Shulou(Shulou.com)06/01 Report--

This article mainly explains "the scheme to strengthen BGP routing protocol security under Linux". Interested friends may wish to take a look. The method introduced in this paper is simple, fast and practical. Let's take you to learn "the solution to strengthen BGP routing protocol security under Linux"!

ready

Hardening BGP session security is fairly simple and straightforward, and we'll use the following routers.

The popular Linux kernel natively supports TCP MD5 options for IPv4 and IPv6. So if you build a Quagga router from a brand new Linux machine, TCP's MD5 feature is automatically enabled. All that remains is to configure Quagga to use its features. However, if you are using a FreeBSD machine or building a custom kernel for Quagga, make sure that the kernel has MD5 support for TCP enabled (e.g. CONFIGTCPMD5SIG option in Linux).

Configure Router-A authentication functionality

We'll use Quagga's CLI Shell to configure the router, and the only new command we'll use is 'password'.

The code is as follows:

[root@router-a ~]# vtysh

router-a# conf t

router-a(config)# router bgp 100

router-a(config-router)# network 192.168.100.0/24

router-a(config-router)# neighbor 10.10.12.2 remote-as 200

router-a(config-router)# neighbor 10.10.12.2 password xmodulo

The pre-shared key used in this example is 'xmodulo.' Obviously, in a production environment, you need to choose a more robust key.

Note: In Quagga, the 'service password-encryption' command is used to encrypt all plaintext passwords (e.g. login passwords) in the configuration file. However, when I used this command, I noticed that the pre-shared key in the BGP configuration was still in plain text. I'm not sure if this is a limitation of Quagga or a problem with the version itself.

Configure Router-B authentication

We will configure router-B in a similar manner.

The code is as follows:

[root@router-b ~]# vtysh

router-b# conf t

router-b(config)# router bgp 200

router-b(config-router)# network 192.168.200.0/24

router-b(config-router)# neighbor 10.10.12.1 remote-as 100

router-b(config-router)# neighbor 10.10.12.1 password xmodulo

Verify BGP sessions

If everything is configured correctly, BGP sessions should be up and the two routers should be able to exchange routing tables. At this point, all outgoing packets in the TCP session carry an MD5 digest of the packet contents and a secret key, and the digest information is automatically verified by the other end.

We can verify active BGP sessions as usual by looking at BGP profiles. MD5 checksum validation is transparent inside Quagga, so you can't see it at the BGP level.

If you want to test BGP authentication, you can configure a neighbor route, set its password to null, or deliberately use the wrong pre-shared key, and see what happens. You can also use packet sniffers like tcpdump or Wireshark to analyze packets passing through BGP sessions. For example, tcpdump with the "-M " option validates the MD5 digest of the TCP options field.

At this point, I believe that everyone has a deeper understanding of the "scheme to strengthen BGP routing protocol security under Linux," so it is advisable to actually operate it! Here is the website, more related content can enter the relevant channels for inquiry, pay attention to us, continue to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.