
IS-IS/IS-ISv6

Overview

IS-IS/IS-ISv6 authentication is implemented based on an authentication field added to IS-IS packets. After receiving IS-IS packets from a remote routing device, a local routing device discards them if the authentication password is incorrect. This mechanism helps to protect the local routing device against attacks.

IS-IS provides a key chain mechanism which regularly changes the encryption keys and algorithms without interrupting services, securing data transmission.

Simple authentication in IS-IS/IS-ISv6 is not recommended because passwords in this mechanism are transferred in plaintext. In descending order of security, other authentication mechanisms are key chain, HMAC-SHA256, HMAC-MD5, and MD5 authentication.

To launch an attack, attackers can capture Hello packets or LSPs from a network, construct packets in a form that IS-IS recognizes, and then send them to devices. Although devices can identify and discard these attack packets based on the authentication information, they may also discard valid packets because they cannot process all incoming packets immediately. This adversely affects network stability.

Impact on the System

None

Procedure

  • Configure IS-IS area authentication.

    The area authentication password is encapsulated into Level-1 area IS-IS packets. Only authenticated packets are accepted. To implement Level-1 area authentication, configure IS-IS area authentication.

    1. Enter the system view.

      system-view

    2. Enter the IS-IS view.

      isis process-id

    3. Configure any of the following IS-IS area authentication modes as required:

      • Configure simple authentication.
        area-authentication-mode simple { plain simple-plain | [ cipher ] simple-cipher } [ ip | osi ] [ snp-packet { authentication-avoid | send-only } | all-send-only ]
      • Configure HMAC-MD5 authentication.
        area-authentication-mode md5 { plain md5-plain | [ cipher ] md5-cipher } [ ip | osi ] [ snp-packet { authentication-avoid | send-only } | all-send-only ]
      • Configure keychain authentication.
        area-authentication-mode keychain keychain-name [ snp-packet { authentication-avoid | send-only } | all-send-only ]
      • Configure HMAC-SHA256 authentication.
        area-authentication-mode hmac-sha256 key-id key-id { plain md5-plain | [ cipher ] md5-cipher } [ snp-packet { authentication-avoid | send-only } | all-send-only ]

      You can configure area authentication in any of the following ways:

      • Do not specify snp-packet or all-send-only. In this case, the device encapsulates authentication information in the LSPs and SNPs to be sent, authenticates received LSPs and SNPs, and discards the LSPs and SNPs that fail to be authenticated.

      • Specify snp-packet authentication-avoid. In this case, the device encapsulates authentication information in the LSPs to be sent and authenticates received LSPs. However, the device neither encapsulates authentication information in the SNPs to be sent nor authenticates received SNPs.

      • Specify snp-packet send-only. In this case, the device encapsulates authentication information both in the LSPs and SNPs to be sent, but authenticates only received LSPs (not received SNPs).

      • Specify all-send-only. In this case, the device encapsulates authentication information both in the LSPs and SNPs to be sent, but does not authenticate received LSPs or SNPs.

      • After the area-authentication-mode command is run, IS-IS stops processing Level-1 LSPs in the local LSDB that fail authentication, as well as newly received Level-1 LSPs and SNPs that fail authentication, and discards them once they age out.
      • For security purposes, you are advised to use keychain or HMAC-SHA256 authentication instead of simple or MD5 authentication.

  • Configure IS-IS routing domain authentication.

    The routing domain authentication password is encapsulated into Level-2 area IS-IS packets. Only authenticated packets are accepted. To implement Level-2 area authentication, configure IS-IS routing domain authentication.

    1. Enter the system view.

      system-view

    2. Enter the IS-IS view.

      isis process-id

    3. Configure any of the following IS-IS routing domain authentication modes as required:

      • Configure simple authentication.
        domain-authentication-mode { simple { plain plain-text | cipher plain-text } | md5 { [ cipher ] plain-text | plain plain-text } } [ ip | osi ] [ snp-packet { authentication-avoid | send-only } | all-send-only ]
      • Configure HMAC-MD5 authentication.
        domain-authentication-mode { simple { plain plain-text | cipher plain-text } | md5 { [ cipher ] plain-text | plain plain-text } } [ ip | osi ] [ snp-packet { authentication-avoid | send-only } | all-send-only ]
      • Configure keychain authentication.
        domain-authentication-mode keychain keychain-name [ snp-packet { authentication-avoid | send-only } | all-send-only ]
      • Configure HMAC-SHA256 authentication.
        domain-authentication-mode hmac-sha256 key-id key-id { plain plain-text | [ cipher ] plain-text } [ snp-packet { authentication-avoid | send-only } | all-send-only ]

      You can configure routing domain authentication in any of the following ways:

      • Do not specify snp-packet or all-send-only. In this case, the device encapsulates authentication information in the LSPs and SNPs to be sent, authenticates received LSPs and SNPs, and discards the LSPs and SNPs that fail to be authenticated.

      • Specify snp-packet authentication-avoid. In this case, the device encapsulates authentication information in the LSPs to be sent and authenticates received LSPs. However, the device neither encapsulates authentication information in the SNPs to be sent nor authenticates received SNPs.

      • Specify snp-packet send-only. In this case, the device encapsulates authentication information both in the LSPs and SNPs to be sent, but authenticates only received LSPs (not received SNPs).

      • Specify all-send-only. In this case, the device encapsulates authentication information both in the LSPs and SNPs to be sent, but does not authenticate received LSPs or SNPs.

      • After the domain-authentication-mode command is run, IS-IS discards the locally stored Level-2 LSPs that fail authentication, as well as newly received Level-2 LSPs and SNPs that fail authentication, once they are automatically aged out. To prevent this configuration from causing packet loss, specify the send-only parameter.
      • The string %#%# is used as the prefix and suffix of existing variable-length passwords. Therefore, %#%# cannot be configured at both the beginning and the end of a simple text password at the same time.
      • For security purposes, you are advised to use keychain or HMAC-SHA256 authentication instead of simple or MD5 authentication.

  • Configure IS-IS interface authentication.

    Interface authentication ensures the validity and correctness of neighbor relationships by allowing interfaces to authenticate the IIHs they receive based on the authentication information carried in the IIHs. A neighbor relationship can be established between two ends only after the IIHs exchanged between them are authenticated by each other.

    1. Enter the system view.

      system-view

    2. Enter the interface view.

      interface interface-type interface-number

    3. Configure any of the following IS-IS interface authentication modes as required:

      • Configure simple authentication.
        isis authentication-mode { simple { plain simple-plain | [ cipher ] simple-cipher } | md5 { [ cipher ] md5-cipher | plain md5-plain } } [ level-1 | level-2 ] [ ip | osi ] [ send-only ]
      • Configure HMAC-MD5 authentication.
        isis authentication-mode { simple { plain simple-plain | [ cipher ] simple-cipher } | md5 { [ cipher ] md5-cipher | plain md5-plain } } [ level-1 | level-2 ] [ ip | osi ] [ send-only ]
      • Configure keychain authentication.
        isis authentication-mode keychain keychain-name [ level-1 | level-2 ] [ send-only ]
      • Configure HMAC-SHA256 authentication.
        isis authentication-mode hmac-sha256 key-id key-id { plain md5-plain | [ cipher ] md5-cipher } [ level-1 | level-2 ] [ send-only ]

      Note the following when selecting parameters:
      • If send-only is specified, the interface encapsulates authentication information into the IIHs to be sent, but does not authenticate received IIHs. Neighbor relationships can be established either when received IIHs are not authenticated at all or when they pass authentication.

      • If send-only is not specified, ensure that all interfaces on the same network maintain the same password for IIHs of the same level.

      • The level-1 and level-2 parameters can be set only on Ethernet interfaces.

      • If the IS-IS interface is a Level-1-2 interface, and neither level-1 nor level-2 is specified, the authentication mode and password are configured for both Level-1 and Level-2 IIHs.

      • The string %#%# is used as the prefix and suffix of existing variable-length passwords. Therefore, %#%# cannot be configured at both the beginning and the end of a simple text password at the same time.

      • For security purposes, you are advised to use keychain or HMAC-SHA256 authentication instead of simple or MD5 authentication.
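The following Python model is an added illustration, not Huawei device code: it encodes the snp-packet / all-send-only sending and verification rules described in the area and domain procedures above (the interface-level send-only parameter follows the same "sign but do not verify" rule) and builds and checks an HMAC-SHA256 authentication TLV selected by key-id, in the style of RFC 5310 generic cryptographic authentication. The TLV framing, header bytes, policy names and keys are constructed assumptions, and the zeroing of only the digest field is a simplification.

```python
import hashlib
import hmac

AUTH_TLV = 10         # IS-IS Authentication TLV type
AUTH_TYPE_CRYPTO = 3  # generic cryptographic authentication with key ID (RFC 5310)

# Send/verify behaviour of the snp-packet and all-send-only parameters,
# modelled from the page's description (assumption, not device code).
POLICY = {
    "default":                          {"send": {"LSP", "SNP"}, "verify": {"LSP", "SNP"}},
    "snp-packet authentication-avoid":  {"send": {"LSP"},        "verify": {"LSP"}},
    "snp-packet send-only":             {"send": {"LSP", "SNP"}, "verify": {"LSP"}},
    "all-send-only":                    {"send": {"LSP", "SNP"}, "verify": set()},
}

def _tlvs(data):
    """Yield (type, value, value_offset) for each TLV in a PDU body."""
    i = 0
    while i + 2 <= len(data):
        t, n = data[i], data[i + 1]
        yield t, data[i + 2:i + 2 + n], i + 2
        i += 2 + n

def _mac(pdu, key):
    return hmac.new(key, pdu, hashlib.sha256).digest()

def build(kind, policy, header, tlvs, key_id, keys):
    """Build an outgoing LSP or SNP, adding the auth TLV only when the policy sends it."""
    body = b"".join(bytes([t, len(v)]) + v for t, v in tlvs)
    if kind not in POLICY[policy]["send"]:
        return header + body
    # The HMAC covers the whole PDU with the 32-byte digest field zeroed.
    auth = bytes([AUTH_TYPE_CRYPTO]) + key_id.to_bytes(2, "big") + bytes(32)
    pdu = header + body + bytes([AUTH_TLV, len(auth)]) + auth
    return pdu[:-32] + _mac(pdu, keys[key_id])

def accept(kind, pdu, policy, keys, hdr_len):
    """Receiver decision: True means process the PDU, False means discard it."""
    if kind not in POLICY[policy]["verify"]:
        return True  # this PDU type is not authenticated on receipt (e.g. send-only)
    for t, v, off in _tlvs(pdu[hdr_len:]):
        if t == AUTH_TLV and len(v) == 35 and v[0] == AUTH_TYPE_CRYPTO:
            key = keys.get(int.from_bytes(v[1:3], "big"))
            if key is None:
                return False  # unknown key-id: cannot authenticate
            at = hdr_len + off + 3
            zeroed = pdu[:at] + bytes(32) + pdu[at + 32:]
            return hmac.compare_digest(v[3:], _mac(zeroed, key))
    return False  # verification required but no usable auth TLV present
```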

Checking the Security Hardening Result

Run the display isis lsdb command to check IS-IS LSDB information.

Copyright © Huawei Technologies Co., Ltd.