Enabling IS-IS Authentication
Problem
You want to ensure that all IS-IS protocol traffic that your router accepts comes from devices known to you so that only trusted routers participate in determining the contents of the IS-IS routing database.
Solution
Configure MD5 authentication for IS-IS:
[edit protocols isis]
aviva@RouterG# set level 2 authentication-type md5
aviva@RouterG# set level 2 authentication-key $1991poPPi
Discussion
It is a good security measure to authenticate IS-IS protocol packet exchanges to ensure that only trusted routers participate in the IS-IS network and in the exchange of LSA packets.
This recipe shows how to configure IS-IS to use MD5 authentication for the Level 2 area. First you configure MD5 authentication for the entire area, then you set the key, or password, for each interface. MD5 creates an encoded checksum that is included in all transmitted IS-IS packets, and the receiving router verifies this checksum before accepting the packet. By default, the JUNOS implementation of IS-IS authenticates all PDU types, including link-state PDUs (LSPs), IIH PDUs, and complete and partial sequence number PDUs (CSNPs and PSNPs), which is why the software has only one command for establishing authentication.
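To make the "encoded checksum" concrete, the following Python code is an added example (not from the recipe or from JUNOS) showing how an IS-IS Authentication Information TLV is produced and checked under the keyed HMAC-MD5 scheme of RFC 5304, which is what IS-IS "md5" authentication means on the wire. The PDU header and TLVs are constructed, simplified bytes (only the 8-byte common header is modelled, so the TLV walk starts at offset 8; real IIH and LSP headers are longer); the key is the recipe's Level 2 key. Verification zeroes the received digest, recomputes the HMAC over the whole PDU, and compares in constant time, which is why a neighbor with a different key, a missing TLV, or a modified payload is rejected.

```python
import hashlib
import hmac

# Values from RFC 5304 (IS-IS cryptographic authentication).
AUTH_TLV_TYPE = 10          # Authentication Information TLV
AUTH_TYPE_HMAC_MD5 = 54     # authentication type code for HMAC-MD5
DIGEST_LEN = 16             # MD5 digest length in bytes

# Constructed toy PDU (assumption: only the 8-byte IS-IS common header is
# modelled; 0x0f marks a Level 2 LAN IIH, followed by one Protocols
# Supported TLV (type 129) announcing IPv4).
TOY_HEADER_LEN = 8
TOY_HEADER = bytes([0x83, 0x1b, 0x01, 0x00, 0x0f, 0x01, 0x00, 0x00])
TOY_TLVS = bytes([0x81, 0x01, 0xcc])


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def authenticate_pdu(header: bytes, tlvs: bytes, key: bytes) -> bytes:
    """Append an HMAC-MD5 Authentication TLV to header + tlvs.

    The HMAC is computed over the entire PDU with the 16-byte
    authentication value set to zero; the real digest is then filled in.
    """
    auth_tlv_head = bytes([AUTH_TLV_TYPE, 1 + DIGEST_LEN, AUTH_TYPE_HMAC_MD5])
    pdu_zeroed = header + tlvs + auth_tlv_head + b"\x00" * DIGEST_LEN
    digest = _hmac_md5(key, pdu_zeroed)
    return header + tlvs + auth_tlv_head + digest


def _find_auth_tlv(pdu: bytes, header_len: int):
    """Walk the TLV area and return the offset of the auth TLV, or None."""
    off = header_len
    while off + 2 <= len(pdu):
        tlv_type, tlv_len = pdu[off], pdu[off + 1]
        if off + 2 + tlv_len > len(pdu):
            return None  # truncated TLV: treat the PDU as malformed
        if tlv_type == AUTH_TLV_TYPE:
            return off
        off += 2 + tlv_len
    return None


def verify_pdu(pdu: bytes, key: bytes, header_len: int = TOY_HEADER_LEN) -> bool:
    """Receiver-side check: accept only if the HMAC matches our key."""
    off = _find_auth_tlv(pdu, header_len)
    if off is None:
        return False  # no authentication TLV at all
    tlv_len = pdu[off + 1]
    if tlv_len != 1 + DIGEST_LEN or pdu[off + 2] != AUTH_TYPE_HMAC_MD5:
        return False  # wrong length or not HMAC-MD5
    received = pdu[off + 3 : off + 3 + DIGEST_LEN]
    zeroed = bytearray(pdu)
    zeroed[off + 3 : off + 3 + DIGEST_LEN] = b"\x00" * DIGEST_LEN
    expected = _hmac_md5(key, bytes(zeroed))
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    key = b"$1991poPPi"  # the recipe's Level 2 key
    pdu = authenticate_pdu(TOY_HEADER, TOY_TLVS, key)
    print(verify_pdu(pdu, key))             # True: same key on both routers
    print(verify_pdu(pdu, b"$SuMPasswRD"))  # False: Level 1 key used on a Level 2 PDU
```

Note that the key material itself never travels in the packet; only the digest does, which is the property that the simple-password alternative discussed below lacks.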
To configure authentication for all Level 1 areas that the router participates in, use the following commands:
[edit protocols isis]
aviva@RouterG# set level 1 authentication-type md5
aviva@RouterG# set level 1 authentication-key $SuMPasswRD
You cannot configure authentication for IS-IS Level 2 and Level 1 areas globally with a single command. You must configure the two authentications separately.
When you display the router's configuration after you have entered the password, you do not see the password itself but its encrypted form. This safeguard means that someone casually glancing through the configuration does not see the actual password.
You can also configure a simple password for IS-IS authentication, which includes a plain-text password in the transmitted IS-IS packets. Plain-text passwords are easy to break by devices that sniff network traffic, so you should never use them when your goal is network security.
For authentication to work across the entire IS-IS domain, you need to configure MD5 authentication and the same password on all IS-IS interfaces in the same way as shown in this recipe. Once you have the encrypted version of the password, you can use it in the authentication-key statement instead of the password itself. This is one way to minimize the number of people who see the actual password.
aviva@RouterG# set interface fe-1/0/1 authentication-key "$9$dEbgoZUjqP5GUApO1hcgoaJHq"
When you are looking at the configuration contents, pipe the output to hide the passwords:
[edit protocols isis]
aviva@RouterG# show | except SECRET-DATA
level 2 {
}
interface fe-0/0/1.0;
interface fe-1/0/0.0 {
    level 2 disable;
}
interface lo0.0 {
    passive;
}
If the same authentication type and password are not configured across the area, IS-IS cannot establish adjacencies and you will see errors. Here, Level 2 authentication is configured on RouterH but not on RouterG:
aviva@RouterH> show isis adjacency extensive
RouterG
  Interface: fe-0/0/1.0, Level: 2, State: Down, Expires in 0 secs
  Priority: 64, Up/Down transitions: 2, Last transition: 00:00:37 ago
  Circuit type: 3, Speaks: IP, IPv6, MAC address: 0:5:85:c2:2e:d1
  Topologies: Unicast
  Restart capable: Yes
  LAN id: RouterH.02, IP addresses: 10.0.1.2
  Transition log:
  When                  State        Event           Down reason
  Tue Jun 21 19:51:33   Up           Seenself
  Tue Jun 21 23:51:01   Down         Error           Bad Hello
RouterA
  Interface: fe-1/0/1.0, Level: 1, State: Up, Expires in 7 secs
  Priority: 64, Up/Down transitions: 1, Last transition: 21:37:54 ago
  Circuit type: 1, Speaks: IP, IPv6, MAC address: 0:5:85:ca:e7:d0
  Topologies: Unicast
  Restart capable: Yes
  LAN id: RouterA.02, IP addresses: 10.0.24.2
  Transition log:
  When                  State        Event           Down reason
  Tue Jun 21 02:13:44   Up           Seenself
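On a router with many neighbors, the "Bad Hello" symptom is easy to miss in a long display. The following Python script is an added example, not part of the recipe or of JUNOS, that parses the show isis adjacency extensive output above (embedded here as a constructed sample with the original layout restored) and reports every adjacency that is Down together with the last Down reason from its transition log. The parsing rules are assumptions based on that layout: a neighbor name stands alone on an unindented line, the Interface line carries level and state, and transition-log rows start with a timestamp.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the adjacency display from the recipe, with the
# line layout of the CLI output restored.
SAMPLE_OUTPUT = """\
RouterG
  Interface: fe-0/0/1.0, Level: 2, State: Down, Expires in 0 secs
  Priority: 64, Up/Down transitions: 2, Last transition: 00:00:37 ago
  Circuit type: 3, Speaks: IP, IPv6, MAC address: 0:5:85:c2:2e:d1
  Topologies: Unicast
  Restart capable: Yes
  LAN id: RouterH.02, IP addresses: 10.0.1.2
  Transition log:
  When                  State        Event           Down reason
  Tue Jun 21 19:51:33   Up           Seenself
  Tue Jun 21 23:51:01   Down         Error           Bad Hello
RouterA
  Interface: fe-1/0/1.0, Level: 1, State: Up, Expires in 7 secs
  Priority: 64, Up/Down transitions: 1, Last transition: 21:37:54 ago
  Circuit type: 1, Speaks: IP, IPv6, MAC address: 0:5:85:ca:e7:d0
  Topologies: Unicast
  Restart capable: Yes
  LAN id: RouterA.02, IP addresses: 10.0.24.2
  Transition log:
  When                  State        Event           Down reason
  Tue Jun 21 02:13:44   Up           Seenself
"""

INTERFACE_RE = re.compile(r"Interface: (\S+), Level: (\d), State: (\w+)")
# "<weekday> <month> <day> <hh:mm:ss>  <state>  <event>  [<down reason>]"
TRANSITION_RE = re.compile(
    r"^\s*(\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d)\s+(\w+)\s+(\w+)(?:\s+(.+?))?\s*$"
)


@dataclass
class Adjacency:
    neighbor: str
    interface: str
    level: int
    state: str
    # (timestamp, state, event, down reason) rows from the transition log
    transitions: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def last_down_reason(self) -> Optional[str]:
        """Most recent Down reason, or None if the log has no Down row."""
        for _when, state, _event, reason in reversed(self.transitions):
            if state == "Down":
                return reason
        return None


def parse_adjacencies(text: str) -> List[Adjacency]:
    adjacencies: List[Adjacency] = []
    pending_name: Optional[str] = None
    current: Optional[Adjacency] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and ":" not in line:
            pending_name = line.strip()  # neighbor system name heads each block
            continue
        m = INTERFACE_RE.search(line)
        if m and pending_name is not None:
            current = Adjacency(pending_name, m.group(1), int(m.group(2)), m.group(3))
            adjacencies.append(current)
            pending_name = None
            continue
        m = TRANSITION_RE.match(line)
        if m and current is not None:
            current.transitions.append(
                (m.group(1), m.group(2), m.group(3), m.group(4) or "")
            )
    return adjacencies


def down_adjacencies(adjs: List[Adjacency]) -> List[Tuple[str, str, int, str]]:
    """Return (neighbor, interface, level, last down reason) for Down adjacencies."""
    return [
        (a.neighbor, a.interface, a.level, a.last_down_reason() or "")
        for a in adjs
        if a.state == "Down"
    ]


if __name__ == "__main__":
    for neighbor, ifname, level, reason in down_adjacencies(parse_adjacencies(SAMPLE_OUTPUT)):
        print(f"{neighbor} on {ifname} (L{level}) is Down: {reason}")
```

Feeding the script live output (for example, the display captured over the router's management interface) and alerting on a "Bad Hello" reason is a quick way to catch an interface whose authentication type or key does not match its neighbor's.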
For tighter security, you can also define separate authentication passwords for the IS-IS Hello packet exchanges on interfaces. The following commands set the hello password on interface fe-0/0/1:
[edit protocols isis interface fe-0/0/1.0]
aviva@RouterG# set level 2 hello-authentication-type md5
aviva@RouterG# set level 2 hello-authentication-key $NutherPaSSwd