
BGP peer authentication

Windows Server claims that it is based on the latest BGP version 4 specification, and has been tested for interoperability with third-party devices (https://docs.microsoft.com/en-us/windows-server/remote/remote-access/bgp/border-gateway-protocol-bgp). But it looks like it does not support any kind of peer authentication. As specified in RFC 4271, this is a MUST:

Security Considerations.
A BGP implementation MUST support the authentication mechanism
specified in RFC 2385 [RFC2385].  The authentication provided by this
mechanism could be done on a per-peer basis.

BGP makes use of TCP for reliable transport of its traffic between
peer routers.  To provide connection-oriented integrity and data
origin authentication on a point-to-point basis, BGP specifies use of
the mechanism defined in RFC 2385.  These services are intended to
detect and reject active wiretapping attacks against the inter-router
TCP connections.  Absent the use of mechanisms that effect these
security services, attackers can disrupt these TCP connections and/or
masquerade as a legitimate peer router.  Because the mechanism
defined in the RFC does not provide peer-entity authentication, these
connections may be subject to some forms of replay attacks that will
not be detected at the TCP layer.  Such attacks might result in
delivery (from TCP) of "broken" or "spoofed" BGP messages.

Does Windows Server really not support peer authentication mechanisms, or is this just not mentioned in the documentation?
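
The RFC 2385 check that the quoted RFC 4271 text refers to, shown as an added example that is not part of the original post and not Windows Server code: the sender carries an MD5 digest in TCP option 19, and the receiver recomputes it and rejects segments that lack it or do not match. The addresses, ports, key and function names are constructed for illustration.

```python
import hashlib, hmac, socket, struct

MD5SIG_KIND, MD5SIG_LEN = 19, 18  # RFC 2385 TCP option: kind 19, length 18

def rfc2385_digest(src_ip, dst_ip, tcp_header, payload, key):
    """MD5 over pseudo-header, 20-byte TCP header (checksum zeroed, options
    excluded), segment data, then the shared key, in that order."""
    fixed = bytearray(tcp_header[:20])
    fixed[16:18] = b"\x00\x00"
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP,
                            len(tcp_header) + len(payload)))
    return hashlib.md5(pseudo + bytes(fixed) + payload + key).digest()

def sign_segment(src_ip, dst_ip, sport, dport, seq, ack, payload, key):
    """Build TCP header + MD5 option + payload (TCP checksum left 0 here)."""
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        10 << 4, 0x18, 65535, 0, 0)  # data offset 10 = 40 bytes
    digest = rfc2385_digest(src_ip, dst_ip, fixed + bytes(20), payload, key)
    # Two NOPs (kind 1) pad the 18-byte option to a 32-bit boundary.
    return fixed + bytes([1, 1, MD5SIG_KIND, MD5SIG_LEN]) + digest + payload

def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver side: recompute the digest; reject if absent or different."""
    hdr_len = (segment[12] >> 4) * 4
    header, payload = segment[:hdr_len], segment[hdr_len:]
    i, received = 20, None
    while i + 1 < hdr_len and header[i] != 0:      # kind 0 = end of options
        if header[i] == 1:                         # NOP has no length byte
            i += 1
            continue
        length = header[i + 1]
        if length < 2 or i + length > hdr_len:     # malformed option list
            return False
        if header[i] == MD5SIG_KIND and length == MD5SIG_LEN:
            received = header[i + 2:i + length]
        i += length
    if received is None:
        return False                               # unsigned segment
    expected = rfc2385_digest(src_ip, dst_ip, header, payload, key)
    return hmac.compare_digest(received, expected)

# Constructed sample: a BGP KEEPALIVE (16-byte marker, length 19, type 4)
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)
KEY = b"constructed-shared-secret"
SEGMENT = sign_segment("192.0.2.1", "192.0.2.2", 49152, 179, 1000, 2000,
                       KEEPALIVE, KEY)
```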
