 Feedback
|
Table Of Contents
IS-IS HMAC-MD5 Authentication and Enhanced Clear Text Authentication
Prerequisites for IS-IS HMAC-MD5 Authentication and Enhanced Clear Text Authentication
Information About IS-IS HMAC-MD5 Authentication and Enhanced Clear Text Authentication
Benefits of IS-IS HMAC-MD5 Authentication
Benefits of IS-IS Clear Text Authentication
How to Configure IS-IS HMAC-MD5 Authentication or Enhanced Clear Text Authentication
Configuring HMAC-MD5 Authentication or Clear Text Authentication for the First Time
Configuring HMAC-MD5 or Clear Text Authentication for the IS-IS Instance
Configuring HMAC-MD5 or Clear Text Authentication for an IS-IS Interface
Migrating from Old Clear Text Authentication to HMAC-MD5 Authentication
Migrating from Old Clear Text Authentication to HMAC-MD5 Authentication for the IS-IS Instance
Migrating from Old Clear Text Authentication to HMAC-MD5 Authentication for an IS-IS Interface
Migrating from Old Clear Text Authentication to the New Clear Text Authentication
Configuration Examples for IS-IS HMAC-MD5 Authentication and Enhanced Clear Text Authentication
Configuring IS-IS HMAC-MD5 Authentication Example
Configuring IS-IS Clear Text Authentication Example
IS-IS HMAC-MD5 Authentication and Enhanced Clear Text Authentication
The IS-IS HMAC-MD5 authentication feature adds an HMAC-MD5 digest to each Intermediate System-to-Intermediate System (IS-IS) protocol data unit (PDU). The digest allows authentication at the IS-IS routing protocol level, which prevents unauthorized routing message from being injected into the network routing domain. IS-IS clear text (plain text) authentication is enhanced so that passwords are encrypted when the software configuration is displayed and passwords are easier to manage and change.
Feature Specifications for the IS-IS HMAC-MD5 Authentication and Enhanced Clear Text Authentication Feature
Determining Platform Support Through Cisco Feature Navigator
Cisco IOS software is packaged in feature sets that are supported on specific platforms. To get updated information regarding platform support for this feature, access Cisco Feature Navigator. Cisco Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.
Cisco Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or release. Under the release section, you can compare releases side by side to display both the features unique to each software release and the features in common.
To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:
Availability of Cisco IOS Software Images
Platform support for particular Cisco IOS software releases is dependent on the availability of the software images for those platforms. Software images for some platforms may be deferred, delayed, or changed without prior notice. For updated information about platform support and availability of software images for each Cisco IOS software release, refer to the online release notes or Cisco Feature Navigator.
Contents
•
Prerequisites for IS-IS HMAC-MD5 Authentication and Enhanced Clear Text Authentication
•
•
•
Prerequisites for IS-IS HMAC-MD5 Authentication and Enhanced Clear Text Authentication
In order to use HMAC-MD5 or clear text authentication with encrypted keys, the Integrated IS-IS routing protocol must be configured.
Information About IS-IS HMAC-MD5 Authentication and Enhanced Clear Text Authentication
Before you configure IS-IS HMAC-MD5 authentication or clear text authentication, you should understand the following concepts:
•
•
•
IS-IS HMAC-MD5 Authentication
The IS-IS HMAC-MD5 authentication feature adds an HMAC-MD5 digest to each IS-IS PDU. HMAC is a mechanism for message authentication codes (MACs) using cyptographic hash functions. The digest allows authentication at the IS-IS routing protocol level, which prevents unauthorized routing messages from being injected into the network routing domain.
IS-IS has five packet types: link state packet (LSP), LAN Hello, Serial Hello, CSNP, and PSNP. The IS-IS HMAC-MD5 authentication or the clear text password authentication can be applied to all five types of PDU. The authentication can be enabled on different IS-IS levels independently. The interface-related PDUs (LAN Hello, Serial Hello, CSNP, and PSNP) can be enabled with authentication on different interfaces, with different levels and different passwords.
