New style IS-IS authentication (IS-IS HMAC-MD5 and clear text) provides a number of advantages over the old style password
configuration commands that were described in the previous sections, "Setting an Authentication Password for each Interface"
and "Setting a Password at Level 1".
- Passwords are encrypted when the software configuration is displayed.
- Passwords are easier to manage and change.
- Passwords can be rolled over to new passwords without disrupting network operations.
- Non-disruptive authentication transitions are supported by configuration that allows the router to accept PDUs
  without authentication or with stale authentication information, yet send PDUs with current authentication. Such transitions
  are useful when you are migrating from no authentication to some type of authentication, when you are changing authentication
  type, and when you are changing keys.
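
The receive-side behavior during a key rollover or transition can be modeled as follows. This is an added example, not code from the original page or from the router software. It assumes the HMAC-MD5 authentication TLV layout of RFC 5304 (TLV type 10, authentication type 54, digest computed with the digest field zeroed). The names `sign`, `split_auth`, `accept`, `accept_keys` and `send_only` are hypothetical, and the PDU bytes and keys are constructed sample values.

```python
import hashlib
import hmac

AUTH_TLV, HMAC_MD5 = 10, 54  # RFC 5304: TLV type 10, authentication type 54
TLV_HEAD = bytes([AUTH_TLV, 17, HMAC_MD5])  # length 17 = 1 type byte + 16 digest bytes

def sign(pdu: bytes, key: bytes) -> bytes:
    """Append an authentication TLV; the digest covers the PDU with a zeroed digest field.
    (For LSPs, RFC 5304 also zeroes checksum and remaining lifetime; not modeled here.)"""
    zeroed = pdu + TLV_HEAD + bytes(16)
    return zeroed[:-16] + hmac.new(key, zeroed, hashlib.md5).digest()

def split_auth(pdu: bytes):
    """Return (pdu_with_zeroed_digest, digest), or (pdu, None) when no auth TLV is found.
    Simplification: the TLV is expected as the last 19 bytes, where sign() puts it."""
    if len(pdu) >= 19 and pdu[-19:-16] == TLV_HEAD:
        return pdu[:-16] + bytes(16), pdu[-16:]
    return pdu, None

def accept(pdu: bytes, accept_keys, send_only: bool) -> str:
    """accept_keys: current key plus any older keys still accepted during rollover.
    send_only: transition state in which missing or stale authentication is tolerated."""
    zeroed, digest = split_auth(pdu)
    if digest is not None:
        for key in accept_keys:
            expected = hmac.new(key, zeroed, hashlib.md5).digest()
            if hmac.compare_digest(expected, digest):
                return "accept:verified"
    # Nothing verified: only the transition state lets the PDU through.
    return "accept:unverified" if send_only else "reject"

# Constructed sample data (not a real IS-IS header or real keys).
HELLO = b"constructed IS-IS hello bytes"
OLD_KEY, NEW_KEY = b"old-key", b"new-key"

if __name__ == "__main__":
    stale = sign(HELLO, OLD_KEY)
    print(accept(stale, [NEW_KEY], send_only=False))           # stale key, strict mode
    print(accept(stale, [NEW_KEY, OLD_KEY], send_only=False))  # old key kept for rollover
    print(accept(HELLO, [NEW_KEY], send_only=True))            # unauthenticated, transition
```

The `accept:unverified` result shows why the transition state should be temporary: while it is active, received PDUs are not protected by authentication.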
IS-IS has five PDU types: link state PDU (LSP), LAN Hello, Point-to-Point Hello, complete sequence number PDU (CSNP), and
partial sequence number PDU (PSNP). IS-IS HMAC-MD5 authentication or clear text password authentication can be applied to
all five PDU types. The authentication can be enabled on different IS-IS levels independently. The interface-related PDUs
(LAN Hello, Point-to-Point Hello, CSNP, and PSNP) can be enabled with authentication on different interfaces, with different
levels and different passwords.
Either authentication mode or old password mode may be configured on a given scope (IS-IS instance or interface) and level, but
not both. However, different modes may be configured for different scopes or levels.
If mixed modes are intended, different keys should be used for different modes in order not to compromise the encrypted password
in the PDUs.