
BGP Overview

Establishing BGP Sessions

© 2005 Cisco Systems, Inc. All rights reserved. BGP v3.2—1-1


Outline

• Overview
• BGP Neighbor Discovery
• Establishing a BGP Session
• BGP Keepalives
• MD5 Authentication
• Summary



BGP Neighbor Discovery

• BGP neighbors are not discovered; they must be configured manually.
• Configuration must be done on both sides of the connection.
• Both routers will attempt to connect to the other with a TCP
session on port number 179.
• If both routers open a connection at the same time, only the session initiated by the router with the higher router ID remains after the connection attempt.
• The source IP address of incoming connection attempts is
verified against a list of configured neighbors.



BGP Neighbor Discovery (Cont.)

(Figure: Small BGP Network)



BGP Neighbor Discovery (Cont.)

Initially, all BGP sessions to the neighbors are idle.



Establishing a BGP Session

• A TCP session is established when the neighbor becomes reachable.
• BGP Open messages are exchanged.



Establishing a BGP Session (Cont.)

The BGP Open message contains the following:

• BGP version number
• AS number of the local router
• Holdtime
• BGP router identifier
• Optional parameters



Establishing a BGP Session (Cont.)

BGP neighbors: steady state

• All neighbors should be up (the neighbor table shows no state name, which means the session is established).



BGP Keepalives

• A TCP-based BGP session does not provide any means of verifying BGP neighbor presence:
– Except when sending BGP traffic
• BGP needs an additional mechanism:
– Keepalive BGP messages provide verification of neighbor
existence.
– Keepalive messages are sent every 60 seconds.



BGP Keepalives (Cont.)

• Keepalive interval value is not communicated in the BGP Open message.
• Keepalive value is selected as follows:
– Configured value, if the local holdtime is used
– Configured value, if the holdtime of the neighbor is used and keepalive < (holdtime / 3)
– (holdtime / 3), rounded down to an integer, if the holdtime of the neighbor is used and keepalive > (holdtime / 3)
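The following is an added example (not code from the Cisco course): it encodes and parses a BGP Open message with the fields listed above, rejecting malformed input before any field is trusted, and applies the keepalive selection rule from this slide. The AS 65001, router ID 10.0.0.1 and the timer values are constructed sample data.

```python
import struct
import ipaddress

MARKER = b"\xff" * 16   # 16-byte all-ones marker that starts every BGP message
OPEN = 1                # message type code for OPEN

def build_open(my_as, hold_time, router_id, opt_params=b""):
    """Encode a BGP OPEN: version 4, local AS (2-byte field), holdtime, router ID, options."""
    body = struct.pack("!BHH4sB", 4, my_as, hold_time,
                       ipaddress.IPv4Address(router_id).packed, len(opt_params))
    body += opt_params
    return MARKER + struct.pack("!HB", 19 + len(body), OPEN) + body

def parse_open(msg):
    """Decode an OPEN into a dict; reject anything malformed before trusting its values."""
    if len(msg) < 29 or msg[:16] != MARKER:
        raise ValueError("bad marker or truncated header")
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if msg_type != OPEN or length != len(msg):
        raise ValueError("not an OPEN or length field disagrees with data")
    version, my_as, hold_time, rid, opt_len = struct.unpack("!BHH4sB", msg[19:29])
    if version != 4:
        raise ValueError(f"unsupported BGP version {version}")
    if hold_time in (1, 2):
        raise ValueError("holdtime must be 0 or at least 3 seconds")
    if opt_len != len(msg) - 29:
        raise ValueError("optional parameter length disagrees with data")
    return {"version": version, "as": my_as, "hold_time": hold_time,
            "router_id": str(ipaddress.IPv4Address(rid)), "opt_params": msg[29:]}

def negotiate_timers(local_hold, local_keepalive, neighbor_hold):
    """Use the smaller holdtime, then pick the keepalive interval per the slide's rule."""
    hold = min(local_hold, neighbor_hold)
    if hold == 0:
        return 0, 0                      # holdtime 0 means no keepalives at all
    if hold == local_hold:
        return hold, local_keepalive     # local holdtime used: configured keepalive stands
    return hold, min(local_keepalive, hold // 3)  # neighbor's holdtime used: cap at hold/3

if __name__ == "__main__":
    # Constructed sample: local router 10.0.0.1 in AS 65001 proposes a 180 s holdtime.
    wire = build_open(65001, 180, "10.0.0.1")
    print(parse_open(wire))
    # Neighbor proposed 90 s: our 60 s keepalive exceeds 90/3, so it drops to 30 s.
    print(negotiate_timers(180, 60, 90))   # (90, 30)
```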



MD5 Authentication

• BGP peers may optionally use MD5 TCP authentication using a shared secret.
• Both routers must be configured with the same
password (MD5 shared secret).
• Each TCP segment is verified.



Summary

• With interior routing protocols, adjacent routers are usually discovered through a dedicated hello protocol. In BGP, neighbors must be manually configured to increase routing protocol security.
• BGP neighbors, once configured, establish a TCP session
and exchange the BGP Open message, which contains the
parameters that each BGP router proposes to use.
• BGP keepalives are used by the router to provide
verification of the existence of a configured BGP neighbor.
• MD5 authentication can be configured on a BGP
session to help prevent spoofing, DoS attacks, or
man-in-the-middle attacks.
