4.1.1 Ensure peer authentication is set to MD5

Information

BGP Peers should be authenticated.

Rationale:

Where it is deployed, BGP routing is vital for normal operation of an organization's network infrastructure. Correct route information is required for routers to correctly direct traffic through the network. An attacker posing as one of the target routers BGP neighbors may inject incorrect information into the route table resulting in DOS attack or loss of confidential data through a Man in the Middle attack.

On Juniper routers (as well as routers from other manufacturers such as Cisco or Brocade) it is possible to authenticate neighbors using an MD5 digest of elements of the TCP segment, creating a signature which can be verified without ever needing to transmit the password. This method is described in RFC 2385.

Solution

If you have deployed BGP in your network you should authenticate all neighbors. Authentication can be configured at the Global, Group or Neighbor level, with more specific settings overriding less specific. For eBGP a different MD5 password should be configured for each neighbor or peer. For iBGP neighbors the same key may be used globally or different keys may be used by group or neighbor as appropriate to your infrastructure. To configure BGP Authentication at the globally enter the following command at the [edit protocols bgp] hierarchy:

[edit protocols bgp]
user@host#set authentication-key <md5 key>

To configure BGP Authentication at the group level enter the following command at the [edit protocols bgp] hierarchy:

[edit protocols bgp]
user@host#set group <group name> authentication-key <md5 key>

Finally, to configure BGP Authentication at the neighbor level enter the following command at the [edit protocols bgp group <group name>] hierarchy:

[edit protocols bgp group <group name>]
user@host#set neighbor <neighbor IP> authentication-key <md5 key>

Remember that more specific settings override less specific settings, so a key set at the neighbor level will be used even if keys are also set at the group and global levels.

Default Value:

No BGP routing is configured by default.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, 800-53|IA-5(1), CSCv7|16.4

Plugin: Juniper

Control ID: 5a753867ef3fb2b4af1d2c74adcae53d8d2800ce7dbf3491d891c78c48e07338