.. _example_protocols_bgp_neighbor_authentication:

##############
Authentication
##############


.. sidebar:: Contents

  .. contents::
    :depth: 2
    :local:

Scenario to verify BGP **MD5 authentication** for neighbor sessions using
both **plain-text password** and **encrypted password** methods.

MD5 authentication protects BGP sessions against spoofed TCP segments by
requiring both peers to share a secret. Two configuration methods exist:

- **password <plain-text>**: Accepts a plain-text password that is
  automatically stored and displayed in encrypted form for security
  reasons, so the documentation shows the encrypted version.

- **encrypted-password <hash>**: Accepts an already-encrypted password
  string, useful for bulk provisioning or configuration templates where
  the plain-text password should not appear.

When the passwords do not match between peers, the TCP MD5 signature
check fails and the BGP session cannot establish. Each authentication
method is tested with both a mismatched password scenario (session fails)
and a matching password scenario (session establishes and routes are
exchanged successfully).

******************************
Test iBGP - MD5 Authentication
******************************

Description
===========

Test MD5 authentication with plain-text and encrypted passwords. Verifies
that mismatched passwords prevent session establishment, while matching
passwords allow the session to establish and routes to be exchanged.

Scenario
========

.. include:: authentication/testibgp-md5authentication

.. raw:: html

  <hr>