© 2005 Cisco Systems, Inc. All rights reserved. BGP v3.2—1-1
BGP Overview
Establishing BGP Sessions
Outline
• Overview
• BGP Neighbor Discovery
• Establishing a BGP Session
• BGP Keepalives
• MD5 Authentication
• Summary
BGP Neighbor Discovery
• BGP neighbors are not discovered; they must be configured manually.
• Configuration must be done on both sides of the connection.
• Both routers will attempt to connect to the other with a TCP session on port number 179.
• Only the session with the higher router-ID remains after the connection attempt.
• The source IP address of incoming connection attempts is verified against a list of configured neighbors.
BGP Neighbor Discovery (Cont.)
Small BGP Network
BGP Neighbor Discovery (Cont.)
Initially, all BGP sessions to the neighbors are idle.
Establishing a BGP Session
• A TCP session is established when the neighbor becomes reachable.
• BGP Open messages are exchanged.
Establishing a BGP Session (Cont.)
The BGP Open message contains the following:
• BGP version number
• AS number of the local router
• Holdtime
• BGP router identifier
• Optional parameters
Establishing a BGP Session (Cont.)
BGP neighbors: steady state
• All neighbors shall be up (no state information).
BGP Keepalives
• A TCP-based BGP session does not provide any means of verifying BGP neighbor presence:
  – Except when sending BGP traffic
• BGP needs an additional mechanism:
  – Keepalive BGP messages provide verification of neighbor existence.
  – Keepalive messages are sent every 60 seconds.
BGP Keepalives (Cont.)
• The keepalive interval value is not communicated in the BGP Open message.
• The keepalive value is selected as follows:
  – Configured value, if the local holdtime is used
  – Configured value, if the holdtime of the neighbor is used and keepalive < (holdtime / 3)
  – (holdtime / 3), rounded down to an integer, if the holdtime of the neighbor is used and keepalive > (holdtime / 3)
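As an added illustration (not code from the course), the following Python encodes and decodes the BGP Open message fields listed above using the RFC 4271 wire layout, applies the checks a receiver makes before accepting a session, and implements the keepalive selection rule from these slides. The treatment of a configured keepalive exactly equal to (holdtime / 3) is an assumption, since the slides do not state it.

```python
import socket
import struct

BGP_PORT = 179          # TCP port used for BGP sessions (from the slides)
MSG_OPEN = 1            # OPEN message type code (RFC 4271)
MARKER = b"\xff" * 16   # 16-byte all-ones marker that starts every BGP message

def build_open(version, my_as, holdtime, router_id, opt_params=b""):
    """Encode an OPEN message: version, AS number, holdtime, router ID, optional parameters."""
    body = struct.pack("!BHH4sB", version, my_as, holdtime,
                       socket.inet_aton(router_id), len(opt_params)) + opt_params
    return MARKER + struct.pack("!HB", 19 + len(body), MSG_OPEN) + body

def parse_open(msg):
    """Decode an OPEN message, applying the checks a receiver makes before accepting it."""
    if len(msg) < 29 or msg[:16] != MARKER:
        raise ValueError("truncated header or bad marker")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if mtype != MSG_OPEN or length != len(msg):
        raise ValueError("not an OPEN message or length field does not match")
    version, my_as, holdtime, rid, optlen = struct.unpack("!BHH4sB", msg[19:29])
    if version != 4:
        raise ValueError("unsupported BGP version %d" % version)
    if holdtime in (1, 2):        # RFC 4271: holdtime must be 0 or at least 3 seconds
        raise ValueError("unacceptable holdtime %d" % holdtime)
    if len(msg) != 29 + optlen:
        raise ValueError("optional parameter length mismatch")
    return {"version": version, "my_as": my_as, "holdtime": holdtime,
            "router_id": socket.inet_ntoa(rid), "opt_params": msg[29:]}

def negotiated_holdtime(local_holdtime, neighbor_holdtime):
    """Both sides use the smaller of the two proposed holdtimes (0 disables keepalives)."""
    return min(local_holdtime, neighbor_holdtime)

def keepalive_interval(configured_keepalive, local_holdtime, neighbor_holdtime):
    """Keepalive selection rule from the slides; the equal case is assumed to keep the configured value."""
    holdtime = negotiated_holdtime(local_holdtime, neighbor_holdtime)
    if holdtime == 0:
        return 0                                   # keepalives disabled
    if holdtime == local_holdtime:
        return configured_keepalive                # local holdtime in use
    if configured_keepalive <= holdtime / 3:
        return configured_keepalive                # neighbor's holdtime, keepalive still small enough
    return holdtime // 3                           # neighbor's holdtime, keepalive too large: round down
```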
MD5 Authentication
• BGP peers may optionally use MD5 TCP authentication using a shared secret.
• Both routers must be configured with the same password (MD5 shared secret).
• Each TCP segment is verified.
Summary
• With interior routing protocols, adjacent routers are usually discovered through a dedicated hello protocol. In BGP, neighbors must be manually configured to increase routing protocol security.
• BGP neighbors, once configured, establish a TCP session and exchange the BGP Open message, which contains the parameters that each BGP router proposes to use.
• BGP keepalives are used by the router to provide verification of the existence of a configured BGP neighbor.
• MD5 authentication can be configured on a BGP session to help prevent spoofing, DoS attacks, or man-in-the-middle attacks.