BGP 4 security

BGP is used for inter-domain routing, so it is a critical service for the Internet infrastructure. The security of BGP, that is, making sure that only valid routes are advertised, is therefore a major concern: the current system is highly vulnerable to human error as well as to a wide range of attacks.

Filtering is currently the most widely used mechanism. Complementary security features may nevertheless be used to add security to BGP. In some cases MD5 authentication may be used to control the exchange of BGP routing information, as described for RIP and OSPF.

BGP 4 filtering

Two types of BGP-4 filtering methods exist:

  • Distribute-list: allows filtering on a prefix basis.
  • AS-PATH access-list: filters all networks related to a particular ASN.

Configuring a BGP-4 distribute list

  1. Configure the IPv4 access-list

    router{conf:myconfig-rtg}ip access-list ACCESS-LIST-NAME {permit|deny} A.B.C.D/M
  2. Apply this access-list to a neighbor:

    router{conf:myconfig-rtg-bgp}neighbor A.B.C.D distribute-list ACCESS-LIST-NAME {in|out}


The IPv4 prefix-lists described below should be preferred to IPv4 access-lists.

Distribute-list configuration example

You can add a description to your access list with the command:

router{conf:myconfig-rtg}ip access-list remark description

Consider two BGP peers, rt1 and rt2.

rt1 is advertising two networks and

  1. Filter the advertisement of on the rt1 router:

      ip access-list MY-LIST deny
      ip access-list MY-LIST permit any
    router bgp 65510
      neighbor remote-as 65520
      neighbor distribute-list MY-LIST out
  2. Check the BGP table on rt2 router:

    rt2{}show routing ip bgp
    BGP table version is 0, local router ID is
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
    Origin codes: i -IGP, e - EGP, ? - incomplete
       Network      Next Hop  Metric  LocPrf  Weight  Path
    *>       0               0  65510 i
    Total number of prefixes 1

    rt2 doesn’t see the prefix because it is filtered by rt1.

Introduction to the IPv4 prefix-lists

A prefix filter is more powerful than an access-list filter for processing network prefixes.

Compared to access-lists, prefix-lists have the following advantages:

  • Can process a range of values
  • Performance improvement in prefix lookup of large lists
  • More flexible

Prefix List Rules

Filtering by prefix list involves the following rules:

  • An empty prefix list permits all prefixes.
  • An implicit deny is assumed if a given prefix does not match any entry of a prefix list.
  • When multiple entries of a prefix list match a given prefix, the longest match is chosen.
  • The router's prefix-list lookup begins at the top with sequence number 1; if a match occurs, the router does not go through the rest of the prefix list.

The syntax to define a prefix filter is:

router{conf:myconfig-rtg}ip prefix-list BGP-FILTER-NAME seq N {permit|deny} PREFIX/M [ge A] [le B]

N: sequence number of the rule within the prefix list named BGP-FILTER-NAME.
PREFIX/M: network prefix, M being the length of the mask.
A and B: optional integers up to 32 that can be used to form a block of prefixes. A, B and M must satisfy:

M < A

M < B

A ≤ B

that is, M < A ≤ B ≤ 32.


Let P1/m be a network prefix that matches PREFIX/M. For example PREFIX/M could be and P1/m could be

Moreover, if A and B are defined, P1/m matches this rule if m is greater than or equal to A and less than or equal to B (A ≤ m ≤ B). For example, matches rule 5 but does not match rule 10:

rt2{myconfig-rtg}ip prefix-list PREFIX-FILTER-NAME seq 5 permit ge 17 le 25
rt2{myconfig-rtg}ip prefix-list PREFIX-FILTER-NAME seq 10 permit le 23
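The rules and the ge/le range constraint above, implemented as an added example (not part of the original page or the router's own code). Prefixes such as 10.0.0.0/16 and 10.0.128.0/24 are constructed, since the page's own prefixes are elided; the same evaluator also covers the "aggregate only" versus "specific only" filters used later in the prefix-list configuration example.

```python
from ipaddress import ip_network

def length_range(m, ge=None, le=None):
    """Translate prefix length M plus optional ge A / le B into the inclusive
    range of prefix lengths an entry matches. Without ge/le only an exact /M
    matches; 'le B' alone covers /M../B, 'ge A' alone covers /A../32.
    Returns None when the page's constraint M < A <= B <= 32 is violated."""
    lo = m if ge is None else ge
    hi = le if le is not None else (m if ge is None else 32)
    if (ge is not None and not m < lo) or not lo <= hi <= 32:
        return None
    return lo, hi

class PrefixList:
    """Ordered prefix list: entries are checked by ascending sequence number,
    the first matching entry decides, an empty list permits everything and
    a prefix matching no entry is implicitly denied."""
    def __init__(self):
        self.entries = []   # (seq, action, base network, lo, hi)

    def add(self, seq, action, prefix, ge=None, le=None):
        rng = length_range(ip_network(prefix).prefixlen, ge, le)
        if rng is None:
            raise ValueError(f"bad ge/le for {prefix}: need M < A <= B <= 32")
        self.entries.append((seq, action, ip_network(prefix), *rng))
        self.entries.sort(key=lambda e: e[0])

    def match(self, prefix):
        net = ip_network(prefix)
        if not self.entries:
            return "permit"                       # empty list permits all
        for _seq, action, base, lo, hi in self.entries:
            if net.subnet_of(base) and lo <= net.prefixlen <= hi:
                return action                     # first match wins
        return "deny"                             # implicit deny

if __name__ == "__main__":
    # Constructed equivalent of rules 5 and 10 above, applied to a /24.
    pl = PrefixList()
    pl.add(5, "permit", "10.0.0.0/16", ge=17, le=25)
    pl.add(10, "permit", "10.0.0.0/16", le=23)
    print(pl.match("10.0.128.0/24"))   # rule 5 matches; rule 10 alone would not
```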

The IPv4 prefix lists can be used in many cases:

neighbor configuration:
         neighbor A.B.C.D prefix-list FILTER-NAME {in|out}
route-map match clause:
         match ip address prefix-list FILTER-NAME
display bgp (with filters):
         show ip bgp filter-list FILTER-NAME

  • The last command will be fully operational with the support of BGP 4 VPN and BGMP.
  • The command ‘match ip address’ can be used with an access-list too. Note, however, that the syntax is not exactly the same: match ip address prefix-list FILTER-NAME vs. match ip address ACCESS-LIST-NAME

Configuring a BGP-4 prefix list

  1. Define the prefix-list rule.

  2. Apply the prefix list rule to a neighbor:

    router{conf:myconfig-rtg-bgp}neighbor A.B.C.D prefix-list PREFIX-LIST-NAME {in|out}

Prefix-list configuration example

In this example we configure a prefix-list that allows an aggregate route while blocking the more specific routes, and then the opposite, i.e. one that allows the more specific routes and blocks the aggregate route.

For example, let rt2 aggregate the prefixes to Moreover let’s block the prefixes that are longer than 25 bits.


Aggregation with suppressed prefixes, without the flag summary-only

In this example, router rt2 announces the prefixes,,, and Router rt1 is configured to receive only the aggregated prefix


router bgp 65520
  neighbor remote-as 65510

We configure router rt1 to accept only the aggregate prefix


ip prefix-list aggregate seq 5 permit
router bgp 65510
  neighbor remote-as 65520
  neighbor prefix-list aggregate in

If we look at the rt1 BGP table, there is only the aggregate network

rt1{}show routing ip bgp
BGP table version is 0, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i -IGP, e - EGP, ? - incomplete

    Network         Next Hop  Metric  LocPrf  Weight  Path
*>                       0  65520 i

Total number of prefixes 1

We can also check on rt1 that the prefix list called aggregate is applied to incoming updates:

rt1{}show routing ip bgp neighbor

....output omitted

Incoming update prefix filter list is *aggregate
  1 accepted prefixes

If we now suppose instead that rt1 filters out only the aggregate prefix and lets the specific prefixes through, the prefix list to configure is:

ip prefix-list specific seq 5 permit ge 23

We can check that only the specific routes are accepted:

rt1{}show routing ip bgp
BGP table version is 0, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i -IGP, e - EGP, ? - incomplete

    Network      Next Hop  Metric  LocPrf  Weight  Path
*>       0               0 65520 i
*>       0               0 65520 i
*>       0               0 65520 i
*>       0               0 65520 i

Total number of prefixes 4

Introduction to the communities filters

The community attribute makes it possible to group destinations into a community and to apply routing decisions to the group as a whole. It is an optional, global transitive attribute in the numerical range 1 to 4,294,967,200. Based on the community, you can control the routing information. BGP has some predefined well-known communities, which are:

  • Routes carrying this community must not be advertised to external peers.
  • Routes carrying this community must not be advertised to any peer.
  • Routes carrying this community may be advertised to any peer.
  • Used in a confederation to avoid sending packets outside the local AS.


To set a community attribute, it is recommended to use route-maps. In general, a BGP community has the form AS:NN, where AS is the autonomous system number and NN is a number.

The community attribute is sent to neighbors by default with the option both (standard and extended community):

router{conf:myconfig-rtg-bgp}neighbor A.B.C.D send-community {both|extended|standard}

A.B.C.D: IP address of the remote BGP peer.
both: send Standard and Extended Community attributes.
standard: send Standard Community attributes.
extended: send Extended Community attributes.
  • Check the community parameters:

    router{conf:myconfig-rtg-bgp}neighbor send-community
    router{}show routing ip bgp neighbors
      BGP neighbor is, remote AS 2, local AS 1, external link
      BGP version 4, remote router ID
      BGP state = Established, up for 00:00:09
      Last read 00:00:09, hold time is 180, keepalive interval is 60 seconds
      Neighbor capabilities:
        Route refresh: advertised and received(old & new)
        Address family IPv4 Unicast: advertised and received
      Message statistics:
        Inq depth is 0
        Outq depth is 0
                             Sent       Rcvd
        Opens:                  1          0
        Notifications:          0          0
        Updates:                1          0
        Keepalives:             2          1
        Route Refresh:          0          0
        Capability:             0          0
        Total:                  4          1
      Minimum time between advertisement runs is 30 seconds
    For address family: IPv4 Unicast
     Community attribute sent to this neighbor(both) <====="send-community both"
     0 accepted prefixes
  • Delete the community parameters:

    router{conf:myconfig-rtg-bgp}delete neighbor A.B.C.D send-community {both|extended|standard}

Community list

A community list is a group of rules that makes it possible to filter routes or set attributes based on different lists of community numbers.

A community list is used in a match clause of a route map.

The syntax of community list is:

router{conf:myconfig-rtg}ip community-list community-list-number {permit|deny} community-number

BGP 4 Authentication

BGP 4 authentication uses MD5. This feature relies on the Operating System's support for the TCP MD5 signature option defined in RFC 2385. This OS option is used through the BSD-like configuration API.

The command format for BGP 4 MD5 is as follows:

router{conf:myconfig-rtg-bgp}neighbor A.B.C.D remote-as ASN
router{conf:myconfig-rtg-bgp}neighbor A.B.C.D password my-secret

A.B.C.D: IPv4 address of the remote BGP router.
ASN: AS number of the remote BGP router.
my-secret: password shared with the remote BGP router.

For information, when analyzing the BGP packets with the tethereal sniffer, you can verify that the option is taken into account:

Host# tethereal -r bgpmd5.pcap -V
Transmission Control Protocol, Src Port: 32770 (32770), Dst Port: bgp
(179), Seq: 4043121790, Ack: 1396620414, Len: 19
                Source port: 32770 (32770)
                Destination port: bgp (179)
                Sequence number: 4043121790
                Next sequence number: 4043121809
                Acknowledgement number: 1396620414
                Header length: 52 bytes
                Flags: 0x0018 (PSH, ACK)
                    0... .... = Congestion Window Reduced (CWR): Not set
                    .0.. .... = ECN-Echo: Not set
                    ..0. .... = Urgent: Not set
                    ...1 .... = Acknowledgment: Set
                    .... 1... = Push: Set
                    .... .0.. = Reset: Not set
                    .... ..0. = Syn: Not set
                    .... ...0 = Fin: Not set
                Window size: 1460
                Checksum: 0x2cbe (correct)
                Options: (32 bytes)
                Time stamp: tsval 77100, tsecr 70634
                TCP MD5 signature
                Border Gateway Protocol
                KEEPALIVE Message
                Marker: 16 bytes
                Length: 19 bytes
                Type: KEEPALIVE Message (4)
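What the TCP MD5 signature option in the capture above actually protects, as an added example (not part of the original page or the router's own implementation): the RFC 2385 digest is computed over the pseudo-header, the fixed TCP header with a zeroed checksum, the segment data and the shared password, so a receiver configured with the password can reject any segment whose signature does not verify. The peer addresses 192.0.2.1 and 192.0.2.2 are constructed; the ports, sequence numbers and header layout mirror the capture.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

TCP_OPT_MD5 = 19  # TCP option kind of the MD5 signature option (RFC 2385)

def tcp_md5_digest(src_ip, dst_ip, tcp_hdr, payload, password):
    """RFC 2385 digest over: the TCP pseudo-header, the fixed 20-byte TCP
    header with checksum zeroed (options are excluded), the segment data,
    and finally the shared password."""
    hdr_len = (tcp_hdr[12] >> 4) * 4      # data offset field, in bytes
    seg_len = hdr_len + len(payload)      # header incl. options + data
    pseudo = (IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, seg_len))
    fixed = tcp_hdr[:16] + b"\x00\x00" + tcp_hdr[18:20]
    return hashlib.md5(pseudo + fixed + payload + password).digest()

def build_keepalive(src_ip, dst_ip, sport, password):
    """Constructed BGP KEEPALIVE segment: 20-byte TCP header, 32 bytes of
    options (timestamp, MD5 signature, NOP padding; header length 52 as in
    the capture above) and the 19-byte KEEPALIVE message."""
    keepalive = b"\xff" * 16 + struct.pack("!HB", 19, 4)
    fixed = struct.pack("!HHIIBBHHH", sport, 179, 4043121790, 1396620414,
                        (52 // 4) << 4, 0x18, 1460, 0, 0)
    digest = tcp_md5_digest(src_ip, dst_ip, fixed, keepalive, password)
    options = (b"\x01\x01\x08\x0a" + struct.pack("!II", 77100, 70634)
               + bytes([TCP_OPT_MD5, 18]) + digest + b"\x01\x01")
    return fixed + options + keepalive    # TCP checksum left at 0 here

def verify_segment(src_ip, dst_ip, segment, password):
    """Receiver side: locate the MD5 option, recompute the digest with the
    locally configured password and compare in constant time. An RFC 2385
    stack silently drops segments that fail this check."""
    hdr_len = (segment[12] >> 4) * 4
    hdr, payload = segment[:hdr_len], segment[hdr_len:]
    opts, i, sig = hdr[20:], 0, None
    while i < len(opts) and opts[i] != 0:         # kind 0 = end of options
        if opts[i] == 1:                           # kind 1 = NOP
            i += 1
            continue
        kind, length = opts[i], opts[i + 1]
        if length < 2:
            return False                           # malformed option
        if kind == TCP_OPT_MD5 and length == 18:
            sig = opts[i + 2:i + 18]
        i += length
    if sig is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, hdr, payload, password)
    return hmac.compare_digest(sig, expected)
```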