This guide provides production-ready configurations for establishing secure multi-hop BGP sessions on Cisco, Juniper, and MikroTik platforms. Each example implements authentication, filtering, and protection mechanisms that reduce the session's exposure to TCP hijacking, route leaks and hijacks, and routing-table exhaustion; no configuration makes BGP "maximally" secure, so each control is explained together with what it does and does not cover.

Core Security Principles

All secure BGP configurations should implement these essential protections:

  • Authentication: TCP-AO (RFC 5925) where the platform supports it, otherwise TCP MD5 (RFC 2385), so that spoofed or injected TCP segments are rejected. Authentication binds the session to a shared secret; it says nothing about whether the routes exchanged are legitimate.
  • Prefix Filtering: Strict control of accepted and advertised routes
  • AS-path Filtering: Rejecting paths that do not start with the peer's AS (neighbour validation); origin validation is the job of RPKI
  • Maximum Prefix Limits: Protection against route table overflow
  • TTL Security (GTSM, RFC 5082): Drop BGP packets whose TTL shows they travelled further than the peer's known hop count, so hosts outside that range cannot reach the session at all

🔷 Cisco IOS / IOS-XE Configuration

Complete secure multi-hop BGP configuration for Cisco routers including authentication, filtering, and protection mechanisms.

Basic Secure BGP Configuration

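! ========================================
! CISCO SECURE MULTI-HOP BGP CONFIGURATION
! ========================================

! IPv6 prefix filters for the session's IPv6 address family.
! `ip prefix-list` / route-maps applied at neighbor level (outside an
! address-family) cover IPv4 unicast only, so the ipv6 AF needs its own lists
! or it is activated with no inbound/outbound filtering and no prefix limit.
! 2001:db8::/32 is the documentation range - replace with the real prefixes.
ipv6 prefix-list ALLOW-IN6 seq 10 permit 2001:db8:113::/48
ipv6 prefix-list ALLOW-IN6 seq 100 deny ::/0 le 128
ipv6 prefix-list ALLOW-OUT6 seq 10 permit 2001:db8:1::/48
ipv6 prefix-list ALLOW-OUT6 seq 100 deny ::/0 le 128

! Configure BGP process
router bgp 65001
 bgp log-neighbor-changes
 bgp bestpath as-path multipath-relax

 ! Configure neighbor with security
 neighbor 192.0.2.1 remote-as 65002
 neighbor 192.0.2.1 description Multihopix Route Server
 ! GTSM (RFC 5082): `ttl-security hops N` permits a multi-hop session AND rejects
 ! packets whose TTL is below 255-N. N must be the real hop count to the peer -
 ! `hops 254` would accept any TTL >= 1 and protect nothing.
 ! On IOS this replaces `ebgp-multihop`; the two commands are mutually exclusive.
 neighbor 192.0.2.1 ttl-security hops 3
 ! TCP MD5 (RFC 2385). Enable `service password-encryption` so the key is not
 ! shown in clear text in the running-config, and rotate it; prefer TCP-AO
 ! where the platform supports it.
 neighbor 192.0.2.1 password MySecureP@ssw0rd123
 neighbor 192.0.2.1 update-source Loopback0

 ! Apply filters and limits (IPv4 unicast)
 neighbor 192.0.2.1 prefix-list ALLOW-IN in
 neighbor 192.0.2.1 prefix-list ALLOW-OUT out
 neighbor 192.0.2.1 filter-list 1 in
 ! Tear down at 1000 prefixes, warn at 80%. `restart 30` re-establishes every
 ! 30 min, so a persistent leak flaps; drop `restart` (manual `clear`) or use
 ! `warning-only` if that behaviour is not wanted.
 neighbor 192.0.2.1 maximum-prefix 1000 80 restart 30

 ! Activate address families
 address-family ipv4
  neighbor 192.0.2.1 activate
  ! Keeps a pre-policy copy of every received update (memory cost) so
  ! `show ip bgp neighbors ... received-routes` works; optional with route-refresh.
  neighbor 192.0.2.1 soft-reconfiguration inbound
 exit-address-family

 address-family ipv6
  neighbor 192.0.2.1 activate
  neighbor 192.0.2.1 soft-reconfiguration inbound
  neighbor 192.0.2.1 prefix-list ALLOW-IN6 in
  neighbor 192.0.2.1 prefix-list ALLOW-OUT6 out
  ! as-path lists are address-family independent; reuse the IPv4 one.
  neighbor 192.0.2.1 filter-list 1 in
  neighbor 192.0.2.1 maximum-prefix 500 80 restart 30
 exit-address-family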

! ========================================
! PREFIX FILTERING
! ========================================

! Inbound prefix filter - what we accept
! An entry without `le`/`ge` matches the exact prefix AND length only, so a
! more-specific such as 192.168.113.0/25 is rejected - which is what we want.
ip prefix-list ALLOW-IN seq 10 permit 192.168.113.0/24
ip prefix-list ALLOW-IN seq 20 permit 192.168.100.0/24
! Explicit catch-all deny; a prefix-list already ends in an implicit deny, the
! line just makes the intent visible in `show ip prefix-list`.
ip prefix-list ALLOW-IN seq 30 deny 0.0.0.0/0 le 32

! Outbound prefix filter - what we advertise
! `ip prefix-list` is IPv4 only; the ipv6 address family needs its own
! `ipv6 prefix-list` applied inside `address-family ipv6`.
ip prefix-list ALLOW-OUT seq 10 permit 192.0.2.0/24
ip prefix-list ALLOW-OUT seq 20 deny 0.0.0.0/0 le 32

! ========================================
! AS-PATH FILTERING
! ========================================

! AS-path filter to prevent spoofing
! Accepts only paths whose FIRST AS is the peer's (65002). This validates the
! neighbouring AS, not the origin of the route - origin validation is RPKI's job.
! `_` also matches end-of-string, so `^65002_` already covers the single-AS
! path; the `^65002$` line is redundant but harmless.
! NOTE(review): a transparent route server does not prepend its own AS. If
! the peer is one, this list rejects every path - confirm before deploying.
ip as-path access-list 1 permit ^65002_
ip as-path access-list 1 permit ^65002$
ip as-path access-list 1 deny .*

! ========================================
! ROUTE-MAP FOR ADVANCED FILTERING
! ========================================

route-map BGP-IN permit 10
 ! Match clauses within one sequence are ANDed: the prefix must be in
 ! ALLOW-IN and the path must start with the peer's AS.
 match ip address prefix-list ALLOW-IN
 match as-path 1
 set local-preference 200
!
! Anything that did not match sequence 10 is dropped here.
route-map BGP-IN deny 100
!
route-map BGP-OUT permit 10
 match ip address prefix-list ALLOW-OUT
!
route-map BGP-OUT deny 100

! Apply route-maps to neighbor
! The neighbor-level prefix-list, filter-list and the route-map are all
! evaluated, so the route-map is a second independent layer. Applied here,
! outside an address-family, it covers IPv4 unicast only.
router bgp 65001
 neighbor 192.0.2.1 route-map BGP-IN in
 neighbor 192.0.2.1 route-map BGP-OUT out

! ========================================
! VERIFICATION COMMANDS
! ========================================

! Verify BGP session status
! show ip bgp summary
! show ip bgp neighbors 192.0.2.1

! Verify authentication is working
! show ip bgp neighbors 192.0.2.1 | include password

! Check received routes
! show ip bgp neighbors 192.0.2.1 routes

! Verify filters are applied
! show ip bgp neighbors 192.0.2.1 | include filter

Enhanced Security with TCP-AO (IOS-XE 17.x+)

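! TCP Authentication Option (RFC 5925) - replaces the TCP MD5 password.
! A TCP-AO key chain is declared with the `tcp` keyword and each key carries
! send/recv key IDs plus one of the RFC 5926 algorithms (aes-128-cmac or
! hmac-sha-1). hmac-sha-256 is NOT a TCP-AO algorithm; a plain key chain with
! it is the IGP-style keychain, not TCP-AO.
! NOTE(review): syntax per IOS-XE 17.x TCP-AO support - verify against the CLI
! reference for your release before deploying.
key chain BGP-KEYCHAIN tcp
 key 1
  send-id 1
  recv-id 1
  cryptographic-algorithm aes-128-cmac
  key-string MyStrongTCP-AOKey2024!

router bgp 65001
 ! `password` (MD5) and `ao` are mutually exclusive on a neighbor: remove the
 ! MD5 line first. Coordinate the cut-over with the peer - the session drops
 ! until both sides use TCP-AO with the same key IDs.
 no neighbor 192.0.2.1 password
 neighbor 192.0.2.1 ao BGP-KEYCHAIN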

RPKI Configuration for Route Origin Validation

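! Configure RPKI validator
router bgp 65001
 ! RTR (RFC 8210) over plain TCP carries no authentication: keep the validator
 ! on a trusted management network (or tunnel the session) so VRPs cannot be
 ! tampered with in transit.
 bgp rpki server tcp 192.0.2.100 port 8282 refresh 600
 ! Leave prefix-validate at its default, which keeps RPKI-invalid routes out
 ! of bestpath. `bgp bestpath prefix-validate allow-invalid` is deliberately
 ! NOT set: it would let a policy re-admit invalid routes.

! Filter based on RPKI validation
! Invalid routes are rejected outright (RFC 7115 / MANRS). Valid and not-found
! routes still have to pass the prefix-list and AS-path checks - no sequence
! accepts on RPKI state alone, otherwise any RPKI-valid or unknown prefix from
! the peer would bypass ALLOW-IN.
route-map BGP-IN deny 5
 match rpki invalid
!
route-map BGP-IN permit 10
 match ip address prefix-list ALLOW-IN
 match as-path 1
 match rpki valid
 set local-preference 200
!
route-map BGP-IN permit 20
 match ip address prefix-list ALLOW-IN
 match as-path 1
 match rpki not-found
 set local-preference 150
!
route-map BGP-IN deny 100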

🔶 Juniper JunOS Configuration

Complete secure multi-hop BGP configuration for Juniper routers with comprehensive security policies.

Basic Secure BGP Configuration

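# ========================================
# JUNIPER SECURE MULTI-HOP BGP CONFIGURATION
# ========================================

# BGP does not start without a local AS and router-id.
set routing-options router-id 10.0.0.1
set routing-options autonomous-system 65001

# Configure BGP group and neighbor
set protocols bgp group MULTIHOPIX type external
# `multihop ttl 255` sets the TTL on packets we SEND (what the peer's GTSM
# check expects); it does not check the TTL of packets we receive - see the
# TTL SECURITY section for the receive-side filter.
set protocols bgp group MULTIHOPIX multihop ttl 255
set protocols bgp group MULTIHOPIX local-address 10.0.0.1
# TCP MD5 (RFC 2385); Junos stores the key encrypted on commit. Rotate it and
# prefer TCP-AO where supported.
set protocols bgp group MULTIHOPIX authentication-key "MySecureP@ssw0rd123"
set protocols bgp group MULTIHOPIX export BGP-EXPORT
set protocols bgp group MULTIHOPIX import BGP-IMPORT
set protocols bgp group MULTIHOPIX peer-as 65002

# Configure specific neighbor
set protocols bgp group MULTIHOPIX neighbor 192.0.2.1 description "Multihopix Route Server"
# A prefix-limit without `teardown` only logs when the maximum is exceeded.
# `teardown 80` warns at 80% and tears the session down at the maximum;
# `idle-timeout forever` keeps it down until an operator clears it, so a
# leak does not auto-recover every few minutes.
set protocols bgp group MULTIHOPIX neighbor 192.0.2.1 family inet unicast prefix-limit maximum 1000
set protocols bgp group MULTIHOPIX neighbor 192.0.2.1 family inet unicast prefix-limit teardown 80
set protocols bgp group MULTIHOPIX neighbor 192.0.2.1 family inet unicast prefix-limit teardown idle-timeout forever
# inet6 previously had a maximum but no teardown, i.e. log-only.
set protocols bgp group MULTIHOPIX neighbor 192.0.2.1 family inet6 unicast prefix-limit maximum 500
set protocols bgp group MULTIHOPIX neighbor 192.0.2.1 family inet6 unicast prefix-limit teardown 80
set protocols bgp group MULTIHOPIX neighbor 192.0.2.1 family inet6 unicast prefix-limit teardown idle-timeout forever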

# ========================================
# PREFIX FILTERING
# ========================================

# Inbound prefix filter
# A prefix-list entry matches the exact prefix and length only; more-specifics
# are not matched. Both lists hold IPv4 prefixes only, so IPv6 routes received
# on the inet6 family never match ACCEPT-VALID and fall through to DENY-ALL -
# add an inet6 prefix-list (and a matching term) before enabling IPv6 traffic.
set policy-options prefix-list ALLOWED-PREFIXES-IN 192.168.113.0/24
set policy-options prefix-list ALLOWED-PREFIXES-IN 192.168.100.0/24

# Outbound prefix filter
set policy-options prefix-list ALLOWED-PREFIXES-OUT 192.0.2.0/24

# ========================================
# AS-PATH FILTERING
# ========================================

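# AS-path regular expressions for validation
# `as-path NAME` holds exactly one regex: two `set` lines with the same name
# keep only the last one, so the original pair silently reduced to
# "peer AS alone" and rejected every longer path. An as-path-group matches if
# ANY of its members matches.
# Junos AS-path regexes match the whole path (no ^/$ anchors needed):
# "65002" is the peer alone, "65002 .*" is the peer followed by any ASes.
# NOTE(review): a transparent route server does not prepend its own AS; if the
# peer is one, this check rejects every route - confirm before deploying.
set policy-options as-path-group VALID-AS-PATHS as-path PEER-ONLY "65002"
set policy-options as-path-group VALID-AS-PATHS as-path PEER-THEN-ANY "65002 .*"

# ========================================
# IMPORT POLICY (INBOUND)
# ========================================

# Conditions inside one term are ANDed: prefix in the allow-list AND path
# starting with the peer's AS. Terms are evaluated in configuration order, so
# any term added later with `set` lands AFTER DENY-ALL and is never reached -
# use `insert ... before term DENY-ALL` for additions.
set policy-options policy-statement BGP-IMPORT term ACCEPT-VALID from prefix-list ALLOWED-PREFIXES-IN
set policy-options policy-statement BGP-IMPORT term ACCEPT-VALID from as-path-group VALID-AS-PATHS
set policy-options policy-statement BGP-IMPORT term ACCEPT-VALID then local-preference 200
set policy-options policy-statement BGP-IMPORT term ACCEPT-VALID then accept

set policy-options policy-statement BGP-IMPORT term DENY-ALL then reject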

# ========================================
# EXPORT POLICY (OUTBOUND)
# ========================================

# Only prefixes in ALLOWED-PREFIXES-OUT leave; everything else - including
# routes learned from other peers and IPv6 routes, for which no list exists -
# hits DENY-ALL. Terms are evaluated in configuration order.
set policy-options policy-statement BGP-EXPORT term ADVERTISE from prefix-list ALLOWED-PREFIXES-OUT
set policy-options policy-statement BGP-EXPORT term ADVERTISE then accept

set policy-options policy-statement BGP-EXPORT term DENY-ALL then reject

# ========================================
# TTL SECURITY (GTSM)
# ========================================

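# `multihop ttl 255` only sets the TTL of packets we SEND. Junos has no
# per-neighbor receive-side GTSM knob; the receive check is a firewall filter
# on lo0 that discards BGP packets from the peer whose TTL is lower than
# 255 minus the expected hop count (RFC 5082).
set protocols bgp group MULTIHOPIX neighbor 192.0.2.1 multihop ttl 255

# GTSM receive check. With the peer 3 hops away, legitimate packets arrive
# with TTL 253-255; adjust the range to your topology (255 only for a
# directly connected peer).
# NOTE(review): the `ttl` / `ttl-except` match is platform-dependent - confirm
# it is supported on your hardware before relying on it.
set firewall family inet filter BGP-GTSM term DROP-BAD-TTL from source-address 192.0.2.1/32
set firewall family inet filter BGP-GTSM term DROP-BAD-TTL from protocol tcp
set firewall family inet filter BGP-GTSM term DROP-BAD-TTL from port bgp
set firewall family inet filter BGP-GTSM term DROP-BAD-TTL from ttl-except 253-255
set firewall family inet filter BGP-GTSM term DROP-BAD-TTL then count bgp-gtsm-drops
set firewall family inet filter BGP-GTSM term DROP-BAD-TTL then discard
# A filter ends in an implicit discard; the explicit accept keeps all other
# traffic to the RE untouched.
set firewall family inet filter BGP-GTSM term ALLOW-REST then accept
# WARNING: this REPLACES any input filter already on lo0. If the box already
# has a protect-RE filter, add the DROP-BAD-TTL term to that filter instead.
set interfaces lo0 unit 0 family inet filter input BGP-GTSM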

# ========================================
# ADVANCED SECURITY OPTIONS
# ========================================

# Log neighbor state changes (session up/down events go to the system log,
# which is what the monitoring checklist below expects to see).
set protocols bgp group MULTIHOPIX log-updown

# Graceful restart for stability
# Keeps forwarding on the peer's routes across a BGP restart; the peer must
# support it too or this has no effect.
set protocols bgp group MULTIHOPIX graceful-restart

# BFD for fast failure detection
# Intervals are milliseconds: 300 ms x 3 = roughly 1 s detection. Over a
# multi-hop path this is a multihop BFD session, so every hop must pass BFD.
set protocols bgp group MULTIHOPIX neighbor 192.0.2.1 bfd-liveness-detection minimum-interval 300
set protocols bgp group MULTIHOPIX neighbor 192.0.2.1 bfd-liveness-detection multiplier 3

# ========================================
# VERIFICATION COMMANDS
# ========================================

# show bgp summary
# show bgp neighbor 192.0.2.1
# show route receive-protocol bgp 192.0.2.1
# show route advertising-protocol bgp 192.0.2.1
# show policy BGP-IMPORT
# show policy BGP-EXPORT

RPKI Configuration (JunOS)

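# Configure RPKI session
# RTR (RFC 8210) over plain TCP carries no authentication: keep the validator
# on a trusted management network (or tunnel the session) so VRPs cannot be
# tampered with in transit.
set routing-options validation group RPKI-VALIDATORS session 192.0.2.100 port 8282
set routing-options validation group RPKI-VALIDATORS session 192.0.2.100 refresh-time 600
set routing-options validation group RPKI-VALIDATORS session 192.0.2.100 local-address 10.0.0.1

# Use RPKI in import policy
# Policy terms run in configuration order and `set` appends, so an RPKI term
# added after DENY-ALL is never reached; `insert ... before` puts it first.
# RPKI-invalid routes are rejected outright (RFC 7115 / MANRS) instead of being
# accepted at a low local-preference. Valid and not-found routes fall through
# to ACCEPT-VALID, so they still have to pass the prefix-list and AS-path
# checks - an accept-on-valid term without those conditions would let any
# RPKI-valid prefix from the peer bypass ALLOWED-PREFIXES-IN.
set policy-options policy-statement BGP-IMPORT term RPKI-INVALID from protocol bgp
set policy-options policy-statement BGP-IMPORT term RPKI-INVALID from validation-database invalid
set policy-options policy-statement BGP-IMPORT term RPKI-INVALID then reject
insert policy-options policy-statement BGP-IMPORT term RPKI-INVALID before term ACCEPT-VALID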

# Verify RPKI
# show validation session
# show validation database

BGP Authentication with TCP-AO

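# Configure TCP-AO (RFC 5925) - replaces the TCP MD5 authentication-key.
# A TCP-AO key needs a start-time, `algorithm ao` and the ao-attribute block.
# hmac-sha-256 is NOT a TCP-AO algorithm: RFC 5926 defines HMAC-SHA-1-96 and
# AES-128-CMAC-96, and a key-chain entry without `algorithm ao` is not TCP-AO.
# NOTE(review): syntax per current Junos releases - confirm against yours.
set security authentication-key-chains key-chain BGP-CHAIN key 1 secret "MyStrongTCP-AOKey2024!"
set security authentication-key-chains key-chain BGP-CHAIN key 1 start-time 2024-01-01.00:00:00
set security authentication-key-chains key-chain BGP-CHAIN key 1 algorithm ao
set security authentication-key-chains key-chain BGP-CHAIN key 1 ao-attribute send-id 1
set security authentication-key-chains key-chain BGP-CHAIN key 1 ao-attribute recv-id 1
set security authentication-key-chains key-chain BGP-CHAIN key 1 ao-attribute cryptographic-algorithm aes-128-cmac-96
set security authentication-key-chains key-chain BGP-CHAIN key 1 ao-attribute tcp-ao-option enabled

# TCP-AO and TCP MD5 cannot both be active on a session: remove the MD5 key
# first and coordinate the cut-over with the peer (same key, same IDs).
delete protocols bgp group MULTIHOPIX authentication-key
set protocols bgp group MULTIHOPIX authentication-algorithm ao
set protocols bgp group MULTIHOPIX authentication-key-chain BGP-CHAIN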

🔴 MikroTik RouterOS Configuration

Complete secure multi-hop BGP configuration for MikroTik routers with available security features.

Basic Secure BGP Configuration

# ========================================
# MIKROTIK SECURE MULTI-HOP BGP CONFIGURATION
# ========================================

# Create BGP instance
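/routing bgp template
set default as=65001 disabled=no router-id=10.0.0.1

# Configure BGP peer with authentication
# local.address pins the session to the router-id address, so a multi-hop
# session is always sourced from the same address the peer has configured
# for its MD5 key and TTL/firewall checks.
# The MD5 key is visible in `/export`; use `/export hide-sensitive` when
# sharing configs and rotate the key. RouterOS 7 also offers per-connection
# input.limit-process-routes-ipv4 / -ipv6 on recent releases - check your
# version and prefer it to the script-based limit further down.
/routing bgp connection
add name=multihopix-peer \
    remote.address=192.0.2.1/32 \
    remote.as=65002 \
    local.address=10.0.0.1 \
    multihop=yes \
    tcp-md5-key="MySecureP@ssw0rd123" \
    local.role=ebgp \
    output.default-originate=never \
    templates=default \
    comment="Multihopix Route Server"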

# ========================================
# PREFIX FILTERING
# ========================================

# Create address lists for filtering
/ip firewall address-list
# NOTE: these address-lists are NOT referenced by the routing filter rules in
# this guide (the filters match prefixes directly). They only matter for
# /ip firewall rules and are otherwise unused here; drop them or use them
# explicitly so the config does not suggest a filter that is not in force.
add list=BGP-ALLOWED-IN address=192.168.113.0/24 comment="Allowed inbound prefix"
add list=BGP-ALLOWED-IN address=192.168.100.0/24 comment="Allowed inbound prefix"
add list=BGP-ALLOWED-OUT address=192.0.2.0/24 comment="Allowed outbound prefix"

# ========================================
# ROUTE FILTERS (INPUT)
# ========================================

# Accept only allowed prefixes inbound
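/routing filter rule
# `dst in X` also matches every more-specific inside X, so a hijacked
# 192.168.113.0/25 would be accepted; `dst-len == 24` pins the exact prefix
# (the same exact-match behaviour as a Cisco/Junos prefix-list entry).
# The AS-path test is folded into each accept rule: rules are evaluated
# top-down and nothing placed after the unconditional "reject" is reached,
# while an AS-path rule without a prefix condition would accept ANY prefix
# whose path starts with 65002.
# NOTE(review): confirm the as-path string format (space-separated) against
# `/routing/route/print detail` on your release before trusting the regex.
add chain=BGP-IN \
    rule="if (dst in 192.168.113.0/24 && dst-len == 24 && (bgp-as-path ~\"^65002 \" || (bgp-as-path-length == 1 && bgp-as-path ~\"^65002\"))) {set bgp-local-pref 200; accept}"
add chain=BGP-IN \
    rule="if (dst in 192.168.100.0/24 && dst-len == 24 && (bgp-as-path ~\"^65002 \" || (bgp-as-path-length == 1 && bgp-as-path ~\"^65002\"))) {set bgp-local-pref 200; accept}"
# Final catch-all; keep this as the LAST rule in the chain.
add chain=BGP-IN \
    rule="reject"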

# ========================================
# ROUTE FILTERS (OUTPUT)
# ========================================

# Advertise only allowed prefixes outbound
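/routing filter rule
# Exact-match the prefix we originate: `dst in` alone would also advertise
# any more-specific of 192.0.2.0/24 that happens to be in the routing table.
add chain=BGP-OUT \
    rule="if (dst in 192.0.2.0/24 && dst-len == 24) {accept}"
# Final catch-all; keep this as the LAST rule in the chain.
add chain=BGP-OUT \
    rule="reject"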

# ========================================
# APPLY FILTERS TO CONNECTION
# ========================================

# Bind the filter chains to the connection. Each chain is evaluated top-down
# and stops at the first accept/reject, so rule ORDER inside BGP-IN/BGP-OUT
# is what decides; a rule appended after a bare "reject" never runs.
/routing bgp connection
set multihopix-peer \
    input.filter=BGP-IN \
    output.filter-chain=BGP-OUT

# ========================================
# AS-PATH FILTERING
# ========================================

# Filter based on AS-path
# Filter based on AS-path
# WARNING: these rules are appended AFTER the unconditional "reject" already
# in chain BGP-IN, so they are never evaluated. If they were moved before it
# they would accept ANY prefix whose path starts with 65002 (no dst check),
# bypassing the prefix filter. The AS-path condition belongs inside the
# prefix-accept rules, not in stand-alone accepts.
/routing filter rule
add chain=BGP-IN \
    rule="if (bgp-as-path-length == 1 && bgp-as-path ~\"^65002\") {set bgp-local-pref 200; accept}"
add chain=BGP-IN \
    rule="if (bgp-as-path-length == 2 && bgp-as-path ~\"^65002 \") {set bgp-local-pref 150; accept}"

# ========================================
# MAXIMUM PREFIX PROTECTION
# ========================================

# Note: older RouterOS had no per-peer max-prefix; recent RouterOS 7 releases expose
# input.limit-process-routes-ipv4 / -ipv6 on the connection - check your version and
# prefer that. The script below is a coarse fallback: it counts ALL BGP routes on the
# box (every peer, every AF), not just this session's, and only runs on the scheduler
# interval, so a burst can fill memory before it fires.
/system script
add name=bgp-prefix-monitor source={
# Polls the total BGP route count and disables the peer once it passes the
# threshold. The count is global (all peers/AFs) and the check is periodic,
# so it is a backstop, not a real max-prefix. The connection stays disabled
# until an operator re-enables it - intended, a leak should not auto-recover.
:local maxPrefixes 1000
:local currentPrefixes [/routing/route/print count-only where bgp]
:if (\$currentPrefixes > \$maxPrefixes) do={
    /routing bgp connection disable multihopix-peer
    /log warning "BGP: Prefix limit exceeded - session disabled"
}
}

# Schedule script to run every 5 minutes
# 5 minutes is a long window for a route flood; shorten it if this is the
# only prefix limit in force.
/system scheduler
add name=bgp-monitor interval=5m on-event=bgp-prefix-monitor

# ========================================
# FIREWALL RULES FOR BGP SECURITY
# ========================================

# Accept BGP only from specific peer
# Firewall rules are first-match: this rule accepts the peer's TCP/179
# traffic at ANY TTL, so a TTL (GTSM) rule only works if it is inserted
# BEFORE this one (`place-before=`), not appended after it.
# Consider also matching dst-address on the local session address
# (10.0.0.1 if the session is sourced from it) so only that socket is open.
/ip firewall filter
add chain=input protocol=tcp dst-port=179 \
    src-address=192.0.2.1 \
    action=accept \
    comment="Allow BGP from Multihopix"

# Everything else to TCP/179 is dropped (spoofed peers, scanners).
add chain=input protocol=tcp dst-port=179 \
    action=drop \
    comment="Drop all other BGP"

# ========================================
# VERIFICATION COMMANDS
# ========================================

# /routing bgp session print detail
# /routing bgp advertisements print
# /routing route print where bgp
# /routing filter rule print
# /log print where topics~"bgp"

TTL Security for MikroTik

# TTL Security via firewall (MikroTik approach)
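# RouterOS firewall rules are first-match and the earlier "Allow BGP from
# Multihopix" rule already accepts the peer at any TTL, so these rules must
# be placed BEFORE it - appended at the end they would never be evaluated.
# GTSM (RFC 5082): a peer H hops away that sends TTL 255 arrives with
# TTL >= 256-H, so accept ttl greater-than (255-H). The example assumes H=3
# (TTL 253-255); use greater-than:254 (TTL 255 only) for a directly connected
# peer - `equal:255` breaks every genuinely multi-hop session.
# The peer must itself send TTL 255 (Cisco `ttl-security`, Junos
# `multihop ttl 255`) or its packets are dropped here.
/ip firewall filter
add chain=input protocol=tcp dst-port=179 \
    src-address=192.0.2.1 \
    ttl=greater-than:252 \
    action=accept \
    place-before=[find chain=input comment="Allow BGP from Multihopix"] \
    comment="BGP TTL Security - accept only TTL 253-255"

add chain=input protocol=tcp dst-port=179 \
    src-address=192.0.2.1 \
    action=drop \
    place-before=[find chain=input comment="Allow BGP from Multihopix"] \
    comment="BGP TTL Security - drop other TTL values"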

Monitoring and Logging

# Enable detailed BGP logging
/system logging
# memory for live troubleshooting, disk so events survive a reboot.
add topics=bgp action=memory
add topics=bgp action=disk

# Create monitoring script
# NOTE(review): `/routing bgp connection` is the configured peer; live
# session state is reported under `/routing bgp session` (see
# `/routing bgp session print detail` in the verification commands). Confirm
# on your release that the connection object exposes a `state` value before
# relying on this check - if it does not, `get` fails and nothing is logged.
/system script
add name=bgp-status-check source={
:local bgpState [/routing bgp connection get multihopix-peer value-name=state]
:if (\$bgpState != "established") do={
    /log warning "BGP session not established - current state: \$bgpState"
}
}

# Run every minute
/system scheduler
add name=bgp-status interval=1m on-event=bgp-status-check

Security Best Practices Checklist

  • Enable TCP-AO (preferred) or, where it is not supported, TCP MD5 authentication on all BGP sessions, and rotate the keys
  • Configure strict prefix filters for both inbound and outbound
  • Implement AS-path filtering to validate route origins
  • Set maximum prefix limits appropriate for each peer
  • Enable TTL security (GTSM) where supported
  • Use RPKI validation if available on your platform, and reject RPKI-invalid routes rather than merely de-preferring them
  • Log all BGP events for security monitoring
  • Regularly review accepted and advertised routes
  • Test failover scenarios to ensure redundancy works
  • Document all configurations and keep them updated
