© 2005 Cisco Systems, Inc. All rights reserved. BGP v3.2—1-1 BGP Overview Establishing BGP Sessions

Upload: daniel-park

Post on 19-Jan-2018



Page 1:

© 2005 Cisco Systems, Inc. All rights reserved. BGP v3.2—1-1

BGP Overview

Establishing BGP Sessions

Page 2:

Outline

• Overview

• BGP Neighbor Discovery

• Establishing a BGP Session

• BGP Keepalives

• MD5 Authentication

• Summary

Page 3:

BGP Neighbor Discovery

• BGP neighbors are not discovered; they must be configured manually.

• Configuration must be done on both sides of the connection.

• Both routers will attempt to connect to the other with a TCP session on port number 179.

• Only the session with the higher router-ID remains after the connection attempt.

• The source IP address of incoming connection attempts is verified against a list of configured neighbors.

Page 4:

BGP Neighbor Discovery (Cont.)

Small BGP Network

Page 5:

BGP Neighbor Discovery (Cont.)

Initially, all BGP sessions to the neighbors are idle.

Page 6:

Establishing a BGP Session

• A TCP session is established when the neighbor becomes reachable.

• BGP Open messages are exchanged.

Page 7:

Establishing a BGP Session (Cont.)

The BGP Open message contains the following:

• BGP version number

• AS number of the local router

• Holdtime

• BGP router identifier

• Optional parameters
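As an added example, not part of the original slides: encoding and decoding the OPEN fields listed above in their RFC 4271 layout (16-byte marker, length, type, then version, AS number, hold time, BGP identifier and optional parameters). The decoder applies the checks a receiver makes before accepting the message; the AS number and router ID used in the test are constructed values.

```python
import struct

BGP_MARKER = b"\xff" * 16   # every BGP message starts with an all-ones marker
BGP_TYPE_OPEN = 1
BGP_VERSION = 4

def build_open(asn, holdtime, router_id, opt_params=b""):
    """Encode a BGP OPEN message. router_id is a dotted-quad string.
    Only 2-octet AS numbers fit the OPEN header; larger ones need the
    4-octet AS capability, which this example does not implement."""
    if not 0 <= asn <= 0xFFFF:
        raise ValueError("2-octet AS number required in the OPEN header")
    rid = bytes(int(octet) for octet in router_id.split("."))
    body = struct.pack("!BHH4sB", BGP_VERSION, asn, holdtime, rid, len(opt_params))
    body += opt_params
    length = len(BGP_MARKER) + 2 + 1 + len(body)      # marker + length + type + body
    return BGP_MARKER + struct.pack("!HB", length, BGP_TYPE_OPEN) + body

def parse_open(msg):
    """Decode an OPEN message, rejecting malformed or out-of-spec fields."""
    if len(msg) < 29 or msg[:16] != BGP_MARKER:
        raise ValueError("bad marker or truncated header")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if mtype != BGP_TYPE_OPEN or length != len(msg):
        raise ValueError("not an OPEN message or length mismatch")
    version, asn, holdtime, rid, opt_len = struct.unpack("!BHH4sB", msg[19:29])
    if version != BGP_VERSION:
        raise ValueError("unsupported BGP version %d" % version)
    if holdtime in (1, 2):
        raise ValueError("hold time must be 0 or at least 3 seconds")
    if 29 + opt_len != length:
        raise ValueError("optional parameter length mismatch")
    return {
        "version": version,
        "asn": asn,
        "holdtime": holdtime,
        "router_id": ".".join(str(b) for b in rid),
        "opt_params": msg[29:29 + opt_len],
    }
```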

Page 8:

Establishing a BGP Session (Cont.)

BGP neighbors: steady state

• All neighbors shall be up (no state information).

Page 9:

BGP Keepalives

• A TCP-based BGP session does not provide any means of verifying BGP neighbor presence:
– Except when sending BGP traffic

• BGP needs an additional mechanism:
– Keepalive BGP messages provide verification of neighbor existence.
– Keepalive messages are sent every 60 seconds.

Page 10:

BGP Keepalives (Cont.)

• Keepalive interval value is not communicated in the BGP Open message.

• Keepalive value is selected as follows:
– Configured value, if local holdtime is used
– Configured value, if holdtime of neighbor is used and keepalive < (holdtime / 3)
– The integer part of (holdtime / 3), if holdtime of neighbor is used and keepalive > (holdtime / 3)
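The selection rule above as an added example (not from the slides). It assumes, per RFC 4271, that the hold time in use is the smaller of the two values proposed in the OPEN messages and that a hold time of 0 disables keepalives; the 60-second keepalive and 180-second hold time defaults are the ones the slides use.

```python
DEFAULT_HOLDTIME = 180    # seconds; slide default
DEFAULT_KEEPALIVE = 60    # seconds; slide default

def negotiate_timers(local_holdtime, peer_holdtime, configured_keepalive=DEFAULT_KEEPALIVE):
    """Return (holdtime_in_use, keepalive_interval) for one BGP session.

    The keepalive interval is never sent in the OPEN message, so each side
    derives its own from the hold time that won the negotiation."""
    for value in (local_holdtime, peer_holdtime):
        if 0 < value < 3:
            raise ValueError("hold time must be 0 or at least 3 seconds")
    holdtime = min(local_holdtime, peer_holdtime)      # RFC 4271 negotiation
    if holdtime == 0:
        return 0, 0                                    # no keepalives at all
    if holdtime == local_holdtime:
        return holdtime, configured_keepalive          # local hold time in use
    if configured_keepalive < holdtime / 3:
        return holdtime, configured_keepalive          # neighbor's hold time still leaves room
    return holdtime, holdtime // 3                     # cap at integer part of holdtime / 3

def keepalives_before_expiry(holdtime, keepalive):
    """How many consecutive keepalives may be lost before the hold timer
    expires and the neighbor is declared down (0 when keepalives are off)."""
    if keepalive == 0:
        return 0
    return holdtime // keepalive - 1
```

The last function is the operational consequence of the rule: with the defaults a peer survives two lost keepalives, and a much shorter neighbor hold time leaves proportionally less margin.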

Page 11:

MD5 Authentication

• BGP peers may optionally use MD5 TCP authentication using a shared secret.

• Both routers must be configured with the same password (MD5 shared secret).

• Each TCP segment is verified.
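The per-segment check described on this slide, as an added example that is not part of the original deck: the RFC 2385 TCP MD5 signature option (kind 19) is computed over the pseudo-header, the fixed TCP header with its checksum zeroed, the payload and finally the shared secret, and a receiver rejects any segment whose option is missing, malformed or does not match. Addresses, ports and the secret are constructed sample values; current deployments use TCP-AO (RFC 5925) instead of this MD5 scheme.

```python
import hashlib
import hmac
import ipaddress
import struct

TCPOPT_MD5 = 19           # RFC 2385 signature option kind; option length is 18 bytes

def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """RFC 2385 digest: pseudo-header, fixed TCP header with checksum zeroed
    (options are excluded but counted in the length), payload, then the key."""
    seg_len = len(tcp_header) + len(payload)
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, seg_len))     # zero, protocol TCP, length
    fixed = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]
    return hashlib.md5(pseudo + fixed + payload + key).digest()

def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key):
    """Constructed segment: 20-byte header, MD5 option, two NOP pads, payload."""
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 10 << 4, flags, 65535, 0, 0)
    option_len = 18 + 2      # option plus padding to the 4-byte boundary (data offset 10)
    digest = tcp_md5_digest(src_ip, dst_ip, fixed + b"\x00" * option_len, payload, key)
    return fixed + bytes([TCPOPT_MD5, 18]) + digest + b"\x01\x01" + payload

def verify_segment(src_ip, dst_ip, segment, key):
    """True only if the segment carries an MD5 option matching the key.
    Unsigned or malformed segments fail: with MD5 configured they are dropped."""
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        return False
    header, payload = segment[:data_offset], segment[data_offset:]
    opts, i = header[20:], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # end-of-options list
            break
        if kind == 1:                       # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            return False                    # truncated or malformed option
        length = opts[i + 1]
        if kind == TCPOPT_MD5 and length == 18:
            expected = tcp_md5_digest(src_ip, dst_ip, header, payload, key)
            return hmac.compare_digest(bytes(opts[i + 2:i + 18]), expected)
        i += length
    return False
```

Because the pseudo-header is part of the digest, a segment replayed from a different source address fails the check even when the payload and key are unchanged.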

Page 12:

Summary

• With interior routing protocols, adjacent routers are usually discovered through a dedicated hello protocol. In BGP, neighbors must be manually configured to increase routing protocol security.

• BGP neighbors, once configured, establish a TCP session and exchange the BGP Open message, which contains the parameters that each BGP router proposes to use.

• BGP keepalives are used by the router to provide verification of the existence of a configured BGP neighbor.

• MD5 authentication can be configured on a BGP session to help prevent spoofing, DoS attacks, or man-in-the-middle attacks.
