ME60 V800R010C10SPC500 Configuration Guide - IP Routing 01
Improving IS-IS Network Security

On a network that requires high security, you can configure IS-IS authentication and, in addition, the IS-IS optional checksum.

Usage Scenario

IS-IS authentication or optional checksum can improve IS-IS network security.
  • IS-IS authentication encapsulates authentication information into Hello packets, Link State Protocol Data Units (LSPs), and Sequence Number Protocol Data Units (SNPs). After an IS-IS device receives the packets, it checks whether the encapsulated authentication information is correct. The IS-IS device only accepts the packets with correct authentication information. The authentication mechanism enhances IS-IS network security. IS-IS authentication consists of area authentication, routing domain authentication, and interface authentication.

    IS-IS authentication ensures that the data is correctly transmitted at the network layer.

  • IS-IS optional checksum encapsulates checksum Type-Length-Values (TLVs) into SNPs and Hello packets. After an IS-IS device receives the packets, it checks whether the checksum TLVs are correct. The IS-IS device only accepts the packets with correct checksum TLVs. The checksum mechanism protects against corrupted or truncated packets; unlike authentication, it uses no secret and therefore does not by itself stop a deliberate attacker.

    IS-IS optional checksum ensures that the data is correctly transmitted at the link layer.

Pre-configuration Tasks

Before configuring IS-IS authentication, complete the following tasks:

Configuration Procedures

Perform one or more of the following configurations as required.

Configuring IS-IS Authentication

After IS-IS authentication is configured, authentication information is encapsulated into Hello packets, LSPs, and SNPs so that the receiver can verify them. By default, authentication is not configured for IS-IS. Configuring authentication is recommended to ensure system security.

Context

Generally, IS-IS packets do not carry authentication information, and received packets are not authenticated. A forged Hello packet, LSP, or SNP is then accepted like any other, so an attacker with access to a link can inject routing information and divert or intercept traffic on the entire network. To address this issue, you can configure IS-IS authentication to improve network security. The three IS-IS authentication modes and their usage scenarios are as follows:
  • Area authentication: Authentication passwords are encapsulated into IS-IS packets in Level-1 areas. The receiver only accepts the packets that have been authenticated. Therefore, you need to configure IS-IS area authentication to authenticate packets in Level-1 areas.

  • Routing domain authentication: Authentication passwords are encapsulated into IS-IS packets in Level-2 areas. The receiver only accepts the packets that have been authenticated. Therefore, you need to configure IS-IS routing domain authentication to authenticate packets in Level-2 areas.

  • Interface authentication: The authentication information is encapsulated into IS-IS Hello packets. A neighbor relationship can be established only after IS-IS Hello packets are authenticated. Therefore, you need to configure interface authentication to authenticate neighbors.

NOTE:

When configuring IS-IS authentication, the authentication mode and passwords of the routers in the same area must be consistent so that IS-IS packets can be flooded normally.

An IS-IS neighbor relationship cannot be established if interface authentication fails. An IS-IS neighbor relationship can be established regardless of whether IS-IS area or routing domain authentication succeeds; however, Level-1 or Level-2 LSPs and SNPs that fail area or routing domain authentication are discarded, so a neighbor with a mismatched area or domain key comes up as a neighbor without its routes being learned.

When configuring an authentication password, select the ciphertext mode, because in simple text mode the password is saved in the configuration file in plain text, which is a high risk. To ensure device security, change the password periodically.

Procedure

  • Configure IS-IS area authentication.
    1. Run system-view

      The system view is displayed.

    2. Run isis [ process-id ]

      The IS-IS view is displayed.

    3. Run area-authentication-mode { simple { plain plain-text | [ cipher ] plain-cipher-text } | md5 { [ cipher ] plain-cipher-text | plain plain-text } } [ ip | osi ] [ snp-packet { authentication-avoid | send-only } | all-send-only ]

      Or area-authentication-mode keychain keychain-name [ snp-packet { authentication-avoid | send-only } | all-send-only ]

      Or area-authentication-mode hmac-sha256 key-id key-id { plain plain-text | [ cipher ] plain-cipher-text } [ snp-packet { authentication-avoid | send-only } | all-send-only ]

      The area authentication mode is configured.

      If the area-authentication-mode command is run, all Level-1 LSPs in the local LSDB that fail to be authenticated, and any newly received Level-1 LSPs and SNPs that fail to be authenticated, are discarded. Therefore, to prevent the existing Level-1 LSPs from being discarded while authentication is being rolled out to the other routers in the area, specify all-send-only in the command (the only option that leaves received LSPs unauthenticated), and re-run the command without it once every router carries the same mode and password.

      To ensure high security, do not use the MD5 algorithm. It is recommended that you enable authentication and use the HMAC-SHA256 algorithm to improve security, preventing route information from being modified by unauthorized users.

      IS-IS authentication involves the following situations:
      • The device encapsulates authentication information into the LSPs and SNPs it sends and authenticates received LSPs and SNPs. LSPs and SNPs that cannot be authenticated are discarded. In this case, neither snp-packet nor all-send-only is specified.

      • The device encapsulates authentication information into the LSPs it sends and authenticates received LSPs, but neither encapsulates authentication information into the SNPs it sends nor authenticates received SNPs. In this case, snp-packet authentication-avoid needs to be specified.

      • The device encapsulates authentication information into the LSPs and SNPs it sends but authenticates only received LSPs. In this case, snp-packet send-only needs to be specified.

      • The device encapsulates authentication information into the LSPs and SNPs it sends but does not authenticate received LSPs or SNPs. In this case, all-send-only needs to be specified.

    4. Run commit

      The configuration is committed.

  • Configure IS-IS routing domain authentication.
    1. Run system-view

      The system view is displayed.

    2. Run isis [ process-id ]

      The IS-IS view is displayed.

    3. Run domain-authentication-mode { simple { plain plain-text | cipher plain-cipher-text } | md5 { [ cipher ] plain-cipher-text | plain plain-text } } [ ip | osi ] [ snp-packet { authentication-avoid | send-only } | all-send-only ]

      Or domain-authentication-mode keychain keychain-name [ snp-packet { authentication-avoid | send-only } | all-send-only ]

      Or domain-authentication-mode hmac-sha256 key-id key-id { plain plain-text | [ cipher ] plain-cipher-text } [ snp-packet { authentication-avoid | send-only } | all-send-only ]

      The routing domain authentication mode is configured.

      If the domain-authentication-mode command is run, all Level-2 LSPs in the local LSDB that fail to be authenticated, and any newly received Level-2 LSPs and SNPs that fail to be authenticated, are discarded. Therefore, to prevent the existing Level-2 LSPs from being discarded while authentication is being rolled out to the other routers in the routing domain, specify all-send-only in the command (the only option that leaves received LSPs unauthenticated), and re-run the command without it once every router carries the same mode and password.

      To ensure high security, do not use the MD5 algorithm. It is recommended that you enable authentication and use the HMAC-SHA256 algorithm to improve security, preventing route information from being modified by unauthorized users.

      IS-IS authentication involves the following situations:
      • The device encapsulates authentication information into the LSPs and SNPs it sends and authenticates received LSPs and SNPs. LSPs and SNPs that cannot be authenticated are discarded. In this case, neither snp-packet nor all-send-only is specified.

      • The device encapsulates authentication information into the LSPs it sends and authenticates received LSPs, but neither encapsulates authentication information into the SNPs it sends nor authenticates received SNPs. In this case, snp-packet authentication-avoid needs to be specified.

      • The device encapsulates authentication information into the LSPs and SNPs it sends but authenticates only received LSPs. In this case, snp-packet send-only needs to be specified.

      • The device encapsulates authentication information into the LSPs and SNPs it sends but does not authenticate received LSPs or SNPs. In this case, all-send-only needs to be specified.

    4. Run commit

      The configuration is committed.

  • Configure IS-IS interface authentication.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run isis authentication-mode { simple { plain plain-text | cipher plain-cipher-text } | md5 { [ cipher ] plain-cipher-text | plain plain-text } } [ level-1 | level-2 ] [ ip | osi ] [ send-only ]

      Or isis authentication-mode keychain keychain-name [ level-1 | level-2 ] [ send-only ]

      Or isis authentication-mode hmac-sha256 key-id key-id { plain plain-text | [ cipher ] plain-cipher-text } [ level-1 | level-2 ] [ send-only ]

      The IS-IS authentication mode and password are configured on the interface.

      NOTE:

      To ensure high security, do not use the MD5 algorithm. It is recommended that you enable authentication and use the HMAC-SHA256 algorithm to improve security, preventing route information from being modified by unauthorized users.

      When you select parameters, note the following rules:
      • If send-only is specified, the ME device encapsulates authentication information into the Hello packets it sends but does not authenticate received Hello packets. A neighbor relationship can then be set up both with a peer that does not require authentication and with a peer that authenticates the Hello packets, which makes send-only suitable while authentication is being rolled out link by link.

      • If send-only is not configured, ensure that passwords of all interfaces with the same level in the same network are consistent.

      • level-1 and level-2 can be set only on Ethernet interfaces.

      • When IS-IS interfaces are Level-1-2 interfaces and neither level-1 nor level-2 is specified in the command, the authentication mode and password are configured for both Level-1 and Level-2 Hello packets.

    4. Run commit

      The configuration is committed.

Configuring the Optional Checksum

The optional checksum encapsulates optional checksum Type-Length-Values (TLVs) into SNPs and Hello packets. After an IS-IS device receives the packets, it checks whether the checksum TLVs are correct, which improves network security.

Context

The optional checksum encapsulates optional checksum TLVs into the Complete Sequence Numbers Protocol Data Units (CSNPs), Partial Sequence Number Protocol Data Units (PSNPs), and Hello packets sent by IS-IS devices. When the peer device receives the encapsulated packets, it checks whether TLVs carried in the packets are correct. If TLVs are not correct, the peer device discards the packets for network security.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run isis

    An IS-IS process is created, and the IS-IS view is displayed.

  3. Run optional-checksum enable

    IS-IS optional checksum is enabled.

    NOTE:

    If MD5 authentication, or keychain authentication whose active key uses MD5, is configured on an IS-IS interface or area, IS-IS devices send Hello packets and SNPs without checksum TLVs but still verify the checksum of received packets that carry one.

  4. Run commit

    The configuration is committed.
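The following CLI transcript is an added example, not taken from this guide, that ties together the area, routing domain and interface authentication procedures above and the optional checksum procedure. It assumes a two-router Level-1-2 topology (R1 and R2, IS-IS process 1), interface GigabitEthernet0/2/0 on each router with addresses in 10.1.12.0/24, NETs in area 49.0001, and the placeholder keys L1-Area-Key-2019, L2-Domain-Key-2019 and Link12-Key-2019; all of these names, addresses and keys are constructed for illustration. Phase 1 enables HMAC-SHA256 authentication in send-only form so that nothing received is rejected while the other routers are still being configured; phase 2 re-runs the same commands without the send-only options once every router carries the same mode, key ID and key, which is when received Hello packets, LSPs and SNPs start being verified and discarded on failure.

```text
# Phase 1 on R1: authentication is sent but not yet enforced on receipt.
<R1> system-view
[~R1] isis 1
[*R1-isis-1] is-level level-1-2
[*R1-isis-1] network-entity 49.0001.0000.0000.0001.00
[*R1-isis-1] area-authentication-mode hmac-sha256 key-id 1 cipher L1-Area-Key-2019 all-send-only
[*R1-isis-1] domain-authentication-mode hmac-sha256 key-id 1 cipher L2-Domain-Key-2019 all-send-only
[*R1-isis-1] optional-checksum enable
[*R1-isis-1] quit
[*R1] interface GigabitEthernet0/2/0
[*R1-GigabitEthernet0/2/0] ip address 10.1.12.1 255.255.255.0
[*R1-GigabitEthernet0/2/0] isis enable 1
[*R1-GigabitEthernet0/2/0] isis authentication-mode hmac-sha256 key-id 1 cipher Link12-Key-2019 send-only
[*R1-GigabitEthernet0/2/0] quit
[*R1] commit

# Phase 1 on R2: different NET and address, identical modes, key IDs and keys.
<R2> system-view
[~R2] isis 1
[*R2-isis-1] is-level level-1-2
[*R2-isis-1] network-entity 49.0001.0000.0000.0002.00
[*R2-isis-1] area-authentication-mode hmac-sha256 key-id 1 cipher L1-Area-Key-2019 all-send-only
[*R2-isis-1] domain-authentication-mode hmac-sha256 key-id 1 cipher L2-Domain-Key-2019 all-send-only
[*R2-isis-1] optional-checksum enable
[*R2-isis-1] quit
[*R2] interface GigabitEthernet0/2/0
[*R2-GigabitEthernet0/2/0] ip address 10.1.12.2 255.255.255.0
[*R2-GigabitEthernet0/2/0] isis enable 1
[*R2-GigabitEthernet0/2/0] isis authentication-mode hmac-sha256 key-id 1 cipher Link12-Key-2019 send-only
[*R2-GigabitEthernet0/2/0] quit
[*R2] commit

# Before enforcing, confirm on each router that the adjacency is Up and that
# the LSDB contains the peer's LSPs.
[~R1] display isis peer
[~R1] display isis lsdb verbose

# Phase 2, repeated on every router once phase 1 is complete everywhere:
# re-run the commands without all-send-only / send-only. From this point,
# Hello packets, LSPs and SNPs that fail HMAC-SHA256 verification are dropped.
[~R1] isis 1
[*R1-isis-1] area-authentication-mode hmac-sha256 key-id 1 cipher L1-Area-Key-2019
[*R1-isis-1] domain-authentication-mode hmac-sha256 key-id 1 cipher L2-Domain-Key-2019
[*R1-isis-1] quit
[*R1] interface GigabitEthernet0/2/0
[*R1-GigabitEthernet0/2/0] isis authentication-mode hmac-sha256 key-id 1 cipher Link12-Key-2019
[*R1-GigabitEthernet0/2/0] quit
[*R1] commit
```

Because the example uses HMAC-SHA256 rather than MD5, the routers also send the optional checksum TLV in their Hello packets and SNPs instead of only verifying it on receipt. After phase 2, a router whose interface key differs will drop out of display isis peer, whereas a router with a wrong area or domain key stays Up as a neighbor but its LSPs disappear from display isis lsdb verbose; checking both outputs distinguishes the two failure modes.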

Verifying the Configuration of Improving IS-IS Network Security

After improving IS-IS network security, check the IS-IS LSDB to determine whether IS-IS authentication succeeds.

Prerequisites

Configurations have been performed to improve IS-IS network security.

Procedure

  1. Run the display isis lsdb verbose command to check the information about IS-IS LSDB.

Example

Run the display isis lsdb verbose command. The command output shows that the authentication mode has been set to MD5, the password is set to abc, and that the authentication configurations on both ends are the same.

[~HUAWEI] display isis lsdb verbose
Updated: 2019-01-04

Document ID: EDOC1100059437