Downloads |
Table Of Contents
Enhancing Security in an IS-IS Network
Prerequisites for Enhancing Security in an IS-IS Network
Information About Enhancing Security in an IS-IS Network
Importance of Preventing Unauthorized Information from Entering an IS-IS Network
How to Enhance Security in an IS-IS Network
Setting an Authentication Password for each Interface
Setting an Area Password for each IS-IS Area
Configuring IS-IS Authentication
IS-IS Authentication Functionality
Benefits of IS-IS Clear Text Authentication
Benefits of IS-IS HMAC-MD5 Authentication
Configuring HMAC-MD5 Authentication or Clear Text Authentication for the First Time
Migrating to a New Authentication Type
Configuration Examples for Enhancing Security in an IS-IS Network
Configuring IS-IS HMAC-MD5 Authentication: Example
Configuring IS-IS Clear Text Authentication: Example
Feature Information for Enhancing Security in an IS-IS Network
Enhancing Security in an IS-IS Network
First Published: November 30, 2007Last Updated: May 5, 2008
This module describes processes that you can follow to enhance network security when you use Intermediate System-to-Intermediate System (IS-IS) in your network. You can set passwords, prevent unauthorized routers from forming adjacencies with routers in your IS-IS network, and use the IS-IS HMAC-MD5 Authentication and Enhanced Clear Text Authentication feature.
Finding Feature Information in This Module
Your Cisco IOS software release may not support all of the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the "Feature Information for Enhancing Security in an IS-IS Network" section.
Finding Support Information for Platforms and Cisco IOS and Catalyst OS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
Prerequisites for Enhancing Security in an IS-IS Network
•
•
•
•
Prerequisites for Enhancing Security in an IS-IS Network
•
•
Information About Enhancing Security in an IS-IS Network
Before you configure the features in this module, you should understand the following concept:
Importance of Preventing Unauthorized Information from Entering an IS-IS Network
Importance of Preventing Unauthorized Information from Entering an IS-IS Network
It is recommended that you configure the security features described in this module in order to prevent unauthorized routing messages from being placed into the network routing domain. You can set an authentication password for each interface, as well as set an area password for each IS-IS area to prevent unauthorized routers from injecting false routing information into the link-state database, or you can configure a type of IS-IS authentication—either IS-IS HMAC-MD5 or enhanced clear text authentication.
How to Enhance Security in an IS-IS Network
This module describes the following processes that can enhance your network security when you use IS-IS on your network:
•
•
•
Setting an Authentication Password for each Interface
Entering the isis password command enables you to prevent unauthorized routers from forming adjacencies with this router and thus protects the network from intruders.
Restrictions
The password is exchanged as plain text and thus provides only limited security.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS
Setting an Area Password for each IS-IS Area
This section contains the following tasks:
Setting a Password at Level 1
Perform this task to set an area password for each IS-IS area in your network. Using the area-password command on all routers in an area will prevent unauthorized routers from injecting false routing information into the link-state database.
This password is inserted in Level 1 protocol data unit (PDU) link-state PDUs (LSPs), complete sequence number PDUs (CSNPs), and partial sequence number PDUs (PSNPs).
Restrictions
This password is exchanged as plain text, and, thus, this feature provides only limited security.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Setting a Password at Level 2
Perform this task to set a Level 2 area password for each IS-IS area in your network. Using the domain-password command on all routers in an area will prevent unauthorized routers from injecting false routing information into the link-state database.
This password is inserted in Level 2 PDU link-state PDUs (LSPs), complete sequence number PDUs (CSNPs), and partial sequence number PDUs (PSNPs). If you specify the authenticate snp keyword along with either the validate or send-only keyword, the IS-IS routing protocol will insert the password into sequence number PDUs (SNPs).
Restrictions
This password is exchanged as plain text, and, thus, this feature provides only limited security.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Configuring IS-IS Authentication
The following sections describe configuration tasks for IS-IS authentication. Two types of authentication are supported: IS-IS HMAC-MD5 and clear text. The task you perform depends on whether you are introducing authentication or migrating from an existing authentication scheme.
Before you can configure authentication, you must make the following decisions:
•
•
•
This section contains the following procedures:
•
•
Before you configure IS-IS HMAC-MD5 authentication or clear text authentication, you should understand the following concepts:
•
•
•
IS-IS Authentication Functionality
New style IS-IS authentication (IS-IS HMAC-MD5 and clear text) provides a number of advantages over the old style password configuration commands that were described in the previous sections, "Setting an Authentication Password for each Interface" section and "Setting an Area Password for each IS-IS Area" section.
