Enabling IS-IS Authentication

Problem

You want to ensure that all IS-IS protocol traffic that your router accepts comes from devices known to you so that only trusted routers participate in determining the contents of the IS-IS routing database.

Solution

Configure MD5 authentication for IS-IS:

	[edit protocols isis]
	aviva@RouterG# set level 2 authentication-type md5
	aviva@RouterG# set level 2 authentication-key $1991poPPi


Discussion

It is a good security measure to authenticate IS-IS protocol packet exchanges to ensure that only trusted routers participate in the IS-IS network and in the exchange of LSA packets.

This recipe shows how to configure IS-IS to use MD5 authentication for the Level 2 area. First you configure MD5 authentication for the entire area, then you set the key, or password, for each interface. MD5 creates an encoded checksum that is included in all transmitted IS-IS packets. The receiving router verifies this checksum before accepting the packet. By default, the JUNOS implementation of IS-IS authenticates all PDU types, including link-state PDUs (LSPs), IIH PDUs, and complete and partial sequence number PDUs (CSNPs and PSNPs). This is why the software has only one command for establishing authentication.

To configure authentication for all Level 1 areas that the router participates in, use the following commands:

	[edit protocols isis]
	aviva@RouterG# set level 1 authentication-type md5
	aviva@RouterG# set level 1 authentication-key $SuMPasswRD

You cannot configure authentication for IS-IS Level 2 and Level 1 areas globally with a single command. You must configure the two authentications separately.

When you display the router's configuration after you have typed the password, you do not see the password itself but the encrypted form of the password. This safeguard means that someone casually glancing through the configuration does not see the actual password.

You can also configure a simple password for IS-IS authentication, which includes a plain-text password in the transmitted IS-IS packets. Plain-text passwords are easy to break by devices that sniff network traffic, so you should never use them when your goal is network security.
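As an added illustration (not from the Junos Cookbook or from Junos itself) of the difference between the two authentication types just described, the following Python sketch builds the IS-IS Authentication Information TLV (type 10) in its plain-text form (type 1) and in the HMAC-MD5 form (type 54, RFC 5304) that Junos uses when you configure md5, signs a constructed hello, and shows the receiver rejecting a PDU whose key does not match, which is the situation behind the "Bad Hello" adjacency error shown later in this recipe. The PDU bytes are constructed for illustration, and the 16-octet key handling of RFC 5304 is simplified.

```python
import hashlib
import hmac
import struct

# TLV codes from RFC 1195 / RFC 5304. The PDU framing below is constructed
# for illustration and is not a byte-exact IS-IS IIH.
AUTH_TLV = 10        # Authentication Information TLV
AUTH_CLEARTEXT = 1   # simple (plain-text) password
AUTH_HMAC_MD5 = 54   # HMAC-MD5
DIGEST_LEN = 16

# Constructed stand-in for a Level 2 LAN IIH header plus a few TLV bytes.
HELLO = b"\x83\x1b\x01\x00\x0f\x01\x00\x00" + b"\x02" + bytes(range(8))

def cleartext_auth_tlv(password: bytes) -> bytes:
    """Simple-password TLV: the key itself travels on the wire."""
    value = bytes([AUTH_CLEARTEXT]) + password
    return struct.pack("!BB", AUTH_TLV, len(value)) + value

def sign_pdu(body: bytes, key: bytes) -> bytes:
    """Sender: append an HMAC-MD5 TLV. The digest covers the whole PDU with
    the 16 digest octets zeroed (RFC 5304); key padding is simplified."""
    header = struct.pack("!BBB", AUTH_TLV, DIGEST_LEN + 1, AUTH_HMAC_MD5)
    zeroed = body + header + b"\x00" * DIGEST_LEN
    return zeroed[:-DIGEST_LEN] + hmac.new(key, zeroed, hashlib.md5).digest()

def verify_pdu(pdu: bytes, key: bytes) -> bool:
    """Receiver: recompute over the zeroed PDU and compare in constant time.
    Wrong key, missing auth TLV or an altered body all reject the PDU."""
    if len(pdu) < DIGEST_LEN + 3:
        return False
    tlv = pdu[-(DIGEST_LEN + 3):]
    if tlv[:3] != struct.pack("!BBB", AUTH_TLV, DIGEST_LEN + 1, AUTH_HMAC_MD5):
        return False
    zeroed = pdu[:-DIGEST_LEN] + b"\x00" * DIGEST_LEN
    expected = hmac.new(key, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, tlv[3:])

def demo() -> dict:
    """Replay the recipe's scenarios using the recipe's example keys."""
    shared = b"$1991poPPi"
    signed = sign_pdu(HELLO, shared)
    tampered = signed[:5] + bytes([signed[5] ^ 0x01]) + signed[6:]
    return {
        "same_key_accepted": verify_pdu(signed, shared),
        "other_key_rejected": verify_pdu(signed, b"$SuMPasswRD"),  # RouterG/RouterH mismatch
        "unauthenticated_rejected": verify_pdu(HELLO, shared),
        "tampered_rejected": verify_pdu(tampered, shared),
        "cleartext_leaks_key": shared in cleartext_auth_tlv(shared),
    }
```

Calling demo() returns the five outcomes; only the matching-key case is accepted, while the simple-password TLV carries the key verbatim for any sniffer to read.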

For authentication to work across the entire IS-IS domain, you need to configure MD5 authentication and the same password on all IS-IS interfaces in the same way as shown in this recipe. Once you have the encrypted version of the password, you can use it in the authentication-key statement instead of the password itself. This is one way to minimize the number of people who see the actual password.

	aviva@RouterG# set interface fe-1/0/1 authentication-key "$9$dEbgoZUjqP5GUApO1hcgoaJHq"

When you are looking at the configuration contents, pipe the output to hide the passwords:

	[edit protocols isis]
	aviva@RouterG# show | except SECRET-DATA
	level 2 {
	}
	interface fe-0/0/1.0;
	interface fe-1/0/0.0 {
	 level 2 disable;
	}
	interface lo0.0 {
	 passive;
	}

If the same authentication type and password are not configured across the area, IS-IS cannot establish adjacencies and you will see errors. Here, Level 2 authentication is configured on RouterH but not on RouterG:

	aviva@RouterH> show isis adjacency extensive
	RouterG
	 Interface: fe-0/0/1.0, Level: 2, State: Down, Expires in 0 secs
	 Priority: 64, Up/Down transitions: 2, Last transition: 00:00:37 ago
	 Circuit type: 3, Speaks: IP, IPv6, MAC address: 0:5:85:c2:2e:d1
	 Topologies: Unicast
	 Restart capable: Yes
	 LAN id: RouterH.02, IP addresses: 10.0.1.2
	 Transition log:
	 When State Event Down reason
	 Tue Jun 21 19:51:33 Up Seenself
	 Tue Jun 21 23:51:01 Down Error Bad Hello
	RouterA
	 Interface: fe-1/0/1.0, Level: 1, State: Up, Expires in 7 secs
	 Priority: 64, Up/Down transitions: 1, Last transition: 21:37:54 ago
	 Circuit type: 1, Speaks: IP, IPv6, MAC address: 0:5:85:ca:e7:d0
	 Topologies: Unicast
	 Restart capable: Yes
	 LAN id: RouterA.02, IP addresses: 10.0.24.2
	 Transition log:
	 When State Event Down reason
	 Tue Jun 21 02:13:44 Up Seenself

For tighter security, you can also define separate authentication passwords for the IS-IS Hello packet exchanges on interfaces. The following commands set the hello password on interface fe-0/0/1:

	[edit protocols isis interface fe-0/0/1.0]
	aviva@RouterG# set level 2 hello-authentication-type md5
	aviva@RouterG# set level 2 hello-authentication-key $NutherPaSSwd




JUNOS Cookbook (O'Reilly)
ISBN: 0596100140
Year: 2007
Pages: 290
Author: Aviva Garrett