
Lab 5

This document provides an overview of: 1. Configuring and verifying BGP authentication between routers in different autonomous systems using MD5 hashing. Students will learn how to configure EBGP and MD5 authentication on routers to secure routing sessions. 2. The lab topology consists of three networks in different autonomous systems connected by routers. MD5 authentication will be configured on the routers to authenticate the BGP peer relationship and allow exchange of routing information through EBGP. 3. The objectives of the lab are to understand EBGP, configure and verify BGP between autonomous systems, use MD5 authentication between BGP peers, and enable authentication in networks running BGP.

Uploaded by

Lwin Ko

BORDER GATEWAY PROTOCOL

Lab 5: BGP Authentication

Document Version: 03-4-2020

Award 1829698
“CyberTraining CIP: Cyberinfrastructure Expertise on High-throughput
Networks for Big Science Data Transfers”

Contents

Overview
Objectives
Lab settings
Lab roadmap
1 Introduction
    1.1 BGP overview
    1.2 MD5 hash algorithm
    1.3 BGP authentication
2 Lab topology
    2.1 Lab settings
    2.2 Open the topology and load the configuration
    2.3 Load zebra daemon and verify configuration
3 Configure EBGP on the routers
4 Configure and verify MD5 authentication on the routers
    4.1 Configure MD5 authentication
    4.2 Verify MD5 authentication
References


Overview

This lab introduces Border Gateway Protocol (BGP) authentication that is used to
safeguard routing sessions between peer routers. In this lab, External BGP (EBGP) will be
configured and verified among three Autonomous Systems (ASes). Furthermore, Message
Digest 5 (MD5) authentication will be configured on a Transmission Control Protocol (TCP)
connection between BGP peers. In this lab, the terms BGP and EBGP will be used
interchangeably since they will only be running between ASes.

Objectives

By the end of this lab, students should be able to:

1. Understand the concept of EBGP.
2. Configure and verify BGP between two ASes.
3. Use MD5 authentication between BGP peers.
4. Enable authentication mechanism in networks running BGP.

Lab settings

Table 1 provides the credentials to access the Client1 machine.

Table 1. Credentials to access Client1 machine.

Device    Account   Password
Client1   admin     password

Lab roadmap

This lab is organized as follows:

1. Section 1: Introduction.
2. Section 2: Lab topology.
3. Section 3: Configure EBGP on the routers.
4. Section 4: Configure and verify MD5 authentication on the routers.

1 Introduction

1.1 BGP overview


BGP is an exterior gateway protocol designed to exchange routing and reachability
information among ASes on the Internet. BGP is relevant to network administrators of
large organizations which connect to one or more Internet Service Providers (ISPs), as well
as to ISPs who connect to other network providers. In terms of BGP, an AS is referred to
as a routing domain, where all networked systems operate common routing protocols
and are under the control of a single administration [1].

BGP is a form of distance vector protocol. It requires each router to maintain a table,
which stores the distance and the output interface (i.e., vector) to remote networks. BGP
makes routing decisions based on paths, network policies, or rule sets configured by a
network administrator and is involved in making core routing decisions [1].

Two routers that establish a BGP connection are referred to as BGP peers or neighbors.
BGP sessions run over TCP. If a BGP session is established between two neighbors in
different ASes, the session is referred to as an EBGP session [1]. Figure 1 shows a network
running BGP (EBGP) between three routers in different ASes.

[Diagram: three routers in AS 100, AS 200 and AS 300, joined by two EBGP sessions.]

Figure 1. Routers in different ASes run EBGP to advertise routing information.

1.2 TCP MD5 authentication

The MD5 hashing algorithm is a cryptographic function that takes as input a message of
arbitrary length and produces as output a 128-bit message digest of that input. It is
computationally hard to produce two messages that have the same message digest, or to
produce a message from a given message digest. The MD5 hash algorithm is a widely used
mechanism to secure a TCP connection using a secret key shared between the two ends [2].

Consider Figure 2. The TCP segment generated by the sender contains the message and
its digest encrypted with a shared secret key. When the receiver receives the TCP
segment, it calculates the digest (hash) of the message in the same way the sender did,
decrypts the received digest using the shared secret key, and compares the two values.
If the digest calculated by the receiver does not match the one sent by the sender, the
segment is dropped.


[Diagram: the sender hashes the message, encrypts the digest and sends it with the
message; the receiver hashes the received message, decrypts the received digest and
compares the two digests.]

Figure 2. MD5 hash algorithm.

1.3 BGP authentication

BGP authentication enables the routers to share information only if they can verify that
they are talking to a trusted source, based on a password (key). TCP MD5 authentication
between BGP peers verifies each message sent via the BGP session. During
an authenticated BGP session, BGP peers must be configured with the same password to
establish a BGP neighbor relationship [3].

Consider Figure 3. Routers that are configured with the same password establish a BGP
neighbor relationship (see Figure 3a), whereas routers that are configured with different
passwords will not be able to maintain a BGP neighbor relationship (see Figure 3b).

Figure 3. BGP authentication: (a) peers configured with the same password; (b) peers
configured with different passwords.
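
The per-segment check described in Sections 1.2 and 1.3, as an added example that is not part of the original lab. It follows the TCP MD5 Signature Option (RFC 2385), where the key is appended to the hashed input (pseudo-header, fixed TCP header with zeroed checksum, data, key) and the 16-byte digest travels in TCP option kind 19. The function names, port 40000 and the KEEPALIVE payload are constructed for illustration; the addresses are r2-eth2 and r3-eth1 from Table 2 and the keys are the lab's passwords.

```python
import hashlib
import hmac
import socket
import struct

TCP_MD5SIG = 19  # TCP option kind of the MD5 signature option (RFC 2385)


def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """MD5 over pseudo-header, fixed TCP header (checksum zeroed), data, key."""
    header_len = (tcp_header[12] >> 4) * 4          # data offset, includes options
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, header_len + len(payload)))
    fixed = bytearray(tcp_header[:20])              # TCP options are not hashed
    fixed[16:18] = b"\x00\x00"                      # checksum is treated as zero
    return hashlib.md5(pseudo + bytes(fixed) + payload + key).digest()


def build_segment(src_ip, dst_ip, sport, dport, seq, payload, key):
    """Sender: 20-byte header + NOP, NOP + 18-byte MD5 option (data offset 10)."""
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 10 << 4, 0x18, 65535, 0, 0)
    digest = tcp_md5_digest(src_ip, dst_ip, fixed, payload, key)
    return fixed + b"\x01\x01" + bytes([TCP_MD5SIG, 18]) + digest + payload


def find_md5_option(options):
    """Walk the TCP option list and return the 16-byte digest, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                               # end of option list
            break
        if kind == 1:                               # NOP padding
            i += 1
            continue
        if i + 1 >= len(options):
            break
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break                                   # malformed option
        if kind == TCP_MD5SIG and length == 18:
            return options[i + 2:i + 18]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver: True = accept the segment, False = drop it."""
    if len(segment) < 20:
        return False
    header_len = (segment[12] >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        return False
    received = find_md5_option(segment[20:header_len])
    if received is None:
        return False                                # key configured, segment unsigned
    expected = tcp_md5_digest(src_ip, dst_ip, segment[:header_len],
                              segment[header_len:], key)
    return hmac.compare_digest(received, expected)  # constant-time comparison


# Constructed sample: a BGP KEEPALIVE (16-byte marker, length 19, type 4).
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)
R2, R3 = "192.168.23.1", "192.168.23.2"             # r2-eth2 and r3-eth1 (Table 2)

if __name__ == "__main__":
    seg = build_segment(R3, R2, 40000, 179, 1, KEEPALIVE, b"345")
    print("r2 with key 123 accepts:", verify_segment(R3, R2, seg, b"123"))
    print("r2 with key 345 accepts:", verify_segment(R3, R2, seg, b"345"))
```

Because the source and destination addresses are part of the hashed pseudo-header, a segment signed with the right key but replayed from another address also fails the check.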


2 Lab topology

Consider Figure 4. The lab topology consists of three networks, Network 1, Network 2,
and Network 3 that lie within AS 100, AS 200, and AS 300, respectively. An MD5
authentication system has been used to authenticate BGP peer relationship. This allows
the routers to exchange routing information via EBGP with validated peers only.

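[Diagram: Network 1 (AS 100, 192.168.1.0/24): host h1 (h1-eth0, .10) connects through
switch s1 (s1-eth2, s1-eth1) to router r1 (r1-eth0, .1). Network 2 (AS 200,
192.168.2.0/24): host h2 (h2-eth0, .10) connects through switch s2 (s2-eth1, s2-eth2)
to router r2 (r2-eth0, .1). Network 3 (AS 300, 192.168.3.0/24): host h3 (h3-eth0, .10)
connects through switch s3 (s3-eth1, s3-eth2) to router r3 (r3-eth0, .1). Router links:
r1-eth1 (.1) to r2-eth1 (.2), and r2-eth2 (.1) to r3-eth1 (.2).]

Figure 4. Lab topology.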

2.1 Lab settings

Routers and hosts are already configured according to the IP addresses shown in Table 2.

Table 2. Topology information.


Device           Interface   IPv4 Address    Subnet   Default gateway
r1 (Network 1)   r1-eth0     192.168.1.1     /24      N/A
r1 (Network 1)   r1-eth1     192.168.12.1    /30      N/A
r2 (Network 2)   r2-eth0     192.168.2.1     /24      N/A
r2 (Network 2)   r2-eth1     192.168.12.2    /30      N/A
r2 (Network 2)   r2-eth2     192.168.23.1    /30      N/A
r3 (Network 3)   r3-eth0     192.168.3.1     /24      N/A
r3 (Network 3)   r3-eth1     192.168.23.2    /30      N/A
h1               h1-eth0     192.168.1.10    /24      192.168.1.1
h2               h2-eth0     192.168.2.10    /24      192.168.2.1
h3               h3-eth0     192.168.3.10    /24      192.168.3.1

2.2 Open the topology and load the configuration

Step 1. Start by launching MiniEdit by clicking on the Desktop shortcut. When prompted for
a password, type password.

Figure 5. MiniEdit shortcut.

Step 2. On MiniEdit’s menu bar, click on File then Open to load the lab’s topology. Locate
the Lab5.mn topology file in the default directory, /home/frr/BGP_Labs/lab5, and click on
Open.


Figure 6. MiniEdit’s Open dialog.

At this point the topology is loaded with all the required network components. You will
execute a script that will load the configuration of the routers.

Step 3. Open the Linux terminal.

Figure 7. Opening Linux terminal.

Step 4. Click on the Linux terminal and navigate into the BGP_Labs/lab5 directory by issuing
the following command. This folder contains a configuration file and the script
responsible for loading the configuration. The configuration file will assign the IP
addresses to the routers’ interfaces. The cd command is short for change directory
and is followed by an argument that specifies the destination directory.

cd BGP_Labs/lab5

Figure 8. Entering the BGP_Labs/lab5 directory.

Step 5. To execute the shell script, type the following command. The argument of the
program corresponds to the configuration zip file that will be loaded in all the routers in
the topology.


./config_loader.sh lab5_conf.zip

Figure 9. Executing the shell script to load the configuration.

Step 6. Type the following command to exit the Linux terminal.

exit

Figure 10. Exiting from the terminal.

Step 7. At this point the interfaces of hosts h1, h2 and h3 are configured. To proceed with
the emulation, click on the Run button located on the lower left-hand side.

Figure 11. Starting the emulation.

Step 8. Click on Mininet’s terminal, i.e., the one launched when MiniEdit was started.

Figure 12. Opening Mininet’s terminal.

Step 9. Issue the following command to display the interface names and connections.

links


Figure 13. Displaying network interfaces.

In Figure 13, the link displayed within the gray box indicates that interface eth1 of switch
s1 connects to interface eth0 of router r1 (i.e., s1-eth1<->r1-eth0).

2.3 Load zebra daemon and verify configuration

You will verify the IP addresses listed in Table 2 and inspect the routing table of routers
r1, r2, and r3.

Step 1. Hold right-click on host h1 and select Terminal. This opens the terminal of host
h1 and allows the execution of commands in that host.

Figure 14. Opening a terminal on host h1.


Step 2. On host h1 terminal, type the command shown below to verify that the IP address
was assigned successfully. You will verify that host h1 has two interfaces, h1-eth0
configured with the IP address 192.168.1.10 and the subnet mask 255.255.255.0.

ifconfig

Figure 15. Output of ifconfig command.

Step 3. On host h1 terminal, type the command shown below to verify that the default
gateway IP address is 192.168.1.1.

route

Figure 16. Output of route command.


Step 4. In order to verify hosts h2 and h3, proceed similarly by repeating from step 1 to
step 3 on hosts h2 and h3 terminals. Similar results should be observed.

Step 5. You will validate that the router interfaces are configured correctly according to
Table 2. In order to verify router r1, hold right-click on router r1 and select Terminal.

Figure 17. Opening a terminal on router r1.

Step 6. In this step, you will start the zebra daemon, which is a multi-server routing software
that provides TCP/IP based routing protocols. The configuration will not work unless the
zebra daemon is started first. In order to start zebra, type the following
command:

zebra

Figure 18. Starting zebra daemon.

Step 7. After initializing zebra, vtysh should be started in order to provide all the CLI
commands defined by the daemons. To proceed, issue the following command:

vtysh


Figure 19. Starting vtysh on router r1.

Step 8. Type the following command on router r1 terminal to verify the routing table of
router r1. It will list all the directly connected networks. The routing table of router r1
does not contain any route to the networks attached to router r2 (192.168.2.0/24) and
router r3 (192.168.3.0/24) as there is no routing protocol configured yet.

show ip route

Figure 20. Displaying routing table of router r1.

Step 9. Router r2 is configured similarly to router r1 but with different IP addresses (see
Table 2). Those steps are summarized in the following figure. To proceed, in router r2
terminal, issue the commands depicted below. At the end, you will verify all the
directly connected networks of router r2.

Figure 21. Displaying routing table of router r2.


Step 10. Router r3 is configured similarly to router r1 but with different IP addresses (see
Table 2). Those steps are summarized in the following figure. To proceed, in router r3
terminal, issue the commands depicted below. At the end, you will verify all the directly
connected networks of router r3.

Figure 22. Displaying routing table of router r3.

3 Configure EBGP on the routers

In this section, you will configure EBGP on the routers that are hosted in different ASes.
You will assign BGP neighbors to allow the routers to exchange BGP routes. Furthermore,
routers r1, r2, and r3 will advertise their Local Area Networks (LANs) via BGP so that the
LANs are learned by peer routers.

Step 1. To configure BGP routing protocol, you need to enable the BGP daemon first.
In router r1, type the following command to exit the vtysh session:

exit

Figure 23. Exiting the vtysh session.

Step 2. Type the following command on router r1 terminal to enable and to start BGP
routing protocol.

bgpd

Figure 24. Starting BGP daemon.

Step 3. In order to re-enter the vtysh session on router r1, type the following command:


vtysh

Figure 25. Starting vtysh on router r1.

Step 4. To enable router r1 configuration mode, issue the following command:

configure terminal

Figure 26. Enabling configuration mode on router r1.

Step 5. Router r1 is in AS 100. In order to configure BGP, type the following command:

router bgp 100

Figure 27. Configuring BGP on router r1.

Step 6. To configure a BGP neighbor to router r1 (AS 100), type the command shown
below. This command specifies the neighbor IP address (192.168.12.2) and the AS number
of the remote BGP peer (AS 200).

neighbor 192.168.12.2 remote-as 200


Figure 28. Assigning BGP neighbor to router r1.

Step 7. In this step, router r1 will advertise LAN 192.168.1.0/24 to its BGP peers. To do so,
issue the following command:

network 192.168.1.0/24

Figure 29. Advertising local network on router r1.

Step 8. Type the following command to exit from the configuration mode.

end

Figure 30. Exiting from configuration mode.

Step 9. Type the following command to verify BGP networks. You will observe the LAN
network of router r1.

show ip bgp


Figure 31. Verifying BGP networks on router r1.

Step 10. Type the following command to verify BGP neighbors. You will verify that the
neighbor IP address is 192.168.12.2. The corresponding AS number is 200.

show ip bgp neighbors

Figure 32. Verifying BGP neighbors on router r1.

Step 11. Repeat steps 1 to 8, with router r2's parameters, in order to configure BGP
on router r2. All these steps are summarized in the following figure.


Figure 33. Configuring BGP on router r2.

Step 12. Repeat steps 1 to 8 in order to configure BGP on router r3. All these
steps are summarized in the following figure.

Figure 34. Configure BGP on router r3.

Step 13. In router r3 terminal, type the following command to verify the routing table of
router r3. The LANs of router r1 (192.168.1.0/24) and router r2 (192.168.2.0/24) are
advertised to router r3 through EBGP.

show ip route

Figure 35. Verifying the routing table of router r3.


Step 14. On host h3 terminal, perform a connectivity test by running the command shown
below. To stop the test, press Ctrl+c. The result will show a successful connectivity test.

ping 192.168.1.10

Figure 36. Connectivity test using ping command.

4 Configure and verify MD5 authentication on the routers

In this section, you will employ the MD5 algorithm to authenticate your BGP peer connections.
You will configure BGP neighbor authentication on the routers so that each router
authenticates the source of each routing update packet that it receives. This mechanism
is accomplished by exchanging an authentication key (password) between the source and
destination routers.

4.1 Configure MD5 authentication

Step 1. To enable router r1 configuration mode, issue the following command:

configure terminal

Figure 37. Enabling configuration mode on router r1.

Step 2. In order to configure BGP, type the following command:

router bgp 100

Figure 38. Configuring BGP on router r1.


Step 3. In router r1 terminal, type the following command to set a password (123) to the
neighbor IP address 192.168.12.2.

neighbor 192.168.12.2 password 123

Figure 39. Setting password for BGP peering with neighbor 192.168.12.2.

Step 4. Type the following command to exit from configuration mode.

end

Figure 40. Exiting from configuration mode.

Step 5. Repeat steps 1 to 4, with router r2's parameters, in order to configure BGP
authentication on router r2. Set password 123 for both of the neighbors connected to
router r2. All the steps are summarized in the following figure.

Figure 41. Configuring BGP authentication on router r2.

Step 6. Repeat steps 1 to 4, with router r3's parameters, in order to configure BGP
authentication on router r3. Set the password 345 for the neighbor with IP address
192.168.23.1 (router r2). The configured password on router r3 is different from the one
configured on router r2 (123). All the steps are summarized in the following figure.

Figure 42. Configuring BGP authentication on router r3.
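
A pre-deployment check for the passwords set in Section 4.1, added here as an example and not part of the original lab: it parses the neighbor lines of each router's BGP stanza and reports every peering whose two ends disagree, without printing the secrets. The three stanzas are constructed from the lab's commands and Table 2; CONFIGS, ADDRESS_OWNER and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed BGP stanzas for the lab's routers, assembled from the commands in
# Sections 3 and 4.1 and the addresses in Table 2 (not copied from the lab figures).
CONFIGS = {
    "r1": """
router bgp 100
 neighbor 192.168.12.2 remote-as 200
 neighbor 192.168.12.2 password 123
 network 192.168.1.0/24
""",
    "r2": """
router bgp 200
 neighbor 192.168.12.1 remote-as 100
 neighbor 192.168.12.1 password 123
 neighbor 192.168.23.2 remote-as 300
 neighbor 192.168.23.2 password 123
 network 192.168.2.0/24
""",
    "r3": """
router bgp 300
 neighbor 192.168.23.1 remote-as 200
 neighbor 192.168.23.1 password 345
 network 192.168.3.0/24
""",
}

# Which router owns each peering address (Table 2).
ADDRESS_OWNER = {
    "192.168.12.1": "r1", "192.168.12.2": "r2",
    "192.168.23.1": "r2", "192.168.23.2": "r3",
}

NEIGHBOR_RE = re.compile(r"^\s*neighbor\s+(\S+)\s+(remote-as|password)\s+(.+?)\s*$")


def parse_neighbors(config):
    """Return {neighbor_ip: {"remote-as": ..., "password": ...}} for one router."""
    neighbors = defaultdict(dict)
    for line in config.splitlines():
        match = NEIGHBOR_RE.match(line)
        if match:
            ip, keyword, value = match.groups()
            neighbors[ip][keyword] = value
    return dict(neighbors)


def audit(configs, owner):
    """Return sorted (router_a, router_b, finding) tuples, one per peering."""
    view = {}  # (local router, peer router) -> password the local side configured
    for router, text in configs.items():
        for ip, attrs in parse_neighbors(text).items():
            if ip in owner:
                view[(router, owner[ip])] = attrs.get("password")
    findings = []
    for a, b in sorted({tuple(sorted(pair)) for pair in view}):
        if (a, b) not in view or (b, a) not in view:
            finding = "neighbor configured on one side only"
        elif view[(a, b)] is None and view[(b, a)] is None:
            finding = "no TCP MD5 password on either side"
        elif view[(a, b)] != view[(b, a)]:
            finding = "password mismatch: session will not establish"
        else:
            finding = "ok"
        findings.append((a, b, finding))  # the passwords themselves are never reported
    return findings


if __name__ == "__main__":
    for a, b, finding in audit(CONFIGS, ADDRESS_OWNER):
        print(f"{a} <-> {b}: {finding}")
```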


4.2 Verify MD5 authentication

Step 1. On host h3 terminal, perform a connectivity test by running the command shown
below. To stop the test, press Ctrl+c. The results show that host h3 cannot reach host
h1.

ping 192.168.1.10

Figure 43. Connectivity test using ping command.

Step 2. Type the following command to verify the routing table of router r3. You will
notice that the routing table does not contain any route to the networks 192.168.1.0/24
and 192.168.2.0/24. The connection between routers r2 and r3 has dropped as the
passwords exchanged between router r2 and router r3 are different.

show ip route

Figure 44. Displaying the routing table of router r3.

Step 3. Type the following command to verify the routing table of router r2. The routing
table does not have any route to the network 192.168.3.0/24. Router r2 has dropped the
connection with router r3 as the password of router r2 did not match with the one
configured on router r3.

show ip route


Figure 45. Displaying the routing table of router r2.

Step 4. In router r2 terminal, type the following command to verify BGP neighbors. Scroll
down to verify the established connections. You will notice that two connections are
established with router r2 and one connection is dropped due to BGP authentication.

show ip bgp neighbors

Figure 46. Verifying BGP neighbors of router r2.

This concludes Lab 5. Stop the emulation and then exit out of MiniEdit.

References

1. A. Tanenbaum, D. Wetherall, “Computer networks”, 5th Edition, Pearson, 2012.
2. J. Stewart III, BGP4 Inter-Domain Routing in the Internet, Addison-Wesley
Longman Publishing Co., Inc., 1998.
3. Juniper Networks, “BGP route authentication”, 2020. [Online]. Available:
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/bgp_security.html
4. Cisco, “Configuring authentication for BGP”, 2019. [Online]. Available:
https://community.cisco.com/t5/networking-documents/configuring-authentication-for-bgp/ta-p/3108287
5. Cisco, “MD5 authentication between BGP peers configuration example”, 2010.
[Online]. Available:
https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/112188-configure-md5-bgp-00.html#intro
