Configuring IS-IS Authentication
After Intermediate System to Intermediate System (IS-IS) authentication is configured, authentication information can be encapsulated into Link State Protocol Data Units (LSPs) and Sequence Number Protocol Data Units (SNPs) to ensure the packet transmission security. By default, authentication is not configured for IS-IS. Configuring authentication is recommended to ensure system security.
Context
By default, sent IS-IS packets are not encapsulated with authentication information, and received packets are not authenticated. In order to avoid malicious text attack network, configuring IS-IS authentication helps to improve the network security. Three IS-IS authentication modes and the usage scenarios are as follows:
- Area authentication: Authentication passwords are encapsulated into IS-IS packets in Level-1 areas. The receiver only accepts the packets that have been authenticated. Therefore, you need to configure IS-IS area authentication to authenticate packets in Level-1 areas.
- Routing domain authentication: Authentication passwords are encapsulated into IS-IS packets in Level-2 areas. The receiver only accepts the packets that have been authenticated. Therefore, you need to configure IS-IS routing domain authentication to authenticate packets in Level-2 areas.
- Interface authentication: The authentication information is encapsulated into IS-IS Hello packets. The neighboring can establish a neighbor relationship with the local router after IS-IS Hello packets can be authenticated. Therefore, you need to configure interface authentication to ensure validity and correctness of neighbor relationships.
In configuring IS-IS authentication, the authentication modes and passwords of all devices in the same area or routing domain must be consistent. Otherwise, IS-IS packets cannot be normally flooded.
An IS-IS neighbor relationship cannot be established if interface authentication fails. An IS-IS neighbor relationship can be established regardless of whether IS-IS area or routing domain authentication succeeds.
When configuring an authentication password, select the ciphertext mode because the password is saved in configuration files in plaintext if you select the plaintext mode, which has a high risk. To ensure device security, change the password periodically.
Procedure
- Configure IS-IS area authentication.
- Configure an area authentication mode.
area-authentication-mode { simple { plain plain-text | [ cipher ] plain-cipher-text } | md5 { [ cipher ] plain-cipher-text | plain plain-text } } [ ip | osi ] [ snp-packet { authentication-avoid | send-only } | all-send-only ]
or
area-authentication-mode keychain keychain-name [ snp-packet { authentication-avoid | send-only } | all-send-only ]
or
area-authentication-mode hmac-sha256 key-id key-id { plain plain-text | [ cipher ] plain-cipher-text } [ snp-packet { authentication-avoid | send-only } | all-send-only ]
After the area-authentication-mode command is run, IS-IS does not process the Level-1 LSPs in the local LSDB that fails to be authenticated or new Level-1 LSPs and SNPs that fail to be authenticated but discards them after they age.
Characters %#%# are used as the prefix and suffix of existing passwords with variable lengths. Therefore, characters %#%# cannot be configured together at the beginning or end of a simple text password.
IS-IS authentication involves the following situations:
- Authentication information is encapsulated in the sent LSPs and SNPs. The received LSPs and SNPs should pass the authentication, and the ones that do not pass the authentication are discarded. In this case, snp-packet or all-send-only is inapplicable.
- Authentication information is encapsulated in the sent LSPs and received LSPs are checked; however, authentication information is not encapsulated in the sent SNPs and the received SNPs are not checked. In this case, snp-packet authentication-avoid needs to be configured.
- Authentication information is encapsulated in the sent LSPs and SNPs. The received LSPs are checked and the received SNPs are not checked. In this case, snp-packet send-only needs to be configured.
- Authentication information is encapsulated in the sent LSPs and SNPs and the received LSPs and SNPs are not checked. In this case, all-send-only needs to be configured.
- Configure an area authentication mode.
- Configure IS-IS routing domain authentication.
- Configure the routing domain authentication mode.
domain-authentication-mode { simple { plain plain-text | [ cipher ] plain-cipher-text } | md5 { [ cipher ] plain-cipher-text | plain plain-text } } [ ip | osi ] [ snp-packet { authentication-avoid | send-only } | all-send-only ]
or
domain-authentication-mode keychain keychain-name [ snp-packet { authentication-avoid | send-only } | all-send-only ]
or
domain-authentication-mode hmac-sha256 key-id key-id { plain plain-text | [ cipher ] plain-cipher-text } [ snp-packet { authentication-avoid | send-only } | all-send-only ]
After the domain-authentication-mode command is run, IS-IS does not process the Level-2 LSPs in the local LSDB that fail to be authenticated or new Level-2 LSPs and SNPs that fail to be authenticated but discards them after they age.
Characters %#%# are used as the prefix and suffix of existing passwords with variable lengths. Therefore, characters %#%# cannot be configured together at the beginning or end of a simple text password.
IS-IS authentication involves the following situations:
- Authentication information is encapsulated in the sent LSPs and SNPs. The received LSPs and SNPs should pass the authentication, and the ones that do not pass the authentication are discarded. In this case, snp-packet or all-send-only is inapplicable.
- Authentication information is encapsulated in the sent LSPs and received LSPs are checked; however, authentication information is not encapsulated in the sent SNPs and the received SNPs are not checked. In this case, snp-packet authentication-avoid needs to be configured.
- Authentication information is encapsulated in the sent LSPs and SNPs. The received LSPs are checked and the received SNPs are not checked. In this case, snp-packet send-only needs to be configured.
- Authentication information is encapsulated in the sent LSPs and SNPs and the received LSPs and SNPs are not checked. In this case, all-send-only needs to be configured.
- Configure the routing domain authentication mode.
- Configure IS-IS interface authentication.
- Set an IS-IS authentication mode and a password on the
interface.
isis authentication-mode { simple { plain plain-text | [ cipher ] plain-cipher-text } | md5 { [ cipher ] plain-cipher-text | plain plain-text } } [ level-1 | level-2 ] [ ip | osi ] [ send-only ]
or
isis authentication-mode keychain keychain-name [ level-1 | level-2 ] [ send-only ]
or
isis authentication-mode hmac-sha256 key-id key-id { plain plain-text | [ cipher ] plain-cipher-text } [ level-1 | level-2 ] [ send-only ]
When you select parameters, note the following rules:
- If send-only is specified correctly, the router only encapsulates the sent Hello packets with authentication information rather than checks whether the received Hello packets pass authentication. The neighbor relationships can be set up when the authentication is not necessary or packets pass the authentication.
- If send-only is not configured, ensure that passwords of all interfaces with the same level in the same network are consistent.
- Level-1 areas and level-2 can be set only on Ethernet interfaces.
- When IS-IS interfaces are Level-1-2 interfaces and Level-1 areas or level-2 is not specified in the command, authentication modes and passwords are configured for both Level-1 areas and Level-2 Hello packets.
Characters %#%# are used as the prefix and suffix of existing passwords with variable lengths. Therefore, characters %#%# cannot be configured together at the beginning or end of a simple text password.
- Set an IS-IS authentication mode and a password on the
interface.