Bluecat675
ā¢ Mar 13, 2026
Border Gateway Protocol (BGP) is the routing protocol that makes the internet work. A man-in-the-middle (MITM) attack on BGP can disrupt internet traffic, causing significant outages. Securing BGP is crucial for network stability.
TCP MD5 signature authentication adds a cryptographic hash to each BGP packet, ensuring that only peers with the correct key can establish and maintain a BGP session.
router bgp 65000
neighbor 192.168.1.2 password MY_SECRET_PASSWORD
!Replace 192.168.1.2 with the neighbor's IP address and MY_SECRET_PASSWORD with a strong, shared secret.
show ip bgp neighbors 192.168.1.2 | include MD5
!This command verifies that MD5 authentication is configured for the specified neighbor.
Route filtering prevents the acceptance of illegitimate routes, reducing the risk of route hijacking.
Define allowed prefixes using prefix lists.
ip prefix-list ALLOWED_PREFIXES seq 5 permit 10.0.0.0/8 le 24
!This example permits routes within the 10.0.0.0/8 range, up to a /24 subnet.
Apply prefix lists using route maps.
route-map FILTER_INBOUND permit 10
match ip address prefix-list ALLOWED_PREFIXES
!
router bgp 65000
neighbor 192.168.1.2 route-map FILTER_INBOUND in
!This configuration applies the FILTER_INBOUND route map to inbound routes from the neighbor 192.168.1.2.
BGPsec adds cryptographic signatures to BGP updates, ensuring the authenticity and integrity of the route information. This is more complex to implement but provides stronger security.
ROA allows you to validate that an Autonomous System (AS) is authorized to originate a specific prefix. This helps prevent AS path spoofing.
Know the answer? Login to help.
Login to Answer