During a BGP MD5 key change, the TCP session goes down

This article describes how the behavior on a BGP Message Digest 5 (MD5) key change (configured with the neighbor authentication-key statement) differs between Junos OS versions.

BGP MD5 authentication is an important feature for protecting BGP sessions and filtering out unwanted session packets. Company policy sometimes requires changing the BGP MD5 key regularly, and the change window should not produce any TCP session drop. However, the following syslog message is logged, showing that the TCP session is dropped immediately.

Junos OS must reinitialize the authentication database before it can establish a TCP session with the new MD5 key, so it drops the existing TCP session and re-establishes it with the new key. The following example shows the drop.
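To make the reason for the drop concrete, here is an added example (not Junos code and not from the original article) that builds and verifies the RFC 2385 TCP MD5 signature option that "BGP MD5" places on every TCP segment of the session. The addresses, ports, sequence numbers and keys are constructed sample values. It shows that once one side signs with the new key, the other side's check with the old key fails and the segment would be discarded, which is why the session cannot carry traffic until both peers hold the same key.

```python
"""Added example (not Junos code, not from the original article): build and
verify the RFC 2385 TCP MD5 signature option that carries "BGP MD5".
Addresses, ports, sequence numbers and keys are constructed sample values."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

TCP_PROTO = 6
TCPOPT_NOP = 1
TCPOPT_MD5SIG = 19        # IANA TCP option kind for the MD5 signature (RFC 2385)
TCPOLEN_MD5SIG = 18       # kind(1) + length(1) + 16-byte digest


def tcp_md5_digest(src_ip: str, dst_ip: str, tcp_header: bytes,
                   segment_len: int, payload: bytes, key: bytes) -> bytes:
    """RFC 2385 section 2.0: MD5 over the TCP pseudo-header, the 20-byte fixed
    TCP header with the checksum zeroed and options excluded, the segment
    data, and finally the shared key."""
    if len(tcp_header) != 20:
        raise ValueError("tcp_header must be the 20-byte fixed header")
    pseudo_header = (IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
                     + struct.pack("!BBH", 0, TCP_PROTO, segment_len))
    header_zero_csum = tcp_header[:16] + b"\x00\x00" + tcp_header[18:]
    return hashlib.md5(pseudo_header + header_zero_csum + payload + key).digest()


def find_md5_option(options: bytes):
    """Walk the TCP option list and return the 16-byte signature, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                  # End of option list
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):      # truncated option
            break
        length = options[i + 1]
        if length < 2:                 # malformed option, stop walking
            break
        if kind == TCPOPT_MD5SIG and length == TCPOLEN_MD5SIG:
            return options[i + 2:i + length]
        i += length
    return None


def build_signed_segment(src_ip, dst_ip, src_port, dst_port, seq, ack,
                         flags, payload, key) -> bytes:
    """Sender side: fixed header, NOP NOP + MD5 option (20 bytes), payload."""
    options_len = 2 + TCPOLEN_MD5SIG
    data_offset = (20 + options_len) // 4
    # Checksum field is left at 0; the digest zeroes it anyway (not a wire-ready packet).
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                         data_offset << 4, flags, 65535, 0, 0)
    segment_len = 20 + options_len + len(payload)
    digest = tcp_md5_digest(src_ip, dst_ip, header, segment_len, payload, key)
    options = bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_MD5SIG, TCPOLEN_MD5SIG]) + digest
    return header + options + payload


def verify_segment(src_ip, dst_ip, segment: bytes, key: bytes) -> bool:
    """Receiver side: with a key configured, unsigned or mis-signed segments fail."""
    data_offset = (segment[12] >> 4) * 4
    header, options, payload = segment[:20], segment[20:data_offset], segment[data_offset:]
    received = find_md5_option(options)
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, header, len(segment), payload, key)
    return hmac.compare_digest(received, expected)


# Constructed sample: peer A (10.0.0.1) sends a BGP KEEPALIVE to peer B (10.0.0.2)
# on a session that was established with OLD_KEY.
PEER_A, PEER_B = "10.0.0.1", "10.0.0.2"
OLD_KEY, NEW_KEY = b"old-bgp-key", b"new-bgp-key"
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)   # marker, length 19, type 4


def demo() -> dict:
    seg = build_signed_segment(PEER_A, PEER_B, 179, 50123, 1000, 2000, 0x18,
                               BGP_KEEPALIVE, OLD_KEY)
    # Same fixed header with data offset 5 and no options: an unsigned segment.
    unsigned = seg[:12] + bytes([5 << 4]) + seg[13:20] + BGP_KEEPALIVE
    return {
        "same_key": verify_segment(PEER_A, PEER_B, seg, OLD_KEY),
        "receiver_already_rekeyed": verify_segment(PEER_A, PEER_B, seg, NEW_KEY),
        "unsigned": verify_segment(PEER_A, PEER_B, unsigned, OLD_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

The "receiver_already_rekeyed" case is the key-rollover situation: segments signed with one key are rejected by a peer that already expects the other, so until both sides have applied the change no KEEPALIVE gets through and the BGP hold timer is the only thing keeping the session alive.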

Topology

BGP session established

Changed MD5 key on R2

When R1 changes the MD5 key while the session is established with the old MD5 key, R1 sends a BGP NOTIFICATION with error code 6 (Cease), subcode 3 (Peer Unconfigured), to R2. R2 then drops the BGP session.

You can look up what any BGP error code and subcode means in the IANA BGP parameters registry: https://www.iana.org/assignments/bgp-parameters/bgp-parameters.xhtml#bgp-parameters-3
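As an added example (not from the original article and not Junos code), the following decoder parses a BGP NOTIFICATION message and names its error code and subcode from the IANA registry linked above, so the Cease / subcode 3 message R1 sends can be recognised in a packet capture or a log pipeline and separated from real faults such as Hold Timer Expired. The sample message is constructed; the CONFIG_DRIVEN_CEASE set is this example's own grouping of the subcodes that indicate an operator or configuration action on the peer.

```python
"""Added example (not from the original article or Junos): decode a BGP
NOTIFICATION and name its error code/subcode using the IANA registry values."""
import struct

BGP_MARKER = b"\xff" * 16
BGP_HEADER_LEN = 19
BGP_TYPE_NOTIFICATION = 3

# RFC 4271 section 4.5 error codes (IANA registry names).
ERROR_CODES = {
    1: "Message Header Error",
    2: "OPEN Message Error",
    3: "UPDATE Message Error",
    4: "Hold Timer Expired",
    5: "Finite State Machine Error",
    6: "Cease",
    7: "ROUTE-REFRESH Message Error",
}
# RFC 4486 / RFC 8538 Cease subcodes (IANA names; Junos prints subcode 3 as
# "Peer Unconfigured").
CEASE_SUBCODES = {
    1: "Maximum Number of Prefixes Reached",
    2: "Administrative Shutdown",
    3: "Peer De-configured",
    4: "Administrative Reset",
    5: "Connection Rejected",
    6: "Other Configuration Change",
    7: "Connection Collision Resolution",
    8: "Out of Resources",
    9: "Hard Reset",
}
# This example's own grouping: Cease subcodes caused by an operator or
# configuration action on the peer rather than by a fault.
CONFIG_DRIVEN_CEASE = {2, 3, 4, 6, 9}


def parse_notification(msg: bytes) -> dict:
    """Return the decoded fields of a BGP NOTIFICATION; raise ValueError if malformed."""
    if len(msg) < BGP_HEADER_LEN + 2:
        raise ValueError("too short for a NOTIFICATION")
    if msg[:16] != BGP_MARKER:
        raise ValueError("bad marker")
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if length != len(msg):
        raise ValueError(f"length field {length} does not match {len(msg)} bytes")
    if msg_type != BGP_TYPE_NOTIFICATION:
        raise ValueError(f"not a NOTIFICATION (type {msg_type})")
    code, subcode = msg[19], msg[20]
    subcode_name = CEASE_SUBCODES.get(subcode, "unknown") if code == 6 else None
    return {
        "code": code,
        "code_name": ERROR_CODES.get(code, "unknown"),
        "subcode": subcode,
        "subcode_name": subcode_name,
        "config_driven": code == 6 and subcode in CONFIG_DRIVEN_CEASE,
        "data": msg[21:],   # optional diagnostic data, e.g. a shutdown communication
    }


def build_notification(code: int, subcode: int, data: bytes = b"") -> bytes:
    """Constructed-sample builder so the parser can be exercised offline."""
    body = bytes([code, subcode]) + data
    return (BGP_MARKER
            + struct.pack("!HB", BGP_HEADER_LEN + len(body), BGP_TYPE_NOTIFICATION)
            + body)


# Constructed sample: the message the article describes, Cease / subcode 3.
SAMPLE_CEASE_PEER_DECONFIGURED = build_notification(6, 3)

if __name__ == "__main__":
    print(parse_notification(SAMPLE_CEASE_PEER_DECONFIGURED))
```

In a monitoring pipeline the `config_driven` flag is the useful output: a Cease with subcode 3 during a scheduled key change is expected, whereas the same subcode outside a change window, or a Hold Timer Expired (code 4) during one, is worth an alert.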

In Junos OS 12.3R, the BGP session is not disconnected immediately when the BGP MD5 key changes. The session is held until the hold timer expires. Please see the following syslog message.

This behavior makes MD5 key changes more flexible, with no TCP drops, as long as the change is completed before the BGP hold timer expires. The best practice is therefore to change the MD5 key promptly, before the BGP session times out.

Tested version 12.3R1.7


About the author

Prasanna
