Cisco IOS Software Release 12.2(14)S
IS-IS HMAC-MD5 Authentication and Enhanced Clear Text Authentication
IS-IS HMAC-MD5 Authentication
The IS-IS HMAC-MD5 authentication feature adds an HMAC-MD5 digest to each IS-IS PDU. HMAC
is a mechanism for message authentication codes (MACs) using cryptographic hash functions. The digest
allows authentication at the IS-IS routing protocol level, which prevents unauthorized routing messages
from being injected into the network routing domain.
IS-IS has five packet types: link state packet (LSP), LAN Hello, Serial Hello, CSNP, and PSNP. The
IS-IS HMAC-MD5 authentication or the clear text password authentication can be applied to all five
types of PDU. The authentication can be enabled on different IS-IS levels independently. The
interface-related PDUs (LAN Hello, Serial Hello, CSNP, and PSNP) can be enabled with authentication
on different interfaces, with different levels and different passwords.
The HMAC-MD5 mode cannot be mixed with the clear text mode on the same authentication scope (LSP
or interface). However, administrators can use one mode for LSP and another mode for some interfaces,
for example. If mixed modes are intended, different keys should be used for different modes in order not
to compromise the encrypted password in the PDUs.
Benefits of IS-IS HMAC-MD5 Authentication
• IS-IS now supports MD5 authentication, which is more secure than clear text authentication.
• MD5 authentication or clear text authentication can be enabled on Level 1 or Level 2 independently.
• Passwords can be rolled over to new passwords without disrupting routing messages.
• For the purpose of network transition, you can configure the networking device to accept PDUs
without authentication or with wrong authentication information, yet send PDUs with
authentication. Such transition might be because you are migrating from no authentication to some
type of authentication, you are changing authentication type, or you are changing keys.
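The following is an added example and not code from this Cisco document: it shows how the HMAC-MD5 digest described above is carried in an IS-IS Authentication TLV and checked by a receiver, including the two behaviours listed as benefits (a key chain that accepts more than one key during rollover, and a transition mode that sends authenticated PDUs while still accepting unauthenticated or wrongly authenticated ones). The TLV code and authentication-type value are taken from RFC 3567, the fixed header length from ISO 10589, and the PDU bytes are constructed.

```python
import hmac
import hashlib

# Values from RFC 3567 (HMAC-MD5 authentication for IS-IS), not stated on the page.
AUTH_TLV_TYPE = 10        # Authentication Information TLV code
AUTH_TYPE_HMAC_MD5 = 54   # authentication type byte for HMAC-MD5
DIGEST_LEN = 16           # MD5 digest length

# Constructed sample PDU: 27 stand-in bytes for a LAN Hello fixed header (length per
# ISO 10589), then one Area Address TLV (type 1) for area 49.0001. Not a real capture.
HEADER_LEN = 27
SAMPLE_PDU = b"\x83" + bytes(26) + b"\x01\x04\x03\x49\x00\x01"

def walk_tlvs(pdu: bytes):
    """Yield (offset, type, value) for each TLV following the fixed header."""
    i = HEADER_LEN
    while i + 2 <= len(pdu):
        t, length = pdu[i], pdu[i + 1]
        yield i, t, pdu[i + 2:i + 2 + length]
        i += 2 + length

def sign_pdu(pdu: bytes, key: bytes) -> bytes:
    """Append an HMAC-MD5 Authentication TLV to a Hello or SNP PDU.
    The digest covers the whole PDU with the digest field itself zeroed (RFC 3567).
    For LSPs the checksum and remaining-lifetime fields must also be zeroed first."""
    unsigned = pdu + bytes([AUTH_TLV_TYPE, 1 + DIGEST_LEN, AUTH_TYPE_HMAC_MD5]) + bytes(DIGEST_LEN)
    digest = hmac.new(key, unsigned, hashlib.md5).digest()
    return unsigned[:-DIGEST_LEN] + digest

def verify_pdu(pdu: bytes, keys: list[bytes]) -> str:
    """Return 'ok' if any key in the chain validates the digest, 'bad' if an HMAC-MD5
    TLV is present but no key matches, or 'missing' if the PDU is unauthenticated.
    Accepting several keys is what lets a password roll over without dropping adjacencies."""
    for off, t, val in walk_tlvs(pdu):
        if t != AUTH_TLV_TYPE or len(val) != 1 + DIGEST_LEN or val[0] != AUTH_TYPE_HMAC_MD5:
            continue
        start = off + 3
        zeroed = pdu[:start] + bytes(DIGEST_LEN) + pdu[start + DIGEST_LEN:]
        for key in keys:
            expected = hmac.new(key, zeroed, hashlib.md5).digest()
            if hmac.compare_digest(expected, val[1:]):
                return "ok"
        return "bad"
    return "missing"

def accept_pdu(pdu: bytes, keys: list[bytes], send_only: bool = False) -> bool:
    """Strict mode drops anything but 'ok'; the transition mode described on the page
    (authenticate what is sent, accept unauthenticated or wrongly authenticated PDUs) accepts all."""
    return send_only or verify_pdu(pdu, keys) == "ok"
```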
Benefits of IS-IS Clear Text Authentication
IS-IS clear text (plain text) authentication was formerly configured only by using the area-password or
domain-password command. Clear text authentication can now be configured using new commands that
cause passwords to be encrypted when the software configuration is displayed and make passwords
easier to manage and change.
How to Configure IS-IS HMAC-MD5 Authentication or Enhanced
Clear Text Authentication
The following sections describe configuration tasks for IS-IS authentication. The task you perform
depends on whether you are introducing authentication or migrating from an existing authentication
scheme.
• (optional)
• (optional)
• (optional)