TCP AO configuration on Cisco, Juniper and Nokia SR - Interop Configuration

TCP-AO is a new authentication method proposed through RFC5925, The TCP Authentication Option to enhance the security and authenticity of TCP segments exchanged during BGP.

 It supports both IPv4 and IPv6 traffic


Benefits of TCP-AO




Support multiple stronger algorithms, such as HMAC-SHA1 and AES-128 to create an internal traffic key and message digest.

Add a new user-configured key to re-generate internal traffic keys for an established connection and a mechanism to synchronize key change between BGP peers

Nokia Configuration

/configure system security 

keychain "aes-128-cmac-96-keychain"

                tcp-option-number

                    send tcp-ao

                    receive tcp-ao

                exit

                direction

                    uni

                        send

                            entry 20 key “key”algorithm aes-128-cmac-96

                                begin-time 2023/04/03 08:22:32 UTC

                            exit

                        exit

                        receive       

                            entry 10 key “key” algorithm aes-128-cmac-96

                                begin-time 2023/04/03 08:23:24 UTC

                            exit

                        exit

                    exit

                exit

                no shutdown

            exit

Apply the TCP AO authentication under BGP neighbor or Group

/configure router bgp group "juniper"

                type external

                local-as 100

                neighbor 192.168.0.2

                 auth-keychain "aes-128-cmac-96-keychain"

                exit

            exit


Juniper Configuration#

security {                              

    authentication-key-chains {

        key-chain nokia {

            tolerance 30;

            key 10 {

                secret "$9$vxA87Vg4ZiqfDi/t0OSy7-Vb2aZGiq.5"; ## SECRET-DATA

                start-time "2023-2-1.00:00:00 +0000";

                algorithm ao;

                ao-attribute {

                    send-id 10;

                    recv-id 20;

                    tcp-ao-option enabled;

                    cryptographic-algorithm aes-128-cmac-96;

                }

            }

Apply the TCP AO authentication under BGP neighbor or Group

set protocols bgp group nokia authentication-algorithm ao


Cisco XR Configuration#

key chain AS300

 key 0

  accept-lifetime 00:00:00 april 01 2023 infinite

  key-string password 0701245859060B0E1B1309

  send-lifetime 00:00:00 april 01 2023 infinite

  cryptographic-algorithm MD5

 !

!

key chain AS300

 key 1

  accept-lifetime 00:00:00 april 01 2023 infinite

  key-string password 0701245859060B0E1B1309

  send-lifetime 00:00:00 april 01 2023 infinite

  cryptographic-algorithm MD5

 !

!

router bgp 300

 neighbor 192.168.1.1

  keychain AS300

 !



Comments

Post a Comment

Popular posts from this blog

Image
How to add Cisco IOU Image on Eve-ng Up and Running Step 1# Download Linux L2/L3 adventerprise Image  Step 2# Upload the downloaded image to the EVE path /opt/unetlab/addons/iol/bin/ using WinSCP or Filezilla Step 3# Fix the permission for the added image using the below command /opt/unetlab/wrappers/unl_wrapper -a fixpermissions Step 4# Create an iou keygen file Copy the Cisco IOU Image Script provided below and add to the script vim /opt/unetlab/addons/iol/bin/ioukeygen.py Esc:wq Step 5# Fix the permission for the Python script chmod –x vim /opt/unetlab/addons/iol/bin/ioukeygen.py Step 6# Run the license generator script  /opt/unetlab/addons/iol/bin/ioukeygen.py copy the license generated by the script Step 7# Create iourc license file for your EVE vim /opt/unetlab/addons/iol/bin/iourc Paste the output captured in Step 6 Step 8# Fix the permission and start practicing your lab by adding the image on eve-ng web /opt/unetlab/wrappers/unl_wrapper -a fixpermissions Cisco IOU Image Script
Read more

Configuration of the epipe/l2circuit on the Nokia 7750 SR/7250 IXR

Image
Epipe Configuration on Nokia 7750 SR This article explains how to configure epipe between Nokia SR routers. The Cisco term is referred to as xconnect and the juniper term is L2circuit. Basic Theories: Epipe name itself identifies it's a point-to-point connection that uses Ethernet encapsulation to pass data bits/bytes between two endpoints. Service provider core act as a layer 2 switch for customer traffic. In other words, this helps to extend the IP segment of the same subnet shared between 2 different locations. Topology: ISIS Level 2 and LDP are preconfigured. let's explore the setup to configure epipe and initiate traffic between the 2 sites. LDP is used to signal the Service label between end nodes participating in epipe. Nokia: SAP-MTU and Service MTU play an important role. To bring up the epipe between 2 end nodes we need to take care of Service-MTU and Sap port MTU. SAP-port MTU and Service MTU should be the same if the encapsulation is null. If the encapsulation is do
Read more

How to configure SFM/ Card/MDA in Nokia SR 7750/77XX series routers

Image
We going to discuss how to configure and bring up the Nokia chassis for the first-time installation like SFM, IOM/IMM Card, and MDA on Nokia 7750/77XX series router. SFM Card - Switch Fabric Module which is an internal backplane used to switch traffic between different slots on the router chassis. IMM -    Integrated Media Module which is your line card with a fixed number of media/ports IOM - Input/Output Module this type of card we can insert different types of media/ports based on the supported type by each Chassis. Let us explore how to identify and configure our Nokia SR series routers. 1. First find the SFM Type inserted on the Nokia Router. as per the output we need to configure  SFM5 to bring up the Switch fabric module A:SR1# configure sfm 1 sfm-type m-sfm5-12 Now SFM is configured let's find the Card Type using the "show card" command  *A:SR1# configure card 1 card-type "iom3-xp" Now, we are in the final phase to bring up the ports. check and configur
Read more