TCP-AO is a new authentication method proposed through RFC5925, The TCP Authentication Option to enhance the security and authenticity of TCP segments exchanged during BGP.
It supports both IPv4 and IPv6 traffic
Benefits of TCP-AO
Support multiple stronger algorithms, such as HMAC-SHA1 and AES-128 to create an internal traffic key and message digest.
Add a new user-configured key to re-generate internal traffic keys for an established connection and a mechanism to synchronize key change between BGP peers
Nokia Configuration
/configure system security
keychain "aes-128-cmac-96-keychain"
tcp-option-number
send tcp-ao
receive tcp-ao
exit
direction
uni
send
entry 20 key “key”algorithm aes-128-cmac-96
begin-time 2023/04/03 08:22:32 UTC
exit
exit
receive
entry 10 key “key” algorithm aes-128-cmac-96
begin-time 2023/04/03 08:23:24 UTC
exit
exit
exit
exit
no shutdown
exit
Apply the TCP AO authentication under BGP neighbor or Group
/configure router bgp group "juniper"
type external
local-as 100
neighbor 192.168.0.2
auth-keychain "aes-128-cmac-96-keychain"
exit
exit
Juniper Configuration#
security {
authentication-key-chains {
key-chain nokia {
tolerance 30;
key 10 {
secret "$9$vxA87Vg4ZiqfDi/t0OSy7-Vb2aZGiq.5"; ## SECRET-DATA
start-time "2023-2-1.00:00:00 +0000";
algorithm ao;
ao-attribute {
send-id 10;
recv-id 20;
tcp-ao-option enabled;
cryptographic-algorithm aes-128-cmac-96;
}
}
Apply the TCP AO authentication under BGP neighbor or Group
set protocols bgp group nokia authentication-algorithm ao
Cisco XR Configuration#
key chain AS300
key 0
accept-lifetime 00:00:00 april 01 2023 infinite
key-string password 0701245859060B0E1B1309
send-lifetime 00:00:00 april 01 2023 infinite
cryptographic-algorithm MD5
!
!
key chain AS300
key 1
accept-lifetime 00:00:00 april 01 2023 infinite
key-string password 0701245859060B0E1B1309
send-lifetime 00:00:00 april 01 2023 infinite
cryptographic-algorithm MD5
!
!
router bgp 300
neighbor 192.168.1.1
keychain AS300
!