The HMAC-MD5 mode cannot be mixed with the clear text mode on the same authentication scope (LSP or interface). However, administrators can use one mode for LSP and another mode for some interfaces, for example. If mixed modes are intended, different keys should be used for different modes in order not to compromise the encrypted password in the PDUs.
Benefits of IS-IS HMAC-MD5 Authentication
•
•
•
•
Benefits of IS-IS Clear Text Authentication
IS-IS clear text (plain text) authentication was formerly configured only by using the area-password or domain-password command. Clear text authentication can now be configured using new commands that cause passwords to be encrypted when the software configuration is displayed and make passwords easier to manage and change.
How to Configure IS-IS HMAC-MD5 Authentication or Enhanced Clear Text Authentication
The following sections describe configuration tasks for IS-IS authentication. The task you perform depends on whether you are introducing authentication or migrating from an existing authentication scheme.
•
•
•
Configuring HMAC-MD5 Authentication or Clear Text Authentication for the First Time
Before you can configure authentication, you must make the following decisions:
•
•
Configuring HMAC-MD5 or Clear Text Authentication for the IS-IS Instance
To achieve a smooth transition to authenticating IS-IS packets, perform the following steps in the order shown, which requires moving from router to router doing certain steps before all the steps are performed on any one router.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
DETAILED STEPS
Configuring HMAC-MD5 or Clear Text Authentication for an IS-IS Interface
To achieve a smooth transition to authenticating IS-IS packets, perform the following steps in the order shown, which requires moving from router to router doing certain steps before all the steps are performed on any one router.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
DETAILED STEPS
Migrating from Old Clear Text Authentication to HMAC-MD5 Authentication
When you are migrating from the old clear text authentication to HMAC-MD5 authentication, after you load the first router with an image that includes this feature, the router will continue to use the old clear text authentication with other routers on the network.
Note
Before you can configure authentication, you must decide whether to configure authentication for the IS-IS instance or for individual IS-IS interfaces (both tasks are in this section).
Migrating from Old Clear Text Authentication to HMAC-MD5 Authentication for the IS-IS Instance
To achieve a smooth transition to authenticating IS-IS packets, perform the following steps in the order shown, which requires moving from router to router doing certain steps before all the steps are performed on any one router.
When you configure the MD5 authentication, the area-password and domain-password command settings will be overridden automatically with the new authentication commands.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
Migrating from Old Clear Text Authentication to HMAC-MD5 Authentication for an IS-IS Interface
Prerequisites
Before you can migrate from the old method of clear text authentication to HMAC-MD5 authentication at the interface level, you must upgrade all the routers associated with the media of the interfaces to the new image containing the HMAC-MD5 feature.
To achieve a smooth transition to authenticating IS-IS packets, it is important to perform the steps in the order shown, which requires moving from router to router doing certain steps before all the steps are performed on any one router.
When you configure the MD5 authentication, the isis password command setting will be overridden automatically with the new authentication commands.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
DETAILED STEPS
Migrating from Old Clear Text Authentication to the New Clear Text Authentication
The benefits of migrating from the old method of clear text authentication to the new method of clear text authentication are as follows:
•
•
Before you can configure authentication, you must decide whether to configure authentication for the IS-IS instance or for individual IS-IS interfaces (both tasks are in this section).
