How to Secure Junos Routing Protocols

By Walter J. Goralski, Cathy Gadecki, Michael Bushong

One way to protect the routing protocols is to enable authentication so that the protocols accept traffic only from routers known to you. This approach ensures that only trusted routers contribute routes to the routing table and, hence, participate in determining how traffic is routed through your network.

You enable authentication for each routing protocol separately.

Secure Routing Information Protocol (RIP)

The most secure authentication RIP supports is MD5:

[edit protocols]
fred@router# set rip authentication-type md5
[edit protocols]
fred@router# set rip authentication-key key-string

MD5 creates an encoded checksum, which is verified by the receiving router before it accepts packets. You must configure the same password on all RIP routers on the network and the same authentication type. (RIP also lets you use a simple, unencrypted password for authentication.)

Secure IS-IS

IS-IS supports MD5 and a simple password authentication, which uses a clear-text, unencrypted password. When authentication is enabled, IS-IS validates that all LSPs are received from trusted routers.

Each IS-IS area can have its own encryption method and password. The following commands set encryption in the IS-IS Level 2 area:

[edit protocols]
fred@router# set isis level 2 authentication-type md5
[edit protocols]
fred@router# set isis level 2 authentication-key key-string

All routers within the same area must have the same authentication key.

Secure OSPF

OSPF also supports MD5 and a simple password authentication. When authentication is enabled, OSPF validates its Hello and LSA protocol packets.

The following command sets the OSPF encryption for an interface in an area, here the backbone area. For OSPF, you must set the encryption on each interface separately:

[edit protocols]
fred@router# set ospf area 0.0.0.0 interface interface-name authentication md5 
       1 key key-string

Routers will be able to form adjacencies only over interfaces with other routers that are configured to use the same authentication key for that network.

Authenticate BGP peers

BGP sessions are often the subject of external attacks on the network because the sessions are visible on the Internet. Enabling the authentication of the BGP packets exchanged by EBGP peers prevents the router from accepting unauthorized packets. For BGP, you also use MD5. Each BGP group can have its own authentication password:

[edit protocols]
fred@router# set bgp group group-name authentication-key key-string

You can also set individual authentication passwords between each BGP peer in an EBGP session:

[edit protocols]
fred@router# set bgp group group-name neighbor address authentication-key 
       key-string

The neighbor in an EBGP session is often in another AS, so you be sure to coordinate authentication methods and keys with the administrator of the external AS.

You can also enable authentication between IBGP peer routers. Even if the IBGP peers are all within your administrative domain and you know them to be trusted routers, it may be worth enabling authentication in order to prevent attempts to maliciously spoof these sessions.

Enable authentication on MPLS signaling protocols

You use a signaling protocol with MPLS — either LDP or RSVP — to allocate and distribute labels throughout an MPLS network. Enabling authentication for these two protocols ensures the security of the MPLS LSPs in the network.

Enabling authentication for LDP protects the TCP connection used for the LDP session against spoofing. Junos OS uses an MD5 signature for LDP authentication. You configure the same key (password) on both sides of the LDP session:

[edit protocols]
fred@router# set ldp session address authentication-key key-string

RSVP authentication ensures that RSVP traffic accepted by the router comes from trusted sources. RSVP uses MD5 authentication, and all peers on a common network segment must use the same authentication key (password) in order to communicate with each other:

[edit protocols]
fred@router# set rsvp interface interface authentication-key key-string