3.3.4.1 Set 'neighbor password'

Information

Enable Message Digest 5 (MD5) authentication on the TCP connection between two BGP peers.

Rationale:

Enforcing routing-protocol authentication reduces the likelihood of route poisoning and of unauthorized routers joining the BGP routing domain.

Solution

Configure BGP neighbor authentication where feasible.


hostname(config)#router bgp <bgp_as-number>
hostname(config-router)#neighbor <bgp_neighbor-ip | peer-group-name> password <password>

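A way to verify this control against a saved running-config, as an added example that is not part of the original audit item: the script below parses the `router bgp` stanza, tracks which neighbors and peer groups carry a `password` statement, and flags neighbors that have neither a direct password nor one inherited from their peer group. The configuration text and all addresses and names in it are constructed for the example.

```python
import re

# Constructed sample running-config (not taken from the page): one peer group
# with a password, one neighbor with its own password, one with none, and one
# that inherits the password through peer-group membership.
SAMPLE_CONFIG = """\
router bgp 65001
 bgp log-neighbor-changes
 neighbor CORE-PEERS peer-group
 neighbor CORE-PEERS password SamplePeerGroupPw
 neighbor 192.0.2.1 remote-as 65002
 neighbor 192.0.2.1 password SampleNeighborPw
 neighbor 192.0.2.2 remote-as 65003
 neighbor 198.51.100.5 peer-group CORE-PEERS
!
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
"""

NEIGHBOR_RE = re.compile(r"^\s*neighbor\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def audit_bgp_neighbor_passwords(config: str) -> dict:
    """Map each BGP neighbor (peer-group templates excluded) to True when an
    MD5 password is set directly or inherited from its peer group."""
    in_bgp, peer_groups, passworded, membership, seen = False, set(), set(), {}, []
    for line in config.splitlines():
        if re.match(r"^router bgp\s+\d+", line):
            in_bgp = True
            continue
        if in_bgp and line and not line.startswith(" "):
            in_bgp = False  # "!" or another top-level stanza ends router bgp
        if not in_bgp:
            continue
        m = NEIGHBOR_RE.match(line)
        if not m:
            continue
        target, keyword, rest = m.group(1), m.group(2), m.group(3) or ""
        if target not in seen:
            seen.append(target)
        if keyword == "peer-group" and not rest:
            peer_groups.add(target)            # "neighbor NAME peer-group" declares a template
        elif keyword == "peer-group":
            membership[target] = rest.split()[0]  # "neighbor IP peer-group NAME" joins it
        elif keyword == "password":
            passworded.add(target)
    return {n: (n in passworded or membership.get(n) in passworded)
            for n in seen if n not in peer_groups}


def noncompliant_neighbors(config: str) -> list:
    """Neighbors that violate this control, in configuration order."""
    return [n for n, ok in audit_bgp_neighbor_passwords(config).items() if not ok]
```

Running `noncompliant_neighbors(SAMPLE_CONFIG)` on the constructed config reports only `192.0.2.2`, the neighbor with no password and no peer-group membership.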
Impact:

Organizations should plan and implement enterprise security policies that require rigorous authentication methods for routing protocols. Using the 'neighbor password' for BGP enforces these policies by restricting the type of authentication between network devices.

Default Value:

Not set

References:

http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/command/bgp-n1.html#GUID-A8900842-ECF3-42D3-B188-921BE0EC060B

http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/command/bgp-m1.html#GUID-159A8006-F0DF-4B82-BB71-C39D2C134205

Notes:

Setting a neighbor password enables MD5 authentication between two BGP peers, meaning that each segment sent on the TCP connection between the peers is verified. MD5 authentication must be configured with the same password on both BGP peers.

See Also

https://workbench.cisecurity.org/files/2585

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-3, CSCv6|11

Plugin: Cisco

Control ID: 5d4c0b996260f2c2cd5fd1928f82472ffb92c2514b90748a0bae9f9fa6293d61