- Controlling the Time-to-Live (TTL) on BGP packets.
- Limiting the number of prefixes received.
- Preventing BGP updates that contain private AS numbers.
- Extreme measures for securing communications between BGP peers.

The following sections briefly describe each of these methods. More extreme measures that are not frequently used are also briefly mentioned later in this chapter.

One technique for securing BGP sessions is the concept that BGP sessions must be configured on each peering router. Peering is done explicitly by both BGP speakers. Therefore, a router will not form a peering session with another router that it has not been configured to peer with, and both peers mutually agree upon the BGP settings. A BGP peering session is not established if only one router is configured. There must be complementary configurations on each side for communications to take place.

BGP communications take place over TCP, so the protocol must rely on a properly configured IP-layer foundation. BGP uses TCP port 179, so it has some inherent security in the fact that it is a connection-oriented protocol. TCP session state is maintained between the two peers. The fact that BGP is a stateful transport layer routing protocol would normally provide some level of security, but it is also one of BGP's weaknesses. Attackers can spoof BGP packets and send them toward one of the BGP routers, or they could attack the TCP peering session between two BGP routers. Threats against long-lived TCP sessions involve TCP session hijacking using sequence number prediction to reset one of the peers. One solution to this problem is to have BGP implementations use strong sequence number randomization. Guessing the next sequence number or acknowledgment (ACK) number then becomes difficult and improbable.

One of the most widely used methods of securing BGP communications is to use a shared secret (password). RFC 2385, "Protection of BGP Sessions via the TCP MD5 Signature Option," defines how a simple password can be used with a message digest algorithm 5 (MD5) digest inserted into the BGP packets. This digest adds authentication to BGP and helps prevent an attacker from spoofing a BGP peer. Even though it is a best practice to use a different password for every peering session, this can be difficult to maintain. Regardless, it is unwise to use the same secret password for all peering sessions. As they say, it is not a secret if you tell a bunch of people. RFC 3562, "Key Management Considerations for the TCP MD5 Signature Option," defines how a centralized system can maintain the security of the keys for all organizations. On a Cisco router, the password is assigned at the time that the neighbor is configured.
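The following is an added example, not code from the chapter or from Cisco, showing what the RFC 2385 signature actually covers and why a per-session key bounds the damage of a leaked password. It signs a constructed BGP KEEPALIVE between two peers in the 192.0.2.0/24 documentation range with a constructed key, then runs the receiver-side check against the same bytes arriving from a spoofed source address, signed with a different session's key, tampered, and unsigned. The two-NOP padding that aligns the 18-byte option to a 4-byte boundary is the alignment the Linux stack uses; the key values, addresses and ports are assumptions for the demonstration.

```python
import hashlib
import hmac
import ipaddress
import struct

# RFC 2385 option: kind 19, length 18 (kind + length + 16-byte MD5 digest).
TCPMD5_KIND = 19
TCPMD5_LEN = 18
TCP_PROTO = 6


def tcp_md5_digest(src_ip, dst_ip, base_hdr, payload, key):
    """RFC 2385 digest over, in order: the IPv4 pseudo-header, the 20-byte TCP
    header with options excluded and the checksum zeroed, the segment data,
    and finally the shared key."""
    if len(base_hdr) != 20:
        raise ValueError("base_hdr must be the 20-byte TCP header without options")
    header_len = (base_hdr[12] >> 4) * 4      # data offset in bytes, options included
    seg_len = header_len + len(payload)       # pseudo-header length counts the whole segment
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    zeroed = base_hdr[:16] + b"\x00\x00" + base_hdr[18:]   # checksum field sits at offset 16
    return hashlib.md5(pseudo + zeroed + payload + key).digest()


def build_signed_segment(src_ip, dst_ip, src_port, dst_port, seq, ack, flags, payload, key):
    """Build a TCP segment carrying the RFC 2385 option. Two NOPs pad the
    18-byte option to 20 bytes, so the header is 40 bytes (data offset 10).
    The TCP checksum is left zero here; it is not covered by the digest."""
    doff_flags = (10 << 12) | flags
    base_hdr = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, doff_flags, 65535, 0, 0)
    digest = tcp_md5_digest(src_ip, dst_ip, base_hdr, payload, key)
    options = b"\x01\x01" + bytes([TCPMD5_KIND, TCPMD5_LEN]) + digest
    return base_hdr + options + payload


def extract_md5_option(options):
    """Walk the TCP option list and return the 16-byte digest, or None if absent."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                          # end of option list
            return None
        if kind == 1:                          # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            return None                        # malformed option: treat as unsigned
        length = options[i + 1]
        if kind == TCPMD5_KIND and length == TCPMD5_LEN and i + length <= len(options):
            return options[i + 2:i + length]
        i += length
    return None


def verify_signed_segment(src_ip, dst_ip, segment, key):
    """Receiver-side check: True only if the segment carries the option and the
    digest matches this peer's key. RFC 2385 requires a failing or missing
    digest to drop the segment without sending anything back."""
    header_len = (segment[12] >> 4) * 4
    base_hdr, options, payload = segment[:20], segment[20:header_len], segment[header_len:]
    received = extract_md5_option(options)
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, base_hdr, payload, key)
    return hmac.compare_digest(received, expected)


def demo():
    """Constructed scenario: one genuine KEEPALIVE, then the cases a receiver
    must reject. Only the genuine segment should verify."""
    peer_a, peer_b = "192.0.2.1", "192.0.2.2"
    session_key = b"example-ab-key"        # constructed: key for the A<->B session
    other_key = b"example-ac-key"          # constructed: key of a different peering session
    keepalive = b"\xff" * 16 + struct.pack("!HB", 19, 4)   # BGP marker, length 19, type 4
    ack_flag = 0x10
    seg = build_signed_segment(peer_a, peer_b, 40000, 179, 1000, 2000, ack_flag, keepalive, session_key)
    unsigned = struct.pack("!HHIIHHHH", 40000, 179, 1000, 2000, (5 << 12) | ack_flag, 65535, 0, 0) + keepalive
    return {
        "genuine": verify_signed_segment(peer_a, peer_b, seg, session_key),
        "spoofed_source": verify_signed_segment("198.51.100.7", peer_b, seg, session_key),
        "wrong_key": verify_signed_segment(peer_a, peer_b, seg, other_key),
        "tampered": verify_signed_segment(peer_a, peer_b, seg[:-1] + b"\x05", session_key),
        "unsigned": verify_signed_segment(peer_a, peer_b, unsigned, session_key),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:15s} accepted={ok}")
```

Because the source and destination addresses are part of the pseudo-header, a segment replayed from another address fails even with a valid key, and because the key is the last item hashed, a segment signed under one session's password fails on every other session; that is the practical reason the chapter recommends a distinct password per peering. On IOS the key is entered per neighbor with `neighbor <address> password <secret>` under `router bgp`, which is what "assigned at the time that the neighbor is configured" refers to. RFC 2385 has since been obsoleted by TCP-AO (RFC 5925), which keeps the same per-segment idea with stronger algorithms and key rollover.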