© 2005 Cisco Systems, Inc. All rights reserved. BGP v BGP Overview Establishing BGP Sessions

© 2005 Cisco Systems, Inc. All rights reserved. BGP v Outline Overview BGP Neighbor Discovery Establishing a BGP Session BGP Keepalives MD5 Authentication Summary

© 2005 Cisco Systems, Inc. All rights reserved. BGP v BGP Neighbor Discovery BGP neighbors are not discovered; they must be configured manually. Configuration must be done on both sides of the connection. Both routers will attempt to connect to the other with a TCP session on port number 179. Only the session with the higher router-ID remains after the connection attempt. The source IP address of incoming connection attempts is verified against a list of configured neighbors.

© 2005 Cisco Systems, Inc. All rights reserved. BGP v BGP Neighbor Discovery (Cont.) Small BGP Network

© 2005 Cisco Systems, Inc. All rights reserved. BGP v BGP Neighbor Discovery (Cont.) Initially, all BGP sessions to the neighbors are idle.

© 2005 Cisco Systems, Inc. All rights reserved. BGP v Establishing a BGP Session A TCP session is established when the neighbor becomes reachable. BGP Open messages are exchanged.

© 2005 Cisco Systems, Inc. All rights reserved. BGP v Establishing a BGP Session (Cont.) The BGP Open message contains the following: BGP version number AS number of the local router Holdtime BGP router identifier Optional parameters

© 2005 Cisco Systems, Inc. All rights reserved. BGP v Establishing a BGP Session (Cont.) BGP neighbors steady state All neighbors shall be up (no state information).

© 2005 Cisco Systems, Inc. All rights reserved. BGP v BGP Keepalives A TCP-based BGP session does not provide any means of verifying BGP neighbor presence: –Except when sending BGP traffic BGP needs an additional mechanism: –Keepalive BGP messages provide verification of neighbor existence. –Keepalive messages are sent every 60 seconds.

© 2005 Cisco Systems, Inc. All rights reserved. BGP v BGP Keepalives (Cont.) Keepalive interval value is not communicated in the BGP Open message. Keepalive value is selected as follows: –Configured value, if local holdtime is used –Configured value, if holdtime of neighbor is used and keepalive < (holdtime / 3) –Smaller integer in relation to (holdtime / 3), if holdtime of neighbor is used and keepalive > (holdtime / 3)

© 2005 Cisco Systems, Inc. All rights reserved. BGP v MD5 Authentication BGP peers may optionally use MD5 TCP authentication using a shared secret. Both routers must be configured with the same password (MD5 shared secret). Each TCP segment is verified.

© 2005 Cisco Systems, Inc. All rights reserved. BGP v Summary With interior routing protocols, adjacent routers are usually discovered through a dedicated hello protocol. In BGP, neighbors must be manually configured to increase routing protocol security. BGP neighbors, once configured, establish a TCP session and exchange the BGP Open message, which contains the parameters that each BGP router proposes to use. BGP keepalives are used by the router to provide verification of the existence of a configured BGP neighbor. MD5 authentication can be configured on a BGP session to help prevent spoofing, DoS attacks, or man-in-the-middle attacks.

© 2005 Cisco Systems, Inc. All rights reserved. BGP v