ME60 V800R010C10SPC500 Feature Description - WAN Access 01

IS-IS Authentication


Background

As the Internet develops, more data, voice, and video information are exchanged over the Internet. New services, such as e-commerce, online conferencing and auctions, video on demand, and distance learning, emerge gradually. The new services have high requirements for network security. Carriers need to prevent data packets from being intercepted or modified by attackers or unauthorized users. IS-IS authentication applies to the area or interface where packets need to be protected. Using IS-IS authentication enhances system security and helps carriers provide safe network services.

Related Concepts

Authentication Classification

Based on packet types, the authentication is classified as follows:

  • Interface authentication: is configured in the interface view to authenticate Level-1 and Level-2 IS-to-IS Hello PDUs (IIHs).

  • Area authentication: is configured in the IS-IS process view to authenticate Level-1 CSNPs, PSNPs, and LSPs.

  • Routing domain authentication: is configured in the IS-IS process view to authenticate Level-2 CSNPs, PSNPs, and LSPs.

Based on the authentication modes of packets, the authentication is classified into the following types:

  • Simple authentication: The authenticated party directly adds the configured password to packets for authentication. This authentication mode provides the lowest password security.

  • MD5 authentication: uses the MD5 algorithm to encrypt a password before adding the password to the packet, which improves password security.

  • Keychain authentication: further improves network security with a configurable key chain that changes with time.

  • HMAC-SHA256 authentication: uses the HMAC-SHA256 algorithm to encrypt a password before adding the password to the packet, which improves password security.

Implementation

IS-IS authentication encrypts IS-IS packets by adding the authentication field to packets to ensure network security. After receiving IS-IS packets from a remote router, a local router discards the packets if the authentication password in the packets differs from the locally configured one. This mechanism protects the local router.

IS-IS provides a type-length-value (TLV) to carry authentication information. The TLV components are as follows:

  • Type: indicates the type of a packet, which is 1 byte. The value defined by ISO is 10, whereas the value defined by IP is 133.

  • Length: indicates the length of the authentication TLV, which is 1 byte.

  • Value: indicates the authentication information, including authentication type and authenticated password, which ranges from 1 to 254 bytes. The authentication type is 1 byte:

    • 0: reserved
    • 1: simple authentication
    • 3: general authentication (currently only HMAC-SHA256 authentication)
    • 54: MD5 authentication
    • 255: private authentication
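
The TLV layout and the discard rule described above, as an added example (not Huawei's code and not part of the original document): it locates the authentication TLV, maps the authentication type byte, and makes the accept/discard decision for simple and MD5 modes. Computing HMAC-MD5 over the whole PDU with the 16 digest bytes zeroed is the RFC 5304 rule for IIHs and SNPs and is an assumption here (LSPs additionally zero the checksum and remaining lifetime, which is not handled); the function names, the `tlv_start` offset and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac

AUTH_TLV_TYPES = {10, 133}  # TLV Type: ISO-defined / IP-defined value
AUTH_TYPES = {0: "reserved", 1: "simple", 3: "general", 54: "md5", 255: "private"}

def iter_tlvs(buf, start=0):
    """Yield (offset, type, value) per TLV; raise on truncated input."""
    i = start
    while i < len(buf):
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError(f"malformed TLV at offset {i}")
        yield i, buf[i], buf[i + 2:i + 2 + buf[i + 1]]
        i += 2 + buf[i + 1]

def find_auth(pdu, tlv_start):
    """Return (offset, mode, data) for the first authentication TLV, else None."""
    for off, tlv_type, value in iter_tlvs(pdu, tlv_start):
        if tlv_type in AUTH_TLV_TYPES:
            if not 1 <= len(value) <= 254:
                raise ValueError("authentication value must be 1 to 254 bytes")
            return off, AUTH_TYPES.get(value[0], "unknown"), value[1:]
    return None

def md5_digest(pdu, off, key):
    """HMAC-MD5 over the whole PDU, digest bytes zeroed (assumed RFC 5304 rule)."""
    zeroed = pdu[:off + 3] + bytes(16) + pdu[off + 19:]
    return hmac.new(key, zeroed, hashlib.md5).digest()

def accept(pdu, tlv_start, mode, key):
    """Receiver decision: True = process the PDU, False = discard it."""
    found = find_auth(pdu, tlv_start)
    if found is None or found[1] != mode:
        return False  # missing TLV or authentication mode mismatch
    off, _, data = found
    if mode == "simple":
        return hmac.compare_digest(data, key)  # password is carried in cleartext
    if mode == "md5":
        return len(data) == 16 and hmac.compare_digest(data, md5_digest(pdu, off, key))
    return False  # other modes are not implemented in this example

# Constructed sample: 8 placeholder header bytes, one unrelated TLV, then the auth TLV.
HDR = bytes(8) + bytes([1, 4, 0x49, 0x00, 0x01, 0x02])
SIMPLE_PDU = HDR + bytes([10, 9, 1]) + b"lab-pass"
_blank = HDR + bytes([10, 17, 54]) + bytes(16)
MD5_PDU = _blank[:-16] + md5_digest(_blank, len(HDR), b"lab-key")
```

In simple mode the configured password is readable directly from the TLV value on the wire, while in MD5 mode any change to the PDU body invalidates the digest.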

Interface Authentication

Authentication passwords for IIHs are saved on interfaces. The interfaces send authentication packets with the authentication TLV. Interconnected router interfaces must be configured with the same password.

Area Authentication

Every router in an IS-IS area must use the same authentication mode and have the same key chain.

Routing Domain Authentication

Every Level-2 or Level-1-2 router in an IS-IS area must use the same authentication mode and have the same key chain.

For area authentication and routing domain authentication, you can set a router to authenticate SNPs and LSPs separately in the following ways:

  • A router sends LSPs and SNPs that carry the authentication TLV and verifies the authentication information of the LSPs and SNPs it receives.

  • A router sends LSPs that carry the authentication TLV and verifies the authentication information of the LSPs it receives. The router sends SNPs that carry the authentication TLV and does not verify the authentication information of the SNPs it receives.

  • A router sends LSPs that carry the authentication TLV and verifies the authentication information of the LSPs it receives. The router sends SNPs without the authentication TLV and does not verify the authentication information of the SNPs it receives.

  • A router sends LSPs and SNPs that carry the authentication TLV but does not verify the authentication information of the LSPs and SNPs it receives.

Updated: 2019-01-04

Document ID: EDOC1100059473
