Authentication for Routing Protocols
You can configure an authentication method and password for routing protocol messages for many routing protocols including BGP, IS-IS, OSPF, RIP, and RSVP. To prevent the exchange of unauthenticated or forged packets, routers must ensure that they form routing protocol relationships (peering or neighboring relationships) to trusted peers. One way of doing this is by authenticating routing protocol messages. Neighboring routers use the password to verify the authenticity of packets sent by the protocol from the router or from a router interface.
This topic provides a high-level overview and some basic examples for authenticating routing protocols. For detailed information about configuring authentication for a specific routing protocol, see the user guide for that protocol.
Authentication Methods for Routing Protocols
Some routing protocols—BGP, IS-IS, OSPF, RIP, and RSVP—enable you to configure an authentication method and password. Neighboring routers use the password to verify the authenticity of packets that the protocol sends from the router or from a router interface. The following authentication methods are supported:
- Simple authentication (IS-IS, OSPF, and RIP)—Uses a simple text password. The receiving router uses an authentication key (password) to verify the packet. Because the password is included in the transmitted packet, this method of authentication is relatively insecure. We recommend that you avoid using this authentication method.
- MD5 and HMAC-MD5 (BGP, IS-IS, OSPF, RIP, and RSVP)—MD5 creates an encoded checksum that is included in the transmitted packet. HMAC-MD5, which combines HMAC authentication with MD5, adds the use of an iterated cryptographic hash function. With both types of authentication, the receiving router uses an authentication key (password) to verify the packet. HMAC-MD5 authentication is defined in RFC 2104, HMAC: Keyed-Hashing for Message Authentication.
In general, authentication passwords are text strings consisting of some maximum number of letters and digits. Passwords can include any ASCII characters. If you include spaces in a password, enclose all characters in quotation marks (" ").
Junos-FIPS has special password requirements. FIPS passwords must be between 10 and 20 characters in length. Passwords must use at least three of the five defined character sets (uppercase letters, lowercase letters, digits, punctuation marks, and other special characters). If Junos-FIPS is installed on the router, you cannot configure passwords unless they meet this standard.
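The Junos-FIPS rule above (10 to 20 characters, at least three of the five character sets) is easy to get wrong when preparing keys ahead of a commit. The following added check is not Junos code; it is an example written here. Which characters count as "punctuation marks" versus "other special characters" is not spelled out on the page, so the split used below is an assumption.

```python
import string

# Assumption for this example: a small set of common punctuation marks; every
# other printable non-alphanumeric ASCII character counts as "other special".
_PUNCTUATION = set(".,;:!?'\"-")
_OTHER_SPECIAL = set(string.punctuation) - _PUNCTUATION


def character_sets_used(password: str) -> set:
    """Return the names of the character sets that appear in the password."""
    used = set()
    for ch in password:
        if ch.isupper():
            used.add("upper")
        elif ch.islower():
            used.add("lower")
        elif ch.isdigit():
            used.add("digit")
        elif ch in _PUNCTUATION:
            used.add("punctuation")
        elif ch in _OTHER_SPECIAL:
            used.add("special")
    return used


def fips_password_ok(password: str) -> bool:
    """True when the password meets the Junos-FIPS rule quoted above:
    length 10-20 and at least three of the five character sets."""
    if not 10 <= len(password) <= 20:
        return False
    return len(character_sets_used(password)) >= 3


if __name__ == "__main__":
    for candidate in ("Abc123!xyz", "abcdefghij", "Ab12345678"):
        print(candidate, fips_password_ok(candidate))
```

Run it against a candidate key before committing on a FIPS router; a key that fails here will be rejected by the CLI anyway, but the reason is clearer from the function than from a failed commit.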
Example: Configure the Authentication Key for BGP and IS-IS Routing Protocols
The main task of a router is to use its routing and forwarding tables to forward user traffic to its intended destination. Attackers can send forged routing protocol packets to a router with the intent of changing or corrupting the contents of its routing table or other databases, which in turn can degrade the functionality of the router and the network. To prevent such attacks, routers must ensure that they form routing protocol relationships (peering or neighboring relationships) to trusted peers. One way of doing this is by authenticating routing protocol messages. We strongly recommend using authentication when configuring routing protocols.
Junos OS supports HMAC-MD5 authentication for BGP, IS-IS, OSPF, RIP, and RSVP. HMAC-MD5 uses a secret key combined with the data being transmitted to compute a hash. The computed hash is transmitted along with the data. The receiver uses the matching key to recompute and validate the message hash. If an attacker has forged or modified the message, the hash will not match, and the data is discarded.
In the following examples, we configure BGP as the exterior gateway protocol (EGP) and IS-IS as the interior gateway protocol (IGP). If you use OSPF, configure it similarly to the IS-IS configuration shown.
Configure BGP
The following example shows the configuration of a single authentication key for the different BGP peer groups. You can also configure BGP authentication at the neighbor or routing instance levels, or for all BGP sessions. As with any security configuration, there is a trade-off between the degree of granularity (and to some extent, the degree of security) and the amount of management necessary to maintain the system.
This example also configures a number of tracing options for routing protocol events and errors, which can be good indicators of attacks against routing protocols. These events include protocol authentication failures, which might point to an attacker. The attacker may be sending spoofed or otherwise malformed routing packets to the router in an attempt to elicit a particular behavior.
[edit]
protocols {
    bgp {
        group ibgp {
            type internal;
            traceoptions {
                file bgp-trace size 1m files 10;
                flag state;
                flag general;
            }
            local-address 10.10.5.1;
            log-updown;
            neighbor 10.2.1.1;
            authentication-key "$9$aH1j8gqQ1gjyjgjhgjgiiiii";
        }
        group ebgp {
            type external;
            traceoptions {
                file ebgp-trace size 10m files 10;
                flag state;
                flag general;
            }
            local-address 10.10.5.1;
            log-updown;
            peer-as 2;
            neighbor 10.2.1.2;
            authentication-key "$9$aH1j8gqQ1gjyjgjhgjgiiiii";
        }
    }
}
Configure IS-IS
Although Junos OS supports authentication for all IGPs, some IGPs are inherently more secure than others. Most service providers use OSPF or IS-IS to allow fast internal convergence and scalability and to use traffic engineering capabilities with MPLS. Because IS-IS does not operate at the network layer, it is more difficult to spoof than OSPF. OSPF is encapsulated in IP and is therefore subject to remote spoofing and denial of service (DoS) attacks.
The following example configures authentication for IS-IS. It also configures a number of tracing options for routing protocol events and errors, which can be good indicators of attacks against routing protocols. These events include protocol authentication failures, which might point to an attacker. The attacker may be sending spoofed or otherwise malformed routing packets to the router in an attempt to elicit a particular behavior.
[edit]
protocols {
    isis {
        level 1 {
            authentication-key "$9$aH1j8gqQ1gjyjgjhgjgiiiii"; # SECRET-DATA
            authentication-type md5;
        }
        interface at-0/0/0.131 {
            lsp-interval 50;
            level 2 disable;
            level 1 {
                metric 3;
                hello-interval 5;
                hold-time 60;
            }
        }
        interface lo0.0 {
            passive;
        }
        traceoptions {
            file isis-trace size 10m files 10;
            flag normal;
            flag error;
        }
    }
}
Configure the Authentication Key Update Mechanism for Routing Protocols
You can configure an authentication key update mechanism for the BGP, LDP, and IS-IS routing protocols. This mechanism enables you to update authentication keys without interrupting associated routing and signaling protocols such as OSPF and RSVP.
To configure this feature, include the authentication-key-chains statement at the [edit security] hierarchy level. To apply the key chain, you must configure the key chain identifier and the key chain algorithm at the appropriate hierarchy level for the protocol.
The following sections provide more information about configuring authentication key updates for routing protocols. For detailed information about configuring authentication key updates for a specific routing protocol, see the user guide for that protocol.
Configure Authentication Key Updates
To configure the authentication key update mechanism, include the key-chain statement at the [edit security authentication-key-chains] hierarchy level, and specify the key option to create a keychain consisting of several authentication keys.
[edit security authentication-key-chains]
key-chain key-chain-name {
    key key {
        algorithm (hmac-sha-1 | md5);
        options (basic | isis-enhanced);
        secret secret-data;
        start-time yyyy-mm-dd.hh:mm:ss;
    }
}
key-chain—Assign a name to the keychain mechanism. You reference this name at the appropriate hierarchy levels for the protocol to associate unique authentication key-chain attributes, as specified using the following options:
- algorithm—Authentication algorithm for IS-IS.
- key—Integer value that uniquely identifies each key within a keychain. The range is from 0 through 63.
- options—(IS-IS only) Protocol transmission encoding format for encoding the message authentication code in routing protocol packets.
- secret—Password in encrypted text or plain text format. Even if you enter the secret data in plain-text format, the secret always appears in encrypted format.
- start-time—Start time for authentication key transmission, specified in UTC. The start time must be unique within the keychain.
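The keychain semantics listed above (key identifiers 0 through 63, one of two algorithms per key, a unique UTC start-time per key, and a switch to the newer key once its start-time arrives) are shown below as an added example; this is not Junos code and the key material, names and timestamps are constructed. One assumption is made beyond the page: the receiver can tell which key a packet was protected with, so that packets sent under the previous key are still accepted while both sides roll over.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from typing import List, Optional

# The two algorithm names from the statement summary above.
_ALGORITHMS = {"hmac-sha-1": hashlib.sha1, "md5": hashlib.md5}


class KeyChainError(ValueError):
    """Raised for the same conditions the CLI would refuse to commit."""


class KeyChain:
    """Keys ordered by start-time; the active key for sending is the one with
    the latest start-time that is not in the future."""

    def __init__(self, name: str):
        self.name = name
        self.keys: List[dict] = []

    def add_key(self, key_id: int, algorithm: str, secret: bytes, start_time: str) -> None:
        if not 0 <= key_id <= 63:
            raise KeyChainError(f"key {key_id} outside the range 0 through 63")
        if algorithm not in _ALGORITHMS:
            raise KeyChainError(f"unsupported algorithm {algorithm!r}")
        if any(k["key_id"] == key_id for k in self.keys):
            raise KeyChainError(f"key {key_id} already present in {self.name}")
        # start-time uses the yyyy-mm-dd.hh:mm:ss form and is interpreted as UTC.
        start = datetime.strptime(start_time, "%Y-%m-%d.%H:%M:%S").replace(tzinfo=timezone.utc)
        if any(k["start"] == start for k in self.keys):
            raise KeyChainError(f"start-time {start_time} already used in {self.name}")
        self.keys.append({"key_id": key_id, "algorithm": algorithm, "secret": secret, "start": start})
        self.keys.sort(key=lambda k: k["start"])

    def active_key(self, now: datetime) -> Optional[dict]:
        """Newest key whose start-time has already passed, or None."""
        candidates = [k for k in self.keys if k["start"] <= now]
        return candidates[-1] if candidates else None

    def sign(self, message: bytes, now: datetime) -> tuple:
        """Sender: MAC the message under the active key; returns (key_id, mac)."""
        key = self.active_key(now)
        if key is None:
            raise KeyChainError("no key in the keychain is active yet")
        mac = hmac.new(key["secret"], message, _ALGORITHMS[key["algorithm"]]).digest()
        return key["key_id"], mac

    def verify(self, message: bytes, key_id: int, mac: bytes) -> bool:
        """Receiver: look the key up by identifier (assumption, see lead-in) and
        recompute; an unknown key or a mismatch rejects the packet."""
        for k in self.keys:
            if k["key_id"] == key_id:
                expected = hmac.new(k["secret"], message, _ALGORITHMS[k["algorithm"]]).digest()
                return hmac.compare_digest(expected, mac)
        return False


def rollover_demo() -> dict:
    """Constructed rollover: key 1 (md5) gives way to key 2 (hmac-sha-1) on 2024-06-01."""
    chain = KeyChain("example-chain")
    chain.add_key(1, "md5", b"old-secret", "2024-01-01.00:00:00")
    chain.add_key(2, "hmac-sha-1", b"new-secret", "2024-06-01.00:00:00")
    before = datetime(2024, 5, 31, 23, 59, 59, tzinfo=timezone.utc)
    after = datetime(2024, 6, 1, 0, 0, 0, tzinfo=timezone.utc)
    msg = b"IS-IS hello"  # constructed payload
    kid_before, mac_before = chain.sign(msg, before)
    kid_after, mac_after = chain.sign(msg, after)
    return {
        "key_before": kid_before,
        "key_after": kid_after,
        "old_still_verifies": chain.verify(msg, kid_before, mac_before),
        "new_verifies": chain.verify(msg, kid_after, mac_after),
        "cross_key_rejected": not chain.verify(msg, kid_after, mac_before),
    }


if __name__ == "__main__":
    print(rollover_demo())
```

Because the sender switches keys purely on the clock, both routers need a correct UTC time source; a peer whose clock is behind will keep sending under the old key after the start-time has passed, which is exactly why the receiver keeps accepting the older key during the transition.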
Configure BGP and LDP for Authentication Key Updates
To configure the authentication key update mechanism for the BGP and LDP routing protocols, include the authentication-key-chain statement within the [edit protocols (bgp | ldp)] hierarchy level. Including the authentication-key-chain statement associates each routing protocol with the [edit security authentication-key-chains] authentication keys. You must also configure the authentication-algorithm statement and specify the algorithm. For example:
[edit protocols]
bgp {
    group group-name {
        neighbor address {
            authentication-algorithm algorithm;
            authentication-key-chain key-chain-name;
        }
    }
}
ldp {
    session session-addr {
        authentication-algorithm algorithm;
        authentication-key-chain key-chain-name;
    }
}
When configuring the authentication key update mechanism for BGP, you cannot commit the 0.0.0.0/allow statement with authentication keys or keychains. If you try this action, the CLI issues a warning, and the commit fails.