IS-IS Authentication

Background

As the Internet develops, more data, voice, and video traffic is exchanged over it, and new services such as e-commerce, online conferencing and auctions, video on demand, and distance learning place high demands on network security. Carriers need to prevent routing information from being obtained or modified by attackers or unauthorized users. IS-IS authentication is applied to the areas or interfaces whose packets need to be protected: a router that receives an IS-IS packet without a valid authentication value discards it, so an attacker who does not hold the key cannot form an adjacency or inject link-state information. Using IS-IS authentication enhances system security and helps carriers provide safe network services.

Related Concepts

Authentication Classification

Based on the packet types protected, authentication is classified as follows:

  • Interface authentication: configured in the interface view; authenticates Level-1 and Level-2 IS-to-IS Hello PDUs (IIHs), and therefore protects adjacency formation on that link.

  • Area authentication: configured in the IS-IS process view; authenticates Level-1 CSNPs, PSNPs, and LSPs.

  • Routing domain authentication: configured in the IS-IS process view; authenticates Level-2 CSNPs, PSNPs, and LSPs.

Based on how the authentication value is produced, authentication is classified into the following types:

  • Simple authentication: the sending router places the configured password in the packet in cleartext. Anyone who can capture the packet can read the password, so this mode provides the lowest security.

  • MD5 authentication: the password is never placed in the packet. The sender uses it as the key of an HMAC-MD5 computation over the packet (RFC 5304) and carries only the 16-byte digest, so a receiver can detect a modified packet or a wrong key. MD5 is no longer considered strong; for the sake of security, use HMAC-SHA256 rather than MD5 wherever the peer supports it.

  • Keychain authentication: further improves security with a configurable key chain, a set of keys each with its own key ID and validity period, so keys can be rotated on a schedule without tearing down adjacencies.

  • HMAC-SHA256 authentication: the sender uses the configured key in an HMAC-SHA-256 computation over the packet and carries the 32-byte digest, together with a key ID, in the generic cryptographic authentication format (RFC 5310). This is the recommended mode.

Implementation

IS-IS authentication does not encrypt IS-IS packets; it authenticates them by adding an authentication TLV to each packet. After receiving an IS-IS packet from a remote router, the local router discards it if the authentication information in the packet does not match what the local configuration produces (a different password, or a digest computed with a different key or over modified contents). Discarded packets never reach adjacency or link-state database processing, which is what protects the local router.

IS-IS provides a type-length-value (TLV) to carry authentication information. The TLV components are as follows:

  • Type: the type of the TLV, 1 byte. The value defined by ISO 10589 is 10; RFC 1195 defined 133 for IP.

  • Length: the length of the authentication TLV value, 1 byte.

  • Value: the authentication information, 1 to 254 bytes, consisting of a 1-byte authentication type followed by the authentication data (the cleartext password, or the key ID and digest). The authentication type is:

    • 0: reserved
    • 1: simple authentication (cleartext password)
    • 3: generic cryptographic authentication (RFC 5310); currently only HMAC-SHA256 is supported
    • 54: MD5 authentication (HMAC-MD5, RFC 5304)
    • 255: private authentication
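The following Python script is an added example, not code from the page or from Huawei: it builds and verifies the authentication TLV described above for the three authentication types listed earlier (cleartext type 1, HMAC-MD5 type 54 per RFC 5304, and HMAC-SHA-256 in the RFC 5310 type 3 format with a 2-byte key ID). The 8-byte header and the area-address TLV are constructed sample data. Two simplifications are assumed: only the authentication value is masked before hashing (a real LSP implementation also zeroes Remaining Lifetime and Checksum), and keys longer than the hash output would need the RFC 5310 key-preparation step, which is not shown.

```python
"""IS-IS authentication TLV (type 10): build and verify the three auth types.
Added example; wire formats follow ISO 10589 (type 1), RFC 5304 (type 54)
and RFC 5310 (type 3). See the lead-in for the simplifications assumed."""
import hashlib
import hmac
import struct

TLV_AUTH = 10
AUTH_SIMPLE, AUTH_CRYPTO, AUTH_HMAC_MD5 = 1, 3, 54
MD5_LEN, SHA256_LEN = 16, 32
# RFC 5310: the authentication data holds Apad while the HMAC is computed.
APAD = bytes.fromhex("878FE1F3") * (SHA256_LEN // 4)


def build_auth_tlv(auth_type, key, pdu, key_id=0):
    """Return pdu with an authentication TLV appended (TLV assumed last)."""
    if auth_type == AUTH_SIMPLE:
        value = bytes([AUTH_SIMPLE]) + key            # password in cleartext
    elif auth_type == AUTH_HMAC_MD5:
        hdr = bytes([AUTH_HMAC_MD5])
        masked = pdu + bytes([TLV_AUTH, 1 + MD5_LEN]) + hdr + bytes(MD5_LEN)
        value = hdr + hmac.new(key, masked, hashlib.md5).digest()
    elif auth_type == AUTH_CRYPTO:
        hdr = bytes([AUTH_CRYPTO]) + struct.pack("!H", key_id)
        masked = pdu + bytes([TLV_AUTH, 3 + SHA256_LEN]) + hdr + APAD
        value = hdr + hmac.new(key, masked, hashlib.sha256).digest()
    else:
        raise ValueError("unknown authentication type")
    if len(value) > 254:
        raise ValueError("authentication value too long")
    return pdu + bytes([TLV_AUTH, len(value)]) + value


def find_auth_tlv(pdu, header_len):
    """Walk the TLV area; return (offset, value) of the first type-10 TLV."""
    i = header_len
    while i + 2 <= len(pdu):
        t, length = pdu[i], pdu[i + 1]
        if i + 2 + length > len(pdu):
            raise ValueError("truncated TLV")   # malformed: reject, never read past the end
        if t == TLV_AUTH:
            return i, pdu[i + 2:i + 2 + length]
        i += 2 + length
    return None, None


def verify(pdu, header_len, keys):
    """keys maps key ID -> key; ID 0 serves types 1 and 54. Returns (ok, reason)."""
    off, val = find_auth_tlv(pdu, header_len)
    if val is None:
        return False, "no authentication TLV"
    atype, data_off = val[0], off + 3               # byte after the auth-type octet
    if atype == AUTH_SIMPLE:
        return hmac.compare_digest(val[1:], keys.get(0, b"")), "simple"
    if atype == AUTH_HMAC_MD5:
        if len(val) != 1 + MD5_LEN or 0 not in keys:
            return False, "bad length or no key"
        masked = pdu[:data_off] + bytes(MD5_LEN) + pdu[data_off + MD5_LEN:]
        expect = hmac.new(keys[0], masked, hashlib.md5).digest()
        return hmac.compare_digest(expect, val[1:]), "hmac-md5"
    if atype == AUTH_CRYPTO:
        if len(val) != 3 + SHA256_LEN:
            return False, "bad length"
        key_id = struct.unpack("!H", val[1:3])[0]
        if key_id not in keys:
            return False, "unknown key id %d" % key_id  # key chain: unknown ID rejected
        data_off += 2
        masked = pdu[:data_off] + APAD + pdu[data_off + SHA256_LEN:]
        expect = hmac.new(keys[key_id], masked, hashlib.sha256).digest()
        return hmac.compare_digest(expect, val[3:]), "hmac-sha256"
    return False, "unsupported authentication type %d" % atype


def demo():
    """Constructed sample: IIH-like 8-byte header plus one Area Address TLV."""
    header = bytes([0x83, 8, 1, 0, 0x0F, 1, 0, 0])
    area = bytes([1, 4, 3, 0x49, 0x00, 0x01])        # TLV 1: area 49.0001
    base, key = header + area, b"s3cret-key"
    r = {}
    simple = build_auth_tlv(AUTH_SIMPLE, key, base)
    r["simple_password_visible"] = key in simple    # readable by anyone on the link
    r["simple_ok"] = verify(simple, len(header), {0: key})[0]
    md5 = build_auth_tlv(AUTH_HMAC_MD5, key, base)
    r["md5_ok"] = verify(md5, len(header), {0: key})[0]
    tampered = header + bytes([1, 4, 3, 0x49, 0x00, 0x02]) + md5[len(base):]
    r["md5_tampered"] = verify(tampered, len(header), {0: key})[0]
    sha = build_auth_tlv(AUTH_CRYPTO, key, base, key_id=7)
    r["sha256_ok"] = verify(sha, len(header), {7: key})[0]
    r["sha256_wrong_key_id"] = verify(sha, len(header), {8: key})[0]
    r["sha256_wrong_key"] = verify(sha, len(header), {7: b"other"})[0]
    r["no_tlv"] = verify(base, len(header), {0: key})[0]
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-24s %s" % (name, ok))
```

Running it shows the practical difference between the modes: the cleartext password is visible in the simple-mode packet, a one-byte change to the area address invalidates the HMAC-MD5 digest, and in the RFC 5310 format a packet signed with key ID 7 is rejected by a receiver that only holds key ID 8, which is the property that lets a key chain roll keys over without a flag day. The truncated-TLV check in find_auth_tlv matters because a receiver parses these TLVs before the packet is trusted.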

Interface Authentication

The password or key chain used for IIHs is configured on the interface. The interface adds the authentication TLV to every IIH it sends and checks it on every IIH it receives, so the interfaces at both ends of a link must be configured with the same authentication mode and the same password.

Area Authentication

Every router in an IS-IS area must use the same authentication mode and the same password or key chain; otherwise Level-1 LSPs and SNPs are discarded and the Level-1 link-state databases cannot synchronize.

Routing Domain Authentication

Every Level-2 or Level-1-2 router in the routing domain (the Level-2 backbone) must use the same authentication mode and the same password or key chain; otherwise Level-2 LSPs and SNPs are discarded.

For area authentication and routing domain authentication, you can set a router to authenticate SNPs and LSPs separately in the following ways. Note that any mode which does not verify received SNPs or LSPs accepts unauthenticated packets from a neighbor, so such modes should be used only temporarily, for example while authentication is being enabled router by router.

  • A router sends LSPs and SNPs that carry the authentication TLV and verifies the authentication information of the LSPs and SNPs it receives.

  • A router sends LSPs that carry the authentication TLV and verifies the authentication information of the LSPs it receives. The router sends SNPs that carry the authentication TLV and does not verify the authentication information of the SNPs it receives.

  • A router sends LSPs that carry the authentication TLV and verifies the authentication information of the LSPs it receives. The router sends SNPs without the authentication TLV and does not verify the authentication information of the SNPs it receives.

  • A router sends LSPs and SNPs that carry the authentication TLV but does not verify the authentication information of the LSPs and SNPs it receives.

Copyright © Huawei Technologies Co., Ltd.