Information
IS-IS Neighbors should be authenticated.
Rationale:
Where it is deployed, IS-IS routing is vital for normal operation of an organization's network infrastructure. Correct route information is required for routers to correctly direct traffic through the network. An attacker posing as one of the target routers IS-IS neighbors may inject incorrect information into the route table resulting in DoS attack or loss of confidential data through a Man in the Middle attack.
On Juniper routers (as well as routers from other manufacturers such as Cisco or Brocade) it is possible to authenticate neighbors using either Simple authentication or a Keyed Hash Based Message Authentication Check using an MD5 digest of elements in PDU combined with a sequence number to protect against Replay attacks and confirm authenticity.
Simple authentication sends the configured password as clear-text and should never be used. MD5 HMAC based authentication sends only a one way hash in the packets, providing authentication without exposing sensitive date, so should be used instead.
Authentication is configured for each IS-IS Level. More fine grained authentication for Hello packets may also be set at the interface level.
Solution
If you have deployed IS-IS in your network you should use MD5 authentication for all neighbors at each IS-IS Level configured.
To configure MD5 authentication and the secret key to be used, issue the following commands from the [edit protocols isis] hierarchy:
[edit protocols isis]
user@host#set level <level> authentication-type md5
user@host#set level <level> authentication-key <key>
Default Value:
No IS-IS routing is configured by default.