Hmac Md5 Authentication; Md5 Authentication Example - Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - IP-IPV6-IGP CONFIGURATION GUIDE 2010-10-31 Configuration Manual

JunosE 11.3.x IP, IPv6, and IGP Configuration Guide
322

HMAC MD5 Authentication

When you enable IS-IS HMAC MD5 authentication (also referred to as MD5
authentication), the router computes a keyed message digest of each packet by
using the HMAC MD5 message-digest algorithm and the configured key. Each digest
is inserted into the packet from which it was created. Depending on the commands
you issue, the digests can be inserted into hello packets, link-state PDUs,
complete sequence number PDUs, and partial sequence number PDUs.

You can configure an HMAC MD5 authentication key by using the following commands:

The area-message-digest-key command specifies an HMAC MD5 key that the router
uses to create a message digest of each level 1 packet—LSPs, CSNPs, and
PSNPs—transmitted by area routers. Using MD5 authentication for area routers protects
against unauthorized routers injecting false routing information into the area portions
of your network. This command also enables MD5 authentication of level 1 LSPs.

The domain-message-digest-key command specifies an HMAC MD5 key that the
router uses to create a message digest of each level 2 packet—LSPs, CSNPs, and
PSNPs—transmitted by domain routers. Using MD5 authentication for domain routers
protects against unauthorized routers injecting false routing information into the routing
domain portions of your network. This command also enables MD5 authentication of
level 2 LSPs.

The isis message-digest-key command specifies an HMAC MD5 key that the router
uses to create a message digest of level 1 or level 2 hello packets on the interface. Level
1 packets are the default. Using MD5 authentication on interfaces protects against
intrusion by preventing unauthorized routers from forming adjacencies with your router.
This command also enables MD5 authentication of level 1 or level 2 hello packets.

These commands enable MD5 authentication of LSPs and (for the isis
message-digest-key command) hello packets only; they do not enable authentication
of CSNP and PSNP packets. To enable authentication of CSNPs or PSNPs, you must
issue either the area-authentication command or the domain-authentication command.
For information, see "Enabling and Disabling Authentication of CSNPs and PSNPs" on
page 324.

MD5 Authentication Example

In the example shown in Figure 19 on page 323, authentication is configured on router LA
and router SanDiego, but not on router SanJose. Router LA and router SanDiego accept
packets from each other because they contain message digests generated by an accepted
key. Router SanJose accepts packets from router LA and router SanDiego, and simply
ignores the message digest included in their packets. Router LA and router SanDiego
reject packets from router SanJose because those packets do not include a message
digest.
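
The accept and reject behavior of the three routers above, as an added Python example that is not taken from the Juniper guide or from JunosE. It assumes the RFC 5304 encoding (Authentication TLV type 10, authentication type 54, digest computed with the digest field zeroed) and simplifies the packet to a constructed payload with the TLV at the end; the key, payloads, and function names are constructed for illustration.

```python
import hashlib
import hmac

AUTH_TLV, HMAC_MD5, DIGEST_LEN = 10, 54, 16   # RFC 5304 values (assumed encoding)
TLV_HEAD = bytes([AUTH_TLV, 1 + DIGEST_LEN, HMAC_MD5])
# Constructed sample keys: LA and SanDiego share one, SanJose has none configured.
KEYS = {"LA": b"constructed-key", "SanDiego": b"constructed-key", "SanJose": None}


def digest(key, body):
    """HMAC-MD5 over the packet with the digest field set to zero."""
    return hmac.new(key, body + TLV_HEAD + bytes(DIGEST_LEN), hashlib.md5).digest()


def sign(body, key):
    """Sender side: append the authentication TLV, or send bare if no key."""
    if key is None:
        return body
    return body + TLV_HEAD + digest(key, body)


def accept(packet, key):
    """Receiver side: True if the packet passes this router's policy."""
    if key is None:
        return True                      # authentication off: digest is ignored
    split = len(packet) - len(TLV_HEAD) - DIGEST_LEN
    if split < 0 or packet[split:split + 3] != TLV_HEAD:
        return False                     # no digest present: reject
    body, received = packet[:split], packet[split + 3:]
    return hmac.compare_digest(received, digest(key, body))


def acceptance_matrix():
    """Map (sender, receiver) -> accepted, for every ordered pair of routers."""
    result = {}
    for sender, s_key in KEYS.items():
        packet = sign(b"constructed hello payload from " + sender.encode(), s_key)
        for receiver, r_key in KEYS.items():
            if sender != receiver:
                result[(sender, receiver)] = accept(packet, r_key)
    return result


if __name__ == "__main__":
    for (sender, receiver), ok in acceptance_matrix().items():
        print(f"{sender:>8} -> {receiver:<8} {'accept' if ok else 'reject'}")
```

The SanJose row shows the gap the text describes: a router without authentication accepts any packet, so the protection applies only to routers that have a key configured.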
Copyright © 2010, Juniper Networks, Inc.
