ISIS authentication allowing misconfigured neighbor to form adjacency

Hi all,

So I'm configuring ISIS authentication between an IOS-XE device and an IOS-XR device.
I made a mistake in my configuration in that I left out the line `cryptographic algorithm md5` on the IOS-XE (see config below).

But the ISIS came up! Routes were exchanged and LSDB was populated accordingly.

Shouldn't the mismatch cause the IOS-XR device to reject the peering because the IIH packets don't have a proper cryptographic algorithm applied? Seems pointless if I configure my XR with authentication to prevent malicious neighbors from peering with me and in order to get around that all I have to do is leave the cryptographic algorithm off the XE side...

IOS-XE SIDE
===============
router isis ISIS1
 net 49.0001.0001.1111.0200.0002.00
 is-type level-2-only
 authentication mode md5 level-2
 authentication key-chain ISIS-KEY level-2
 metric-style wide
 <snip>

interface GigabitEthernet1
 <snip>
 ip router isis ISIS1
 ipv6 router isis ISIS1
 isis network point-to-point 
 isis authentication mode md5
 isis authentication key-chain ISIS-KEY

key chain ISIS-KEY
 key 1
  key-string pa55w0rd
   accept-lifetime 18:00:00 Mar 1 2025 infinite
   send-lifetime 18:00:00 Mar 1 2025 infinite
   <<MISSING CRYPTO ALGO>>

IOS-XR SIDE
=============
key chain ISIS-KEY
 key 1
  accept-lifetime 18:00:00 march 1 2025 infinite
  key-string password 1227721321350FDW
  send-lifetime 18:00:00 march 1 2025 infinite
  cryptographic-algorithm HMAC-MD5
 !
 accept-tolerance infinite
!

router isis ISIS1
 is-type level-2-only
 net 49.0001.1111.0000.0200.0003.00
 lsp-password keychain ISIS-KEY
 address-family ipv4 unicast
  metric-style wide
 !
 address-family ipv6 unicast
  metric-style wide
 !
 <snip>

 interface GigabitEthernet0/0/0/3
  point-to-point
  hello-password keychain ISIS-KEY
  address-family ipv4 unicast
  !
  address-family ipv6 unicast
  !
 !        
!
XE-RTR#sh isis neighbors 

Tag CORE:
System Id       Type Interface     IP Address      State Holdtime Circuit Id
XR-RTR         L2   Gi1           10.10.39.3      UP    28       00
XE-RTR#

6 Replies

Harold Ritter

Hi @steven.crutchley ,

It works because on the IOS-XE side the "isis authentication mode" configured on the interface overrides the algorithm configured for the key chain. If you want the algorithm from the key chain to take effect, you need to remove the "isis authentication mode" from the interface.

Regards,

Harold

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

So with this configuration the XE side is not using a key chain at all?

Hi @steven.crutchley ,

Yes, it is using the key chain, but the algorithm from the "isis authentication mode md5" overrides whatever is configured in the key chain.

Regards,

Harold

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

So I've been running tests to determine what exact combination works for configuring key chain authentication.

See the attached image for a spreadsheet of what works.

By looking at the combinations that work I have determined the following if IOS-XE and IOS-XR are to perform IS-IS authentication using key chains:

  • `isis authentication mode md5` and `isis authentication key-chain <name>` must both be present under the interface on the IOS-XE device.
  • The encryption algorithm on the IOS-XE key chain doesn't matter - presumably because `isis authentication mode md5` overrides it (in fact I've tested with the key chain on IOS-XE having no crypto algorithm and it still works).
  • The encryption algorithm on the IOS-XR key chain must be HMAC-MD5. MD5 does not work.

This result has confused me a bit... 

Firstly, it only works with MD5 on IOS-XE and HMAC-MD5 on IOS-XR but not MD5 on both?
Secondly, is there no way to make the cryptographic algorithm listed under the key chain on the XE take effect?

I'm also seeing these logs on the IOS-XE when the neighborship is up:

*Mar 13 20:06:31.731: ISIS-AuthInfo (CORE): IIH no change, use the same hmac value

I'm not sure what that means...

Is this the correct way to run key chains on IS-IS between IOS-XE and IOS-XR? It seems kinda messy to me. 

(for reference I'm using IOS-XE Version 16.9.4 and IOS-XR 7.3.2)

Hi @steven.crutchley ,

I am seeing a different behavior testing with 17.3.8.

> `isis authentication mode md5` and `isis authentication key-chain <name>` must both be present under the interface on the IOS-XE device.

The "isis authentication key-chain" can be configured without the "isis authentication mode". The authentication mode is picked up from the key chain.

> The encryption algorithm on the IOS-XE key chain doesn't matter - presumably because `isis authentication mode md5` overrides it (in fact I've tested with the key chain on IOS-XE having no crypto algorithm and it still works).

If the "isis authentication mode md5" is configured, it overrides the algo from the key chain. Otherwise, the algo configured in the key chain is applied. Supported algos are md5, hmac-sha1, hmac-sha-256, hmac-sha-384 and hmac-sha-512. 

> Firstly, it only works with with MD5 on IOS-XE and HMAC-MD5 on IOS-XR but not MD5 on both?

This is because the md5 parameter on the IOS-XE side is really hmac-md5.

> Secondly, is there no way to make the cryptographic algorithm listed under the key chain on the XE take effect?

As I mentioned, with the version I am testing with (17.3.8), you simply need to remove the "isis authentication mode" from the interface for the authentication mode configured in the key chain to take effect.

> *Mar 13 20:06:31.731: ISIS-AuthInfo (CORE): IIH no change, use the same hmac value

Not sure what it means either, but I do not see any of these messages with 17.3.8.

> Is this the correct way to run key chains on IS-IS between IOS-XE and IOS-XR? It seems kinda messy to me.

I would definitely recommend moving to a more recent IOS-XE version. It is cleaner and more flexible.

Regards,
Harold Ritter, CCIE #4168 (EI, SP)
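The reply above turns on one detail: the `md5` authentication mode on IOS-XE is actually HMAC-MD5 (RFC 5304), which is why it interoperates with IOS-XR's `HMAC-MD5` key-chain algorithm and not with its plain `MD5` option. The following Python is an added example, not code from this thread or from Cisco. It builds an IS-IS PDU carrying an RFC 5304 authentication TLV (TLV type 10, authentication type 54, 16-byte digest computed with the digest field zeroed) and shows a receiver-side check that accepts a correctly keyed HMAC-MD5 digest and rejects a digest computed with a different key, an altered PDU, or a non-HMAC keyed MD5. The header bytes, the two ordinary TLVs and the `keyed_md5` variant are constructed for illustration; in particular `keyed_md5` is an assumed non-HMAC construction used only to show that a different algorithm fails verification, not a description of how any vendor's plain MD5 option is computed. The key `pa55w0rd` is the key-string from the original post.

```python
"""Added example (not from the thread or from Cisco): RFC 5304 HMAC-MD5
authentication TLV for IS-IS, with a receiver-side verification routine."""
import hashlib
import hmac
import struct

AUTH_TLV_TYPE = 10        # Authentication Information TLV (ISO 10589 / RFC 5304)
AUTH_TYPE_HMAC_MD5 = 54   # authentication type value for HMAC-MD5 (RFC 5304)
DIGEST_LEN = 16           # MD5 output length in bytes

# Constructed sample data, not captured traffic. SAMPLE_HEADER stands in for the
# IS-IS PDU header (0x83 is the IS-IS NLPID); the PDU-type-specific fields and
# the PDU length are not modelled here, only the TLV handling matters.
SAMPLE_HEADER = b"\x83\x1b\x01\x00\x11\x01\x00\x00"
SAMPLE_TLVS = bytes([1, 4, 0x03, 0x49, 0x00, 0x01,     # Area Addresses: 49.0001
                     129, 2, 0xCC, 0x8E])              # Protocols Supported: IPv4, IPv6


def hmac_md5(key: bytes, data: bytes) -> bytes:
    """RFC 5304 digest: HMAC-MD5 keyed with the key-chain key-string."""
    return hmac.new(key, data, hashlib.md5).digest()


def keyed_md5(key: bytes, data: bytes) -> bytes:
    """Assumed non-HMAC variant used only for contrast: MD5(key || data).
    Illustrative; not a statement of how any vendor's plain 'MD5' option works."""
    return hashlib.md5(key + data).digest()


def build_pdu(header: bytes, tlvs: bytes, key: bytes, digest_fn=hmac_md5) -> bytes:
    """Assemble header + authentication TLV + other TLVs and fill in the digest."""
    auth_tlv_hdr = struct.pack("!BBB", AUTH_TLV_TYPE, 1 + DIGEST_LEN, AUTH_TYPE_HMAC_MD5)
    # RFC 5304: the Authentication Value is set to zero while the digest is
    # computed over the whole PDU, then replaced by the result.
    zeroed = header + auth_tlv_hdr + bytes(DIGEST_LEN) + tlvs
    digest = digest_fn(key, zeroed)
    off = len(header) + len(auth_tlv_hdr)
    return zeroed[:off] + digest + zeroed[off + DIGEST_LEN:]


def find_tlvs(pdu: bytes, header_len: int):
    """Walk the TLV area, yielding (type, offset_of_value, value); stop on truncation."""
    pos = header_len
    while pos + 2 <= len(pdu):
        tlv_type, tlv_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + tlv_len]
        if len(value) != tlv_len:
            break
        yield tlv_type, pos + 2, value
        pos += 2 + tlv_len


def verify_pdu(pdu: bytes, key: bytes, header_len: int = len(SAMPLE_HEADER)):
    """Receiver configured for HMAC-MD5. Returns (accepted, reason)."""
    for tlv_type, voff, value in find_tlvs(pdu, header_len):
        if tlv_type != AUTH_TLV_TYPE:
            continue
        if len(value) != 1 + DIGEST_LEN or value[0] != AUTH_TYPE_HMAC_MD5:
            return False, "authentication TLV present but not HMAC-MD5"
        received = value[1:]
        # Re-zero the digest field and recompute over the PDU as received.
        zeroed = pdu[:voff + 1] + bytes(DIGEST_LEN) + pdu[voff + 1 + DIGEST_LEN:]
        if hmac.compare_digest(hmac_md5(key, zeroed), received):
            return True, "HMAC-MD5 digest verified"
        return False, "HMAC-MD5 digest mismatch (wrong key, wrong algorithm or altered PDU)"
    return False, "no authentication TLV"


if __name__ == "__main__":
    key = b"pa55w0rd"
    good = build_pdu(SAMPLE_HEADER, SAMPLE_TLVS, key)
    print("HMAC-MD5 sender   :", verify_pdu(good, key))
    print("keyed-MD5 sender  :", verify_pdu(build_pdu(SAMPLE_HEADER, SAMPLE_TLVS, key, keyed_md5), key))
    print("wrong key         :", verify_pdu(good, b"wrongkey"))
    print("unauthenticated   :", verify_pdu(SAMPLE_HEADER + SAMPLE_TLVS, key))
```

The `keyed_md5` path is the interesting one for this thread: same key, same PDU bytes, same TLV framing, but because the digest is not an HMAC the receiver's recomputed value never matches, which is the same symptom as an IOS-XR key chain set to `MD5` facing an IOS-XE neighbor sending HMAC-MD5. The `find_tlvs` walk also stops on a truncated TLV rather than indexing past the buffer, which is the behaviour a receiver should have for any TLV-encoded protocol.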

Hello friends. Just adding to what has already been well explained: In my test lab, I use the IOS XE version 17.03.05, and it is not necessary to use ISIS authentication mode MD5 on the adjacency interfaces, and it is also not necessary to use authentication mode MD5 under the ISIS instance. However, in my CCIE SP exam, in a certain task it was necessary to use them. I do not remember the IOS XE version of the exam.

Best Regards,

Joéster Brondani

CCIE #67731 (SP, EI) , CCDE #20240136