Re: ISIS: How to enable AREA authentication for L1/L2 router?

From: Peter van Oene (pvo@usermail.com)
Date: Tue Feb 04 2003 - 15:17:16 GMT-3


At 09:53 AM 2/4/2003 +0000, Sage Vadi wrote:
>Peter,
>
>As I have said - this is a L1 AND L2 router.

Not sure what you mean here? I understand it is an L1L2 router, but why
the two nets? Most of your configurations thus far seem to indicate that
you are trying to make ISIS look like OSPF.

>Consequently does that mean that we can't use AREA
>authentication?

My understanding is that the IOS uses area-password to populate the TLV10
in L1 LSPs and domain-password to populate L2 LSPs. Of course, prior to
draft-ietf-isis-hmac-03.txt, ISIS carries the pw in clear text so it isn't
all that useful and subsequently not heavily used.

>PS - Domain Pass goes through all LSPs.

This doesn't jive with my understanding, though I don't have routers handy
to test. In ISIS, the domain usually refers to the set of L2 routers.

Here is an excerpt from 1195

The password shall be configured on a per-link, per-area, and per-domain
basis. Specifically, when this form of authentication is used:
- IS-IS Hello and 9542 IS Hello packets shall contain the per-link password
- Level 1 Link State Packets shall contain the per-area password
- Level 2 Link State Packets shall contain the per-domain password
- Level 1 Sequence Number Packets shall contain the per-area password
- Level 2 Sequence Number Packets shall contain the per-domain password

Here is similar text from draft-ietf-isis-hmac-03.txt

When calculating the HMAC-MD5 result for Sequence Number PDUs and IS-IS
HELLO PDUs, Level 1 Sequence Number PDUs SHALL use the Area Authentication
string as in Level 1 Link State PDUs. Level 2 Sequence Number PDUs shall
use the domain authentication string as in Level 2 Link State PDUs. IS-IS
HELLO PDUs SHALL use the Link Level Authentication String, which MAY be
different from that of Link State PDUs. The HMAC-MD5 result for the IS-IS
HELLO PDUs SHALL be calculated after the Packet is padded to the MTU size,
if padding is not disabled.

>Cheers,
>Sage
>
>
> --- Peter van Oene <pvo@usermail.com> wrote:
> > At 08:19 AM 2/4/2003 +0000, Sage Vadi wrote:
> > >All,
> > >
> > >router isis
> > >net 56.7891.1ade.0001.7777.7777.7777.00
> > >net 56.7891.1ade.0003.7777.7777.7777.00
> > >redistribute isis ip level-1 into level-2 dist-list x
> > >domain-password lol
> > >metric-style wide
> >
> > domain-password should populate L2 LSP's while
> > area-password populates L1
> > if I recall correctly. Any reason why the two
> > nets?
> >
> >
> >
> >
> > >Q) How would I enable AREA authentication for a router
> > >that is both a Level1 and Level2 router. From
> > >documentation it seems that a AREA authentication has
> > >to be configured for routers in the SAME area. Does
> > >that mean then - that a Level1/2 router cannot be
> > >configured with AREA authentication?
> > >
> > >Cheers,
> > >Sage
> > >
> > >__________________________________________________
> > >Do You Yahoo!?
> > >Everything you'll ever need on one web page
> > >from News and Sport to Email and Music Charts
> > >http://uk.my.yahoo.com
> > >.
> >
> > >__________________________________________________________________
> > >To unsubscribe from the CCIELAB list, send a message to
> > >majordomo@groupstudy.com with the body containing:
> > >unsubscribe ccielab
> >
> >
>
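As an added illustration (not part of this thread, and not IOS code), here is a small Python model of the password scoping quoted above from RFC 1195 and draft-ietf-isis-hmac-03: the per-link string covers hellos, the per-area string covers Level 1 LSPs and SNPs, the per-domain string covers Level 2 LSPs and SNPs, and the hello HMAC-MD5 is taken over the packet after padding to the MTU. The PDU kind names, the key dictionary layout and the padding-TLV handling are my simplifications; the domain password "lol" is the one from the quoted configuration, and the other strings are constructed.

```python
import hashlib
import hmac

# Simplified PDU kinds from the RFC 1195 / draft-ietf-isis-hmac text (names are mine).
IIH, L1_LSP, L2_LSP, L1_SNP, L2_SNP = "IIH", "L1_LSP", "L2_LSP", "L1_SNP", "L2_SNP"

# Which configured string authenticates each PDU kind: per-link for hellos,
# per-area for Level 1 LSPs/SNPs, per-domain for Level 2 LSPs/SNPs.
PDU_SCOPE = {IIH: "link", L1_LSP: "area", L2_LSP: "domain",
             L1_SNP: "area", L2_SNP: "domain"}

def select_key(pdu_kind, keys):
    """Pick the string an L1/L2 router must use for this PDU.
    keys maps a scope ("link", "area", "domain") to its configured string;
    a missing scope means PDUs of that level cannot be authenticated."""
    scope = PDU_SCOPE[pdu_kind]
    if scope not in keys:
        raise KeyError(f"{pdu_kind} needs the per-{scope} string, which is not configured")
    return keys[scope].encode()

def pad_to_mtu(pdu, mtu):
    """Append padding TLVs (type 8, up to 255 value bytes each) until the
    PDU reaches the MTU; a final odd byte that cannot hold a TLV header
    is left unused (simplification of the real hello padding)."""
    out = bytearray(pdu)
    while mtu - len(out) >= 2:
        n = min(255, mtu - len(out) - 2)
        out += bytes([8, n]) + bytes(n)
    return bytes(out)

def authenticate(pdu_kind, pdu, keys, mtu=1497, padding=True):
    """Return (bytes covered, HMAC-MD5 digest). Only hellos are padded, and
    per the draft the hello digest is computed over the padded packet.
    Real implementations also zero the authentication value, checksum and
    remaining-lifetime fields first; that detail is omitted here."""
    covered = pad_to_mtu(pdu, mtu) if pdu_kind == IIH and padding else bytes(pdu)
    return covered, hmac.new(select_key(pdu_kind, keys), covered, hashlib.md5).digest()

def verify(pdu_kind, pdu, digest, keys, mtu=1497, padding=True):
    """True if a receiver with its own configured strings recomputes the same digest."""
    try:
        _, expected = authenticate(pdu_kind, pdu, keys, mtu, padding)
    except KeyError:
        return False
    return hmac.compare_digest(expected, digest)

# Constructed samples: the quoted config sets only domain-password "lol",
# so DOMAIN_ONLY has nothing to authenticate Level 1 PDUs with.
SENDER = {"link": "linkpw", "area": "areapw", "domain": "lol"}
DOMAIN_ONLY = {"link": "linkpw", "domain": "lol"}
```

Running `verify(L1_LSP, ..., DOMAIN_ONLY)` shows why a router configured with only domain-password cannot check Level 1 LSPs, while the hello case shows that a padding mismatch between the two ends breaks the HMAC even when the link string matches.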



This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:07 GMT-3