Halting Md5 Authentication; Managing And Replacing Md5 Keys; Enabling And Disabling Authentication Of Csnps And Psnps - Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - IP-IPV6-IGP CONFIGURATION GUIDE 2010-10-31 Configuration Manual

JunosE 11.3.x IP, IPv6, and IGP Configuration Guide
using key 1 to transmit packets. When the current time reaches 10:00:00, the router
begins using key 2 to transmit packets; key 1 is no longer used. Key 2 will continue to be
used until a new key is configured and the new key's startGenTime matches the current
time on the router.
host1(config-router)#area-message-digest-key 1 hmac-md5 mr942s7n start-accept 08:00:00 start-generate 9:00:00 stop-accept 23:00:00 stop-generate 22:59:59
host1(config-router)#area-message-digest-key 2 hmac-md5 dsb38h5f start-accept 08:00:00 start-generate 10:00:00 stop-accept 23:00:00 stop-generate 22:59:59

Halting MD5 Authentication

To prevent key expiration from causing your network to revert to an unauthenticated
condition, you cannot halt MD5 authentication by using the timers. When the stopGenTime
time for a key is reached, the router does not stop generating the key if it was the last key
issued. You must delete all keys to halt authentication. Use the no version of the command
to delete a key.

Managing and Replacing MD5 Keys

A key has an infinite lifetime if you do not specify stopGenTime and stopAcceptTime.
(As noted previously, if the last key expires, the router continues to generate that key.)
Many system operators choose to change their keys on a regular basis, such as every
month. If you determine that a key is no longer secure, configure a new key immediately.
We recommend the following practice for configuring new keys:
1. Configure the new key on all routers in the IS-IS network.
2. Verify that the new key is working.
3. Delete the old key from every router.
Each key has an associated key-ID that you specify. The key-ID is sent with the message
digest, so that the receiving routers know which key was used to generate the digest. You
also use the key-ID to delete a key.
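The following is an added illustration (not Juniper code) that models the key-lifetime rules described in this section and in the configuration example above: the accept window, the hand-over to a newer key when its startGenTime is reached, and the rule that the last key issued keeps generating after its stopGenTime. The two keys, their secrets and the hand-over tie-break rule are taken from or assumed for the example above.

```python
from dataclasses import dataclass
from datetime import time
from typing import List, Optional


@dataclass
class Md5Key:
    """One area-message-digest-key entry. None for a stop time means the key never expires."""
    key_id: int
    secret: str
    start_accept: time
    start_generate: time
    stop_accept: Optional[time] = None
    stop_generate: Optional[time] = None


# Constructed sample: the two keys from the configuration example in this section.
KEYS = [
    Md5Key(1, "mr942s7n", time(8), time(9), time(23), time(22, 59, 59)),
    Md5Key(2, "dsb38h5f", time(8), time(10), time(23), time(22, 59, 59)),
]


def accepted_key_ids(keys: List[Md5Key], now: time) -> List[int]:
    """Key-IDs whose digests are accepted at wall-clock time `now` (accept window only)."""
    return [k.key_id for k in keys
            if k.start_accept <= now and (k.stop_accept is None or now <= k.stop_accept)]


def transmit_key_id(keys: List[Md5Key], now: time) -> Optional[int]:
    """Key-ID used to generate digests at `now`.

    Assumption: among keys whose startGenTime has passed, the most recently started
    key wins, so key 2 takes over from key 1 at exactly 10:00:00. A stopGenTime is
    honoured only while another generating key remains; the last key issued keeps
    generating, as described under "Halting MD5 Authentication".
    """
    started = sorted((k for k in keys if k.start_generate <= now), key=lambda k: k.start_generate)
    if not started:
        return None  # no key has reached its startGenTime yet
    unexpired = [k for k in started if k.stop_generate is None or now <= k.stop_generate]
    return (unexpired or started)[-1].key_id


def rollover_is_safe(keys: List[Md5Key], now: time) -> bool:
    """The key being generated must also lie inside its accept window; a peer with the
    same configuration would otherwise drop every PDU signed with it."""
    tx = transmit_key_id(keys, now)
    return tx is not None and tx in accepted_key_ids(keys, now)
```

Note that with the stop times shown above, after 23:00:00 the router still generates key 2 but no configured key is inside its accept window, which is why the recommended practice is to add the replacement key before the old one expires.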

Enabling and Disabling Authentication of CSNPs and PSNPs

When the E Series router interoperates with other vendors' routers in the same network,
you might want to enable or disable (suppress) authentication for some PDU types but
not for others. For example, some vendors' routing software might not authenticate any
PDUs, whereas other vendors' routing software might authenticate CSNPs and PSNPs
separately from LSPs.
To facilitate interoperability with other vendors' routers, the E Series router allows you
to enable and disable authentication of CSNPs and PSNPs separately from authentication
of LSPs by using the following commands:
The area-authentication { csnp | psnp } command enables or disables simple
authentication or HMAC MD5 authentication of IS-IS level 1 CSNP packets or PSNP
packets. By default, authentication of CSNPs and PSNPs is disabled.
The domain-authentication { csnp | psnp } command enables or disables simple
authentication or HMAC MD5 authentication of IS-IS level 2 CSNP packets or PSNP
packets. By default, authentication of CSNPs and PSNPs is disabled.
Copyright © 2010, Juniper Networks, Inc.