•
•
•
•
IS-IS has five PDU types: link state PDU (LSP), LAN Hello, Point-to-Point Hello, complete sequence number PDU (CSNP), and partial sequence number PDU (PSNP). IS-IS HMAC-MD5 authentication or clear text password authentication can be applied to all five PDU types. The authentication can be enabled on different IS-IS levels independently. The interface-related PDUs (LAN Hello, Point-to-Point Hello, CSNP, and PSNP) can be enabled with authentication on different interfaces, with different levels and different passwords.
Either authentication mode or old password mode may be configured on a given scope (IS-IS instance or interface) and level—bit not both. However, different modes may be configured for different modes mat be configured for different scopes or levels. If mixed modes are intended, different keys should be used for different modes in order not to compromise the encrypted password in the PDUs.
Benefits of IS-IS Clear Text Authentication
IS-IS clear text (plain text) authentication provides the same functionality as is provided by using the area-password or domain-password command. However, use of clear text authentication takes advantage of the more flexible key management capabilities described above.
Benefits of IS-IS HMAC-MD5 Authentication
•
•
•
•
Configuring HMAC-MD5 Authentication or Clear Text Authentication for the First Time
This section contains the following tasks:
•
•
Configuring HMAC-MD5 or Clear Text Authentication for the IS-IS Instance
To achieve a smooth transition to authenticating IS-IS PDUs, perform the following steps in the order shown, which requires moving from router to router doing certain steps before all the steps are performed on any one router.
In order to use HMAC-MD5 or clear text authentication with encrypted keys, the Integrated IS-IS routing protocol must be configured.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
DETAILED STEPS
Configuring HMAC-MD5 or Clear Text Authentication for an IS-IS Interface
To achieve a smooth transition to authenticating IS-IS PDUs, perform the following steps in the order shown, which requires moving from router to router doing certain steps before all the steps are performed on any one router.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
DETAILED STEPS
Step 1
enable
Example:Router> enable
Enables privileged EXEC mode.
•
Step 2
configure terminal
Example:Router# configure terminal
Enters global configuration mode.
Step 3
key chain name-of-chain
Example:Router(config)# key chain multistate87723
Enables authentication for routing protocols and identifies a group of authentication keys.
Step 4
key key-id
Example:Router(config-keychain)# key 201
Identifies an authentication key on a key chain.
•
Step 5
key-string text
Example:Router(config-keychain-key)# key-string idaho
Specifies the authentication string for a key.
•
Step 6
exit
Example:Router(config-keychain-key)# exit
Returns to keychain configuration mode.
Step 7
exit
Example:Router(config-keychain)# exit
Returns to global configuration mode.
Step 8
interface type number
Example:Router(config)# interface ethernet 0
Configures an interface.
Step 9
isis authentication send-only [level-1 | level-2]
Example:Router(config-if)# isis authentication send-only
Specifies that authentication is performed only on PDUs being sent (not received) on a specified IS-IS interface.
Step 10
Repeat Steps 1 through 9 on each router that will communicate.
Use the same key string on each router.
Step 11
isis authentication mode {md5 | text} [level-1 | level-2]
Example:Router(config-if)# isis authentication mode md5
Specifies the type of authentication used for an IS-IS interface.
•
•
Step 12
isis authentication key-chain name-of-chain [level-1 | level-2]
Example:Router(config-if)# isis authentication key-chain multistate87723
Enables MD5 authentication for an IS-IS interface.
•
Step 13
Repeat Steps 11 and 12 on each router that will communicate.
—
Step 14
no isis authentication send-only
Example:Router(config-if)# no isis authentication send-only
Specifies that authentication is performed on PDUs being sent and received on a specified IS-IS interface.
Step 15
Repeat Step 14 on each router that will communicate.
—
Migrating to a New Authentication Type
Before you migrate from using one type of security authentication to another, all routers must be loaded with the new image that supports the new authentication type. The routers will continue to use the original authentication method until all routers have been loaded with the new image that supports the new authentication method, and all routers have been configured to use the new authentication method. Once all routers are loaded with the required image, you must follow the configuration steps for the desired new authentication method as described in the previous "Configuring HMAC-MD5 or Clear Text Authentication for the IS-IS Instance" section. You also must decide whether to configure authentication for the IS-IS area or for individual IS-IS interfaces. Both tasks are included in the referenced section.
