Configuring IS-IS Authentication

After IS-IS authentication is configured, authentication information can be encapsulated into LSPs and SNPs for authentication. By default, authentication is not configured for IS-IS. Configuring authentication is recommended to ensure system security.

Context

Generally, IS-IS packets do not carry authentication information, and received packets are not authenticated. If a user sends malicious packets to attack a network, information on the entire network may be stolen. To address this issue, you can configure IS-IS authentication to improve network security. The three IS-IS authentication modes and their usage scenarios are as follows:
  • Area authentication: Authentication passwords are encapsulated into IS-IS packets in Level-1 areas. The receiver only accepts the packets that have been authenticated. Therefore, you need to configure IS-IS area authentication to authenticate packets in Level-1 areas.

  • Routing domain authentication: Authentication passwords are encapsulated into IS-IS packets in Level-2 areas. The receiver only accepts the packets that have been authenticated. Therefore, you need to configure IS-IS routing domain authentication to authenticate packets in Level-2 areas.

  • Interface authentication: The authentication information is encapsulated into IS-IS Hello packets. A neighbor relationship can be established only after IS-IS Hello packets are authenticated. Therefore, you need to configure interface authentication to authenticate neighbors.

When configuring IS-IS authentication, the authentication mode and passwords of the routers in the same area must be consistent so that IS-IS packets can be flooded normally.

An IS-IS neighbor relationship cannot be established if interface authentication fails. An IS-IS neighbor relationship can be established regardless of whether IS-IS area or routing domain authentication succeeds.

When configuring an authentication password, select the ciphertext mode: in simple text mode the password is saved in the configuration file in clear text, which is a high risk. To ensure device security, change the password periodically.

Procedure

  • Configure IS-IS area authentication.
    1. Run system-view

      The system view is displayed.

    2. Run isis [ process-id ]

      The IS-IS view is displayed.

    3. Run area-authentication-mode { simple { plain plain | cipher cipher } | md5 { [ cipher ] cipher | plain plain } } [ ip | osi ] [ snp-packet { authentication-avoid | send-only } | all-send-only ]

      Or area-authentication-mode keychain keychain-name [ snp-packet { authentication-avoid | send-only } | all-send-only ]

      Or area-authentication-mode hmac-sha256 key-id key-id { plain plain | [ cipher ] cipher } [ snp-packet { authentication-avoid | send-only } | all-send-only ]

      The area authentication mode is configured.

      After the area-authentication-mode command is run, IS-IS does not process received unauthenticated Level-1 LSPs that have been stored in the local LSDB and newly received unauthenticated Level-1 LSPs and SNPs that have not been stored in the local LSDB. Those packets are discarded automatically after being aged out. To prevent those packets from being discarded due to this command configuration, specify the send-only parameter in the command.

      To ensure high security, do not use the MD5 algorithm. It is recommended that you enable authentication and use the HMAC-SHA256 algorithm to improve security, preventing route information from being modified by unauthorized users.

      IS-IS authentication involves the following situations:
      • The device encapsulates authentication information into the LSPs and SNPs it sends and authenticates received LSPs and SNPs. LSPs and SNPs that fail authentication are discarded. In this case, neither snp-packet nor all-send-only is specified.

      • The device encapsulates authentication information into the LSPs it sends and authenticates received LSPs, but neither encapsulates authentication information into the SNPs it sends nor authenticates received SNPs. In this case, specify snp-packet authentication-avoid.

      • The device encapsulates authentication information into the LSPs and SNPs it sends but authenticates only received LSPs. In this case, specify snp-packet send-only.

      • The device encapsulates authentication information into the LSPs and SNPs it sends but does not authenticate received LSPs or SNPs. In this case, specify all-send-only.

    4. Run commit

      The configuration is committed.

  • Configure IS-IS routing domain authentication.
    1. Run system-view

      The system view is displayed.

    2. Run isis [ process-id ]

      The IS-IS view is displayed.

    3. Run domain-authentication-mode { simple { plain plain | cipher cipher } | md5 { [ cipher ] cipher | plain plain } } [ ip | osi ] [ snp-packet { authentication-avoid | send-only } | all-send-only ]

      Or domain-authentication-mode keychain keychain-name [ snp-packet { authentication-avoid | send-only } | all-send-only ]

      Or domain-authentication-mode hmac-sha256 key-id key-id { plain plain | [ cipher ] cipher } [ snp-packet { authentication-avoid | send-only } | all-send-only ]

      The routing domain authentication mode is configured.

      After the domain-authentication-mode command is run, IS-IS does not process received unauthenticated Level-2 LSPs that have been stored in the local LSDB and newly received unauthenticated Level-2 LSPs and SNPs that have not been stored in the local LSDB. Those packets are discarded automatically after being aged out. To prevent those packets from being discarded due to this command configuration, specify the send-only parameter in the command.

      To ensure high security, do not use the MD5 algorithm. It is recommended that you enable authentication and use the HMAC-SHA256 algorithm to improve security, preventing route information from being modified by unauthorized users.

      IS-IS authentication involves the following situations:
      • The device encapsulates authentication information into the LSPs and SNPs it sends and authenticates received LSPs and SNPs. LSPs and SNPs that fail authentication are discarded. In this case, neither snp-packet nor all-send-only is specified.

      • The device encapsulates authentication information into the LSPs it sends and authenticates received LSPs, but neither encapsulates authentication information into the SNPs it sends nor authenticates received SNPs. In this case, specify snp-packet authentication-avoid.

      • The device encapsulates authentication information into the LSPs and SNPs it sends but authenticates only received LSPs. In this case, specify snp-packet send-only.

      • The device encapsulates authentication information into the LSPs and SNPs it sends but does not authenticate received LSPs or SNPs. In this case, specify all-send-only.

    4. Run commit

      The configuration is committed.

  • Configure IS-IS interface authentication.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run isis authentication-mode { simple { plain plain | cipher cipher } | md5 { [ cipher ] cipher | plain plain } } [ level-1 | level-2 ] [ ip | osi ] [ send-only ]

      Or isis authentication-mode keychain keychain-name [ level-1 | level-2 ] [ send-only ]

      Or isis authentication-mode hmac-sha256 key-id key-id { plain plain | [ cipher ] cipher } [ level-1 | level-2 ] [ send-only ]

      The IS-IS authentication mode and password are configured on the interface.

      To ensure high security, do not use the MD5 algorithm. It is recommended that you enable authentication and use the HMAC-SHA256 algorithm to improve security, preventing route information from being modified by unauthorized users.

      When you select parameters, note the following rules:
      • If send-only is specified, the router encapsulates authentication information into the Hello packets it sends but does not authenticate received Hello packets. Neighbor relationships can be set up when authentication is not required or when the packets pass authentication.

      • If send-only is not configured, ensure that passwords of all interfaces with the same level in the same network are consistent.

      • level-1 and level-2 can be set only on Ethernet interfaces.

      • When IS-IS interfaces are Level-1-2 interfaces and neither level-1 nor level-2 is specified in the command, authentication modes and passwords are configured for both Level-1 and Level-2 Hello packets.

    4. Run commit

      The configuration is committed.
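As an added example (not Huawei's code, and not a command the device runs), the following Python script audits the three command forms from this procedure in a saved configuration dump and reports the settings this page warns about: simple or MD5 authentication, passwords stored with plain, and the send-only, snp-packet and all-send-only options that stop the device from authenticating what it receives, as well as processes and IS-IS interfaces with no authentication at all. The configuration snippets, the process and interface names and the cipher placeholders are constructed for the example; the parser assumes a VRP-style layout (an unindented line opens a view, `#` closes it) and treats every IS-IS process as Level-1-2, so it expects both area and routing domain authentication.

```python
"""Audit IS-IS authentication in a saved VRP-style configuration.

Added example, not vendor code. It parses area-authentication-mode,
domain-authentication-mode and the interface-level isis authentication-mode
commands and reports settings that leave packets unauthenticated or weakly
protected. All snippets below are constructed; cipher values are placeholders.
"""
import re
from collections import namedtuple

WEAK_CONFIG = """\
isis 1
 area-authentication-mode simple plain Example123 all-send-only
 domain-authentication-mode md5 cipher <ciphertext-placeholder> snp-packet send-only
#
interface GigabitEthernet0/1/0
 isis enable 1
 isis authentication-mode md5 plain Example123 send-only
#
"""
HARDENED_CONFIG = """\
isis 1
 area-authentication-mode hmac-sha256 key-id 1 cipher <ciphertext-placeholder>
 domain-authentication-mode keychain isis-keys
#
interface GigabitEthernet0/1/0
 isis enable 1
 isis authentication-mode hmac-sha256 key-id 1 cipher <ciphertext-placeholder>
#
"""
NO_AUTH_CONFIG = """\
isis 1
 network-entity 49.0001.0000.0000.0001.00
#
interface GigabitEthernet0/1/0
 isis enable 1
#
"""
AUTH_CMD = re.compile(r"^(?P<cmd>area-authentication-mode|domain-authentication-mode|"
                      r"isis authentication-mode)\s+(?P<args>.+)$")
# severity "high": packets are accepted unauthenticated; "medium": weak or clear-text setting
Finding = namedtuple("Finding", "severity where message")


def _check_command(cmd, tokens, where, out):
    """Flag weak algorithms, clear-text storage and options that skip verification."""
    def add(sev, text):
        out.append(Finding(sev, where, f"{cmd} {text}"))
    if tokens[0] == "simple":
        add("high", "simple: the password travels in clear text in every packet")
    elif tokens[0] == "md5":
        add("medium", "md5: MD5 is not recommended; use hmac-sha256 or a keychain")
    if "plain" in tokens:
        add("medium", "plain: the password is stored unencrypted in the configuration file")
    if cmd == "isis authentication-mode":
        if "send-only" in tokens:
            add("medium", "send-only: received Hello packets are not authenticated")
    elif "all-send-only" in tokens:
        add("high", "all-send-only: received LSPs and SNPs are not authenticated")
    elif "snp-packet" in tokens:
        option = tokens[tokens.index("snp-packet") + 1:][:1]   # keyword after snp-packet, if any
        if option == ["send-only"]:
            add("medium", "snp-packet send-only: received SNPs are not authenticated")
        elif option == ["authentication-avoid"]:
            add("medium", "snp-packet authentication-avoid: SNPs carry no authentication either way")


def audit(config_text: str) -> list:
    """Return findings for one configuration dump, in configuration order."""
    findings, context, seen, isis_ifaces = [], None, {}, set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "#":                 # "#" closes the current view
            context = None
        elif not raw.startswith(" "):               # unindented line opens a view, e.g. "isis 1"
            context = tuple(line.split(" ", 1))
            seen.setdefault(context, set())
        elif context is not None:
            if context[0] == "interface" and line.startswith("isis enable"):
                isis_ifaces.add(context)
            m = AUTH_CMD.match(line)
            if m:
                seen[context].add(m.group("cmd"))
                _check_command(m.group("cmd"), m.group("args").split(), " ".join(context), findings)
    # Assumption: every process is Level-1-2, so area and domain authentication are both expected.
    for ctx, cmds in seen.items():
        where = " ".join(ctx)
        if ctx[0] == "isis" and "area-authentication-mode" not in cmds:
            findings.append(Finding("high", where, "no area authentication: unauthenticated Level-1 LSPs and SNPs are accepted"))
        if ctx[0] == "isis" and "domain-authentication-mode" not in cmds:
            findings.append(Finding("high", where, "no routing domain authentication: unauthenticated Level-2 LSPs and SNPs are accepted"))
        if ctx in isis_ifaces and "isis authentication-mode" not in cmds:
            findings.append(Finding("high", where, "no interface authentication: neighbors form on unauthenticated Hello packets"))
    return findings


def severity_counts(findings) -> dict:
    """Summarise findings as {severity: count}, e.g. {'high': 2, 'medium': 6} for WEAK_CONFIG."""
    return {sev: sum(f.severity == sev for f in findings) for sev in {f.severity for f in findings}}
```

Run `audit(WEAK_CONFIG)` to see every weak setting listed against the process or interface that carries it; `audit(HARDENED_CONFIG)` returns no findings, and `audit(NO_AUTH_CONFIG)` reports the three missing commands. The "high" severity is reserved for settings under which the device accepts unauthenticated packets (no authentication, simple mode, all-send-only), which is the failure the Context section describes; the send-only family is rated "medium" because the page documents it as a deliberate migration aid, but it still deserves a review of whether it is still needed.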

Copyright © Huawei Technologies Co., Ltd.