The area-authentication-mode command configures an IS-IS area to authenticate received Level-1 packets (LSPs and SNPs) using the specified authentication mode and password or adds authentication information to Level-1 packets to be sent.
The undo area-authentication-mode command restores the default configuration.
By default, the system neither encapsulates generated Level-1 packets with authentication information nor authenticates received Level-1 packets.
area-authentication-mode { { simple { plain plain-text | [ cipher ] plain-cipher-text } | md5 { [ cipher ] plain-cipher-text | plain plain-text } } [ ip | osi ] | { keychain keychain-name } } [ snp-packet { authentication-avoid | send-only } | all-send-only ]
area-authentication-mode hmac-sha256 key-id key-id { plain plain-text | [ cipher ] plain-cipher-text } [ snp-packet { authentication-avoid | send-only } | all-send-only ]
undo area-authentication-mode
Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support the keychain keychain-name parameter.
Parameter | Description | Value |
---|---|---|
simple | Transmits the password in plain text. NOTICE: Simple authentication has potential risks. HMAC-SHA256 ciphertext authentication is recommended. | - |
plain plain-text | Specifies the authentication password in plain text. You can enter only the password in plain text. When you view the configuration file, the password is displayed in plain text. NOTICE: If plain is selected, the password is saved in the configuration file in plain text. This brings security risks. It is recommended that you select cipher to save the password in cipher text. | The value is a string of case-sensitive characters without spaces. The value contains digits and letters. When the authentication mode is simple, the value is a string of 1 to 16 characters. When the authentication mode is md5 or hmac-sha256, the value is a string of 1 to 255 characters. |
cipher plain-cipher-text | Specifies the authentication password in cipher text. You can enter the password in plain or cipher text. When you view the configuration file, the password is displayed in cipher text. By default, the password is in cipher text. | The value is a string of case-sensitive characters without spaces. The value contains digits and letters. When the authentication mode is simple, the value is a string of 1 to 16 characters in plain text or a string of 32 or 48 characters in cipher text. When the authentication mode is md5 or hmac-sha256, the value is a string of 1 to 255 characters in plain text or a string of 20 to 392 characters in cipher text. |
md5 | Transmits the password that is encrypted using MD5. NOTICE: MD5 authentication has potential risks. HMAC-SHA256 cipher text authentication is recommended. | - |
ip | Indicates the IP authentication password. This parameter cannot be configured when keychain authentication is used. | - |
osi | Indicates the OSI authentication password. This parameter cannot be configured when keychain authentication is used. When neither osi nor ip is specified, the default parameter osi is used. | - |
keychain keychain-name | Indicates the keychain that changes with time and is encrypted using MD5. This parameter takes effect only when keychain-name is set using the keychain command. | The value is a string of 1 to 47 case-insensitive characters, excluding the question mark (?) and spaces. However, when double quotation marks (") are used around the string, spaces are allowed in the string. |
snp-packet | Authenticates SNPs. | - |
authentication-avoid | Encapsulates generated LSPs but not SNPs with authentication information and authenticates received LSPs but not SNPs. | - |
send-only | Encapsulates generated LSPs and SNPs with authentication information, and authenticates received LSPs but not SNPs. | - |
all-send-only | Encapsulates generated LSPs and SNPs with authentication information, but does not authenticate received LSPs and SNPs. | - |
hmac-sha256 | Encapsulates generated packets with the HMAC-SHA256 authentication and a password encrypted by the HMAC-SHA256 algorithm and authenticates received packets. | - |
key-id key-id | Indicates key ID of the HMAC-SHA256 algorithm. | The value is an integer ranging from 0 to 65535. |
Usage Scenario
Generally, the IS-IS packets to be sent are not encapsulated with authentication information, and the received packets are not authenticated. If a user sends malicious packets to attack a network, information on the entire network may be stolen. Therefore, you can configure IS-IS authentication to improve the network security.
The area authentication password is encapsulated into Level-1 IS-IS packets. Only the packets that pass the area authentication can be accepted. Therefore, you can configure IS-IS area authentication to authenticate the Level-1 area.
Precautions
The area-authentication-mode command is valid only on Level-1 or Level-1-2 routers.
Using this command enables IS-IS to discard all the Level-1 LSPs and SNPs whose area authentication passwords are not consistent with the one set by this command. At the same time, IS-IS inserts the configured area authentication password into all the Level-1 routing packets (LSPs and SNPs) sent from the local node. The establishment of the Level-1 neighbor relationship is not affected, regardless of whether the packets pass the area authentication.
The authentication takes effect only on the peer configured with authentication. The peer with no authentication configured can still receive the LSP and SNP packet with the password.
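The send and receive rules from the parameter table (snp-packet authentication-avoid, send-only, all-send-only) and the two precautions above, as an added Python model. This is an illustration written for this page, not the switch's implementation: the packet layout, the HMAC-SHA256-over-body construction with the key ID bound in, and all passwords and key IDs are constructed for the example and do not reproduce the on-wire IS-IS Authentication TLV format.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    level: int                    # 1 or 2; area authentication covers Level-1 only
    kind: str                     # "LSP" or "SNP"
    body: bytes
    key_id: Optional[int] = None  # present only when authentication info is encapsulated
    digest: Optional[bytes] = None


def compute_digest(password: bytes, key_id: int, body: bytes) -> bytes:
    # Simplified stand-in for HMAC-SHA256 authentication: the key ID is mixed
    # into the authenticated data so two keys with the same text are not interchangeable.
    return hmac.new(password, key_id.to_bytes(2, "big") + body, hashlib.sha256).digest()


@dataclass
class AreaAuthConfig:
    password: bytes
    key_id: int
    # None (default), "authentication-avoid", "send-only" or "all-send-only"
    snp_option: Optional[str] = None

    def encapsulates(self, kind: str) -> bool:
        # Generated LSPs always carry authentication information;
        # SNPs are left without it only under authentication-avoid.
        if kind == "LSP":
            return True
        return self.snp_option != "authentication-avoid"

    def authenticates(self, kind: str) -> bool:
        # all-send-only: nothing received is checked.
        if self.snp_option == "all-send-only":
            return False
        # Received SNPs are checked only in the default mode (no snp-packet option).
        if kind == "SNP":
            return self.snp_option is None
        return True


@dataclass
class Router:
    name: str
    auth: Optional[AreaAuthConfig] = None   # None models "no authentication configured"

    def send(self, kind: str, body: bytes) -> Packet:
        pkt = Packet(level=1, kind=kind, body=body)
        if self.auth is not None and self.auth.encapsulates(kind):
            pkt.key_id = self.auth.key_id
            pkt.digest = compute_digest(self.auth.password, self.auth.key_id, body)
        return pkt

    def accept(self, pkt: Packet) -> bool:
        # A peer with no authentication configured, a Level-2 packet, or a packet
        # kind the local snp-packet option exempts is accepted as-is (precaution 2).
        if self.auth is None or pkt.level != 1 or not self.auth.authenticates(pkt.kind):
            return True
        if pkt.digest is None or pkt.key_id != self.auth.key_id:
            return False
        expected = compute_digest(self.auth.password, self.auth.key_id, pkt.body)
        return hmac.compare_digest(expected, pkt.digest)


def demo() -> dict:
    secret = b"example-only-secret"   # constructed sample value, not a real credential
    a = Router("A", AreaAuthConfig(secret, key_id=1))
    b = Router("B", AreaAuthConfig(secret, key_id=1))
    c = Router("C", AreaAuthConfig(b"other-secret", key_id=1))
    d = Router("D", None)
    e = Router("E", AreaAuthConfig(secret, key_id=1, snp_option="send-only"))

    lsp = a.send("LSP", b"L1 LSP payload")
    unauth_snp = d.send("SNP", b"L1 CSNP payload")
    tampered = Packet(level=1, kind="LSP", body=b"modified", key_id=lsp.key_id, digest=lsp.digest)

    return {
        "matching_password_accepts": b.accept(lsp),
        "wrong_password_discards": not c.accept(lsp),
        "modified_body_discards": not b.accept(tampered),
        "unauthenticated_peer_still_accepts": d.accept(lsp),
        "default_mode_checks_snp": not b.accept(unauth_snp),
        "send_only_skips_snp_check": e.accept(unauth_snp),
        "level2_not_subject": b.accept(Packet(level=2, kind="LSP", body=b"L2 LSP")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Every entry of `demo()` evaluates to True; the `unauthenticated_peer_still_accepts` case is the asymmetry the last precaution describes, which is why authentication is only effective once every Level-1 router in the area is configured with it, and `send_only_skips_snp_check` shows the migration-friendly option that still adds information to sent SNPs without rejecting unauthenticated ones.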