HMAC MD5 Authentication
When you enable IS-IS HMAC MD5 authentication (also
referred to as MD5 authentication), the router creates secure digests
of the packets, computed with a shared key according to the HMAC MD5
message-digest algorithm. The digests authenticate the packets; they
do not encrypt the packet contents. The digests are inserted into the
packets from which they are created. Depending on the commands you
issue, the digests can be inserted into hello packets, link-state PDUs,
complete sequence number PDUs, and partial sequence number PDUs.
You can configure an HMAC MD5 authentication key
by using the following commands:
- The area-message-digest-key command specifies an HMAC MD5 key that the router uses to create
a message digest of each level 1 packet—LSPs, CSNPs, and PSNPs—transmitted
by area routers. Using MD5 authentication for area routers protects
against unauthorized routers injecting false routing information into
the area portions of your network. This command also enables MD5 authentication
of level 1 LSPs.
- The domain-message-digest-key command specifies an HMAC MD5 key that the router uses to create
a message digest of each level 2 packet—LSPs, CSNPs, and PSNPs—transmitted
by domain routers. Using MD5 authentication for domain routers protects
against unauthorized routers injecting false routing information into
the routing domain portions of your network. This command also enables
MD5 authentication of level 2 LSPs.
- The isis message-digest-key command specifies an HMAC MD5 key that the router uses to create
a message digest of level 1 or level 2 hello packets on the interface.
Level 1 packets are the default. Using MD5 authentication on interfaces
protects against intrusion by preventing unauthorized routers from
forming adjacencies with your router. This command also enables MD5
authentication of level 1 or level 2 hello packets.
These commands enable MD5 authentication of LSPs
and (for the isis message-digest-key command) hello packets only; they do not enable authentication of
CSNP and PSNP packets. To enable authentication of CSNPs or PSNPs,
you must issue either the area-authentication command or the domain-authentication command.
For more information, see Enabling
and Disabling Authentication of CSNPs and PSNPs.
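The digest insertion and check described above, shown for a hello packet as an added example that is not part of the original page or the router's own code. It assumes the RFC 5304 encoding (Authentication Information TLV type 10, authentication type 54, digest computed over the PDU with the 16-byte digest field zeroed); the key, system IDs and area address are constructed sample values.

```python
import hashlib
import hmac
import struct

AUTH_TLV = 10       # Authentication Information TLV (RFC 5304)
HMAC_MD5 = 54       # authentication type carried in that TLV
HDR_LEN = 27        # LAN hello: 8-byte common header + 19 bytes
KEY = b"constructed-sample-key"                # constructed value
AREA_TLV = bytes([1, 4, 3, 0x49, 0x00, 0x01])  # constructed area address TLV


def build_hello(key: bytes, tlvs: bytes = AREA_TLV) -> bytes:
    """Build a constructed level 1 LAN hello and insert its HMAC MD5 digest."""
    auth = bytes([AUTH_TLV, 17, HMAC_MD5]) + bytes(16)    # digest zeroed
    hdr = bytes([0x83, HDR_LEN, 1, 0, 15, 1, 0, 0])       # common header
    hdr += bytes([1]) + bytes.fromhex("000000000001")     # circuit type, source ID
    hdr += struct.pack("!HH", 30, HDR_LEN + len(auth) + len(tlvs))  # hold, length
    hdr += bytes([64]) + bytes.fromhex("00000000000101")  # priority, LAN ID
    pdu = bytearray(hdr + auth + tlvs)
    off = HDR_LEN + 3
    pdu[off:off + 16] = hmac.new(key, bytes(pdu), hashlib.md5).digest()
    return bytes(pdu)


def digest_offset(pdu: bytes):
    """Walk the TLVs; return the offset of the 16-byte digest, or None."""
    i = HDR_LEN
    while i + 2 <= len(pdu):
        tlv_type, tlv_len = pdu[i], pdu[i + 1]
        if i + 2 + tlv_len > len(pdu):
            return None                      # truncated TLV: reject
        if tlv_type == AUTH_TLV and tlv_len == 17 and pdu[i + 2] == HMAC_MD5:
            return i + 3
        i += 2 + tlv_len
    return None


def verify_hello(key: bytes, pdu: bytes) -> bool:
    """Recompute the digest over the PDU with the digest field zeroed."""
    off = digest_offset(pdu)
    if off is None:
        return False                         # no HMAC MD5 TLV: unauthenticated
    zeroed = pdu[:off] + bytes(16) + pdu[off + 16:]
    expected = hmac.new(key, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(pdu[off:off + 16], expected)
```

A hello that fails this check, or carries no digest at all, is the packet an authenticating interface drops instead of forming an adjacency.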