MD5 session password

The easiest countermeasure against TCP-based attacks on BGP sessions is to use MD5 protection as described in RFC 2385. When implementing this, also put key (password) handling procedures in place: imagine your router has to be replaced and you have to re-create all eBGP configurations.

Examples for setting an MD5 password, one snippet per router platform:

router bgp 64500
   neighbor 198.51.100.1 password mysecretpassword

router bgp 64500
...
neighbor 198.51.100.1 password mysecretpassword

add name=AS64496 remote-as=64496 \
    remote-address=198.51.100.1 tcp-md5-key=mysecretpassword

set protocols bgp group <GROUPNAME> neighbor 198.51.100.1 authentication-key "mysecretpassword"

set instance <INSTANCE> tcp authentication <AUTHENTICATION-ID> type MD5
set instance <INSTANCE> tcp authentication <AUTHENTICATION-ID> key1-id 1
set instance <INSTANCE> tcp authentication <AUTHENTICATION-ID> key1-plain-text mysecretpassword
set instance <INSTANCE> protocol bgp peer ipv4 <PEER> <SOURCE> authentication-id <AUTHENTICATION-ID>

protocol bgp name4 {
  authentication md5;
  password "mysecretpassword";
}

/configure router "Base" bgp
    group "as64500"
        [...]
        authentication-key "mysecretpassword"
        [...]
    exit
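
What both routers compute for every segment once the password is set, shown as an added example that is not part of the original guide: the RFC 2385 digest and the receiver's check. The local address 198.51.100.2, the ports, sequence numbers and the KEEPALIVE segment are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6        # IP protocol number for TCP
MD5SIG_KIND = 19     # TCP option kind assigned by RFC 2385
MD5SIG_LEN = 18      # kind + length + 16-byte digest


def rfc2385_digest(src_ip, dst_ip, tcp_header, options_len, payload, key):
    """MD5 over pseudo-header, fixed TCP header (checksum zeroed), data, key."""
    if len(tcp_header) != 20:
        raise ValueError("pass only the 20-byte fixed TCP header, no options")
    header = tcp_header[:16] + b"\x00\x00" + tcp_header[18:]  # zero checksum
    segment_len = 20 + options_len + len(payload)  # length as sent on the wire
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, segment_len))
    return hashlib.md5(pseudo + header + payload + key).digest()


def md5_option(digest):
    """Encode the digest as the TCP option carried in every segment."""
    return bytes([MD5SIG_KIND, MD5SIG_LEN]) + digest


def verify(src_ip, dst_ip, tcp_header, options_len, payload, key, option):
    """Receiver side: recompute the digest and compare in constant time."""
    if len(option) != MD5SIG_LEN or option[:2] != bytes([MD5SIG_KIND, MD5SIG_LEN]):
        return False
    expected = rfc2385_digest(src_ip, dst_ip, tcp_header, options_len, payload, key)
    return hmac.compare_digest(expected, option[2:])


# Constructed sample: a BGP KEEPALIVE from 198.51.100.2 (assumed local address)
# to the neighbor 198.51.100.1 used in the configuration examples.
SRC, DST = "198.51.100.2", "198.51.100.1"
KEY = b"mysecretpassword"
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)  # marker, length, type 4
OPTIONS_LEN = 20  # 18-byte MD5 option padded to a 32-bit boundary
HEADER = struct.pack("!HHIIBBHHH", 49152, 179, 1000, 2000,
                     ((20 + OPTIONS_LEN) // 4) << 4, 0x18, 16384, 0xBEEF, 0)
OPTION = md5_option(rfc2385_digest(SRC, DST, HEADER, OPTIONS_LEN, KEEPALIVE, KEY))

if __name__ == "__main__":
    print("correct key:", verify(SRC, DST, HEADER, OPTIONS_LEN, KEEPALIVE, KEY, OPTION))
    print("wrong key:  ", verify(SRC, DST, HEADER, OPTIONS_LEN, KEEPALIVE, b"otherpassword", OPTION))
```

Because the source and destination addresses are part of the digest, the same password gives a different digest on every peering, and a key mismatch after a router replacement shows up as every segment failing this check.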