Migrating from Old Clear Text Authentication to the New Clear Text Authentication for the IS-IS Instance
To achieve a smooth transition to authenticating LSPs, perform the following steps in the order shown, which requires moving from router to router doing certain steps before all the steps are performed on any one router.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
Migrating from Old Clear Text Authentication to the New Clear Text Authentication for an IS-IS Interface
This section describes how to configure authentication on interface-related PDUs.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
DETAILED STEPS
Configuration Examples for IS-IS HMAC-MD5 Authentication and Enhanced Clear Text Authentication
This section provides the following configuration examples:
•
•
Configuring IS-IS HMAC-MD5 Authentication Example
The following example configures a key chain and key for IS-IS HMAC-MD5 authentication for Ethernet interface 3 (on Hello packets) and for the IS-IS instance (on LSP, CSNP, and PSNP packets):
!key chain ciscokey 100key-string tasman-drive!interface Ethernet3ip address 10.1.1.1 255.255.255.252ip router isis real_secure_networkisis authentication mode md5 level-1isis authentication key-chain cisco level-1!router isis real_secure_networknet 49.0000.0101.0101.0101.00is-type level-1authentication mode md5 level-1authentication key-chain cisco level-1!Configuring IS-IS Clear Text Authentication Example
The following example configures a key chain and key for IS-IS clear text authentication for Ethernet interface 3 (on Hello packets) and for the IS-IS instance (on LSP, CSNP, and PSNP packets):
!key chain ciscokey 100key-string tasman-drive!interface Ethernet3ip address 10.1.1.1 255.255.255.252ip router isis real_secure_networkisis authentication mode text level-1isis authentication key-chain cisco level-1!router isis real_secure_networknet 49.0000.0101.0101.0101.00is-type level-1authentication mode text level-1authentication key-chain cisco level-1!Additional References
For additional information related to IS-IS HMAC-MD5 authentication and clear text authentication, refer to the following references:
•
•
Related Documents
MIBs
No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
1 Not all supported MIBs are listed.
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
RFCs
draft-ietf-isis-hmac-03.txt
IS-IS Cryptographic Authentication
RFC 1321
The MD5 Message-Digest Algorithm
RFC 2104
HMAC: Keyed-Hashing for Message Authentication
1 Not all supported RFCs are listed.
Technical Assistance
Command Reference
This section documents the following new commands related to IS-IS HMAC-MD5 authentication. All other commands used with this feature are documented in the Cisco IOS Release 12.2 command reference publications.
•
•
This section also documents the following revised commands related to clear text authentication. All other commands used with this feature are documented in the Cisco IOS Release 12.2 command reference publications.
area-password
To configure the IS-IS area authentication password, use the area-password command in router configuration mode. To disable the password, use the no form of this command.
area-password password [authenticate snp {validate | send-only}]
no area-password [password]
Syntax Description
Defaults
No area password is defined, and area password authentication is disabled.
Command Modes
Router configuration
Command History
10.0
This command was introduced.
12.0(21)ST
The authenticate snp, validate, and send-only keywords were added.
Usage Guidelines
Using the area-password command on all routers in an area will prevent unauthorized routers from injecting false routing information into the link-state database.
This password is exchanged as plain text and thus this feature provides only limited security.
This password is inserted in Level 1 (station router level) PDU link-state packets (LSPs), complete sequence number PDUs (CSNPs), and partial sequence number PDUs (PSNP).
If you do not specify the authenticate snp keyword along with either the validate or send-only keyword, then the IS-IS routing protocol does not insert the password into SNPs.
Examples
The following example assigns an area authentication password and specifies that the password be inserted in SNPs and checked in SNPs that the system receives:
router isisarea-password track authenticate snp validateRelated Commands
Configures the IS-IS routing domain authentication password.
isis password
Configures the authentication password for an interface.
authentication key-chain
To enable authentication for Intermediate System-to-Intermediate System (IS-IS), use the authentication key-chain command in router configuration mode. To disable such authentication, use the no form of this command.
authentication key-chain name-of-chain [level-1 | level-2]
no authentication key-chain name-of-chain [level-1 | level-2]
Syntax Description
Defaults
No key chain authentication is provided for IS-IS packets at the router level.
Command Modes
Router configuration
Command History
Usage Guidelines
If no key chain is configured with the key chain command, no key chain authentication is performed.
Key chain authentication could apply to clear text authentication or MD5 authentication. The mode is determined by the authentication mode command.
Only one authentication key chain is applied to IS-IS at one time. That is, if you configure a second authentication key-chain command, the first is overridden.
If neither the level-1 nor level-2 keyword is configured, the chain applies to both levels.
You can specify authentication for an individual IS-IS interface by using the isis authentication key-chain command.
