ON THIS PAGE
Example: Configuring Hitless Authentication Key Rollover for IS-IS
This example shows how to configure hitless authentication key rollover for IS-IS.
Requirements
No special configuration beyond device initialization is required before configuring hitless authentication key rollover for IS-IS.
Overview
Authentication guarantees that only trusted routers participate in routing updates. This keychain authentication method is referred to as hitless because the keys roll over from one to the next without resetting any peering sessions or interrupting the routing protocol. Junos OS supports both RFC 5304, IS-IS Cryptographic Authentication and RFC 5310, IS-IS Generic Cryptographic Authentication.
This example includes the following statements for configuring the keychain:
-
algorithm—For each key in the keychain, you can specify an encryption algorithm. The algorithm can be SHA-1 or MD-5.
-
key—A keychain can have multiple keys. Each key within a keychain must be identified by a unique integer value. The range of valid identifier values is from 0 through 63.
-
key-chain—For each keychain, you must specify a name. This example defines two keychains: base-key-global and base-key-inter.
-
options—For each key in the keychain, you can specify the encoding for the message authentication code:isis-enhanced or basic. The basic (RFC 5304) operation is enabled by default.
When you configure the isis-enhanced option, Junos OS sends RFC 5310-encoded routing protocol packets and accepts both RFC 5304-encoded and RFC 5310-encoded routing protocol packets that are received from other devices.
When you configure basic (or do not include the options statement in the key configuration) Junos OS sends and receives RFC 5304-encoded routing protocols packets, and drops 5310-encoded routing protocol packets that are received from other devices.
Because this setting is for IS-IS only, the TCP and the BFD protocols ignore the encoding option configured in the key.
-
secret—For each key in the keychain, you must set a secret password. This password can be entered in either encrypted or plain text format in the secret statement. It is always displayed in encrypted format.
-
start-time—Each key must specify a start time based on UTC using the ISO 8601 format. Control gets passed from one key to the next. When a configured start time arrives (based on the routing device’s clock), the key with that start time becomes active. Start times are specified in the local time zone for a routing device and must be unique within the key chain.
You can apply a keychain globally to all interfaces or more granularly to specific interfaces.
This example includes the following statements for applying the keychain to all interfaces or to particular interfaces:
-
authentication-key-chain—Enables you to apply a keychain at the global IS-IS level for all Level 1 or all Level 2 interfaces.
-
hello-authentication-key-chain—Enables you to apply a keychain at the individual IS-IS interface level. The interface configuration overrides the global configuration.
Topology
Figure 1 shows the topology used in the example.
This example shows the configuration for Router R0.
Configuration
Procedure
CLI Quick Configuration for R0
To quickly configure the hitless authentication key rollover for IS-IS, copy the following commands and paste the commands into the CLI.
[edit] set interfaces ge-0/0/0 unit 0 description "interface A" set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.1/30 set interfaces ge-0/0/0 unit 0 family iso set interfaces ge-0/0/0 unit 0 family inet6 address fe80::200:f8ff:fe21:67cf/128 set interfaces ge-0/0/1 unit 0 description "interface B" set interfaces ge-0/0/1 unit 0 family inet address 10.0.0.5/30 set interfaces ge-0/0/1 unit 0 family iso set interfaces ge-0/0/1 unit 0 family inet6 address 10FB::C:ABC:1F0C:44DA/128 set interfaces ge-0/0/2 unit 0 description "interface C" set interfaces ge-0/0/2 unit 0 family inet address 10.0.0.9/30 set interfaces ge-0/0/2 unit 0 family iso set interfaces ge-0/0/2 unit 0 family inet6 address ff06::c3/128 set security authentication-key-chains key-chain base-key-global key 63 secret "$ABC123" set security authentication-key-chains key-chain base-key-global key 63 start-time "2011-8-6.06:54:00-0700" set security authentication-key-chains key-chain base-key-global key 63 algorithm hmac-sha-1 set security authentication-key-chains key-chain base-key-global key 63 options isis-enhanced set security authentication-key-chains key-chain base-key-global key 64 secret "$ABC1234" set security authentication-key-chains key-chain base-key-global key 64 start-time "2011-10-6.06:54:00-0700" set security authentication-key-chains key-chain base-key-global key 64 algorithm hmac-sha-1 set security authentication-key-chains key-chain base-key-global key 64 options isis-enhanced set security authentication-key-chains key-chain base-key-inter key 0 secret "$ABC123" set security authentication-key-chains key-chain base-key-inter key 0 start-time "2011-8-6.06:54:00-0700" set security authentication-key-chains key-chain base-key-inter key 0 algorithm md5 set security authentication-key-chains key-chain base-key-inter key 0 options basic set security authentication-key-chains key-chain base-key-inter key 1 secret "$ABC1234" set security authentication-key-chains key-chain base-key-inter key 1 start-time "2011-10-6.06:54:00-0700" set security authentication-key-chains key-chain base-key-inter key 1 algorithm md5 set security authentication-key-chains key-chain base-key-inter key 1 options basic set protocols isis level 2 authentication-key-chain base-key-global set protocols isis interface ge-0/0/0.0 level 1 hello-authentication-key-chain base-key-inter
Step-by-Step Procedure
To configure hitless authentication key rollover for IS-IS:
-
Configure the Router R0 interfaces.
