IBM Cloud Docs
Activating and deactivating BGP MD5 authentication

You can activate BGP MD5 authentication when you create a Direct Link gateway, or after the gateway is provisioned. You can deactivate MD5 authentication at any time.

Authentication requirements and considerations

Make sure to review the following BGP MD5 authentication requirements and considerations:

  • You must configure the same BGP MD5 authentication key on both your Edge router and the IBM cross-connect router (XCR). The shared authentication key on the IBM device must be stored in your Hyper Protect Crypto Services (HPCS) or Key Protect instance and shared with the Direct Link service. For more information, see Setting up BGP Message Digest 5 (MD5) authentication keys.
  • You can achieve hitless key refresh if the keys are updated on both your Edge router and on the XCR within 90 seconds. As a precondition, you must configure the BGP hold time on your router to a minimum of 90 seconds. All Direct Link routers have a 90-second hold time configured by default. Either side can initiate the key refresh, but both sides must refresh within the configured BGP hold time to avoid traffic disruption.
  • Activating and deactivating MD5, or changing the MD5 key on the IBM side after the BGP session is established, causes BGP session downtime and network disruption until the BGP peer device is configured with the same change.
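
BGP MD5 authentication is the TCP MD5 signature option of RFC 2385, and the following added example (not IBM's code) shows why a key that differs between the two routers makes the receiver drop every segment until both sides match. The addresses, ports, keys, and helper names are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO, MD5_KIND, MD5_LEN = 6, 19, 18   # option 19, 18 bytes long (RFC 2385)
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)   # constructed BGP KEEPALIVE

def digest(src, dst, segment, key):
    """MD5 over pseudo-header, 20-byte TCP header (checksum zeroed,
    options excluded), segment data, then the shared key."""
    hdr_len = (segment[12] >> 4) * 4
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))
    fixed = segment[:16] + b"\x00\x00" + segment[18:20]
    return hashlib.md5(pseudo + fixed + segment[hdr_len:] + key).digest()

def sign(src, dst, payload, key, sport=179, dport=50000, seq=1000, ack=2000):
    """Build a PSH+ACK segment carrying only the MD5 option (+2 NOPs)."""
    fixed = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                        (10 << 12) | 0x018, 16384, 0, 0)   # 40-byte header
    blank = fixed + bytes([MD5_KIND, MD5_LEN]) + bytes(16) + b"\x01\x01" + payload
    mac = digest(src, dst, blank, key)
    return blank[:22] + mac + blank[38:]

def accept(src, dst, segment, key):
    """Receiver side: True only if the option is present and matches."""
    opts = segment[20:(segment[12] >> 4) * 4]
    i = 0
    while i < len(opts) and opts[i] != 0:          # 0 = end of option list
        if opts[i] == 1:                           # 1 = NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:  # malformed option
            return False
        if opts[i] == MD5_KIND and opts[i + 1] == MD5_LEN:
            return hmac.compare_digest(opts[i + 2:i + 18],
                                       digest(src, dst, segment, key))
        i += opts[i + 1]
    return False                                   # unsigned segment: drop

if __name__ == "__main__":
    xcr, edge = "192.0.2.1", "192.0.2.2"           # documentation addresses
    old, new = b"constructed-old-key", b"constructed-new-key"
    seg = sign(xcr, edge, KEEPALIVE, new)          # XCR already uses the new key
    print("edge still on old key:", accept(xcr, edge, seg, old))
    print("edge after refresh:   ", accept(xcr, edge, seg, new))
```

While the keys differ, the receiving router sees no valid KEEPALIVE or UPDATE messages, which is why the second key change has to land before the BGP hold timer expires.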

Activating BGP MD5 authentication

To activate MD5 authentication on a provisioned gateway, follow these steps:

  1. Set up BGP Message Digest 5 (MD5) authentication keys.
  2. Log in to the Direct Link console, then click the Direct Link name in the table to show its details.
  3. Click the BGP tab, then click the MD5 authentication Deactivated switch to open the MD5 authentication window.
  4. Complete the following information:
    • For the keystore, select either Hyper Protect Crypto Services or Key Protect.
    • Select an authentication keystore instance.
    • Select an authentication key.
  5. Click Activate. The information is added to the details page and the switch shows Activated.

If you later want to edit BGP values, click Edit in the upper right of the BGP section.

Deactivating BGP MD5 authentication

To deactivate BGP MD5 authentication, follow these steps:

  1. Log in to the Direct Link console, then click the Direct Link name in the table to show its details.

  2. On the BGP tab, click the MD5 authentication Activated switch to show the Deactivate BGP MD5 authentication window.

  3. Enter the name of the key to confirm, then click Deactivate. Your key is removed in the process.

    The Details page is updated with your change.