RE: Isis authentication - New Feature

From: Alexander Arsenyev (GU/ETL) (alexander.arsenyev@ericsson.com)
Date: Wed Apr 20 2005 - 09:44:43 GMT-3


Hello,

I believe ISIS interface authentication means the password (ok, it's a wrong word, TLV#10 would be more appropriate) is carried in ISIS Hellos only.
http://www.cisco.com/warp/public/97/isis_authent.html#intfaceauth
So 'configure authentication just on hellos' means ISIS interface authentication for me.
Also, I believe that one could separately toggle C(P)SNP authentication on/off with new "authenticate snp" keyword in "area password" and "domain password" IOS commands.
HTH,
Cheers
Alex
#13405

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]
Sent: 20 April 2005 09:15
To: gladston@br.ibm.com
Cc: ccielab@groupstudy.com
Subject: RE: Isis authentication - New Feature

Hi Gladston,

I'd say yes, but it is a little tricky.

I think that formally all packets between the neighbors will be
authenticated, not just the hellos. There will not be any authentication
inside the LSPs themselves though, just on the packets between the
routers.

On the other hand as far as I know there's no way to tweak which packets
will be authenticated, so interface authentication is the best possible
answer.

Regards,

Tom Lijnse

CCIE#11031

Global Knowledge

  _____

From: gladston@br.ibm.com [mailto:gladston@br.ibm.com]
Sent: Tuesday 19 April 2005 19:17
To: Tom Lijnse
Cc: ccielab@groupstudy.com
Subject: RE: Isis authentication - New Feature

Thanks a lot!!!

So, if the task says: --'Configure authentication just on hellos' --
would the new format configured just on interfaces do what was asked?

Cordially,
Gladston

"Tom Lijnse" <Tom.Lijnse@globalknowledge.nl>
19/04/2005 06:58
To: Alaerte Gladston Vidali/Brazil/IBM@IBMBR, <ccielab@groupstudy.com>
cc:
Subject: RE: Isis authentication - New Feature

Hi,

Key to this is the last quote in your email:

quoted
When area authentication is configured, the password is carried in the
L1 LSPs...

With the old commands you had to be aware that "Area" authentication
means authentication of level-1 LSPs, "Domain" means authentication of
level-2 LSPs and authentication on the interface authenticates hellos.

So when a task requires "Area authentication" that means that you're
required to authenticate all level-1 LSPs for that area. In the new
syntax that is expressed by simply using the level-1 keyword under the
routing process like this:

router isis
 authentication mode md5 level-1
 authentication key-chain TEST level-1

Hope this helps,

Tom Lijnse

CCIE#11031
Global Knowledge

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of gladston@br.ibm.com
Sent: Monday 18 April 2005 22:34
To: ccielab@groupstudy.com
Subject: Isis authentication - New Feature

Do the Area and Domain authentication still make sense after the new
feature MD5 for ISIS authentication?

The explanation on DOC CD for this new feature does not talk about
Domain or Area authentication.

If it does, how would it be Area authentication using MD5?

I just found examples explaining MD5 authentication for interface and
routing process, and within the routing process there is no option for
domain or area.

Would a question like this be possible?
"Configure area authentication using MD5"

New Feature
====================
quoted
IS-IS has five packet types: link state packet (LSP), LAN Hello, Serial
Hello, CSNP, and PSNP. The IS-IS HMAC-MD5 authentication or the clear
text password authentication can be applied to all five types of PDU.
The authentication can be enabled on different IS-IS levels
independently. The interface-related PDUs (LAN Hello, Serial Hello,
CSNP, and PSNP) can be enabled with authentication on different
interfaces, with different levels and different passwords.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122s/122snwft/release/122s14/ftismd5.htm
====================

===================
quoted
When area authentication is configured, the password is carried in the
L1 LSPs...

http://www.cisco.com/warp/public/97/isis_authent.html#areaauth
===================
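
The TLV 10 handling discussed in this thread, as an added example that is not part of the original messages: it reports which IS-IS PDU type a packet is, whether it carries the authentication TLV (cleartext or HMAC-MD5), and verifies the value the way RFC 5304 describes. The function names, the sample Hello and the keys are constructed for illustration.

```python
import hashlib
import hmac

# IS-IS PDU type numbers (low 5 bits of header byte 4), per ISO 10589.
PDU_NAMES = {15: "L1 LAN Hello", 16: "L2 LAN Hello", 17: "P2P Hello",
             18: "L1 LSP", 20: "L2 LSP",
             24: "L1 CSNP", 25: "L2 CSNP", 26: "L1 PSNP", 27: "L2 PSNP"}
AUTH_TLV, CLEARTEXT, HMAC_MD5 = 10, 1, 54

def find_auth(pdu: bytes):
    """Return (pdu_name, auth_type, value_offset, value_len), or None if no TLV 10."""
    if len(pdu) < 8 or pdu[0] != 0x83:
        raise ValueError("not an IS-IS PDU")
    name = PDU_NAMES.get(pdu[4] & 0x1F, "unknown")
    pos = pdu[1]                      # length indicator: offset where the TLVs start
    while pos + 2 <= len(pdu):
        tlv_type, tlv_len = pdu[pos], pdu[pos + 1]
        if pos + 2 + tlv_len > len(pdu):
            raise ValueError("truncated TLV")
        if tlv_type == AUTH_TLV and tlv_len >= 1:
            return name, pdu[pos + 2], pos + 3, tlv_len - 1
        pos += 2 + tlv_len
    return None

def verify(pdu: bytes, key: bytes) -> bool:
    """Check TLV 10 against key; a PDU without TLV 10 fails the check."""
    found = find_auth(pdu)
    if found is None:
        return False
    name, auth_type, off, n = found
    if auth_type == CLEARTEXT:
        return hmac.compare_digest(pdu[off:off + n], key)
    if auth_type != HMAC_MD5 or n != 16:
        return False
    buf = bytearray(pdu)
    buf[off:off + 16] = bytes(16)     # digest field is zeroed before hashing
    if name.endswith("LSP"):          # RFC 5304: lifetime and checksum zeroed too
        buf[10:12] = buf[24:26] = b"\x00\x00"
    digest = hmac.new(key, bytes(buf), hashlib.md5).digest()
    return hmac.compare_digest(pdu[off:off + 16], digest)

def sample_hello(key: bytes) -> bytes:
    """Constructed P2P Hello with an HMAC-MD5 TLV 10 (sample data, not a capture)."""
    # 8-byte common header, then circuit type, source ID, hold time, PDU length 39
    hdr = bytes([0x83, 20, 1, 0, 17, 1, 0, 0, 3, 0, 0, 0, 0, 0, 1, 0, 30, 0, 39, 1])
    buf = bytearray(hdr + bytes([AUTH_TLV, 17, HMAC_MD5]) + bytes(16))
    buf[-16:] = hmac.new(key, bytes(buf), hashlib.md5).digest()
    return bytes(buf)
```

For LSPs the remaining lifetime and checksum are excluded from the digest because routers change them as the LSP is flooded.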



This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:55:03 GMT-3