Fortinet black logo

Administration Guide

Home FortiGate / FortiOS 7.4.3 Administration Guide
7.4.3
7.4.3
7.4.2
7.4.1
7.4.0
7.2.8
7.2.7
7.2.6
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.0.15
7.0.14
7.0.13
7.0.12
7.0.11
7.0.10
7.0.9
7.0.8
7.0.7
7.0.6
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.4.15
6.4.14
6.4.13
6.4.12
6.4.11
6.4.10
6.4.9
6.4.8
6.4.7
6.4.6
6.4.5
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0

TCP Authentication Option advanced security measures

TCP Authentication Option advanced security measures

BGP incorporates TCP Authentication Option (TCP-AO) advanced security measures, which supports stronger algorithms, such as AES-128 CMAC and HMAC-SHA1. This integration bolsters the security of and enhances the reliability of BGP connections and contributes to the overall security of the internet.

To set the algorithm to AES-128 CMAC:
config router key-chain
    edit <name>
        config key
            edit <id>
                set algorithm cmac-aes128
            next
        end
    next
end
To select the key-chain with the TCP-AO in a neighbor or neighbor group:
config router bgp
    config {neighbor | neighbor-group}
        edit <ip>
            set auth-options <key-chain>
        end
    next
end
To debug the TCP authentication options:
diagnose sys tcp-auth-options

Example

In this example, the router BGP neighbor is configured to use the AES-128 CMAC algorithm.

To configure the router BGP to use the AES-128 CMAC algorithm:

  1. Configure the router key-chain to use the AES-128 CMAC algorithm:

    config router key-chain
    edit "11"
        config key
            edit "1"
                set accept-lifetime 01:01:01 01 01 2021 2147483646
                set send-lifetime 01:01:01 01 01 2021 2147483646
                set key-string **********
                set algorithm cmac-aes128
            next
        end
    next
end

  2. Apply the key-chain to the BGP neighbor or neighbor group:

    The key-chain is applied to the BGP neighbor with IP address 2.2.2.2.

    config router bgp
    set as 65412
    config neighbor
        edit "2.2.2.2"
            set auth-options "11"
        next
    end
end

  3. Verify that the router BGP is using the algorithm.

    The command output shows that BGP neighbor 2.2.2.2 is using the AES-128 CMAC algorithm. 

    # diagnose sys tcp-auth-options

VFID=0 send-id=1 recv-id=1 flags=0x784 keylen=6
alg=2(aes128) addr=2.2.2.2
send-begin: Fri Jan  1 01:01:01 2021
send-end: Wed Jan 19 04:15:07 2089
recv-begin: Fri Jan  1 01:01:01 2021
recv-end: Wed Jan 19 04:15:07 2089
Previous
Next

TCP Authentication Option advanced security measures

BGP incorporates TCP Authentication Option (TCP-AO) advanced security measures, which supports stronger algorithms, such as AES-128 CMAC and HMAC-SHA1. This integration bolsters the security of and enhances the reliability of BGP connections and contributes to the overall security of the internet.

To set the algorithm to AES-128 CMAC:
config router key-chain
    edit <name>
        config key
            edit <id>
                set algorithm cmac-aes128
            next
        end
    next
end
To select the key-chain with the TCP-AO in a neighbor or neighbor group:
config router bgp
    config {neighbor | neighbor-group}
        edit <ip>
            set auth-options <key-chain>
        end
    next
end
To debug the TCP authentication options:
diagnose sys tcp-auth-options

Example

In this example, the router BGP neighbor is configured to use the AES-128 CMAC algorithm.

To configure the router BGP to use the AES-128 CMAC algorithm:

  1. Configure the router key-chain to use the AES-128 CMAC algorithm:

    config router key-chain
    edit "11"
        config key
            edit "1"
                set accept-lifetime 01:01:01 01 01 2021 2147483646
                set send-lifetime 01:01:01 01 01 2021 2147483646
                set key-string **********
                set algorithm cmac-aes128
            next
        end
    next
end

  2. Apply the key-chain to the BGP neighbor or neighbor group:

    The key-chain is applied to the BGP neighbor with IP address 2.2.2.2.

    config router bgp
    set as 65412
    config neighbor
        edit "2.2.2.2"
            set auth-options "11"
        next
    end
end

  3. Verify that the router BGP is using the algorithm.

    The command output shows that BGP neighbor 2.2.2.2 is using the AES-128 CMAC algorithm. 

    # diagnose sys tcp-auth-options

VFID=0 send-id=1 recv-id=1 flags=0x784 keylen=6
alg=2(aes128) addr=2.2.2.2
send-begin: Fri Jan  1 01:01:01 2021
send-end: Wed Jan 19 04:15:07 2089
recv-begin: Fri Jan  1 01:01:01 2021
recv-end: Wed Jan 19 04:15:07 2089
Previous
Next