The Complete IS-IS Routing Protocol- P13
Pages: 30
File type: pdf
Size: 257.19 KB
Document information:
The Complete IS-IS Routing Protocol- P13: IS-IS has always been my favourite Interior Gateway Protocol. Its elegant simplicity, its well-structured data formats, its flexibility and easy extensibility are all appealing – IS-IS epitomizes link-state routing. Whether for this reason or others, IS-IS is the IGP of choice in some of the world's largest networks. Thus, if one is at all interested in routing, it is well worth the time and effort to learn IS-IS.
Content extracted from the document:
350 13. IS-IS Extensions

hannes@Frankfurt> show isis database extensive
[ … ]
  TLVs:
    Area address: 49.0001 (3)
    Speaks: IP, IPv6
    IP router id: 192.168.1.18
    IP address: 192.168.1.18
    Hostname: Stockholm
    IS neighbor: Frankfurt.00, Metric: 1
      IP address: 172.16.33.45
[ … ]

IOS command output

London#show isis database verbose 1921.6800.1047.00-00

IS-IS Level-2 Link State Database:
LSPID                  LSP Seq Num   LSP Checksum   LSP Holdtime   ATT/P/OL
1921.6800.1047.00-00*  0x00000040    0xD323         491            0/0/0
  Area Address: 49.0001
  NLPID:        0x81
  IS neighbor:  Vienna.02, Metric: 63
[ … ]

The LSP shown in the IOS command output does not contain the Hostname TLV. As it does not list any IP-related TLVs, it may be that this is a CLNS-only router that is probably running older software that does not support the Hostname TLV.

If the hostnames made their way into the hostname cache, then all IS-IS occurrences of the System-ID are replaced using their respective name. See Table 13.1 for how Pennsauken's System, Node and LSP-IDs are represented using the new name resolution service.

Today IS-IS is one of the most convenient routing protocols. It aids the network engineer and troubleshooter by offering a kind of distributed name service. All of the IS-IS-related display functions, like displaying adjacencies, examining the link-state database or logging functions, make use of a System-ID to hostname translation cache and display System-IDs, Node-IDs and LSP-IDs with their name rather than their hexadecimal representation.

The next extension to IS-IS will cover the authentication scheme of LSPs and their implementation.

13.2 Authenticating Routing Information

Authenticating routing protocol messages is a basic building block for every network security strategy. Some people argue that authentication is pushing the envelope for IS-IS since all the messages run natively on Layer 2, which means that the protocol cannot be exposed to a remote attack from the Internet because there is simply no possibility for transporting a Layer-2 frame over the Layer-3 infrastructure. This is just another way to say "you can't route a frame". An attacker needs to have local, physical access to inject malicious information. Others argue that an additional barrier like authentication helps to keep out the errors introduced by, for example, unskilled NOC personnel. One application is that new IS-IS adjacencies cannot be created on an interface without knowing the password beforehand (this is just one example). Both attacks and errors are cases where the use of authenticating PDUs makes sense.

ISO 10589 defines a dedicated Authentication TLV for confirming the authenticity of the PDU. Figure 13.2 shows the structure of this TLV. The Authentication TLV uses a field called Authentication Type to further indicate how the password is encoded. Currently there are two encoding methods defined:

• Simple Text Authentication
• HMAC-MD5

The left-hand side of Figure 13.2 shows the formatting of the TLV if Simple Text Authentication is used. The password is a free-form string that can be between 1 and 254 bytes in size. On the right-hand side there is the formatting of TLV #10 if HMAC-MD5 Authentication is used. The size is fixed to 16 bytes and contains an MD5 sum of the entire packet.

Simple Text Authentication        Bytes     HMAC-MD5 Authentication         Bytes
Type 10                           1         Type 10                         1
Length                            1         Length 17                       1
Authentication Type 1             1         Authentication Type 17          1
Plain Text Password               1–254     HMAC-MD5 Password               16

FIGURE 13.2. The Authentication TLV #10 supports two different authentication types

13.2.1 Simple Text Authentication

Code point 1 indicates simple text encoding of the password. Simple text encoding means that the password is encoded clear text. The following tcpdump output shows that the password contained in the IIH is transported clear text over the circuit.

[Figure 13.3 diagram: Amsterdam.00, Stockholm.00 and two Servers attached to one Ethernet; a Broadcast IS-IS PDU reaches every device]
FIGURE 13.3. Each device connected to the LAN infrastructure receives IS-IS-related messages because the Destination MAC address has the Broadcast Bit set

Tcpdump output

11:35:23.248504 OSI, IS-IS, length: 52
    p2p IIH, hlen: 20, v: 1, pdu-v: 1, sys-id-len: 6 (0), max-area: 3 (0)
      source-id: 1921.6800.1009, holding time: 27s, Flags: [Level 2 only]
      circuit-id: 0x01, PDU length: 52
        Point-to-point Adjacency State TLV #240, length: 1
          Adjacency State: Up (0)
        Protocols supported TLV #129, length: 2
          NLPID(s): IPv4 (0xcc), IPv6 (0x8e)
        IPv4 Interface address(es) TLV #132, length: 4
          IPv4 interface address: 172.16.33.6
        Area address(es) TLV #1, length: 4
          Area address (length: 3): 49.0001
        Authentication TLV #10, length: 11
          simple text password: LeiaOrgana

The dilemma of clear text passwords is obvious, and more so if routers are connected via broadcast circuits. Consider Figure 13.3 – routers and servers are connected over a LAN infrastructure like, for example, Ethernet switches. Recall from Chapter 4, "IS-IS Basics", that all the IS-IS messages on LANs are sent using the functional MAC addresses AllL1ISs (0180:c200:0014) for Level 1 PDUs and AllL2ISs (0180:c200:0015) ...
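The TLV layout of Figure 13.2 and the IIH decoded by tcpdump in 13.2.1 can be exercised with a small decoder. The following Python is an added example, not code from the book or from any router vendor: it walks a TLV area, classifies the Authentication TLV (#10) as absent, simple text (type 1, 1–254 bytes) or HMAC-MD5 (type 17, exactly 16 bytes), and rejects malformed lengths. The TLV bytes are constructed to match the tcpdump output above (they are not a captured frame). The HMAC-MD5 helpers assume the RFC 5304 convention that the 16-byte digest field is zero-filled while the MAC is computed, which this page does not state; the page only says the MAC covers the whole packet. Real PDUs carry a fixed header before the TLV area, which the helpers treat as part of the bytes handed to them.

```python
"""Decode IS-IS TLVs and audit the Authentication TLV (#10).  Added example."""
import hashlib
import hmac

AUTH_TLV = 10            # TLV code point for Authentication (Figure 13.2)
AUTH_SIMPLE_TEXT = 1     # Authentication Type 1: clear-text password
AUTH_HMAC_MD5 = 17       # Authentication Type 17: 16-byte HMAC-MD5 digest


def parse_tlvs(area: bytes):
    """Walk a TLV area and return (type, value_offset, value) triples.

    Raises ValueError when a TLV claims more bytes than remain, so a
    truncated or corrupted PDU is never silently accepted."""
    out, i = [], 0
    while i < len(area):
        if i + 2 > len(area):
            raise ValueError(f"truncated TLV header at offset {i}")
        t, n = area[i], area[i + 1]
        value = area[i + 2:i + 2 + n]
        if len(value) != n:
            raise ValueError(f"TLV #{t} claims {n} bytes, only {len(value)} left")
        out.append((t, i + 2, value))
        i += 2 + n
    return out


def audit_authentication(area: bytes) -> dict:
    """Report how a PDU's TLV area is authenticated: none, simple text,
    HMAC-MD5, an unknown type, or malformed.  Simple text is flagged with
    the recovered password to show exactly what every LAN neighbour sees."""
    auth = [v for t, _, v in parse_tlvs(area) if t == AUTH_TLV]
    if not auth:
        return {"mode": "none"}
    value = auth[0]
    if not value:
        return {"mode": "malformed", "reason": "empty Authentication TLV"}
    auth_type, data = value[0], value[1:]
    if auth_type == AUTH_SIMPLE_TEXT:
        if not 1 <= len(data) <= 254:
            return {"mode": "malformed", "reason": "simple-text password length"}
        return {"mode": "simple-text", "password": data.decode("ascii", "replace")}
    if auth_type == AUTH_HMAC_MD5:
        if len(data) != 16:
            return {"mode": "malformed", "reason": "HMAC-MD5 digest must be 16 bytes"}
        return {"mode": "hmac-md5", "digest": data.hex()}
    return {"mode": "unknown", "auth_type": auth_type}


def sign_hmac_md5(area: bytes, key: bytes) -> bytes:
    """Append an HMAC-MD5 Authentication TLV (#10, type 17, 16-byte digest).
    Assumption (RFC 5304 rule, not stated on this page): the digest field
    is all zeros while the MAC over the whole area is computed."""
    unsigned = area + bytes([AUTH_TLV, 17, AUTH_HMAC_MD5]) + bytes(16)
    digest = hmac.new(key, unsigned, hashlib.md5).digest()
    return unsigned[:-16] + digest


def verify_hmac_md5(area: bytes, key: bytes) -> bool:
    """Recompute the MAC with the digest field zeroed and compare in
    constant time.  Returns False when no HMAC-MD5 TLV is present."""
    for t, off, value in parse_tlvs(area):
        if t == AUTH_TLV and len(value) == 17 and value[0] == AUTH_HMAC_MD5:
            start = off + 1                      # first byte of the digest
            zeroed = area[:start] + bytes(16) + area[start + 16:]
            expected = hmac.new(key, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value[1:])
    return False


# Constructed TLV area matching the p2p IIH in the tcpdump output (not a capture).
SAMPLE_IIH_TLVS = bytes([
    240, 1, 0x00,                  # P2P Adjacency State TLV #240: Up (0)
    129, 2, 0xcc, 0x8e,            # Protocols supported TLV #129: IPv4, IPv6
    132, 4, 172, 16, 33, 6,        # IPv4 Interface address TLV #132
    1, 4, 3, 0x49, 0x00, 0x01,     # Area address TLV #1: 49.0001 (length 3)
    10, 11, AUTH_SIMPLE_TEXT,      # Authentication TLV #10, length 11 ...
]) + b"LeiaOrgana"                 # ... simple text password, 10 bytes
SAMPLE_WITHOUT_AUTH = SAMPLE_IIH_TLVS[:-13]   # drop the 13-byte auth TLV

if __name__ == "__main__":
    print(audit_authentication(SAMPLE_IIH_TLVS))
    signed = sign_hmac_md5(SAMPLE_WITHOUT_AUTH, b"constructed-key")
    print(audit_authentication(signed), verify_hmac_md5(signed, b"constructed-key"))
```

Run over a stream of decoded IIHs, `audit_authentication` turns the tcpdump observation into a check: a `simple-text` result on a broadcast circuit means the password is readable by every station on that LAN, while `hmac-md5` only confirms the format; `verify_hmac_md5` is what a receiver needs to actually accept or drop the PDU.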