ISIS Authentication
1. Intro
All IS-IS protocol exchanges can be authenticated to guarantee that only trusted routing devices participate in the autonomous system (AS) routing. By default, IS-IS authentication is disabled on the routing device.
We have 2 ISIS Authentication options:
- ISIS interface authentication – authenticates only the hello messages transmitted on that interface
- ISIS level authentication – adding authentication under the level authenticates all PDUs (Hellos, LSPs, CSNPs and PSNPs) generated by the router.
2. ISIS Interface Authentication
### The configuration:
```
root@R7# set protocols isis interface ge-0/0/2 level 1 hello-authentication-type simple
root@R7# set protocols isis interface ge-0/0/2 level 1 hello-authentication-key P4ssw0rd
```
### Check the configured authentication:
```
root@R7# run show isis authentication
Interface        Level  IIH Auth  CSN Auth  PSN Auth
ge-0/0/2.0       1      Simple    None      None
ge-0/0/3.0       1      None      None      None

L1 LSP Authentication: None
```
### TLV in Wireshark:
```
ISIS HELLO
    .... ..01 = Circuit type: Level 1 only (0x1)
    0000 00.. = Reserved: 0x00
    SystemID {Sender of PDU}: 0100.4922.9058
    Holding timer: 3
    PDU length: 109
    .100 0000 = Priority: 64
    0... .... = Reserved: 0
    SystemID {Designated IS}: 0100.4922.9058.00
    Protocols Supported (t=129, l=2)
    IP Interface address(es) (t=132, l=4)
    IPv6 Global Interface Address (t=233, l=16)
    IPv6 Interface address(es) (t=232, l=16)
    Area address(es) (t=1, l=18)
    Restart Signaling (t=211, l=3)
    Authentication (t=10, l=9)
        Type: 10
        Length: 9
        clear text (1), password (length 8) = p4ssword
```
### Or, MD5 Authentication:
```
Authentication (t=10, l=17)
    Type: 10
    Length: 17
    hmac-md5 (54), message digest (length 16) = cdff92e4b876aef390af4d07d9396f22
```
3. ISIS Level Authentication
### The configuration:
```
root@R7# set protocols isis level 1 authentication-type simple
root@R7# set protocols isis level 1 authentication-key p4assword
root@R7# run show isis authentication
Interface        Level  IIH Auth  CSN Auth  PSN Auth
ge-0/0/2.0       1      Simple    Simple    Simple
ge-0/0/3.0       1      Simple    Simple    Simple

L1 LSP Authentication: Simple
```
### Wireshark:
```
ISIS HELLO
    .... ..01 = Circuit type: Level 1 only (0x1)
    0000 00.. = Reserved: 0x00
    SystemID {Sender of PDU}: 0100.4922.9058
    Holding timer: 1
    PDU length: 118
    .100 0000 = Priority: 64
    0... .... = Reserved: 0
    SystemID {Designated IS}: 0100.4922.9058.03
    IS Neighbor(s) (t=6, l=6)
    Protocols Supported (t=129, l=2)
    IP Interface address(es) (t=132, l=4)
    IPv6 Global Interface Address (t=233, l=16)
    IPv6 Interface address(es) (t=232, l=16)
    Area address(es) (t=1, l=18)
    Restart Signaling (t=211, l=3)
    Authentication (t=10, l=10)
        Type: 10
        Length: 10
        clear text (1), password (length 9) = p4assword

ISO 10589 ISIS Complete Sequence Numbers Protocol Data Unit
    PDU length: 127
    Source-ID: 0100.4922.9058
    Source-ID-Circuit: 00
    Start LSP-ID: 0000.0000.0000.00-00
    End LSP-ID: ffff.ffff.ffff.ff-ff
    LSP entries (t=9, l=80)
    Authentication (t=10, l=10)
        Type: 10
        Length: 10
        clear text (1), password (length 9) = p4assword

ISO 10589 ISIS Link State Protocol Data Unit
    PDU length: 471
    Remaining lifetime: 1198
    LSP-ID: 0100.4922.8243.00-00
    Sequence number: 0x00000085
    Checksum: 0x2255 [correct]
    [Checksum Status: Good]
    Type block(0x01): Partition Repair:0, Attached bits:0, Overload bit:0, IS type:1
    Area address(es) (t=1, l=18)
    Originating neighbor buffer size (t=14, l=2)
    Protocols supported (t=129, l=2)
    Traffic Engineering Router ID (t=134, l=4)
    IP Interface address(es) (t=132, l=4)
    IPv6 TE Router ID (t=140, l=16)
    Hostname (t=137, l=2)
    IS Reachability (t=2, l=12)
    Extended IS reachability (t=22, l=45)
    IP Internal reachability (t=128, l=72)
    Extended IP Reachability (t=135, l=50)
    IP Interface address(es) (t=132, l=4)
    IPv6 reachability (t=236, l=86)
    IP External reachability (t=130, l=36)
    Extended IP Reachability (t=135, l=24)
    Router Capability (t=242, l=23)
    Authentication (t=10, l=10)
        Type: 10
        Length: 10
        clear text (1), password (length 9) = p4assword
```
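In the decodes above, an Authentication TLV of type 1 carries the configured password itself, while type 54 carries only a digest. The following Python script is an added example, not part of the original post: it walks the TLVs of a captured IS-IS PDU and reports which case applies without echoing the secret. It assumes the input starts at the IS-IS discriminator byte (0x83, LLC header already stripped); the function names and sample bytes are constructed for illustration.

```python
# Added example, not from the original post: report how an IS-IS PDU is authenticated.
ISIS_DISCRIMINATOR = 0x83   # first byte of every IS-IS PDU
AUTH_TLV = 10               # Authentication TLV, as in the decodes above
AUTH_KINDS = {1: "cleartext", 54: "hmac-md5"}

def iter_tlvs(area):
    """Yield (type, value) for each TLV; raise ValueError on truncation."""
    i = 0
    while i < len(area):
        if i + 2 > len(area):
            raise ValueError("truncated TLV header")
        tlv_type, length = area[i], area[i + 1]
        value = area[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"TLV {tlv_type} runs past the end of the PDU")
        yield tlv_type, value
        i += 2 + length

def audit_pdu(pdu):
    """Classify the authentication carried by one IS-IS PDU (hello, LSP, CSNP, PSNP)."""
    if len(pdu) < 8 or pdu[0] != ISIS_DISCRIMINATOR:
        raise ValueError("not an IS-IS PDU")
    header_len = pdu[1]     # Length Indicator: size of the fixed header
    if not 8 <= header_len <= len(pdu):
        raise ValueError("bad header length")
    for tlv_type, value in iter_tlvs(pdu[header_len:]):
        if tlv_type != AUTH_TLV:
            continue
        if not value or (value[0] == 54 and len(value) != 17):
            return {"auth": "malformed", "key_on_wire": False}
        kind = AUTH_KINDS.get(value[0], f"unknown({value[0]})")
        # Never echo the value itself: for type 1 it is the shared password.
        return {"auth": kind, "key_on_wire": value[0] == 1, "value_len": len(value) - 1}
    return {"auth": "none", "key_on_wire": False}

# Constructed samples: a zeroed 27-byte L1 LAN hello header followed by a
# Protocols Supported TLV and the Authentication TLV values shown above.
HELLO_HDR = bytes([ISIS_DISCRIMINATOR, 27, 1, 0, 15, 1, 0, 0]) + bytes(19)
PROTOCOLS = bytes([129, 2, 0xCC, 0x8E])
CLEARTEXT = HELLO_HDR + PROTOCOLS + bytes([10, 9, 1]) + b"p4ssword"
HMAC_MD5 = (HELLO_HDR + PROTOCOLS + bytes([10, 17, 54])
            + bytes.fromhex("cdff92e4b876aef390af4d07d9396f22"))
NO_AUTH = HELLO_HDR + PROTOCOLS

if __name__ == "__main__":
    for name, pdu in (("simple", CLEARTEXT), ("md5", HMAC_MD5), ("none", NO_AUTH)):
        print(name, audit_pdu(pdu))
```

Run over PDUs exported from a capture, any result with `key_on_wire` set to `True` marks an interface or level still using simple authentication.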