Examples
The following example configures IS-IS to accept and send any key belonging to the key chain named site1:
router isis real_secure_networknet 49.0000.0101.0101.0101.00is-type level-1authentication mode md5 level-1authentication key-chain site1 level-1Related Commands
authentication mode
To specify the type of authentication used in IS-IS packets for the IS-IS instance, use the authentication mode command in router configuration mode. To restore clear text authentication, use the no form of this command.
authentication mode {md5 | text} [level-1 | level-2]
no authentication mode
Syntax Description
Defaults
No authentication is provided for IS-IS packets at the router level by use of this command, although clear text (plain text) authentication could be configured by other means, such as the area-password command or the domain-password command.
Command Modes
Router configuration
Command History
Usage Guidelines
If neither the level-1 nor level-2 keyword is configured, the mode applies to both levels.
You can specify the type of authentication and the level to which it applies for a single IS-IS interface, rather than per IS-IS instance, by using the isis authentication mode command.
If you had clear text authentication configured by using the area-password or domain-password command, the authentication mode command overrides both of those commands.
If you configure the authentication mode command and subsequently try to configure the area-password or domain-password command, you will not be allowed to do so. If you truly want to configure clear text authentication using the area-password or domain-password command, you must use the no authentication mode command first.
Examples
The following example configures for the IS-IS instance that MD5 authentication is performed on Level 1 packets:
router isis real_secure_networknet 49.0000.0101.0101.0101.00is-type level-1authentication mode md5 level-1authentication key-chain cities level-1Related Commands
authentication send-only
To specify for the IS-IS instance that authentication is performed only on IS-IS packets being sent (not received), use the authentication send-only command in router configuration mode. To configure for the IS-IS instance that if authentication is configured at the router level, such authentication be performed on packets being sent and received, use the no form of this command.
authentication send-only [level-1 | level-2]
no authentication send-only
Syntax Description
Defaults
If authentication is configured at the router level, it applies to IS-IS packets being sent and received.
Command Modes
Router configuration
Command History
Usage Guidelines
Use this command before configuring the authentication mode and authentication key chain so that the implementation of authentication goes smoothly. That is, the routers will have more time for the keys to be configured on each router if authentication is inserted only on the packets being sent, not checked on packets being received. After all of the routers that must communicate are configured with this command, enable the authentication mode and key chain on each router. Then specify the no authentication send-only command to disable the send-only feature.
If neither the level-1 nor level-2 keyword is configured, the send-only feature applies to both levels.
This command could apply to clear text authentication or MD5 authentication. The mode is determined by the authentication mode command.
Examples
The following example configures IS-IS Level 1 packets to use clear text authentication on packets being sent (not received):
router isis real_secure_networknet 49.0000.0101.0101.0101.00is-type level-1authentication send-only level-1authentication mode text level-1authentication key-chain cities level-1Related Commands
debug isis authentication
To enable debugging of IS-IS authentication, use the debug isis authentication command in privileged EXEC mode. To disable such debug output, use the no form of this command.
debug isis authentication information
no debug isis authentication information
Syntax Description
Defaults
No default behavior or values.
Command Modes
Privileged EXEC
Command History
Examples
The following example displays output from the debug isis authentication command with the information keyword:
Router# debug isis authentication information3d03h:ISIS-AuthInfo:No auth TLV found in received packet3d03h:ISIS-AuthInfo:No auth TLV found in received packetThe sample output indicates that the router has been running for 3 days and 3 hours. Debug output is about IS-IS authentication information. The local router is configured for authentication, but it received a packet that does not contain authentication data; the remote router does not have authentication configured.
domain-password
To configure the IS-IS routing domain authentication password, use the domain-password command in router configuration mode. To disable a password, use the no form of this command.
domain-password password [authenticate snp {validate | send-only}]
no domain-password [password]
Syntax Description
Defaults
No domain password is specified and no authentication is enabled for exchange of Level 2 routing information.
Command Modes
Router configuration
Command History
10.0
This command was introduced.
12.0(21)ST
The authenticate snp, validate, and send-only keywords were added.
Usage Guidelines
This password is exchanged as plain text and thus this feature provides only limited security.
This password is inserted in Level 2 (area router level) PDU link-state packets (LSPs), complete sequence number PDUs (CSNPs), and partial sequence number PDUs (PSNPs).
If you do not specify the authenticate snp keyword along with either the validate or send-only keyword, then the IS-IS routing protocol does not insert the password into SNPs.
