Which statement about BGP security mechanisms is true?

Multiple Choice

Which statement about BGP security mechanisms is true?

Explanation:
BGP security mechanisms are about making sure routing information really comes from who it claims to come from and that the AS_PATH cannot be tampered with in transit. The true statement is that BGPSEC provides per-hop cryptographic validation of the AS_PATH to prevent spoofing. In BGPSEC, each autonomous system along a path signs the portion of the AS_PATH it contributes, and routers verify these signatures as updates are received. This creates a chain of trust for the path itself, so if any hop is forged or altered, the cryptographic validation detects it. That’s why this option is correct.

The other ideas don’t hold up the same way. TCP-MD5 protects the integrity of the TCP session used by BGP, but it does not encrypt the BGP update payload or validate the AS_PATH; it mainly stops spoofed TCP connections from being established. ROAs (RPKI) validate whether the origin AS is authorized to announce a prefix, which helps confirm the origin, but they do not provide per-hop path validation or prevent all path spoofing on the AS_PATH by themselves. TTLS isn’t a standard BGP security mechanism for per-hop encryption, and BGP does not rely on per-hop encryption in the way that option suggests; BGPSEC is the mechanism designed for authenticating the path itself rather than simply securing the transport layer.
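To make the difference between origin validation and path validation concrete, here is an added example (not part of the original page) of the RFC 6811 route origin validation decision that ROAs feed. The VRP table, prefixes and AS numbers are constructed sample values from the documentation ranges, and the function name is hypothetical.

```python
import ipaddress

# Constructed sample VRPs (validated ROA payloads):
# (prefix, max length, authorized origin AS). Documentation prefixes and ASNs.
VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 24, 64501),
]

def origin_validation(prefix, as_path, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' for a route (RFC 6811 logic).

    Only the origin AS (rightmost entry of the AS_PATH) is consulted;
    every other hop in the path is ignored by this check.
    """
    route = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covered = False
    for vrp_prefix, max_len, asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route if the route's prefix lies inside the VRP prefix.
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        # Match: authorized origin AS and prefix no longer than max length.
        if asn == origin and route.prefixlen <= max_len:
            return "valid"
    # Covered by some VRP but no match is invalid; no covering VRP is not-found.
    return "invalid" if covered else "not-found"

def demo():
    """Run the check over constructed announcements and return the results."""
    return {
        "genuine": origin_validation("192.0.2.0/24", [64510, 64505, 64500]),
        "wrong_origin": origin_validation("192.0.2.0/24", [64510, 64511]),
        "too_specific": origin_validation("192.0.2.0/25", [64510, 64500]),
        "no_roa": origin_validation("203.0.113.0/24", [64510, 64502]),
        # Same origin as 'genuine' but different intermediate hops: the
        # result is unchanged because the path itself is never examined.
        "different_path": origin_validation("192.0.2.0/24", [64510, 64509, 64500]),
    }

if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:15} {state}")
```

The `different_path` case returns the same state as `genuine`, which is the gap the explanation describes: origin validation confirms who may originate the prefix, while checking the hops in between is the job BGPSEC's per-hop signatures are designed for.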
