ISIS/ISISv6

Security Policy

IS-IS authentication protects IS-IS packets by adding an authentication field to them, improving network security. When the local router receives IS-IS packets from a remote router, it discards any packet whose authentication password differs from the password configured using the area-authentication-mode command. This protects the local router.

Attack Methods

Denial of error packets: Attackers can capture valid Hello packets or link state packets from the network, forge attack packets that look like legitimate IS-IS packets, and send them to routers. Although the routers can identify and discard these forged packets based on the authentication information, they may also discard valid packets because they cannot process the flood immediately. This affects network stability.

Procedure

  • Configure IS-IS area authentication.
    1. Run system-view

      The system view is displayed.

    2. Run isis [ process-id ]

      The IS-IS view is displayed.

    3. Run area-authentication-mode { simple { plain plain | [ cipher ] cipher } | md5 { [ cipher ] cipher | plain plain } } [ ip | osi ] [ snp-packet { authentication-avoid | send-only } | all-send-only ]

      Or area-authentication-mode keychain keychain-name [ snp-packet { authentication-avoid | send-only } | all-send-only ]

      Or area-authentication-mode hmac-sha256 key-id key-id { plain plain | [ cipher ] cipher } [ snp-packet { authentication-avoid | send-only } | all-send-only ]

      The area authentication mode is configured.

      After the area-authentication-mode command is run, IS-IS does not process received unauthenticated Level-1 LSPs that have been stored in the local LSDB and newly received unauthenticated Level-1 LSPs and SNPs that have not been stored in the local LSDB. Those packets are discarded automatically after being aged out. To prevent those packets from being discarded due to this command configuration, specify the send-only parameter in the command.

      To ensure high security, do not use the MD5 algorithm. It is recommended that you enable authentication and use the HMAC-SHA256 algorithm to improve security, preventing route information from being modified by unauthorized users.

      IS-IS authentication involves the following situations:
      • The device encapsulates authentication information into the LSPs and SNPs to be sent and authenticates received LSPs and SNPs. LSPs and SNPs that fail authentication are discarded. In this case, neither the snp-packet nor the all-send-only parameter is specified.

      • The device encapsulates authentication information into the LSPs to be sent and authenticates received LSPs, but neither encapsulates authentication information into the SNPs to be sent nor authenticates received SNPs. In this case, the snp-packet authentication-avoid parameter needs to be specified.

      • The device encapsulates authentication information into the LSPs and SNPs to be sent but authenticates only the received LSPs. In this case, the snp-packet send-only parameter needs to be specified.

      • The device encapsulates authentication information into the LSPs and SNPs to be sent but does not authenticate received LSPs or SNPs. In this case, the all-send-only parameter needs to be specified.

    4. Run commit

      The configuration is committed.

  • Configure IS-IS routing domain authentication.
    1. Run system-view

      The system view is displayed.

    2. Run isis [ process-id ]

      The IS-IS view is displayed.

    3. Run domain-authentication-mode { simple { plain plain | cipher cipher } | md5 { [ cipher ] cipher | plain plain } } [ ip | osi ] [ snp-packet { authentication-avoid | send-only } | all-send-only ]

      Or domain-authentication-mode keychain keychain-name [ snp-packet { authentication-avoid | send-only } | all-send-only ]

      Or domain-authentication-mode hmac-sha256 key-id key-id { plain plain | [ cipher ] cipher } [ snp-packet { authentication-avoid | send-only } | all-send-only ]

      The routing domain authentication mode is configured.

      After the domain-authentication-mode command is run, IS-IS does not process received unauthenticated Level-2 LSPs that have been stored in the local LSDB and newly received unauthenticated Level-2 LSPs and SNPs that have not been stored in the local LSDB. Those packets are discarded automatically after being aged out. To prevent those packets from being discarded due to this command configuration, specify the send-only parameter in the command.

      To ensure high security, do not use the MD5 algorithm. It is recommended that you enable authentication and use the HMAC-SHA256 algorithm to improve security, preventing route information from being modified by unauthorized users.

      IS-IS authentication involves the following situations:
      • The device encapsulates authentication information into the LSPs and SNPs to be sent and authenticates received LSPs and SNPs. LSPs and SNPs that fail authentication are discarded. In this case, neither the snp-packet nor the all-send-only parameter is specified.

      • The device encapsulates authentication information into the LSPs to be sent and authenticates received LSPs, but neither encapsulates authentication information into the SNPs to be sent nor authenticates received SNPs. In this case, the snp-packet authentication-avoid parameter needs to be specified.

      • The device encapsulates authentication information into the LSPs and SNPs to be sent but authenticates only the received LSPs. In this case, the snp-packet send-only parameter needs to be specified.

      • The device encapsulates authentication information into the LSPs and SNPs to be sent but does not authenticate received LSPs or SNPs. In this case, the all-send-only parameter needs to be specified.

    4. Run commit

      The configuration is committed.

  • Configure IS-IS interface authentication.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run isis authentication-mode { simple { plain plain | cipher cipher } | md5 { [ cipher ] cipher | plain plain } } [ level-1 | level-2 ] [ ip | osi ] [ send-only ]

      Or isis authentication-mode keychain keychain-name [ level-1 | level-2 ] [ send-only ]

      Or isis authentication-mode hmac-sha256 key-id key-id { plain plain | [ cipher ] cipher } [ level-1 | level-2 ] [ send-only ]

      The IS-IS authentication mode and password are configured on the interface.

      To ensure high security, do not use the MD5 algorithm. It is recommended that you enable authentication and use the HMAC-SHA256 algorithm to improve security, preventing route information from being modified by unauthorized users.

      When you select parameters, note the following rules:
      • If send-only is specified, the router encapsulates authentication information into the Hello packets it sends but does not authenticate received Hello packets. Neighbor relationships can be set up when authentication is not required or when the received packets are authenticated.

      • If send-only is not configured, ensure that passwords of all interfaces with the same level in the same network are consistent.

      • level-1 and level-2 can be set only on Ethernet interfaces.

      • When IS-IS interfaces are Level-1-2 interfaces and neither level-1 nor level-2 is specified in the command, the authentication mode and password are configured for both Level-1 and Level-2 Hello packets.

    4. Run commit

      The configuration is committed.
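As an added example (not Huawei's code), the following Python script audits a saved configuration against the recommendations above: it flags simple and md5 modes, plain-text passwords, send-only settings that skip authentication of received packets, and IS-IS processes or IS-IS-enabled interfaces with no authentication configured at all. The configuration text is constructed in the style of display current-configuration output, with placeholder passwords.

```python
# Constructed sample in the style of "display current-configuration"; all passwords are placeholders.
SAMPLE_CONFIG = """\
isis 1
 area-authentication-mode md5 cipher %^%#PLACEHOLDER1%^%# snp-packet send-only
 domain-authentication-mode hmac-sha256 key-id 10 cipher %^%#PLACEHOLDER2%^%#
#
isis 2
#
interface GigabitEthernet0/0/1
 isis enable 1
 isis authentication-mode simple plain PLACEHOLDER3
#
interface GigabitEthernet0/0/2
 isis enable 1
 isis authentication-mode hmac-sha256 key-id 10 cipher %^%#PLACEHOLDER4%^%# send-only
#
"""

STRONG = {"hmac-sha256", "keychain"}  # modes the procedure recommends over simple/md5


def check_block(header, lines):
    """Findings for one 'isis N' or IS-IS-enabled 'interface X' block."""
    if header.startswith("isis "):
        expected = ("area-authentication-mode", "domain-authentication-mode")
    elif header.startswith("interface ") and any(l.startswith("isis enable") for l in lines):
        expected = ("isis authentication-mode",)
    else:
        return []
    findings = []
    for cmd in expected:
        hits = [l for l in lines if l.startswith(cmd)]
        if not hits:
            findings.append(f"{header}: {cmd} not configured")
        for l in hits:
            tokens = l[len(cmd):].split()
            mode = tokens[0] if tokens else "?"
            if mode not in STRONG:
                findings.append(f"{header}: {cmd} uses {mode}; prefer hmac-sha256 or keychain")
            if "plain" in tokens:  # cipher text is wrapped in %^%#...%^%#, so it never equals a keyword
                findings.append(f"{header}: {cmd} stores the password in plain text")
            if "send-only" in tokens or "all-send-only" in tokens:
                findings.append(f"{header}: {cmd} is send-only; received packets are not authenticated")
    return findings


def audit_isis_auth(config):
    """Split the configuration into blocks (a line starting with '#' or a new header ends one)."""
    findings, header, lines = [], None, []
    for raw in config.splitlines() + ["#"]:  # trailing '#' flushes the last block
        if raw.startswith(" "):
            lines.append(raw.strip())
            continue
        if header:
            findings += check_block(header, lines)
        header, lines = (raw.strip() if raw.strip() != "#" else None), []
    return findings
```

Run against the sample, it reports the md5 and send-only settings on isis 1, the missing area and domain authentication on isis 2, the simple plain-text password on GigabitEthernet0/0/1 and the send-only flag on GigabitEthernet0/0/2, while the hmac-sha256 domain mode on isis 1 passes.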

Copyright © Huawei Technologies Co., Ltd.