BGP Labs: TCP-AO Protection of BGP Sessions

A few days after I published the EBGP session protection lab, Jeroen van Bemmel submitted a pull request that added TCP-AO support to netlab. Now that the release 1.6.3 is out, I could use it to build the Protect BGP Sessions with TCP Authentication Option (TCP-AO) lab exercise.

Note: TCP-AO is not yet supported by the Linux kernel, so you cannot use Cumulus Linux, FRR, or Arista cEOS for the external BGP routers. You will have to use virtual machines to run the lab, and you could choose between Arista EOS VM, Cisco CSR 1000v, or Nokia SR-OS (virtual machine running in a container).

keep reading


  1. It's not here yet, but TCP-AO support in Linux is getting closer.

  2. TCP-AO support has been merged into what is intended to become Linux 6.7 in a few months:

    1. Nice ;) Thanks for the pointer!

      Now we have to wait for it to appear in Ubuntu (so we can run cEOS/FRR/Cumulus containers or Ubuntu VMs with TCP-AO) and to be supported by cEOS and FRR.

      My bet would be on FRR being the first to get it implemented ;)

Add comment