Although all JUNOS IGPs support authentication, some are inherently more secure than others. Most service providers use OSPF or IS-IS to allow fast internal convergence and scalability and to use traffic engineering capabilities with Multiprotocol Label Switching (MPLS). Because IS-IS does not operate at the network layer, it is more difficult to spoof than OSPF, which is encapsulated in IP and is therefore subject to remote spoofing and DoS attacks.

This example also configures a number of tracing options for routing protocol events and errors, which can be good indicators of attacks against routing protocols. These events include protocol authentication failures, which might point to an attacker that is sending spoofed or otherwise malformed routing packets to the router in an attempt to elicit a particular behavior.

    [edit]
    protocols {
        isis {
            authentication-key "$9$aH1j8gqQ1gjyjgjhgjgiiiii"; # SECRET-DATA
            authentication-type md5;

            traceoptions {
                file isis-trace size 10m files 10;
                flag normal;
                flag error;
            }

            interface at-0/0/0.131 {
                lsp-interval 50;
                level 2 disable;

                level 1 {
                    metric 3;
                    hello-interval 5;
                    hold-time 60;
                }
            }

            interface lo0.0 {
                passive;
            }
        }
    }
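
To check that a saved configuration still carries the settings this example relies on, the following added sketch (not Juniper's code and not part of the original page) parses the curly-brace syntax and reports a missing IS-IS authentication statement or a missing error trace flag. The names `parse`, `audit_isis` and `SAMPLE` are hypothetical, the sample key is a placeholder, and only statements placed directly under `isis`, as on this page, are inspected.

```python
import re

# Constructed sample: the page's IS-IS stanza, with the key replaced by a placeholder.
SAMPLE = '''
protocols {
    isis {
        authentication-key "$9$PLACEHOLDER"; # SECRET-DATA
        authentication-type md5;
        traceoptions {
            file isis-trace size 10m files 10;
            flag normal;
            flag error;
        }
        interface lo0.0 {
            passive;
        }
    }
}
'''

def parse(text):
    """Turn curly-brace JUNOS config into nested dicts; leaf statements land in '_stmts'."""
    root = {"_stmts": []}
    stack = [root]
    for raw in text.splitlines():
        line = re.sub(r";\s*#.*$", ";", raw).strip()  # drop annotations such as SECRET-DATA
        if line.endswith("{"):
            child = {"_stmts": []}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif line.endswith(";"):
            stack[-1]["_stmts"].append(line[:-1].strip())
    return root

def audit_isis(text):
    """Return findings for the IS-IS settings the example relies on (hypothetical helper)."""
    isis = parse(text).get("protocols", {}).get("isis")
    if isis is None:
        return ["no protocols isis stanza found"]
    trace = isis.get("traceoptions", {"_stmts": []})["_stmts"]
    checks = [
        (any(s.startswith("authentication-key ") for s in isis["_stmts"]), "authentication-key missing"),
        (any(s.startswith("authentication-type ") for s in isis["_stmts"]), "authentication-type missing"),
        (any(s.startswith("file ") for s in trace), "traceoptions has no trace file"),
        ("flag error" in trace, "traceoptions lacks 'flag error'"),
    ]
    return [msg for ok, msg in checks if not ok]

if __name__ == "__main__":
    print(audit_isis(SAMPLE) or "IS-IS authentication and error tracing are configured")
```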