Authentication

Scenario that verifies BGP MD5 authentication for neighbor sessions, configured both with a plain-text password and with an already-encrypted password string.

BGP MD5 authentication is the TCP MD5 Signature Option (RFC 2385): every TCP segment of the session carries an MD5 digest computed over the segment and a secret shared by both peers. A segment whose digest does not verify is discarded by the TCP stack before BGP ever sees it, so a third party that does not know the secret cannot inject segments into the session (a spoofed RST that tears it down, or a forged UPDATE). Two configuration methods exist:

  • password <plain-text>: accepts the password in plain text. The device stores and displays it in encrypted form, which is why the configuration listings in Examples 1 and 2 below show an encrypted-password line even though the password was entered in plain text. The stored form is salted, so the same plain-text password yields a different string on each device: the two strings in Example 2 differ, yet the session establishes because the underlying passwords match.

  • encrypted-password <encrypted-string>: accepts a string already produced by the device's encryption, useful for bulk provisioning or configuration templates where the plain-text password should not appear. Two devices match only when their strings decrypt to the same password (Examples 3 and 4). This is reversible encryption, not a one-way hash: the router has to recover the plain-text secret to compute the TCP MD5 digest, so the encrypted string keeps the secret out of configuration listings and backups but does not protect it from anyone who controls the device.

When the passwords do not match, each peer's TCP stack drops the other's segments as mis-signed, so the TCP handshake never completes: the neighbor stays in Connect or Active with MsgRcvd and MsgSent at 0 and Up/Down at never, and BGP itself never receives a message to reject. Each method is therefore tested twice: with a mismatched password (Example 1 for password, Example 3 for encrypted-password), where the session must fail, and with a matching password (Examples 2 and 4), where the session must establish and routes must be exchanged. The system login user admin authentication encrypted-password line present in every configuration is the admin account's one-way $6$ (SHA-512 crypt) password hash; it is part of the test fixture and plays no role in BGP authentication.
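As an added illustration of the mechanism (not code from this page or from the device vendor), the following Python computes the RFC 2385 digest over a constructed SYN segment of the scenario's session and shows why a different secret on DUT1 leads to DUT0's SYN being dropped. The addresses and port 179 are the scenario's; the secrets, source port, sequence number and window are constructed sample values.

```python
"""RFC 2385 TCP MD5 signature over a constructed BGP SYN (added example, not vendor code).

The addresses and port 179 are the scenario's (DUT0 10.10.0.100 opening the session
to DUT1 10.10.0.200).  The secrets, the source port, the sequence number and the
window are constructed sample values.
"""
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
TCP_MD5_OPTION_PADDED = 20   # kind 19, length 18, 16-byte digest, plus two NOPs of padding
SYN = 0x02
DUT0, DUT1 = "10.10.0.100", "10.10.0.200"


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header in the order RFC 2385 signs it: source, destination,
    zero byte, protocol number, TCP segment length (header + options + data)."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))


def fixed_header(sport: int, dport: int, seq: int, ack: int, flags: int,
                 window: int, options_len: int) -> bytes:
    """The 20-byte fixed TCP header.  The checksum field is zero, as the signature
    requires; the data offset still counts the options even though they are not signed."""
    data_offset_words = (20 + options_len) // 4
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (data_offset_words << 12) | flags, window, 0, 0)


def tcp_md5_digest(src_ip: str, dst_ip: str, header20: bytes, options_len: int,
                   payload: bytes, key: bytes) -> bytes:
    """MD5(pseudo-header || fixed header with checksum 0 || payload || key).
    TCP options, including the MD5 option that carries the digest, are excluded."""
    tcp_len = len(header20) + options_len + len(payload)
    h = hashlib.md5()
    h.update(pseudo_header(src_ip, dst_ip, tcp_len))
    h.update(header20)
    h.update(payload)
    h.update(key)
    return h.digest()


def verify_segment(src_ip: str, dst_ip: str, header20: bytes, options_len: int,
                   payload: bytes, key: bytes, received: bytes) -> bool:
    """What the receiving TCP stack does with a signed segment: recompute the digest
    with its own configured key and drop the segment on mismatch."""
    expected = tcp_md5_digest(src_ip, dst_ip, header20, options_len, payload, key)
    return hmac.compare_digest(expected, received)


def dut0_syn(seq: int = 0x1A2B3C4D) -> bytes:
    """Constructed SYN from DUT0, ephemeral port 46201, to DUT1's BGP port 179."""
    return fixed_header(46201, 179, seq, 0, SYN, 65535, TCP_MD5_OPTION_PADDED)


def syn_accepted_by_dut1(dut0_secret: bytes, dut1_secret: bytes) -> bool:
    """DUT0 signs its SYN with its own secret; DUT1 verifies with its own.
    False models Examples 1 and 3: the SYN is dropped, no SYN-ACK is ever sent and
    the neighbor stays in Connect/Active with MsgRcvd and MsgSent at 0."""
    syn = dut0_syn()
    signature = tcp_md5_digest(DUT0, DUT1, syn, TCP_MD5_OPTION_PADDED, b"", dut0_secret)
    return verify_segment(DUT0, DUT1, syn, TCP_MD5_OPTION_PADDED, b"", dut1_secret, signature)


if __name__ == "__main__":
    print("matching secrets:  ", syn_accepted_by_dut1(b"bgp-secret-A", b"bgp-secret-A"))  # True
    print("mismatched secrets:", syn_accepted_by_dut1(b"bgp-secret-A", b"bgp-secret-B"))  # False
```

Two points worth keeping in mind when troubleshooting. The key is compared byte-exact, so a trailing space or a different line ending in one device's password is simply a different key. And the construction is a plain MD5 over the data followed by the key, not an HMAC, with a hash that is long deprecated; RFC 2385 survives for interoperability, and TCP-AO (RFC 5925) is its designed replacement where both peers support it.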

Test iBGP - MD5 Authentication

Description

Test MD5 authentication with plain-text and encrypted passwords. Verifies that mismatched passwords prevent session establishment, while matching passwords allow the session to establish and routes to be exchanged.

Scenario

Example 1

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.10.0.100/24
set protocols bgp 20 neighbor peer encrypted-password U2FsdGVkX1/jchpr6Ug1yewBSuguIclFYK02i48mRls=
set protocols bgp 20 neighbor peer remote-address 10.10.0.200
set protocols bgp 20 neighbor peer remote-as 20
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT1 :

set interfaces dummy dum0 address 1.1.1.1/24
set interfaces ethernet eth0 address 10.10.0.200/24
set protocols bgp 20 neighbor peer encrypted-password U2FsdGVkX1+uchhlVLcL7aCb60ngZxR10UaSVXYQkEc=
set protocols bgp 20 neighbor peer remote-address 10.10.0.100
set protocols bgp 20 neighbor peer remote-as 20
set protocols bgp 20 redistribute connected
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Attention

Verify iBGP session does NOT establish with mismatched password.

Step 3: Run command protocols bgp show ip summary at DUT0 and check if output matches the following regular expressions:

10.10.0.200.*never.*(Connect|Active)
Show output
IPv4 Unicast Summary:
BGP router identifier 10.10.0.100, local AS number 20 VRF default vrf-id 0
BGP table version 0
RIB entries 0, using 0 bytes of memory
Peers 1, using 24 KiB of memory

Neighbor        LocalAddr       V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down        State   PfxRcd   PfxSnt Desc
10.10.0.200     10.10.0.100     4         20         0         0        0    0    0    never      Connect        0        0 N/A

Total number of neighbors 1

Attention

Verify DUT0 does NOT receive route 1.1.1.0/24.

Step 4: Run command protocols bgp show ip at DUT0 and check if output does not match the following regular expressions:

1.1.1.0/24
Show output
No BGP prefixes displayed, 0 exist

Example 2

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.10.0.100/24
set protocols bgp 20 neighbor peer encrypted-password U2FsdGVkX1/RW2afE5cfVYfe+I8poAvi7uVJXhSRnjw=
set protocols bgp 20 neighbor peer remote-address 10.10.0.200
set protocols bgp 20 neighbor peer remote-as 20
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT1 :

set interfaces dummy dum0 address 1.1.1.1/24
set interfaces ethernet eth0 address 10.10.0.200/24
set protocols bgp 20 neighbor peer encrypted-password U2FsdGVkX18lKNHxFQHVUDBNz2TR3YvqxhqJpAYyPnc=
set protocols bgp 20 neighbor peer remote-address 10.10.0.100
set protocols bgp 20 neighbor peer remote-as 20
set protocols bgp 20 redistribute connected
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Attention

Verify iBGP session establishes with matching password.

Step 3: Run command protocols bgp show ip summary at DUT0 and check if output matches the following regular expressions:

10.10.0.200.*Established
Show output
IPv4 Unicast Summary:
BGP router identifier 10.10.0.100, local AS number 20 VRF default vrf-id 0
BGP table version 2
RIB entries 3, using 384 bytes of memory
Peers 1, using 24 KiB of memory

Neighbor        LocalAddr       V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down        State   PfxRcd   PfxSnt Desc
10.10.0.200     10.10.0.100     4         20         5         4        2    0    0 00:00:01  Established        2        0 FRRouting/10.4.1

Total number of neighbors 1

Attention

Verify DUT0 receives route 1.1.1.0/24 from DUT1.

Step 4: Run command protocols bgp show ip at DUT0 and check if output matches the following regular expressions:

1.1.1.0/24
Show output
BGP table version is 2, local router ID is 10.10.0.100, vrf id 0
Default local pref 100, local AS 20
local address -
Status codes:  s suppressed, d damped, h history, u unsorted, * valid, > best, = multipath,
               i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes:  i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *ui 1.1.1.0/24       10.10.0.200              0    100      0 ?
 *ui 10.10.0.0/24     10.10.0.200              0    100      0 ?

Displayed 2 routes and 2 total paths
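The checks in Steps 3 and 4 of each example are regular expressions run against the raw device output. The following Python, an added example rather than the test framework's own code, parses the two outputs into fields and applies the same pass/fail logic, so that a stuck session is reported with its state and message counters instead of as a bare regex miss. The sample outputs are copied, abridged, from Examples 1 and 2 above; the neighbor address and prefix are the scenario's, and the "Idle (Admin)" value mentioned in the comments is a state string FRR prints for administratively shut neighbors, not something that appears on this page.

```python
"""Apply the Step 3 and Step 4 checks to 'protocols bgp show ip summary' and
'protocols bgp show ip' output (added example, not the test framework's own code).
The sample outputs are copied, abridged, from Examples 1 and 2 on this page."""
import re
from typing import Dict, NamedTuple, Set

SUMMARY_MISMATCH = """\
IPv4 Unicast Summary:
BGP router identifier 10.10.0.100, local AS number 20 VRF default vrf-id 0

Neighbor        LocalAddr       V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down        State   PfxRcd   PfxSnt Desc
10.10.0.200     10.10.0.100     4         20         0         0        0    0    0    never      Connect        0        0 N/A

Total number of neighbors 1
"""

SUMMARY_MATCH = """\
IPv4 Unicast Summary:
BGP router identifier 10.10.0.100, local AS number 20 VRF default vrf-id 0

Neighbor        LocalAddr       V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down        State   PfxRcd   PfxSnt Desc
10.10.0.200     10.10.0.100     4         20         5         4        2    0    0 00:00:01  Established        2        0 FRRouting/10.4.1

Total number of neighbors 1
"""

TABLE_MISMATCH = "No BGP prefixes displayed, 0 exist\n"

TABLE_MATCH = """\
BGP table version is 2, local router ID is 10.10.0.100, vrf id 0
Status codes:  s suppressed, d damped, h history, u unsorted, * valid, > best, = multipath,
               i internal, r RIB-failure, S Stale, R Removed
Origin codes:  i - IGP, e - EGP, ? - incomplete

     Network          Next Hop            Metric LocPrf Weight Path
 *ui 1.1.1.0/24       10.10.0.200              0    100      0 ?
 *ui 10.10.0.0/24     10.10.0.200              0    100      0 ?

Displayed 2 routes and 2 total paths
"""


class Neighbor(NamedTuple):
    address: str
    msg_rcvd: int
    msg_sent: int
    up_down: str
    state: str
    pfx_rcvd: int


# One neighbor row.  State is matched lazily so a value containing a space
# (FRR prints "Idle (Admin)" for shut neighbors) survives; the numeric PfxRcd
# and PfxSnt columns and the Desc column after it anchor the match.
ROW = re.compile(
    r"^(?P<addr>\S+)\s+\S+\s+\d\s+\d+\s+(?P<rcvd>\d+)\s+(?P<sent>\d+)\s+\d+\s+\d+\s+\d+"
    r"\s+(?P<updown>\S+)\s+(?P<state>.+?)\s+(?P<pfxrcvd>\d+)\s+\d+\s+\S+\s*$"
)


def parse_summary(text: str) -> Dict[str, Neighbor]:
    """Neighbor rows after the 'Neighbor' header line, keyed by neighbor address."""
    neighbors: Dict[str, Neighbor] = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("Neighbor"):
            in_table = True
            continue
        m = ROW.match(line) if in_table else None
        if m:
            neighbors[m["addr"]] = Neighbor(m["addr"], int(m["rcvd"]), int(m["sent"]),
                                            m["updown"], m["state"], int(m["pfxrcvd"]))
    return neighbors


def session_check(summary: str, neighbor: str, expect_established: bool) -> bool:
    """Step 3.  A wrong key never reaches BGP: the kernel drops the mis-signed segments,
    so the neighbor stays in Connect/Active, Up/Down reads 'never' and both message
    counters stay at zero.  That is what the page's '.*never.*(Connect|Active)' encodes."""
    n = parse_summary(summary).get(neighbor)
    if n is None:
        return False
    if expect_established:
        return n.state == "Established"
    return n.up_down == "never" and n.state in ("Connect", "Active")


# A route row: optional status-code letters, then an IPv4 prefix.
PREFIX_ROW = re.compile(r"^\s*[*>=sdhuirSR]*\s+(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s")


def table_prefixes(table: str) -> Set[str]:
    """Step 4: every IPv4 prefix listed by 'protocols bgp show ip'."""
    return {m.group(1) for line in table.splitlines() if (m := PREFIX_ROW.match(line))}


def verify_example(summary: str, table: str, expect_up: bool,
                   neighbor: str = "10.10.0.200", prefix: str = "1.1.1.0/24") -> bool:
    """Both checks of one example: session state, and presence or absence of DUT1's route."""
    return (session_check(summary, neighbor, expect_up)
            and (prefix in table_prefixes(table)) == expect_up)
```

`verify_example(SUMMARY_MISMATCH, TABLE_MISMATCH, expect_up=False)` reproduces Example 1 and `verify_example(SUMMARY_MATCH, TABLE_MATCH, expect_up=True)` reproduces Example 2; Examples 3 and 4 use the same two checks. When a session that should be up is stuck, the parsed row is the quickest triage: Connect or Active with both counters at zero and no Desc value means the TCP handshake itself is failing, which with these configurations points at the MD5 secret rather than at BGP.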

Example 3

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.10.0.100/24
set protocols bgp 20 neighbor peer encrypted-password U2FsdGVkX1+/lJHbvx5lUlc9gKnt18lmu0aeX+l5sZA=
set protocols bgp 20 neighbor peer remote-address 10.10.0.200
set protocols bgp 20 neighbor peer remote-as 20
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT1 :

set interfaces dummy dum0 address 1.1.1.1/24
set interfaces ethernet eth0 address 10.10.0.200/24
set protocols bgp 20 neighbor peer encrypted-password U2FsdGVkX1+/lJHbvx5lUhUnGk8b5ZS+hwJeltJ9dro=
set protocols bgp 20 neighbor peer remote-address 10.10.0.100
set protocols bgp 20 neighbor peer remote-as 20
set protocols bgp 20 redistribute connected
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Attention

Verify iBGP session does NOT establish with mismatched encrypted-password.

Step 3: Run command protocols bgp show ip summary at DUT0 and check if output matches the following regular expressions:

10.10.0.200.*never.*(Connect|Active)
Show output
IPv4 Unicast Summary:
BGP router identifier 10.10.0.100, local AS number 20 VRF default vrf-id 0
BGP table version 0
RIB entries 0, using 0 bytes of memory
Peers 1, using 24 KiB of memory

Neighbor        LocalAddr       V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down        State   PfxRcd   PfxSnt Desc
10.10.0.200     10.10.0.100     4         20         0         0        0    0    0    never      Connect        0        0 N/A

Total number of neighbors 1

Attention

Verify DUT0 does NOT receive route 1.1.1.0/24.

Step 4: Run command protocols bgp show ip at DUT0 and check if output does not match the following regular expressions:

1.1.1.0/24
Show output
No BGP prefixes displayed, 0 exist

Example 4

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.10.0.100/24
set protocols bgp 20 neighbor peer encrypted-password U2FsdGVkX1+/lJHbvx5lUlc9gKnt18lmu0aeX+l5sZA=
set protocols bgp 20 neighbor peer remote-address 10.10.0.200
set protocols bgp 20 neighbor peer remote-as 20
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT1 :

set interfaces dummy dum0 address 1.1.1.1/24
set interfaces ethernet eth0 address 10.10.0.200/24
set protocols bgp 20 neighbor peer encrypted-password U2FsdGVkX1+/lJHbvx5lUlc9gKnt18lmu0aeX+l5sZA=
set protocols bgp 20 neighbor peer remote-address 10.10.0.100
set protocols bgp 20 neighbor peer remote-as 20
set protocols bgp 20 redistribute connected
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Attention

Verify iBGP session establishes with matching encrypted-password.

Step 3: Run command protocols bgp show ip summary at DUT0 and check if output matches the following regular expressions:

10.10.0.200.*Established
Show output
IPv4 Unicast Summary:
BGP router identifier 10.10.0.100, local AS number 20 VRF default vrf-id 0
BGP table version 2
RIB entries 3, using 384 bytes of memory
Peers 1, using 24 KiB of memory

Neighbor        LocalAddr       V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down        State   PfxRcd   PfxSnt Desc
10.10.0.200     10.10.0.100     4         20         5         4        2    0    0 00:00:02  Established        2        0 FRRouting/10.4.1

Total number of neighbors 1

Attention

Verify DUT0 receives route 1.1.1.0/24 from DUT1.

Step 4: Run command protocols bgp show ip at DUT0 and check if output matches the following regular expressions:

1.1.1.0/24
Show output
BGP table version is 2, local router ID is 10.10.0.100, vrf id 0
Default local pref 100, local AS 20
local address -
Status codes:  s suppressed, d damped, h history, u unsorted, * valid, > best, = multipath,
               i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes:  i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>i 1.1.1.0/24       10.10.0.200              0    100      0 ?
 *>i 10.10.0.0/24     10.10.0.200              0    100      0 ?

Displayed 2 routes and 2 total paths