2.1.3.1 Authentication

Information

Enable message digest5 (MD5) authentication on a TCP connection between two BGP peers

Enforcing routing authentication reduces the likelihood of routing poisoning and unauthorized routers from joining BGP routing.

Solution

Configure BGP neighbor authentication where feasible.

IOSXR(config)#router bgp {local_AS_number}
IOSXR(config-bgp)#neighbor {neighbor_IP_address} remote-as {remote_AS_number}
IOSXR(config-bgp)#neighbor {neighbor_IP_address} password clear {BGP_password}

Impact:

Organizations should plan and implement enterprise security policies that require rigorous authentication methods for routing protocols. Using the 'neighbor password' for BGP enforces these policies by restricting the type of authentication between network devices.

See Also

https://workbench.cisecurity.org/benchmarks/10473

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5

Plugin: Cisco

Control ID: f114bee2fd8a338cc006c5d64edc3d961175bb51b606e554f0b66ca20a633133