Attack Behavior
Attackers can capture correct Hello packets or link state packets on a network, construct attack packets that Intermediate System to Intermediate System (IS-IS) can identify, and send these packets to switches.
Security Policy
IS-IS authentication is an encryption method implemented based on network security requirements to prevent the preceding attack.
-
Interface authentication: After IS-IS interface authentication is configured, authentication information can be encapsulated into Hello packets to check the validity and correctness of neighbor relationships.
-
Area or domain authentication: After area or domain authentication is configured, authentication passwords are encapsulated into IS-IS packets, and only authenticated packets are accepted.
The authentication method can be simple authentication, MD5 authentication, or HMAC-SHA256 authentication. Simple authentication and MD5 authentication have potential security risks. HMAC-SHA256 authentication is recommended.
Configuration Method
-
Configure interface authentication.
Set the HMAC-SHA256 authentication password to admin@huawei and key ID to 33 on VLANIF100.
<HUAWEI> system-view [HUAWEI] isis [HUAWEI-isis-1] network-entity 01.0000.0000.0001.00 [HUAWEI-isis-1] quit [HUAWEI] interface vlanif 100 [HUAWEI-Vlanif100] isis enable 1 [HUAWEI-Vlanif100] isis authentication-mode hmac-sha256 key-id 33 cipher admin@huawei
-
Configure area or domain authentication.
-
Create IS-IS process 1.
<HUAWEI> system-view [HUAWEI] isis 1
-
Perform either of the following operations as required.
-
Area authentication: Set the authentication method to HMAC-SHA256, authentication password to admin@huawei, and key ID to 33.
[HUAWEI-isis-1] area-authentication-mode hmac-sha256 key-id 33 cipher admin@huawei -
Domain authentication: Set the authentication method to HMAC-SHA256, authentication password to admin@huawei, and key ID to 33
[HUAWEI-isis-1] domain-authentication-mode hmac-sha256 key-id 33 cipher admin@huawei
-
