IS-IS Authentication

To ensure network security, IS-IS authentication adds an authentication field to IS-IS packets. When a local router receives IS-IS packets from a remote router, it discards the packets if the authentication passwords do not match. This protects the local router.

Authentication Types

Based on the types of packets, authentication is classified as follows:

  • Interface authentication: authenticates Level-1 and Level-2 Hello packets sent and received on IS-IS interfaces using the specified authentication mode and password.

    You can configure a router to perform interface authentication in the following ways:

    • A router sends packets carrying the authentication TLV and verifies the authentication information in received packets.

    • A router sends packets carrying the authentication TLV but does not verify the authentication information in received packets.

  • Area authentication: authenticates Level-1 LSPs and Level-1 SNPs transmitted in an IS-IS area using the specified authentication mode and password.

  • Routing domain authentication: authenticates Level-2 LSPs and Level-2 SNPs transmitted in an IS-IS routing domain using the specified authentication mode and password.

    In area authentication and routing domain authentication, you can configure a router to authenticate LSPs and SNPs separately in the following ways:

    • A router sends LSPs and SNPs carrying the authentication TLV and verifies the authentication information in received LSPs and SNPs.

    • A router sends LSPs carrying the authentication TLV and verifies the authentication information in received LSPs. The router sends SNPs carrying the authentication TLV but does not verify the authentication information in received SNPs.

    • A router sends LSPs carrying the authentication TLV and verifies the authentication information in received LSPs. The router sends SNPs without the authentication TLV and does not verify the authentication information in received SNPs.

    • A router sends LSPs and SNPs carrying the authentication TLV but does not verify the authentication information in received LSPs and SNPs.

Based on the authentication modes of packets, authentication is classified into the following types:

  • Plain text authentication: is a simple authentication mode in which passwords are directly added to packets. This authentication is insecure.

  • MD5 authentication: uses the MD5 algorithm to encrypt passwords before they are added to packets, which improves password security.

  • Keychain authentication: further improves network security with a configurable key chain that changes over time.

Mode in Which Authentication Information Is Carried

IS-IS provides a TLV to carry authentication information, with the type of the TLV specified as 10.

  • Type: is defined by the ISO as 10, with a length of 1 byte.

  • Length: is a 1-byte field that indicates the length of the authentication TLV.

  • Value: indicates the authentication contents of 1 to 254 bytes, including the authentication type and password.

    The authentication type is 1 byte:

    • Type 0 is reserved.

    • Type 1 indicates plain text authentication.

    • Type 54 indicates MD5 authentication.

    • Type 255 indicates routing domain private authentication methods.
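
The TLV layout above can be audited mechanically. The following Python code is an added example, not part of the original documentation or of any vendor implementation: it walks the TLV area of an IS-IS packet, decodes each type 10 TLV, and reports the authentication mode without ever returning the secret. The function names, the constructed sample bytes, and the 16-byte digest check for type 54 are assumptions of this example.

```python
# Added example (not vendor code): audit authentication TLVs in an IS-IS TLV area.
AUTH_TLV = 10
MODES = {0: "reserved", 1: "plain text", 54: "MD5", 255: "routing domain private"}

def iter_tlvs(area: bytes):
    """Yield (type, value) pairs; raise ValueError if a TLV is truncated."""
    pos = 0
    while pos < len(area):
        if pos + 2 > len(area):
            raise ValueError(f"truncated TLV header at offset {pos}")
        tlv_type, length = area[pos], area[pos + 1]
        value = area[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError(f"TLV {tlv_type} at offset {pos} overruns the packet")
        yield tlv_type, value
        pos += 2 + length

def audit_auth(area: bytes):
    """Return one finding per authentication TLV, never the secret itself."""
    findings = []
    for tlv_type, value in iter_tlvs(area):
        if tlv_type != AUTH_TLV:
            continue
        if not value:  # no room even for the 1-byte authentication type
            findings.append({"mode": "malformed", "data_len": 0, "issue": "empty value"})
            continue
        auth_type, data = value[0], value[1:]
        issue = None
        if auth_type == 1:
            issue = "password readable on the wire"
        elif auth_type == 54 and len(data) != 16:  # assumption: an MD5 digest is 16 bytes
            issue = "MD5 digest is not 16 bytes"
        elif auth_type not in MODES:
            issue = "authentication type not listed on this page"
        findings.append({"mode": MODES.get(auth_type, f"unknown ({auth_type})"),
                         "data_len": len(data), "issue": issue})
    return findings

# Constructed sample TLV areas (not captured traffic).
OTHER = bytes([129, 1, 0xCC])                    # unrelated TLV ahead of the auth TLV
PLAIN = OTHER + bytes([10, 8, 1]) + b"isis123"   # type 10, length 8, auth type 1
MD5 = OTHER + bytes([10, 17, 54]) + bytes(16)    # auth type 54 plus a 16-byte digest
NO_AUTH = OTHER                                  # packet sent without authentication

if __name__ == "__main__":
    for name, area in (("plain", PLAIN), ("md5", MD5), ("none", NO_AUTH)):
        print(name, audit_auth(area) or "no authentication TLV")
```

An empty result means the packet carries no authentication TLV, which matches the send modes listed earlier in which SNPs are sent without the TLV.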

Copyright © Huawei Technologies Co., Ltd.