Home PC Games Linux Windows Database Network Programming Server Mobile  
  Home \ Linux \ Quagga use authentication on strengthening BGP session security     - Linux Log File Browser --logrotate (Linux)

- JavaScript common array manipulation functions and usage (Programming)

- Implement firewall function on a closed Linux machine (Linux)

- Installation and configuration to compile MySQL 5.6.10 under CentOS 5.9 (Database)

- Linux command line under HTTP traffic sniffing tool: httpry (Linux)

- APR for Tomcat installation under Linux (Server)

- Linux memory Cache Analysis (Linux)

- Asynchronous JavaScript loading (Programming)

- Ubuntu 14.04 users how to install VLC 2.2.0 (Linux)

- HttpClient Tutorial (Programming)

- MySQL5.6.12 Waiting for commit lock lead to hang from the library housing problem analysis (Database)

- Quickly build and install Linux KVM system (Linux)

- How to use the command line to obtain Freely RSS source on Linux (Linux)

- Installation under Linux Mint system guidelines for Gtk (Linux)

- Learn to read the source code of vmstat (Linux)

- Binary search and modification (Programming)

- Linux operation and maintenance of the actual file system, file links (Linux)

- Help you enhance Python programming languages 27 (Programming)

- Install Git on CentOS (Linux)

- Oracle to read and modify the data block process (Database)

  Quagga use authentication on strengthening BGP session security
  Add Date : 2018-11-21      
  BGP protocol running on top of TCP, therefore, it inherits all the loopholes in the TCP connection. For example, in a BGP session, an attacker can impersonate a legitimate BGP neighbor, and then convince the other side of BGP routers share routing information to the attacker. When the attacker routes advertised to the neighbor inject bogus routing, this problem will occur. Unsuspecting neighbors will start sending the attackers live communication, in fact, this information does not whereabouts anywhere, just to be discarded. Back in 2008, YouTube actually victims of such poisoning BGP routes, and subjected to an hour-long video of a large number of service interruptions. A worse case, if the attacker is sufficiently knowledgeable people, they can be disguised as a transparent router, then sniffing through traffic for sensitive data. As you can imagine, this will have far-reaching impact.

Active BGP sessions to protect against attacks, many service providers using BGP session MD5 checksum and pre-shared key. In a protected BGP session, BGP router sends a packet generating MD5 hash value by using a pre-shared key, part of the IP and TCP header and payload. Then, MD5 hash as a TCP option field stores. After receiving the packet, the receiving router in the same way using a pre-shared key to generate its MD5 version. It places its MD5 hash value and received a package of comparison to decide whether to accept the package. For an attacker, it is almost impossible to guess a checksum or key. For BGP routers, they can ensure the legitimacy of each package before using the contents of the package.

In this tutorial, we'll show you how to use MD5 checksum and pre-shared key to strengthening security BGP session between two neighbors.


Strengthening BGP session security is fairly simple and straightforward, we will use the following router.

AS IP address of the router name resolution
router-A 100
router-B 200
Common Linux kernel native support for IPv4 and IPv6 TCP MD5 option. So, if you are from a new Linux machine built a Quagga router, TCP's MD5 function is automatically enabled. Remaining things, simply to configure Quagga its functionality. However, if you are using FreeBSD machine to Quagga or build a custom kernel, make sure the kernel opens the TCP MD5 support (eg, Linux in CONFIGTCPMD5SIG option).

Configuring Router-A Verification

We will use Quagga the CLI Shell to configure the router, only one new command that we will use is 'password'.

[Root @ router-a ~] # vtysh
router-a # conf t
router-a (config) # router bgp 100
router-a (config-router) # network
router-a (config-router) # neighbor remote-as200
router-a (config-router) # neighbor password xmodulo
Pre-shared key used in this example is 'xmodulo'. Clearly, in a production environment, you need to choose a more robust key.

Note: In the Quagga, 'service password-encryption' command is used to encrypt all the plaintext password in the configuration file (eg, password). However, when I use the command, I noticed BGP configuration, pre-shared key is still the plaintext. I'm not sure if this is Quagga restrictions, or release their own problems.

Configuring Router-B Verification

We will be in a similar manner to configure router-B.

[Root @ router-b ~] # vtysh
router-b # conf t
router-b (config) # router bgp 200
router-b (config-router) # network
router-b (config-router) # neighbor remote-as100
router-b (config-router) # neighbor password xmodulo

Verify BGP sessions

If everything is properly configured, BGP session should be up, two routers should be able to exchange routing table. At this time, all outgoing packets TCP session will carry a MD5 digest of the package contents and a key, while the other end of the summary information is automatically verified.

We can as usual by looking BGP summary to verify the active BGP session. MD5 checksum verification Quagga inside is transparent, so you can not see the level of BGP.

If you want to test BGP authentication, you can configure a routing neighbor, set its password is blank, or deliberately using the wrong pre-shared key, and then see what happens. You can also use a packet sniffer like tcpdump or the like Wireshark, analyzed by BGP session package. For example, tcpdump with "-M" option to verify the MD5 digest TCP options field.


In this tutorial, we demonstrate how simple reinforcement BGP session security between the two routes. Relative to other protocols, the configuration process is very simple. Highly recommended strengthening BGP session security, particularly if you use another AS configure BGP session time. Pre-shared key should be safely stored.
- Linux fixes fatal error: x264.h: No such file or directo (Linux)
- Linux system on how to use rsync to synchronize data (Server)
- Linux network security probing tools Hping2 (Linux)
- Linux system components Detailed log (Linux)
- Java Timer (regular calling, to achieve a fixed time to perform) (Programming)
- Linux vi command list (Linux)
- ActiveMQ5.10.2 version configuration JMX (Linux)
- VNC connection VMware vSphere ESXi 5.5 (Linux)
- Ubuntu installation 2.10.x version of Scala (Linux)
- KVM add virtual disks (Linux)
- Install the Red Hat Container Development Kit on OSX (Server)
- OpenGL ES 3.0 vertex buffer (Programming)
- EChart simple and practical control on chart (Programming)
- Compression software on a simple comparison of zip and gz (Linux)
- Java call by value and by reference (Programming)
- Fedora10 use Git version Configuration Management (Linux)
- MySQL service failed to start thinking of settlement under CentOS7 (Database)
- PostgreSQL log classification and management (Database)
- grep command usage (Linux)
- Mounting Windows shared directory system under the Linux (Linux)
  CopyRight 2002-2020 newfreesoft.com, All Rights Reserved.