing protocols. This mechanism enables you to update authentication keys without interrupting associated routing and signaling protocols such as OSPF and RSVP.

To configure this feature, include the authentication-key-chains statement at the [edit security] hierarchy level. To apply the key chain, you must configure the key chain identifier and the key chain algorithm at the appropriate hierarchy level for the protocol.

The following sections provide more information about configuring authentication key updates for routing protocols. For detailed information about configuring authentication key updates for a specific routing protocol, see the user guide for that protocol.

Configure Authentication Key Updates

To configure the authentication key update mechanism, include the key-chain statement at the [edit security authentication-key-chains] hierarchy level, and specify the key option to create a keychain consisting of several authentication keys.

key-chain—Assign a name to the keychain mechanism. You reference this name at the appropriate hierarchy levels for the protocol to associate unique authentication key-chain attributes, as specified using the following options:

  • algorithm—Authentication algorithm for IS-IS.

  • key—Integer value that uniquely identifies each key within a keychain. The range is from 0 through 63.

  • options—(IS-IS only) Transmission encoding format for the message authentication code carried in routing protocol packets.

  • secret—Password in encrypted text or plain text format. Even if you enter the secret in plain-text format, it is always displayed in encrypted format.

  • start-time—Start time for authentication key transmission, specified in UTC. The start time must be unique within the keychain.
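To make the mechanism concrete, the following is an added Python model, not Junos OS code and not from this page, of the HMAC-MD5 packet authentication described above combined with a key chain whose keys take over by start-time, as the options just listed describe. The wire format (key identifier, payload, 16-byte MAC), the `tolerance` grace window during which the receiver still accepts the superseded key, and the sample keys and times are assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Key:
    key_id: int           # unique within the chain, 0 through 63
    secret: bytes
    start_time: datetime  # UTC; unique within the chain

class KeyChain:
    def __init__(self, keys, tolerance):
        ids = {k.key_id for k in keys}
        if len(ids) != len(keys) or not ids <= set(range(64)) or len({k.start_time for k in keys}) != len(keys):
            raise ValueError("key identifiers (0..63) and start-times must be unique within the keychain")
        self.keys = sorted(keys, key=lambda k: k.start_time)
        self.tolerance = tolerance  # assumed grace window (not on the page) for accepting the superseded key

    def send_key(self, now):
        """Transmit with the latest key whose start-time is not in the future (ValueError if none)."""
        return max((k for k in self.keys if k.start_time <= now), key=lambda k: k.start_time)

    def accepted_keys(self, now):
        """Accept the current key, plus its predecessor while the changeover is within tolerance."""
        current = self.send_key(now)
        idx = self.keys.index(current)
        grace = idx > 0 and now - current.start_time < self.tolerance
        return [current] + ([self.keys[idx - 1]] if grace else [])

def mac(key, payload):
    # HMAC-MD5 (RFC 2104) over the key identifier and the payload; 16-byte digest
    return hmac.new(key.secret, bytes([key.key_id]) + payload, hashlib.md5).digest()

def send(chain, payload, now):
    key = chain.send_key(now)
    return bytes([key.key_id]) + payload + mac(key, payload)  # wire format: id | payload | MAC

def receive(chain, packet, now):
    """Return the payload if the MAC verifies under an accepted key, otherwise None (discard)."""
    key_id, payload, digest = packet[0], packet[1:-16], packet[-16:]
    for key in chain.accepted_keys(now):
        if key.key_id == key_id and hmac.compare_digest(mac(key, payload), digest):
            return payload
    return None

# Constructed sample chain: key 1 is superseded by key 2 at 12:00 UTC, with a one-hour grace window.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
at = lambda hours: T0 + timedelta(hours=hours)  # helper: UTC time `hours` after T0
CHAIN = KeyChain([Key(1, b"old-secret", at(0)), Key(2, b"new-secret", at(12))], timedelta(hours=1))
```

A packet authenticated with the old key is still accepted shortly after the new key's start-time, while a modified payload, a mismatched key identifier, or a key outside the window is discarded.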

Configure BGP and LDP for Authentication Key Updates

To configure the authentication key update mechanism for the BGP and LDP routing protocols, include the authentication-key-chain statement within the [edit protocols (bgp | ldp)] hierarchy level. Including the authentication-key-chain statement associates each routing protocol with the [edit security authentication-key-chains] authentication keys. You must also configure the authentication-algorithm statement and specify the algorithm. For example:

Note:

When configuring the authentication key update mechanism for BGP, you cannot commit the 0.0.0.0/allow statement with authentication keys or keychains. If you try this action, the CLI issues a warning, and the commit fails.