Protocol authentication
On SR Linux, authentication of routing control messages for BGP, as well as for other protocols such as LDP and IS-IS, is done using shared keys.
Message authentication between two routers relies on shared knowledge of a secret key and a cryptographic algorithm, such as MD5. The secret key, together with the message data, is used to generate a message digest. The sender adds the digest to each transmitted message and the receiver validates it, with the expectation that only a sender in possession of the secret key and algorithm details could produce the same digest that the receiver computes for the message.
To limit exposure in the event a key is compromised, the secret key is changed at regular intervals using keys configured in a keychain. A keychain defines a list of one or more keys; each key is associated with a secret string, an algorithm identifier, and a start time.
When a protocol references a keychain for securing its messages with a set of peers, it uses the active key in the keychain with the most recent start time to generate the message digest in its sent messages, and it drops every received message that does not have an acceptable message digest.
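The following is an added example, not SR Linux code, that models the behaviour described above: a keychain of keys with start times, selection of the admin-enabled key with the most recent start time that is not in the future, digest generation over the message data with the selected secret, and rejection of any received message whose digest does not verify. The exact bytes that SR Linux hashes are not described on this page, so the digest construction hash(message || secret) and the tail-appended wire layout are assumptions made for illustration; the key names, the `Keychain` class and the sample messages are constructed here.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Key:
    """One entry of a keychain: secret, algorithm identifier and start time."""
    key_id: int
    secret: bytes
    algorithm: str      # hashlib name, e.g. "md5"
    start_time: int     # seconds since epoch at which the key becomes usable
    admin_state: str = "enable"


class Keychain:
    """Constructed model of a keychain: a named list of keys."""

    def __init__(self, name: str, keys: List[Key]):
        self.name = name
        self.keys = list(keys)

    def active_key(self, now: int) -> Optional[Key]:
        # Eligible keys are admin-enabled and have already started; among
        # those, the one with the most recent start time is used (as the page
        # describes). Returns None when no key is eligible yet.
        eligible = [k for k in self.keys
                    if k.admin_state == "enable" and k.start_time <= now]
        if not eligible:
            return None
        return max(eligible, key=lambda k: k.start_time)


def message_digest(key: Key, message: bytes) -> bytes:
    # Assumption for illustration: digest = hash(message || secret).
    h = hashlib.new(key.algorithm)
    h.update(message)
    h.update(key.secret)
    return h.digest()


def sign_message(chain: Keychain, message: bytes, now: int) -> bytes:
    """Sender side: append the digest computed with the active key."""
    key = chain.active_key(now)
    if key is None:
        raise RuntimeError(f"keychain {chain.name}: no active key at t={now}")
    return message + message_digest(key, message)


def verify_message(chain: Keychain, wire: bytes, now: int) -> Optional[bytes]:
    """Receiver side: return the message data if its digest verifies with the
    receiver's active key, otherwise None (the message is dropped)."""
    key = chain.active_key(now)
    if key is None:
        return None
    dlen = hashlib.new(key.algorithm).digest_size
    if len(wire) <= dlen:
        return None
    message, digest = wire[:-dlen], wire[-dlen:]
    # Constant-time comparison so a forged digest cannot be matched byte by byte.
    if hmac.compare_digest(digest, message_digest(key, message)):
        return message
    return None


# Constructed sample keychain: key 2 takes over from key 1 at t=1000.
K1 = Keychain("k1", [
    Key(1, b"ZcvSElJzJx/wBZ9biCt", "md5", start_time=0),
    Key(2, b"e7xdKlYO2DOm7v3IJv", "md5", start_time=1000),
])

if __name__ == "__main__":
    update = b"BGP UPDATE (constructed payload)"
    wire = sign_message(K1, update, now=500)
    print("verified at t=500 :", verify_message(K1, wire, now=500) == update)
    print("verified at t=2000:", verify_message(K1, wire, now=2000))  # None: key rolled
```

Both routers must agree on which key is active at a given moment, so the start times in the keychain, and the clocks of the peers, are part of the security boundary: a message signed with key 1 is dropped once the receiver has moved to key 2, which is the rollover behaviour the text describes.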
Configuring protocol authentication
To configure protocol authentication, you configure an authentication keychain at the system level and configure a protocol to use the keychain. All protocol authentication is done using keychains. If a protocol requires authentication with a single neighbor using a single key, the key is configured within a keychain, and the protocol references the keychain.
Configure a keychain
The following example configures a keychain consisting of two keys:
--{ candidate shared default }--[ ]--
# info system authentication
    system {
        authentication {
            keychain k1 {
                key 1 {
                    admin-state enable
                    algorithm md5
                    authentication-key ZcvSElJzJx/wBZ9biCt
                }
                key 2 {
                    admin-state enable
                    algorithm md5
                    authentication-key e7xdKlYO2DOm7v3IJv
                }
            }
        }
    }
Configure BGP to use the keychain for protocol authentication
The following example configures BGP to use the keys in the keychain above for protocol authentication:
--{ candidate shared default }--[ ]--
# info network-instance default protocols bgp authentication
    network-instance default {
        protocols {
            bgp {
                authentication {
                    keychain k1
                }
            }
        }
    }