2025-04-05 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains how to strengthen BGP routing protocol security under Linux. The method introduced here is simple, fast and practical.
Preparation
Hardening BGP session security is fairly simple and straightforward, and we'll use the following routers.
Mainstream Linux kernels natively support the TCP MD5 option for IPv4 and IPv6. So if you build a Quagga router on a stock Linux machine, TCP MD5 support is already available, and all that remains is to configure Quagga to use it. However, if you are using a FreeBSD machine or building a custom kernel for Quagga, make sure that the kernel has TCP MD5 support enabled (e.g. the CONFIG_TCP_MD5SIG option in Linux).
Configure Router-A authentication functionality
We'll use Quagga's CLI Shell to configure the router, and the only new command we'll use is 'password'.
The code is as follows:
[root@router-a ~]# vtysh
router-a# conf t
router-a(config)# router bgp 100
router-a(config-router)# network 192.168.100.0/24
router-a(config-router)# neighbor 10.10.12.2 remote-as 200
router-a(config-router)# neighbor 10.10.12.2 password xmodulo
The pre-shared key used in this example is 'xmodulo'. Obviously, in a production environment, you need to choose a more robust key.
Note: In Quagga, the 'service password-encryption' command is used to encrypt all plaintext passwords (e.g. login passwords) in the configuration file. However, when I used this command, I noticed that the pre-shared key in the BGP configuration was still in plain text. I'm not sure if this is a limitation of Quagga or a problem with the version itself.
Configure Router-B authentication
We will configure router-B in a similar manner.
The code is as follows:
[root@router-b ~]# vtysh
router-b# conf t
router-b(config)# router bgp 200
router-b(config-router)# network 192.168.200.0/24
router-b(config-router)# neighbor 10.10.12.1 remote-as 100
router-b(config-router)# neighbor 10.10.12.1 password xmodulo
Verify BGP sessions
If everything is configured correctly, BGP sessions should be up and the two routers should be able to exchange routing tables. At this point, all outgoing packets in the TCP session carry an MD5 digest of the packet contents and a secret key, and the digest information is automatically verified by the other end.
We can verify active BGP sessions as usual by viewing the BGP summary. MD5 digest validation happens transparently inside Quagga, so you can't see it at the BGP level.
If you want to test BGP authentication, you can reconfigure one neighbor with no password, or deliberately set the wrong pre-shared key, and see what happens. You can also use a packet sniffer such as tcpdump or Wireshark to analyze the packets of the BGP session. For example, tcpdump's "-M" option, which takes the shared secret as its argument, validates the MD5 digest carried in the TCP options field.
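To make the digest check described above concrete, the following added example (not code from the original article or from Quagga) computes and verifies the TCP MD5 signature option as laid out in RFC 2385. The function names and the sample segment are constructed for illustration; the addresses and the key are the ones used in this article.

```python
import hashlib
import hmac
import socket
import struct

TCPOPT_MD5SIG = 19  # TCP option kind of the MD5 signature option (RFC 2385)

def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """MD5 over pseudo-header, fixed TCP header (checksum zeroed), payload, key."""
    header_len = (segment[12] >> 4) * 4  # data offset, includes options
    if header_len < 20 or header_len > len(segment):
        raise ValueError("malformed TCP header")
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    fixed = segment[:16] + b"\x00\x00" + segment[18:20]  # options are not hashed
    return hashlib.md5(pseudo + fixed + segment[header_len:] + key).digest()

def carried_digest(segment):
    """Return the 16-byte digest from option kind 19, or None if absent."""
    opts = segment[20:(segment[12] >> 4) * 4]
    i = 0
    while i < len(opts) and opts[i] != 0:      # kind 0 ends the option list
        if opts[i] == 1:                        # kind 1 is a one-byte NOP
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            return None                         # truncated or bogus length
        if opts[i] == TCPOPT_MD5SIG and opts[i + 1] == 18:
            digest = opts[i + 2:i + 18]
            return digest if len(digest) == 16 else None
        i += opts[i + 1]
    return None

def sign(src_ip, dst_ip, header20, payload, key):
    """Sender side: add NOP, NOP, MD5 option (20 option bytes) to a bare header."""
    hdr = header20[:12] + bytes([(10 << 4) | (header20[12] & 0x0F)]) + header20[13:]
    digest = tcp_md5_digest(src_ip, dst_ip, hdr + bytes(20) + payload, key)
    return hdr + b"\x01\x01" + bytes([TCPOPT_MD5SIG, 18]) + digest + payload

def verify(src_ip, dst_ip, segment, key):
    """Receiver side: recompute with the local key and compare in constant time."""
    got = carried_digest(segment)
    return got is not None and hmac.compare_digest(
        got, tcp_md5_digest(src_ip, dst_ip, segment, key))

# Constructed sample: router-A (10.10.12.1) sends a BGP KEEPALIVE to router-B:179.
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)
HEADER = struct.pack("!HHIIBBHHH", 40000, 179, 1000, 2000, 5 << 4, 0x18, 8192, 0, 0)
SEGMENT = sign("10.10.12.1", "10.10.12.2", HEADER, KEEPALIVE, b"xmodulo")
```

Calling verify() on SEGMENT with a different key, or on HEADER + KEEPALIVE (no option at all), returns False, which mirrors the wrong-key and empty-password tests suggested above.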