Configuring IS-IS Authentication

All IS-IS protocol exchanges can be authenticated to guarantee that only trusted routers participate in the autonomous system (AS) routing. By default, IS-IS authentication is disabled on the router.

To configure IS-IS authentication, you must define an authentication password and specify the authentication type.

You can configure one of the following authentication methods:

• Simple authentication—Uses a text password that is included in the transmitted packet. The receiving router uses an authentication key (password) to verify the packet. Simple authentication is included for compatibility with existing IS-IS implementations. However, we recommend that you do not use this authentication method because it is insecure (the text can be "sniffed" ).

  Caution: A simple password that exceeds 254 characters is truncated.

• HMAC-MD5 authentication—Uses an iterated cryptographic hash function. The receiving router uses an authentication key (password) to verify the packet.

You can also configure more fine-grained authentication for hello packets. To do this, see Configuring Authentication for Hello Packets.

To enable authentication and specify an authentication method, include the authentication-type statement, specifying the simple or md5 authentication type:

For a list of hierarchy levels at which you can configure this statement, see the statement summary section for this statement.

To configure a password, include the authentication-key statement. The authentication password for all routers in a domain must be the same.

For a list of hierarchy levels at which you can configure this statement, see the statement summary section for this statement.

The password can contain up to 255 characters. If you include spaces, enclose all characters in quotation marks (" ").

If you are using the JUNOS IS-IS software with another implementation of IS-IS, the other implementation must be configured to use the same password for the domain, the area, and all interfaces that are shared with a JUNOS implementation.

Authentication of hello packets, partial sequence number PDU (PSNP), and complete sequence number PDU (CSNP) may be suppressed to enable interoperability with the routing software of different vendors. Different vendors handle authentication in various ways, and suppressing authentication for different PDU types may be the simplest way to allow compatibility within the same network.

To configure IS-IS to generate authenticated packets, but not to check the authentication on received packets, include the no-authentication-check statement:

To suppress authentication of IS-IS hello packets, include the no-hello-authentication statement:

To suppress authentication of PSNP packets, include the no-psnp-authentication statement:

To suppress authentication of CSNP packets, include the no-csnp-authentication statement:

For a list of hierarchy levels at which you can configure these statements, see the statement summary sections for these statements.

Note: The authentication and the no-authentication statements must be configured at the same hierarchy level. Configuring authentication at the interface hierarchy level and configuring no-authentication at the isis hierarchy level has no effect.

Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice.