4.1.2 Ensure peer authentication is set to IPSEC SA

Information

BGP Neighbors should be strongly authenticated.

Rationale:

Where it is deployed, BGP routing is vital for normal operation of an organization's network infrastructure. Correct route information is required for routers to correctly direct traffic through the network.

An attacker posing as one of the target routers BGP neighbors may inject incorrect information into the route table resulting in DoS attack or loss of confidential data through a Man in the Middle attack. As well as MD5 hash based authentication, JUNOS routers can also authenticate BGP neighbors using IPSEC Security Associations. This allows more robust authentication mechanisms to be used and is recommended as an alternative to MD5 HMAC in high security environments.

Although M, T and MX series devices normally require a Services PIC or DPC installed to use IPSEC tunnels, no additional hardware is required for IPSEC SA based authentication of BGP neighbors. As with MD5 HMAC, IPSEC SA based Authentication can be configured Globally, at the Group Level or at the Neighbor Level, with more specific settings overriding less specific settings.

Because IPSEC SA Authentication is intended for use in high security environments, it is recommended that different parameters are configured for each neighbor, particularly where eBGP is used.

NOTE: BGP does not appear to be configured on the target. This check is not applicable.

Solution

To setup IPSEC SA based authentication, first configure a Security Association at the [edit security ipsec] hierarchy;

[edit security ipsec]
edit security-association <SA name>
set description <description>
set mode transport
set manual direction bidirectional protocol ah
set manual direction bidirectional authentication algorithm <authentication method>
set manual direction bidirectional authentication key <key>

The SA must be bi-directional and must be configured with the same parameters on all neighbors reachable on the intended interface. Note that only Authenticated Header is configured in this example which provides mutual authentication but does not encrypt BGP protocol messages in transit.
To configure IPSEC SA based authentication globally for BGP, issue the following command from the [edit protocols bgp] hierarchy;

[edit protocols bgp]
user@host#set ipsec-sa

To configure IPSEC SA based authentication for a group, issue the following command from the [edit protocols bgp group <group name>] hierarchy;

[edit protocols bgp group <group name>]
user@host#set ipsec-sa <SA name>

To configure IPSEC SA based authentication for a neighbor, issue the following command from the [edit protocols bgp group <group name> neighbor <neighbor ip address>] hierarchy;

[edit protocols bgp group <group name> neighbor <neighbor ip address>]
user@host#set ipsec-sa <SA name>

Default Value:

No BGP routing is configured by default.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, 800-53|IA-5(1), CSCv7|16.4

Plugin: Juniper

Control ID: b16e9747c8ca1132331e2daeea0b44bddf001ce9a34c844484b764a73f0688c4