[edit] user@host# edit interfaces ge-0/0/0 unit 0 [edit interfaces ge-0/0/0 unit 0] user@host# set description "interface A" user@host# set family inet address 10.0.0.1/30 user@host# set family iso user@host# set family inet6 address fe80::200:f8ff:fe21:67cf/128 user@host# exit [edit] user@host# edit interfaces ge-0/0/1 unit 0 [edit interfaces ge-0/0/1 unit 0] user@host# set interfaces ge-0/0/1 unit 0 description "interface B" user@host# set interfaces ge-0/0/1 unit 0 family inet address 10.0.0.5/30 user@host# set interfaces ge-0/0/1 unit 0 family iso user@host# set interfaces ge-0/0/1 unit 0 family inet6 address 10FB::C:ABC:1F0C:44DA/128 user@host# exit [edit] user@host# edit interfaces ge-0/0/2 unit 0 [edit interfaces ge-0/0/2 unit 0] user@host# set description "interface C" user@host# set family inet address 10.0.0.9/30 user@host# set interfaces ge-0/0/2 unit 0 family iso user@host# set interfaces ge-0/0/2 unit 0 family inet6 address ff06::c3/128 user@host# exit
-
Configure one or more authentication key chains and keys. In this example we demonstrate the use of both a global and interface level key chain, both having two keys. The global key chain is applied to all ISIS Level 2 interfaces. This key chain authenticates both hellos and LSP exchanges. The interface key chain is applied specifically to the ge-0/0/0 interface (Interface A) for ISIS Level 1 and is used only for authenticating hello exchanges.
[edit] user@host# edit security authentication-key-chains key-chain base-key-global [edit security authentication-key-chains key-chain base-key-global] user@host# set key 63 secret "$ABC123" user@host# set key 63 start-time "2011-8-6.06:54:00-0700" user@host# set key 63 algorithm hmac-sha-1 user@host# set key 63 options isis-enhanced user@host# set key 64 secret "$ABC1234" user@host# set key 64 start-time "2011-10-6.06:54:00-0700" user@host# set key 64 algorithm hmac-sha-1 user@host# set key 64 options isis-enhanced user@host# exit [edit] user@host# edit security authentication-key-chains key-chain base-key-inter [edit security authentication-key-chains key-chain base-key-inter] user@host# set key 0 secret "$ABC123" user@host# set key 0 start-time "2011-8-6.06:54:00-0700" user@host# set key 0 algorithm md5 user@host# set key 0 options basic user@host# set key 1 secret "$ABC1234" user@host# set key 1 start-time "2011-10-6.06:54:00-0700" user@host# set key 1 algorithm md5 user@host# set key 1 options basic user@host# exit
-
Apply the base-key-global key chain to all Level 2 ISIS interfaces on Router R0.
[edit] user@host# edit protocols isis level 2 [edit protocols isis level 1] set authentication-key-chain base-key-global user@host# exit
-
Apply the base-key-inter key chain for ISIS hello authentication at Level 1 to the ge-0/0/0.0 interface on Router R0.
[edit] user@host# edit protocols isis interface ge-0/0/0.0 level 1 [edit protocols isis interface ge-0/0/0.0 level 1] set hello-authentication-key-chain base-key-inter user@host# exit
-
If you are done configuring the device, commit the configuration.
[edit] user@host# commit
Results
Confirm your configuration by entering the show interfaces, show protocols, and show security commands.
user@host# show interfaces
ge-0/0/0 {
unit 0 {
description "interface A";
family inet {
address 10.0.0.1/30;
}
family iso;
family inet6 {
address fe80::200:f8ff:fe21:67cf/128;
}
}
}
ge-0/0/1 {
unit 0 {
description "interface B";
family inet {
address 10.0.0.5/30;
}
family iso;
family inet6 {
address 10FB::C:ABC:1F0C:44DA/128;
}
}
}
ge-0/0/2 {
unit 0 {
description "interface C";
family inet {
address 10.0.0.9/30;
}
family iso;
family inet6 {
address ff06::c3/128;
}
}
}
user@host# show protocols
isis {
level 2 authentication-key-chain base-key-global;
interface ge-0/0/0.0 {
level 1 hello-authentication-key-chain base-key-inter;
}
}
user@host# show security
authentication-key-chains {
key-chain base-key-global {
key 63 {
secret "ABC123”;
start-time "2011-8-6.06:54:00-0700";
algorithm hmac-sha-1;
options isis-enhanced;
}
key 64 {
secret "ABC1234”;
start-time "2011-10-6.06:54:00-0700";
algorithm hmac-sha-1;
options isis-enhanced;
}
key-chain base-key-inter {
key 0 {
secret "$ABC123”;
start-time "2011-8-6.06:54:00-0700";
algorithm md5;
options basic;
}
key 1 {
secret "$ABC1234”;
start-time "2011-10-6.06:54:00-0700";
algorithm md5;
options basic;
}
}
}
Verification
To verify the configuration, run the following commands:
-
show isis authentication
-
show security keychain