
Configuring BGP Security - Huawei Quidway NetEngine80E Configuration Manual

Universal service router, ip routing

HUAWEI NetEngine80E/40E Router
Configuration Guide - IP Routing
KeepAlive messages 1
Notification messages 0
Refresh messages 0
Authentication type configured: None
Last keepalive received: 2012-03-06 19:17:37 UTC-8:00
Last keepalive sent    : 2012-03-06 19:17:37 UTC-8:00
Last update    received: 2012-03-06 19:17:43 UTC-8:00
Last update    sent    : 2012-03-06 19:17:37 UTC-8:00
Minimum route advertisement interval is 15 seconds
Optional capabilities:
Route refresh capability has been enabled
4-byte-as capability has been enabled
Peer Preferred Value: 0
Routing policy configured:
No routing policy is configured

8.23 Configuring BGP Security

Authentication can be implemented during the establishment of a TCP connection to enhance
BGP security.
8.23.1 Before You Start
Before configuring BGP security, familiarize yourself with the usage scenario, complete the
pre-configuration tasks, and obtain the data required for the configuration.
Applicable Environment
Message digest 5 (MD5) authentication, keychain authentication, or Generalized TTL Security
Mechanism (GTSM) can be configured on a BGP network to enhance BGP security.
Issue 02 (2014-09-30)
NOTE
By default, authentication is not configured for BGP. Configuring authentication is recommended to ensure
system security.
MD5 authentication
BGP uses TCP as the transport protocol and considers a packet valid as long as the source
address, destination address, source port, destination port, and TCP sequence number of
the packet are correct. Most parameters in a packet can be easily obtained by attackers. To
protect BGP against attacks, MD5 authentication can be used during TCP connection
establishment between BGP peers to reduce the possibility of attacks.
To prevent the MD5 password set on a BGP peer from being decrypted, you need to update
the MD5 password periodically.
Keychain authentication
A keychain consists of multiple authentication keys, each of which contains an ID and a
password. Each key has a lifecycle. Based on the lifecycle of each key, different
authentication keys can be selected dynamically from the keychain. After keychains with the
same rules are configured on the two ends of a BGP connection, the keychains can dynamically
select authentication keys to enhance BGP attack defense.
BGP GTSM
The Generalized TTL Security Mechanism (GTSM) prevents attacks by checking the TTL of
received packets. If an attacker forges BGP packets and sends a large number of them to
a router, an interface through which the router receives the packets directly sends the
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
8 BGP Configuration
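
Keychain authentication, as described above, only works if both ends select the same key at every moment. The following is an added example, not taken from the Huawei manual and not the router's own selection algorithm, that audits two constructed keychains for time windows in which the peers could not authenticate. The single validity window per key, the lowest-ID tie-break, and all key IDs, passwords and dates are assumptions.

```python
from datetime import datetime, timedelta

T0 = datetime(2014, 1, 1)  # constructed reference date

def mk(key_id, password, start_day, end_day):
    """Build one key: (ID, password, valid_from, valid_until). Assumed model."""
    return (key_id, password, T0 + timedelta(days=start_day), T0 + timedelta(days=end_day))

# Constructed sample keychains for the two ends of one BGP connection.
ROUTER_A = [mk(1, "alpha", 0, 30), mk(2, "bravo", 30, 60), mk(3, "charlie", 60, 90)]
# Router B: key 2 starts two days late and key 3 has a mistyped password.
ROUTER_B = [mk(1, "alpha", 0, 30), mk(2, "bravo", 32, 60), mk(3, "charlei", 60, 90)]

def active_key(chain, now):
    """Return (ID, password) of the key whose lifecycle covers `now`, else None."""
    live = [k for k in chain if k[2] <= now < k[3]]
    if not live:
        return None
    chosen = min(live, key=lambda k: k[0])  # assumption: lowest ID wins on overlap
    return (chosen[0], chosen[1])

def audit(chain_a, chain_b):
    """Return (start, end, reason) for each window where the peers disagree."""
    # The active key can only change at a lifecycle boundary, so checking the
    # start of each interval between consecutive boundaries is sufficient.
    edges = sorted({t for k in chain_a + chain_b for t in (k[2], k[3])})
    problems = []
    for start, end in zip(edges, edges[1:]):
        a, b = active_key(chain_a, start), active_key(chain_b, start)
        if a is None or b is None:
            reason = "no active key on one end"
        elif a[0] != b[0]:
            reason = "key ID mismatch"
        elif a[1] != b[1]:
            reason = "password mismatch"
        else:
            continue
        problems.append((start, end, reason))
    return problems

if __name__ == "__main__":
    for start, end, reason in audit(ROUTER_A, ROUTER_B):
        print(f"{start:%Y-%m-%d} -> {end:%Y-%m-%d}: {reason}")
```

Running an audit like this before a scheduled key rollover shows lifecycle gaps and typos while the session is still up.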
