Internet development brings more frequent data, voice, and video information exchange over the Internet. New services, such as e-commerce, online conferencing and auctions, video on demand, and distance learning, emerge gradually. The new services have high requirements for network security. Carriers must guarantee that data packets are not monitored and modified by attackers and prohibit the access of unauthorized users. Intermediate System to Intermediate System (IS-IS) authentication applies to the area or interface where packets need to be protected to ensure packet transmission security. Using IS-IS authentication enhances system security and helps carriers provide safe network services.
Authentication Classification
Based on the types of packets, the authentication is classified as follows:
Interface authentication: is configured in the interface view to authenticate Level-1 and Level-2 IS-to-IS Hello PDUs (IIHs).
Area authentication: is configured in the IS-IS process view to authenticate Level-1 CSNPs, PSNPs, and LSPs.
Routing domain authentication: is configured in the IS-IS process view to authenticate Level-2 CSNPs, PSNPs, and LSPs.
Based on the authentication modes of packets, authentication is classified into the following types:
Explicit authentication: the password is carried in the packet in clear text. Its security is poorer than that of the other authentication types.
MD5 authentication: processes the password with the MD5 algorithm and carries the resulting digest in the packet instead of the password itself, which improves password security.
Keychain authentication: further improves network security by using a configurable key chain whose keys change over time.
HMAC-SHA256 authentication: processes the password with the HMAC-SHA256 algorithm and carries the resulting digest in the packet instead of the password itself, which improves password security.
IS-IS authentication protects IS-IS packets by adding an authentication field to them. After receiving IS-IS packets from a remote router, the local router discards any packet whose authentication information does not match the locally configured authentication password. This mechanism protects the local router from accepting packets that fail authentication.
IS-IS provides a type-length-value (TLV) to carry authentication information. The TLV components are as follows:
Type: indicates the type of the TLV, which is 1 byte. The value defined by ISO is 10, while the value defined for IP is 133.
Length: indicates the length of the authentication information that follows, which is 1 byte.
Value: carries the authentication information, that is, the authentication type followed by the authentication data, and ranges from 1 to 254 bytes. The authentication type takes one of the following values:
0 is reserved.
1 indicates explicit authentication.
3 indicates general authentication; currently only HMAC-SHA256 authentication is supported.
54 indicates MD5 authentication.
255 is reserved for routing domain private authentication methods.
Interface Authentication
Authentication passwords for IIHs are saved on interfaces. The interfaces send authentication packets with the authentication TLV. Interconnected router interfaces must be configured with the same password.
Area Authentication
Every router in an IS-IS area must use the same authentication mode and have the same key chain.
Routing Domain Authentication
Every Level-2 or Level-1-2 router in an IS-IS area must use the same authentication mode and have the same key chain.
For area authentication and routing domain authentication, you can set a router to authenticate SNPs and LSPs separately in the following ways:
A router sends LSPs and SNPs that carry the authentication TLV and verifies the authentication information of the LSPs and SNPs it receives.
A router sends LSPs that carry the authentication TLV and verifies the authentication information of the LSPs it receives. The router sends SNPs that carry the authentication TLV and does not verify the authentication information of the SNPs it receives.
A router sends LSPs that carry the authentication TLV and verifies the authentication information of the LSPs it receives. The router sends SNPs without the authentication TLV and does not verify the authentication information of the SNPs it receives.
A router sends LSPs and SNPs that carry the authentication TLV but does not verify the authentication information of the LSPs and SNPs it receives.
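The TLV layout described above (Type 10, a 1-byte Length, and a Value whose first byte is the authentication type) and the four LSP/SNP handling combinations just listed can be exercised together. The following Python is an added example written for this page, not vendor or device code: it builds a toy PDU, inserts an authentication TLV for explicit, MD5, or HMAC-SHA256 authentication, verifies it the way a receiving router would, and applies each of the four send/verify combinations. The header bytes, the payload TLV, the 2-byte key identifier, the policy names, and the convention that the digest is computed over the whole PDU with the digest bytes zeroed are assumptions of the example, not details taken from the page.

```python
import hashlib
import hmac
from dataclasses import dataclass

AUTH_TLV_TYPE = 10      # ISO-defined authentication TLV type (the IP-defined value is 133)
AUTH_CLEARTEXT = 1      # explicit authentication: password in clear text
AUTH_GENERIC = 3        # general authentication; only HMAC-SHA256 is used here
AUTH_HMAC_MD5 = 54      # MD5 authentication
KEY_ID = 1              # constructed key identifier sent with the HMAC-SHA256 digest (assumption)

# Constructed stand-in for an IS-IS PDU header; not a real header layout.
HEADER = b"\x83\x1b\x01\x00\x12\x01\x00\x00"
# Constructed non-authentication TLV used as the rest of the PDU body.
PAYLOAD_TLV = bytes([1, 4, 3, 0x49, 0x00, 0x01])


def _digest(auth_type, key, pdu):
    """HMAC over the whole PDU; SHA-256 for general authentication, MD5 otherwise."""
    algo = hashlib.sha256 if auth_type == AUTH_GENERIC else hashlib.md5
    return hmac.new(key, pdu, algo).digest()


def build_pdu(auth_type, key):
    """Return HEADER + authentication TLV + PAYLOAD_TLV for the given authentication type."""
    if auth_type == AUTH_CLEARTEXT:
        value = key                                    # the password itself travels in the packet
    elif auth_type == AUTH_GENERIC:
        value = KEY_ID.to_bytes(2, "big") + bytes(32)  # key id, then room for the digest
    elif auth_type == AUTH_HMAC_MD5:
        value = bytes(16)                              # room for the digest
    else:
        raise ValueError(f"unsupported authentication type {auth_type}")
    if not 1 <= 1 + len(value) <= 254:
        raise ValueError("authentication TLV value must be 1 to 254 bytes")
    tlv = bytes([AUTH_TLV_TYPE, 1 + len(value), auth_type]) + value
    pdu = HEADER + tlv + PAYLOAD_TLV
    if auth_type != AUTH_CLEARTEXT:
        # Assumed convention: the digest is computed over the PDU with the digest
        # bytes still zero, then written into the TLV.
        start = len(HEADER) + 3 + (2 if auth_type == AUTH_GENERIC else 0)
        digest = _digest(auth_type, key, pdu)
        pdu = pdu[:start] + digest + pdu[start + len(digest):]
    return pdu


def find_auth_tlv(pdu):
    """Walk the TLVs after HEADER; return (auth_type, value, value_offset) or None."""
    off = len(HEADER)
    while off + 2 <= len(pdu):
        tlv_type, length = pdu[off], pdu[off + 1]
        if off + 2 + length > len(pdu):
            return None                                # truncated TLV: treat as absent
        if tlv_type == AUTH_TLV_TYPE and length >= 1:
            return pdu[off + 2], pdu[off + 3:off + 2 + length], off + 3
        off += 2 + length
    return None


def verify_pdu(pdu, expected_type, key):
    """True only if the PDU carries an authentication TLV of expected_type that matches key."""
    found = find_auth_tlv(pdu)
    if found is None:
        return False
    auth_type, value, value_off = found
    if auth_type != expected_type:
        return False                                   # type mismatch is a failure, not a fallback
    if auth_type == AUTH_CLEARTEXT:
        return hmac.compare_digest(value, key)         # compares the password only
    skip, size = (2, 32) if auth_type == AUTH_GENERIC else (0, 16)
    if len(value) != skip + size:
        return False
    zeroed = pdu[:value_off + skip] + bytes(size) + pdu[value_off + skip + size:]
    return hmac.compare_digest(value[skip:], _digest(auth_type, key, zeroed))


@dataclass(frozen=True)
class AuthPolicy:
    send_lsp: bool
    verify_lsp: bool
    send_snp: bool
    verify_snp: bool


# The four combinations listed in the text, in order; the names are constructed.
POLICIES = {
    "all": AuthPolicy(True, True, True, True),
    "snp-send-only": AuthPolicy(True, True, True, False),
    "no-snp-auth": AuthPolicy(True, True, False, False),
    "send-only": AuthPolicy(True, False, True, False),
}


def outbound(kind, policy, auth_type, key):
    """Build an outgoing LSP or SNP body, with or without the authentication TLV per policy."""
    send = policy.send_lsp if kind == "LSP" else policy.send_snp
    return build_pdu(auth_type, key) if send else HEADER + PAYLOAD_TLV


def accept(pdu, kind, policy, auth_type, key):
    """Receive side: verify when the policy requires it, otherwise accept without checking."""
    check = policy.verify_lsp if kind == "LSP" else policy.verify_snp
    return verify_pdu(pdu, auth_type, key) if check else True
```

Running the verifier against an altered payload makes the ranking in the text concrete: with explicit authentication only the password is compared, so a PDU whose body was changed in transit still passes, whereas the MD5 and HMAC-SHA256 digests cover the whole PDU and the same alteration is rejected. The policy functions also show why the `send-only` combinations matter operationally: a router that sends SNPs without the TLV is only interoperable with peers that do not verify SNPs.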