BGP Support for TCP AO Overview
On a secure control plane, BGP uses the Message Digest 5 (MD5) algorithm as its authentication mechanism. When authentication is enabled, every Transmission Control Protocol (TCP) segment belonging to BGP that is exchanged between peers is verified and accepted only if authentication succeeds. The BGP application uses the TCP API to configure the keychain on a TCP connection, and it owns the configuration that associates a TCP-AO keychain name with a neighbor, a peer group, or a peer-session template.
You can validate the authentication configuration per neighbor, peer group, or peer-session template. The Authentication Option is supported for BGP dynamic neighbors, BGP non-stop forwarding (NSF), and non-stop routing (NSR). Routing protocols support different sets of cryptographic algorithms; BGP, however, supports only MD5. For example, if BGP is configured with the TCP MD5 key (md5-key), it does not allow TCP-AO to be configured, and vice versa. There are two options to configure BGP:
- include-tcp-options - specifies whether TCP option headers (other than the TCP AO option) are included when computing the MAC digest of the packets.
- accept-ao-mismatch-connections - accepts a connection as a non-TCP AO connection when a connection is received from a peer without the TCP AO option. Similarly, if the connection is initiated from one side and the peer acknowledges with TCP AO, the ACK is accepted and the connection continues.
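The following is an added illustration, not code from this guide or from the BGP implementation it describes: a simplified Python model of what include-tcp-options changes in the bytes covered by the TCP-AO MAC (checksum zeroed, the AO option's own MAC field zeroed, other options covered only when the flag is set), and why both peers must agree on the setting. Assumptions: the configured key string is used directly as the HMAC-SHA1 key (real TCP-AO feeds a per-connection traffic key derived by a KDF), the MAC is truncated to 12 bytes, and the segment bytes are constructed sample data.

```python
import hmac
import hashlib

AO_KIND = 29  # TCP-AO option kind (RFC 5925)

def encode_option(kind, body, zero_ao_mac=True):
    """Encode a TCP option; for TCP-AO, zero the MAC field (bytes after KeyID/RNextKeyID)."""
    if kind == AO_KIND and zero_ao_mac:
        body = body[:2] + bytes(len(body) - 2)
    return bytes([kind, 2 + len(body)]) + body

def mac_input(pseudo_header, tcp_header, options, data, include_tcp_options):
    """Bytes the MAC is computed over. The checksum (header offset 16-17) is zeroed;
    with include_tcp_options=False only the TCP-AO option itself is covered."""
    hdr = tcp_header[:16] + b"\x00\x00" + tcp_header[18:]
    covered = [o for o in options if include_tcp_options or o[0] == AO_KIND]
    opts = b"".join(encode_option(k, b) for k, b in covered)
    return pseudo_header + hdr + opts + data

def compute_mac(key, pseudo_header, tcp_header, options, data, include_tcp_options, mac_len=12):
    # Simplification (assumption): the configured key string is used directly;
    # real TCP-AO uses a traffic key derived from it per connection.
    msg = mac_input(pseudo_header, tcp_header, options, data, include_tcp_options)
    return hmac.new(key, msg, hashlib.sha1).digest()[:mac_len]

# Constructed sample segment: IPv4 pseudo-header, 20-byte TCP header (checksum 0xabcd),
# an MSS option and a TCP-AO option (KeyID=1, RNextKeyID=1, 12-byte MAC), 8 bytes of data.
PSEUDO = bytes([10, 0, 0, 1, 10, 0, 0, 2, 0, 6, 0, 48])
TCP_HDR = bytes.fromhex("00b3 00b3 00000001 00000000 a002 ffff abcd 0000")
MSS_OPT = (2, b"\x05\xb4")
KEY = b"example-key-string"
DATA = b"BGP OPEN"

def make_ao_option(key, include_tcp_options):
    """Sender side: build the TCP-AO option carrying the MAC for the sample segment."""
    placeholder = (AO_KIND, b"\x01\x01" + bytes(12))  # MAC field zeroed while computing
    mac = compute_mac(key, PSEUDO, TCP_HDR, [MSS_OPT, placeholder], DATA, include_tcp_options)
    return (AO_KIND, b"\x01\x01" + mac)

def verify(key, options, include_tcp_options):
    """Receiver side: recompute the MAC under the local include-tcp-options setting and
    compare it in constant time with the MAC carried in the TCP-AO option."""
    ao = next(o for o in options if o[0] == AO_KIND)
    expected = compute_mac(key, PSEUDO, TCP_HDR, options, DATA, include_tcp_options)
    return hmac.compare_digest(ao[1][2:], expected)
```

A segment built with include-tcp-options on one peer and verified with it off on the other fails the MAC check even with the same key, which is why the setting must match on both ends of the session.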
Restrictions
- Configuring and deconfiguring TCP AO for a certain neighbor, peer group, or peer-session causes existing established BGP session(s) to flap.
- Do not change the configuration of an existing TCP key chain, because existing BGP sessions may break.
- TCP AO picks the most valid key under the key chain. The most valid key is the one with the longest send lifetime. If two keys have the same send lifetime, the first best key is selected.
- In a configuration where one device is configured with the TCP MD5 option and the other with the TCP-AO option, which is not a supported combination, the BGP session is not established between the devices until you correct the configuration.
- After a session is established using a specific key chain, if you modify the key chain, the session ends, and an attempt is made to renegotiate the session based on the modified key chain.