Note
Before you migrate from your original authentication method to a new method, you should be familiar with the information in the following sections:
•
•
Migration from Old Clear Text Authentication to HMAC-MD5 Authentication
When you configure MD5 authentication, the area-password and domain-password command settings will be overridden automatically with the new authentication commands. When you configure MD5 authentication, the isis password command setting will be overridden automatically with the new authentication commands.
Migration from Old Clear Text Authentication to the New Clear Text Authentication
The benefits of migrating from the old method of clear text authentication to the new method of clear text authentication are as follows:
•
•
To migrate from your original authentication method to a new method, perform the following steps.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Step 1
Step 2
Configuring Authentication on a New Router Being Added to a Network That Already Has Authentication Configured
Once your network is running authentication, you will need to configure authentication for any router that is later added to the network. Perform the following steps to configure authentication on the new router.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
DETAILED STEPS
Step 1
enable
Example:Router> enable
Enables privileged EXEC mode.
•
Step 2
configure terminal
Example:Router# configure terminal
Enters global configuration mode.
Step 3
key chain name-of-chain
Example:Router(config)# key chain multistate87723
Enables authentication for routing protocols and identifies a group of authentication keys.
Step 4
key key-id
Example:Router(config-keychain)# key 201
Identifies an authentication key on a key chain.
•
Step 5
key-string text
Example:Router(config-keychain-key)# key-string idaho
Specifies the authentication string for a key.
•
Step 6
exit
Example:Router(config-keychain-key)# exit
Returns to keychain configuration mode.
Step 7
exit
Example:Router(config-keychain)# exit
Returns to global configuration mode.
Step 8
interface type number
Example:Router(config)# interface ethernet 0
Configures an interface.
Step 9
isis authentication mode {md5 | text} [level-1 | level-2]
Example:Router(config-if)# isis authentication mode md5
Specifies the type of authentication used for an IS-IS interface.
•
•
Step 10
isis authentication key-chain name-of-chain [level-1 | level-2]
Example:Router(config-if)# isis authentication key-chain multistate87723
Enables MD5 authentication for an IS-IS interface.
•
Configuration Examples for Enhancing Security in an IS-IS Network
This section provides the following configuration examples:
•
•
Configuring IS-IS HMAC-MD5 Authentication: Example
The following example configures a key chain and key for IS-IS HMAC-MD5 authentication for Ethernet interface 3 (on Hello PDUs) and for the IS-IS instance (on LSP, CSNP, and PSNP PDUs).
!key chain ciscokey 100key-string tasman-drive!interface Ethernet3ip address 10.1.1.1 255.255.255.252ip router isis real_secure_networkisis authentication mode md5 level-1isis authentication key-chain cisco level-1!router isis real_secure_networknet 49.0000.0101.0101.0101.00is-type level-1authentication mode md5 level-1authentication key-chain cisco level-1!Configuring IS-IS Clear Text Authentication: Example
The following example configures a key chain and key for IS-IS clear text authentication for Ethernet interface 3 (on Hello PDUs) and for the IS-IS instance (on LSP, CSNP, and PSNP PDUs).
!key chain ciscokey 100key-string tasman-drive!interface Ethernet3ip address 10.1.1.1 255.255.255.252ip router isis real_secure_networkisis authentication mode text level-1isis authentication key-chain cisco level-1!router isis real_secure_networknet 49.0000.0101.0101.0101.00is-type level-1authentication mode text level-1authentication key-chain cisco level-1!Additional References
The following sections provide references related to configuring IS-IS to enhance network security.
Related Documents
IS-IS commands: complete command syntax, command mode, defaults, command history, usage guidelines, and examples
Key chains and key management
•
•
Roadmap of IS-IS features
"Integrated IS-IS Features Roadmap" module
Overview of Cisco IS-IS conceptual information with links to all the individual IS-IS modules
Standards
RFCs
RFC 1321
The MD5 Message-Digest Algorithm
RFC 2104
HMAC: Keyed-Hashing for Message Authentication
RFC 3567
IS-IS Cryptographic Authentication
Technical Assistance
Feature Information for Enhancing Security in an IS-IS Network
Table 1 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(13)T, 12.0(21)S, 12.2(11)S, or a later release appear in the table.
For information on a feature in this technology that is not documented here, see the "Integrated IS-IS Features Roadmap" module.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Table 1 Feature Information for Enhancing Security in an IS-IS Network
CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco StadiumVision, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn is a service mark; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0804R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007-2008 Cisco Systems, Inc. All rights reserved.
