
Configuring Area or Domain Authentication

Context

By default, IS-IS packets are sent without authentication information and received packets are not authenticated. A user who can inject forged IS-IS packets can therefore alter the link-state database and redirect or disrupt traffic across the entire network. Configuring IS-IS authentication lets each device discard packets that do not carry a valid authenticator, which improves network security.

The area authentication password is carried in Level-1 IS-IS packets, and only packets that pass area authentication are accepted. You must therefore configure IS-IS area authentication on every IS-IS device in the Level-1 area to be authenticated.

The domain authentication password is carried in Level-2 IS-IS packets, and only packets that pass domain authentication are accepted. You must therefore configure IS-IS domain authentication on every IS-IS device in the Level-2 area to authenticate the Level-2 area.

If plain is selected when configuring the area or domain authentication mode, the password is stored in the configuration file in plain text, so anyone who can read or export the configuration learns it. Select cipher so that the password is stored in cipher text. Note that plain and cipher only affect how the password is stored in the configuration file; they do not change what the simple or md5 mode places in the packets on the wire.

Simple authentication and MD5 authentication have security risks: simple authentication sends the password in clear text in every packet, and MD5 is no longer considered a strong keyed hash. HMAC-SHA256 authentication mode is recommended.

The character sequence %^%# is used as the prefix and suffix that delimits already-encrypted passwords, which have variable lengths. A cipher text password must therefore not begin and end with %^%#, because the device would then treat it as an existing cipher text string rather than a new password.

When configuring IS-IS authentication, the area or domain authentication modes and passwords of the routers in the same area must be consistent so that IS-IS packets can be flooded normally.

Whether IS-IS packets pass area or domain authentication does not affect the establishment of Level-1 or Level-2 neighbor relationships. Area and domain authentication cover LSPs and SNPs, not the Hello PDUs that form adjacencies, so a mismatched password leaves the adjacency Up while the peer's LSPs are silently discarded. When troubleshooting, check the link-state database and not only the neighbor table.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run isis [ process-id ]

    The IS-IS process view is displayed.

  3. Perform the following operations in any sequence as required.

    • Run area-authentication-mode { { simple | md5 } { plain plain-text | [ cipher ] plain-cipher-text } [ ip | osi ] | keychain keychain-name | hmac-sha256 key-id key-id } [ snp-packet { authentication-avoid | send-only } | all-send-only ]

      The area authentication mode is configured.

      By default, the system neither encapsulates generated Level-1 packets with authentication information nor authenticates received Level-1 packets.

    • Run domain-authentication-mode { { simple | md5 } { plain plain-text | [ cipher ] plain-cipher-text } [ ip | osi ] | keychain keychain-name | hmac-sha256 key-id key-id } [ snp-packet { authentication-avoid | send-only } | all-send-only ]

      The domain authentication mode is configured.

      By default, the system neither encapsulates generated Level-2 packets with authentication information nor authenticates received Level-2 packets.

    Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support the keychain keychain-name parameter.

    The optional parameters select one of the following behaviors:

    • The device encapsulates authentication information into the LSPs and SNPs it sends, checks whether received LSPs and SNPs pass authentication, and discards those that do not. This is the behavior when neither snp-packet nor all-send-only is specified.

    • The device encapsulates authentication information into the LSPs it sends and checks whether received LSPs pass authentication; it neither encapsulates authentication information into the SNPs it sends nor checks received SNPs. To obtain this behavior, specify snp-packet authentication-avoid.

    • The device encapsulates authentication information into the LSPs and SNPs it sends, but checks only received LSPs, not received SNPs. To obtain this behavior, specify snp-packet send-only.

    • The device encapsulates authentication information into the LSPs and SNPs it sends, but checks neither received LSPs nor received SNPs. To obtain this behavior, specify all-send-only.
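The following Python model is an added illustration of the four behaviors above and of the consistency requirement between devices; it is not the page's or Huawei's code. It assumes the HMAC-SHA256 authenticator follows RFC 5310 (TLV type 10, authentication type 3, a 16-bit key ID, and an HMAC-SHA-256 digest computed with the digest field pre-filled with Apad and, for LSPs, the remaining-lifetime and checksum fields zeroed). The PDU header is a simplified stand-in for the ISO 10589 header, and every packet, key and router name is constructed here. It goes slightly beyond the page by showing why a key-id mismatch, a wrong key and a tampered body are each rejected, while a lifetime that changes in transit is not.

```python
"""Model of IS-IS area (Level-1) and domain (Level-2) authentication.

Added example, not Huawei's implementation. Assumes the RFC 5310 TLV layout
and a simplified PDU header; all packets and keys below are constructed.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Optional

AUTH_TLV_TYPE, AUTH_TYPE_CRYPTO, DIGEST_LEN = 10, 3, 32
APAD = bytes.fromhex("878FE1F3") * (DIGEST_LEN // 4)   # RFC 5310 Apad fill
LSP_TYPES, SNP_TYPES = (18, 20), (24, 25, 26, 27)     # ISO 10589 PDU type codes
LEVEL = {18: 1, 20: 2, 24: 1, 25: 2, 26: 1, 27: 2}


def _hmac(key: bytes, pdu: bytes) -> bytes:
    if pdu[0] in LSP_TYPES:                  # zero lifetime/checksum: they change in transit
        pdu = pdu[:1] + b"\x00" * 4 + pdu[5:]
    return hmac.new(key, pdu, hashlib.sha256).digest()


def build_pdu(pdu_type: int, body: bytes, key: Optional[bytes] = None,
              key_id: int = 0, lifetime: int = 1199) -> bytes:
    """Simplified header (+lifetime/checksum for LSPs), body TLVs, then TLV 10 if keyed."""
    hdr = struct.pack("!BHH", pdu_type, lifetime, 0) if pdu_type in LSP_TYPES \
        else struct.pack("!B", pdu_type)
    pdu = hdr + body
    if key is None:
        return pdu
    tlv = struct.pack("!BBBH", AUTH_TLV_TYPE, 3 + DIGEST_LEN, AUTH_TYPE_CRYPTO, key_id)
    return pdu + tlv + _hmac(key, pdu + tlv + APAD)   # digest covers the whole PDU


def _find_auth_tlv(pdu: bytes):
    """Return (digest offset, auth type, key id, digest) of TLV 10, or None."""
    i = 5 if pdu[0] in LSP_TYPES else 1
    while i + 2 <= len(pdu):
        t, length = pdu[i], pdu[i + 1]
        if t == AUTH_TLV_TYPE and length == 3 + DIGEST_LEN:
            kid = struct.unpack("!H", pdu[i + 3:i + 5])[0]
            return i + 5, pdu[i + 2], kid, pdu[i + 5:i + 5 + DIGEST_LEN]
        i += 2 + length
    return None


def verify_pdu(pdu: bytes, key: bytes, key_id: int, policy: str = "default") -> str:
    """policy is one of: default, authentication-avoid, send-only, all-send-only."""
    kind = pdu[0]
    if kind not in LSP_TYPES + SNP_TYPES:
        return "accept"                       # Hellos are outside area/domain authentication
    if policy == "all-send-only" or (kind in SNP_TYPES and policy != "default"):
        return "accept"                       # received SNPs (or all packets) are not checked
    found = _find_auth_tlv(pdu)
    if found is None:
        return "discard: no authentication TLV"
    off, auth_type, kid, digest = found
    if auth_type != AUTH_TYPE_CRYPTO or kid != key_id:
        return "discard: authentication type or key-id mismatch"
    expected = _hmac(key, pdu[:off] + APAD + pdu[off + DIGEST_LEN:])
    return "accept" if hmac.compare_digest(expected, digest) else "discard: digest mismatch"


@dataclass
class AuthConfig:
    key: Optional[bytes] = None               # None: authentication mode not configured
    key_id: int = 0
    policy: str = "default"


@dataclass
class Router:
    name: str
    area: AuthConfig = field(default_factory=AuthConfig)    # area-authentication-mode
    domain: AuthConfig = field(default_factory=AuthConfig)  # domain-authentication-mode

    def _cfg(self, pdu_type: int) -> AuthConfig:
        return self.area if LEVEL.get(pdu_type, 1) == 1 else self.domain

    def send(self, pdu_type: int, body: bytes) -> bytes:
        cfg = self._cfg(pdu_type)
        if cfg.key is None or (pdu_type in SNP_TYPES and cfg.policy == "authentication-avoid"):
            return build_pdu(pdu_type, body)  # outgoing packet carries no TLV 10
        return build_pdu(pdu_type, body, cfg.key, cfg.key_id)

    def receive(self, pdu: bytes) -> str:
        cfg = self._cfg(pdu[0])
        return "accept" if cfg.key is None else verify_pdu(pdu, cfg.key, cfg.key_id, cfg.policy)


def demo() -> dict:
    l1_key, l2_key = b"constructed-area-key", b"constructed-domain-key"
    a = Router("A", AuthConfig(l1_key, 1), AuthConfig(l2_key, 7))
    b = Router("B", AuthConfig(l1_key, 1), AuthConfig(l2_key, 7))        # consistent with A
    b_key = Router("B-wrong-key", AuthConfig(b"typo", 1), AuthConfig(l2_key, 7))
    b_id = Router("B-wrong-id", AuthConfig(l1_key, 2))
    b_snp = Router("B-send-only", AuthConfig(b"typo", 1, "send-only"))
    b_all = Router("B-all-send-only", AuthConfig(b"typo", 1, "all-send-only"))
    body = bytes([1, 4, 3, 0x49, 0x00, 0x01])          # constructed Area Address TLV: 49.0001
    lsp, psnp = a.send(18, body), a.send(26, body)
    aged = lsp[:1] + struct.pack("!H", 900) + lsp[3:]  # lifetime decremented in transit
    return {
        "same key and key-id, L1 LSP": b.receive(lsp),
        "L1 LSP after lifetime changed in transit": b.receive(aged),
        "L1 LSP with one body byte flipped": b.receive(lsp[:8] + bytes([lsp[8] ^ 0xFF]) + lsp[9:]),
        "wrong key, L1 LSP": b_key.receive(lsp),
        "wrong key, L1 PSNP": b_key.receive(psnp),
        "wrong key-id, L1 LSP": b_id.receive(lsp),
        "wrong key, snp-packet send-only, L1 PSNP": b_snp.receive(psnp),
        "wrong key, snp-packet send-only, L1 LSP": b_snp.receive(lsp),
        "wrong key, all-send-only, L1 LSP": b_all.receive(lsp),
        "L2 LSP between A and B-wrong-key": b_key.receive(a.send(20, body)),
        "unauthenticated L1 LSP from a router without auth": b.receive(Router("C").send(18, body)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The send-only variants are what makes a staged rollout possible: configure the mode with all-send-only on every device first, so that packets from devices not yet configured are still accepted, then remove all-send-only everywhere once every device is sending authenticated LSPs and SNPs. The "L2 LSP between A and B-wrong-key" case shows that an area (Level-1) mismatch leaves Level-2 flooding untouched, and the key-id case shows that the key ID must match as well as the password.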

Copyright © Huawei Technologies Co., Ltd.