Examples
The following example assigns an authentication password to the routing domain and specifies that the password be inserted in SNPs and checked in SNPs that the system receives:
router isisdomain-password users2j45 authenticate snp validateRelated Commands
Configures the IS-IS area authentication password.
isis password
Configures the authentication password for an interface.
isis authentication key-chain
To enable authentication for an IS-IS interface, use the isis authentication key-chain command in interface configuration mode. To disable such authentication, use the no form of this command.
isis authentication key-chain name-of-chain [level-1 | level-2]
no isis authentication key-chain name-of-chain [level-1 | level-2]
Syntax Description
Defaults
No key chain authentication is configured for a specific IS-IS interface, although it might be configured at the IS-IS instance level.
Command Modes
Interface configuration
Command History
Usage Guidelines
If no key chain is configured with the key chain command, no key chain authentication is performed.
Only one authentication key chain is applied to an IS-IS interface at one time. That is, if you configure a second isis authentication key-chain command, the first is overridden.
If neither the level-1 nor level-2 keyword is configured, the chain applies to both levels.
You can specify authentication for an entire instance of IS-IS instead of at the interface level by using the authentication key-chain command.
Examples
The following example configures Ethernet interface 0 to accept and send any key belonging to the key chain named trees:
interface Ethernet0ip address 10.1.1.1 255.255.255.252ip router isis real_secure_networkisis authentication mode md5 level-1isis authentication key-chain trees level-1Related Commands
Enables authentication for IS-IS at the instance level.
key chain
Enables authentication for routing protocols.
isis authentication mode
To specify the type of authentication used for an IS-IS interface, use the isis authentication mode command in interface configuration mode. To restore clear text authentication, use the no form of this command.
isis authentication mode {md5 | text} [level-1 | level-2]
no isis authentication mode
Syntax Description
Defaults
No authentication is provided for IS-IS packets on an interface level, although authentication could be provided at the IS-IS instance level by several means.
Command Modes
Interface configuration
Command History
Usage Guidelines
If neither the level-1 nor level-2 keyword is configured, the mode applies to both levels.
If you had clear text authentication configured by using the area-password or domain-password command, the authentication mode command overrides both of those commands.
If you configure the isis authentication mode command and subsequently try to configure the area-password or domain-password command, you will not be allowed to do so. If you truly want to configure clear text authentication using the area-password or domain-password command, you must use the no isis authentication mode command first.
You can specify the type of authentication and the level to which it applies for the entire IS-IS instance, rather than per interface, by using the authentication mode command.
Examples
The following example configures IS-IS Level 2 packets to use MD5 authentication on Ethernet interface 0:
interface Ethernet0ip address 10.1.1.1 255.255.255.252ip router isis real_secure_networkisis authentication mode md5 level-2isis authentication key-chain cisco level-2Related Commands
isis authentication send-only
To specify that authentication is performed only on packets being sent (not received) on a specified IS-IS interface, use the isis authentication send-only command in interface configuration mode. To restore the default value, use the no form of this command.
isis authentication send-only [level-1 | level-2]
no isis authentication send-only
Syntax Description
Defaults
If MD5 authentication is configured at the interface level, it applies to IS-IS packets being sent and received over all interfaces.
Command Modes
Interface configuration
Command History
Usage Guidelines
Use this command before configuring the authentication mode and authentication key chain so that the implementation of authentication goes smoothly. That is, the routers will have more time for the keys to be configured on each router if authentication is inserted only on the packets being sent, not checked on packets being received. After all of the routers that must communicate are configured with this command, enable the authentication mode and key chain on each router. Then specify the no isis authentication send-only command to disable the send-only feature.
If neither the level-1 nor level-2 keyword is configured, the send-only feature applies to both levels.
Examples
The following example configures IS-IS Level-1 packets to use MD5 authentication on packets being sent (not received) on Ethernet interface 0:
interface Ethernet0ip address 10.1.1.1 255.255.255.252ip router isis real_secure_networkisis authentication send-only level-1isis authentication mode md5 level-1isis authentication key-chain cisco level-1Related Commands
