Security

IS-IS enforces basic security through packet authentication by using special TLVs. ISO 10589 specifies TLV Type 10, which can be present in all IS-IS packet types. RFC 1195 also specifies TLV Type 133 for authentication, which removes password length restrictions imposed by ISO 10589. Both specifications define only simple passwords transmitted as clear text without encryption.

Simple, clear-text password authentication obviously does not provide enough protection against malicious attacks on the network, even though it can help isolate operator configuration errors related to adjacency setups. TLV Types 10 and 133 both provide accommodation for future TLV field types, which might permit more complex and secured authentication using schemes such as HMAC-MD5. An IETF draft proposal specifies this approach for improved and sophisticated authentication of IS-IS packets.

Only the simple passwords specified in ISO 10589 are supported in available (at the time of writing) Cisco IOS releases.

A unique security advantage of IS-IS compared to other IP routing protocols is that IS-IS packets are directly encapsulated over the data link and are not carried in IP packets or even CLNP packets. Therefore, to maliciously disrupt the IS-IS routing environment, an attacker has to be physically attached to a router in the IS-IS network, a challenging and inconvenient task for most network hackers. Other IP routing protocols, such as RIP, OSPF, and BGP, are susceptible to attacks from remote IP networks through the Internet because routing protocol packets are ultimately embedded in IP packets, which makes them susceptible to remote access by intrusive applications.