Protocol authentication

On SR Linux, authentication of routing control messages for BGP, as well as for other protocols such as LDP and IS-IS, is done using shared keys.

Message authentication between two routers involves sharing knowledge of a secret key and a cryptographic algorithm, such as MD5. This secret key, together with the message data, is used to generate a message digest. The message digest is added to each message transmitted by the sender and validated by the receiver, with the expectation that only a sender in possession of the secret key and algorithm details could generate the same message digest computed by the receiver of the message.

To limit exposure in the event a key is compromised, the secret key is changed at regular intervals using keys configured in a keychain. A keychain defines a list of one or more keys; each key is associated with a secret string, an algorithm identifier, and a start time.

When a protocol references a keychain for securing its messages with a set of peers, it uses the active key in the keychain with the most recent start time to generate the message digest in its sent messages, and it drops every received message that does not have an acceptable message digest.
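As an added example (not code from the SR Linux documentation or its implementation), the Python below models the keychain behaviour described above: selecting the active key by most recent start time, producing a keyed MD5 digest over a message in the RFC 2385 style (MD5 over the data followed by the secret), and dropping a received message whose digest does not match. The secrets, start times and message are constructed; treating any enabled key whose start time has passed as acceptable on receive is an assumption, not something the page states.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc

@dataclass(frozen=True)
class Key:
    key_id: int
    secret: bytes
    algorithm: str        # only "md5" is modelled here
    start_time: datetime
    admin_state: str = "enable"

def digest(key: Key, message: bytes) -> bytes:
    """RFC 2385-style keyed MD5: hash the message data followed by the secret."""
    if key.algorithm != "md5":
        raise ValueError("only md5 is modelled")
    return hashlib.md5(message + key.secret).digest()

def active_key(keychain, now):
    """The enabled key with the most recent start time that is not in the future."""
    started = [k for k in keychain if k.admin_state == "enable" and k.start_time <= now]
    if not started:
        raise LookupError("keychain has no active key")
    return max(started, key=lambda k: k.start_time)

def send(keychain, message, now):
    """Append the digest computed with the active key to the outgoing message."""
    return message + digest(active_key(keychain, now), message)

def receive(keychain, segment, now):
    """Return the message if its digest matches an enabled, started key; else None (dropped)."""
    message, received = segment[:-16], segment[-16:]
    for k in keychain:
        if k.admin_state == "enable" and k.start_time <= now:
            if hmac.compare_digest(received, digest(k, message)):
                return message
    return None

# Constructed keychain: two md5 keys; key 2 takes over once its start time has passed.
K1 = [Key(1, b"constructed-secret-one", "md5", datetime(2024, 1, 1, tzinfo=UTC)),
      Key(2, b"constructed-secret-two", "md5", datetime(2024, 6, 1, tzinfo=UTC))]
# A peer configured with a different secret for key 1: its messages must be dropped.
MISMATCHED = [Key(1, b"constructed-wrong-secret", "md5", datetime(2024, 1, 1, tzinfo=UTC))]
MARCH, JULY = datetime(2024, 3, 1, tzinfo=UTC), datetime(2024, 7, 1, tzinfo=UTC)
OPEN_MSG = b"constructed BGP OPEN payload"
```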

Configuring protocol authentication

To configure protocol authentication, you configure an authentication keychain at the system level and configure a protocol to use the keychain. All protocol authentication is done using keychains. If a protocol requires authentication with a single neighbor using a single key, the key is configured within a keychain, and the protocol references the keychain.

Configure a keychain

The following example configures a keychain consisting of two keys.

--{ candidate shared default }--[  ]--
# info system authentication
    system {
        authentication {
            keychain k1 {
                key 1 {
                    admin-state enable
                    algorithm md5
                    authentication-key ZcvSElJzJx/wBZ9biCt
                }
                key 2 {
                    admin-state enable
                    algorithm md5
                    authentication-key e7xdKlYO2DOm7v3IJv
                }
            }
        }
    }

Configure BGP to use the keychain for protocol authentication

The following example configures BGP to use the keys in the keychain above for protocol authentication:

--{ candidate shared default }--[  ]--
# info network-instance default protocols bgp authentication
    network-instance default {
        protocols {
            bgp {
                authentication {
                    keychain k1
                }
            }
        }
    }

Configure BGP to use a password without a keychain for protocol authentication

SR Linux supports configuring passwords without a keychain for authentication between BGP peers. You must configure the authentication with the same password on both BGP peers. Otherwise, the connection between them cannot be established.

The following example configures BGP to use a password without a keychain for protocol authentication:

--{ candidate shared default }--[  ]--
# info network-instance default protocols bgp authentication
    network-instance default {
        protocols {
            bgp {
                authentication {
                    password $aes$0K0SDPvDqXCU=$Cny0JELb0jmt8crznXsYzQ==
                }
            }
        }
    }

The following example illustrates the authentication password configuration at group level:

--{ candidate shared default }--[  ]--
# info network-instance default protocols bgp group Dut-C--Dut-D authentication
    network-instance default {
        protocols {
            bgp {
                group Dut-C--Dut-D {
                    authentication {
                        password $aes$9GP/wMALbt+c=$C59vOvqPux/Ue5bTRvVzfQ==
                    }
                }
            }
        }
    }

The following example illustrates the authentication password configuration at neighbor level:

--{ candidate shared default }--[  ]--
# info network-instance default protocols bgp neighbor 3.4.0.1 authentication
    network-instance default {
        protocols {
            bgp {
                neighbor 3.4.0.1 {
                    authentication {
                        password $aes$cJHWoYWwJVVU=$MOmvTOs2av5CGxBPdjVXuQ==
                    }
                }
            }
        }
    }