
BGP Neighbor Authentication


Authentication of the BGP session matters because, without it, a router will accept a TCP connection on port 179, and the routes carried over it, from anyone who can reach that port. BGP uses MD5 authentication for this, the TCP MD5 Signature Option defined in RFC 2385: both peers are configured with the same password (key), and every TCP segment of the session carries an MD5 digest computed over the segment and that key. A router therefore only completes a session with, and accepts updates from, a peer that holds the same key. MD5 is no longer considered a strong hash and newer platforms also support TCP-AO (RFC 5925) for the same purpose, but MD5 is still the authentication available on practically every BGP speaker, so it is what is covered here.

What is BGP Protocol ?
BGP is the routing protocol used to exchange routes between two different AS (Autonomous Systems). Hope you remember the concept of an AS. I will not discuss the AS in this post; if you want to understand it, I will cover that in another post.

BGP is the Exterior Gateway Protocol used on the Internet to exchange routes between different ASes. Every ISP is assigned a public AS number (ASN). It is unique on the public Internet and is assigned by the same regional registries that assign public IP address space, under IANA.

These are public AS numbers. There are also private AS numbers, which are not routed on the public Internet. I will define the different AS number ranges in another article soon.

Fig 1.1-  BGP Neighbor Authentication


Configurations of the routers, one by one:

NDNA_R1 router Configurations 
router bgp 100
neighbor 10.10.10.2 remote-as 200
neighbor 20.20.20.2 remote-as 300
neighbor 10.10.10.2 password NDNATest1
neighbor 20.20.20.2 password NDNATest2

NDNA_R2 router Configurations 
router bgp 200
neighbor 10.10.10.1 remote-as 100
neighbor 30.30.30.2 remote-as 300
neighbor 10.10.10.1 password NDNATest1
neighbor 30.30.30.2 password NDNATest3

NDNA_R3 router Configurations 
router bgp 300
neighbor 20.20.20.1 remote-as 100
neighbor 30.30.30.1 remote-as 200
neighbor 20.20.20.1 password NDNATest2
neighbor 30.30.30.1 password NDNATest3


NDNATest1, NDNATest2 and NDNATest3 are the MD5 passwords for the respective neighbor pairs shown in the diagram above. The same password must be configured on both ends of a peering, which is why each password appears on exactly two routers: NDNATest1 on R1 and R2, NDNATest2 on R1 and R3, and NDNATest3 on R2 and R3.

When we configure MD5 authentication for BGP peers, the process is as follows:

BGP authentication uses MD5

  • Configure a key (password) on both peers. For every segment, the router computes an MD5 digest (hash) over the TCP pseudo-header, the TCP header, the segment data and the key. The digest is sent in a TCP option; the key itself is never sent on the wire.
  • The router generates the MD5 digest for every segment it sends on the TCP connection and checks the digest on every segment it receives.
  • Because every segment carries a digest, the router authenticates the source of each routing update it receives and also detects a segment that was modified in transit.

No password or different password on BGP Neighbor

If a router has a password configured for a neighbor but the neighbor router does not, a message such as the following is logged on the console while the routers attempt to establish the BGP session:

%TCP-6-BADAUTH: No MD5 digest from [peer's IP address]:11003 to [local router's IP address]:179

The following message is logged if the routers have different passwords configured:

%TCP-6-BADAUTH: Invalid MD5 digest from [peer's IP address]:11004 to [local router's IP address]:179

The port number after the peer's IP address (11003, 11004 here) is the ephemeral source port of the connection attempt, so it changes with every retry; 179 is the BGP port on the local router.

Note⭐: Make sure the same password is configured on both sides, otherwise the session will never reach Established. The password is case-sensitive. If you see either message above, compare the neighbor password on the two routers and correct the side that is wrong, then confirm with show ip bgp summary that the neighbor comes up.
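To make the digest computation and the two failure messages concrete, here is an added simulation of the RFC 2385 check in Python. It is not code from the original post or from any router vendor: it builds a constructed TCP segment carrying a BGP OPEN from NDNA_R1 to NDNA_R2, signs it the way a sender does (digest over pseudo-header, fixed TCP header with checksum zeroed, payload and key, carried in TCP option kind 19), then verifies it as the receiver would with the same key, with no digest present, with a different key, and after the payload is tampered with. The segment fields (sequence numbers, window, port 11003) are assumed values chosen for the example.

```python
"""Added example: simulation of the RFC 2385 TCP MD5 signature check that protects a BGP session."""
import dataclasses
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

TCP_PROTO = 6
MD5SIG_KIND = 19      # TCP option kind for the MD5 Signature Option (RFC 2385)
MD5SIG_LEN = 18       # kind (1) + length (1) + 16-byte digest
NOP = b"\x01"


@dataclass
class Segment:
    """The fields of a TCP segment that feed the RFC 2385 digest."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int
    window: int
    payload: bytes = b""
    options: bytes = b""   # raw TCP options as they will appear on the wire


def _fixed_header(seg: Segment) -> bytes:
    """20-byte TCP header without options, checksum forced to zero as RFC 2385 requires."""
    data_offset = (20 + len(seg.options)) // 4
    return struct.pack("!HHIIBBHHH", seg.src_port, seg.dst_port, seg.seq, seg.ack,
                       data_offset << 4, seg.flags, seg.window, 0, 0)


def md5_signature(seg: Segment, key: bytes) -> bytes:
    """Digest over pseudo-header || fixed TCP header || payload || key. The key itself is never sent."""
    seg_len = 20 + len(seg.options) + len(seg.payload)
    pseudo = (ipaddress.IPv4Address(seg.src_ip).packed
              + ipaddress.IPv4Address(seg.dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    return hashlib.md5(pseudo + _fixed_header(seg) + seg.payload + key).digest()


def sign_segment(seg: Segment, key: bytes) -> Segment:
    """Sender side: append the MD5 Signature Option, NOP-padded to a 4-byte boundary."""
    placeholder = bytes([MD5SIG_KIND, MD5SIG_LEN]) + bytes(16) + NOP * 2
    signed = dataclasses.replace(seg, options=placeholder)   # option length affects data offset
    digest = md5_signature(signed, key)
    signed.options = bytes([MD5SIG_KIND, MD5SIG_LEN]) + digest + NOP * 2
    return signed


def find_md5_option(options: bytes):
    """Walk the TCP option list; return the received digest, or None if no MD5 option is present."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            break
        length = options[i + 1]
        if length < 2:
            break
        if kind == MD5SIG_KIND and length == MD5SIG_LEN:
            return options[i + 2:i + MD5SIG_LEN]
        i += length
    return None


def verify_segment(seg: Segment, key: bytes) -> str:
    """Receiver side for a peer with a password configured; mirrors the two BADAUTH cases."""
    received = find_md5_option(seg.options)
    if received is None:
        return "no-digest"          # the other side has no password configured
    expected = md5_signature(seg, key)
    if hmac.compare_digest(received, expected):
        return "ok"
    return "invalid-digest"         # different password, or segment modified in transit


def bgp_open_segment() -> Segment:
    """Constructed sample: NDNA_R1 (10.10.10.1, AS 100) sending a BGP OPEN to NDNA_R2 on port 179."""
    bgp_open = (b"\xff" * 16                                   # 16-byte marker
                + struct.pack("!HBBHHIB", 29, 1, 4, 100, 180, 0x0A0A0A01, 0))
    return Segment("10.10.10.1", "10.10.10.2", 11003, 179,
                   seq=1000, ack=2000, flags=0x18, window=16384, payload=bgp_open)


if __name__ == "__main__":
    seg = bgp_open_segment()
    good = sign_segment(seg, b"NDNATest1")
    print(verify_segment(good, b"NDNATest1"))                 # ok
    print(verify_segment(seg, b"NDNATest1"))                  # no-digest
    print(verify_segment(good, b"NDNATest2"))                 # invalid-digest
    tampered = dataclasses.replace(good, payload=good.payload[:-1] + b"\x01")
    print(verify_segment(tampered, b"NDNATest1"))             # invalid-digest
```

The three verify results correspond to a healthy session, the "No MD5 digest" log line (peer without a password) and the "Invalid MD5 digest" log line (mismatched password); the last case shows why the same message also appears when a segment is altered on the path, since the digest covers the segment data and not only the key.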