4.2.4 Ensure loose authentication check is not configured

Information

IS-IS Neighbors should be authenticated.

Rationale:

Where it is deployed, IS-IS routing is vital for normal operation of an organization's network infrastructure. Correct route information is required for routers to direct traffic through the network correctly. An attacker posing as one of the target router's IS-IS neighbors may inject incorrect information into the route table, resulting in a DoS attack or in loss of confidential data through a Man in the Middle attack.

On JUNOS routers it is possible to suppress some authentication features to aid integration with other vendors' IS-IS implementations. One of these interoperability features allows you to configure the router to accept both authenticated and unauthenticated IS-IS packets. This is intended for a transition period, where authentication is not yet configured across all devices in a network, but it leaves the protocol open to exploitation and should not be left in place once the migration to an authentication method is complete.

Solution

If you have deployed IS-IS in your network and have enabled loose authentication checking, remove it (restoring strict authentication checking) by issuing the following command from the [edit protocols isis] hierarchy:

[edit protocols isis]
user@host# delete loose-authentication-check
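As an added example (not code from CIS, Tenable or Juniper), the following Python audit checks a saved Junos configuration for this item offline: it flattens either the brace format of "show configuration" or the flat "show configuration | display set" format into statement paths, reports "not_applicable" when no IS-IS is configured (matching the default value below), "fail" when loose-authentication-check is present, and "pass" otherwise, and additionally warns when IS-IS is configured with no authentication-key or hello-authentication-key statement at all. The sample configurations, interface name and key value are constructed for illustration; the parser assumes one statement per line and values without embedded spaces.

```python
"""Audit a Junos configuration for the IS-IS loose-authentication-check
statement (added example, not CIS/Tenable/Juniper code).  Handles the brace
format of 'show configuration' and the flat 'display set' format.  Assumes one
statement or block opener per line and values without embedded spaces."""

from typing import Iterator, List, Set, Tuple

Path = Tuple[str, ...]


def _brace_statements(config: str) -> Iterator[Path]:
    """Flatten brace-format config into full statement paths, for example
    ('protocols', 'isis', 'loose-authentication-check')."""
    stack: List[Path] = []  # token tuples of the enclosing blocks
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop '#' and '##' comments
        if not line:
            continue
        if line.endswith("{"):
            stack.append(tuple(line[:-1].split()))
        elif line == "}":
            if stack:
                stack.pop()
        else:
            words = tuple(line.rstrip(";").split())
            yield tuple(t for block in stack for t in block) + words


def _set_statements(config: str) -> Iterator[Path]:
    """Flatten 'display set' output: every 'set ...' line is one path."""
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("set "):
            yield tuple(line[4:].split())


def statements(config: str) -> Set[Path]:
    """Auto-detect the format and return the set of statement paths."""
    if any(ln.strip().startswith("set ") for ln in config.splitlines()):
        return set(_set_statements(config))
    return set(_brace_statements(config))


ISIS = ("protocols", "isis")
LOOSE = ISIS + ("loose-authentication-check",)
KEY_STATEMENTS = {"authentication-key", "hello-authentication-key"}


def audit_isis_loose_auth(config: str) -> dict:
    """Return {'status': 'not_applicable' | 'fail' | 'pass', 'warnings': [...]}
    plus a 'remediation' entry (the benchmark's delete command) on failure."""
    paths = statements(config)
    result = {"status": "pass", "warnings": []}
    if not any(p[:2] == ISIS for p in paths):
        result["status"] = "not_applicable"  # no IS-IS configured (default value)
        return result
    if LOOSE in paths:
        result["status"] = "fail"
        result["remediation"] = "delete protocols isis loose-authentication-check"
    # Advisory: the control's intent is that neighbors are authenticated, so
    # flag an IS-IS instance that carries no authentication key anywhere.
    if not any(p[:2] == ISIS and KEY_STATEMENTS & set(p) for p in paths):
        result["warnings"].append("IS-IS configured without any authentication key")
    return result


# Constructed sample configurations (interface name and key are placeholders).
WEAK_CONFIG = """
protocols {
    isis {
        loose-authentication-check;
        level 2 {
            authentication-type md5;
            authentication-key "$9$placeholder"; ## SECRET-DATA
        }
        interface ge-0/0/0.0;
    }
}
"""

FIXED_CONFIG = """
set protocols isis level 2 authentication-type md5
set protocols isis level 2 authentication-key "$9$placeholder"
set protocols isis interface ge-0/0/0.0
"""

UNAUTHENTICATED_CONFIG = "set protocols isis interface ge-0/0/0.0\n"

NO_ISIS_CONFIG = "set protocols ospf area 0.0.0.0 interface ge-0/0/0.0\n"

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG),
                      ("unauthenticated", UNAUTHENTICATED_CONFIG),
                      ("no-isis", NO_ISIS_CONFIG)]:
        print(name, audit_isis_loose_auth(cfg))
```

Run it against the output of "show configuration | display set" saved from each router; a "fail" result names the exact delete command from the solution above, and a warning with "pass" means the loose check is absent but the neighbors are not being authenticated either.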

Default Value:

No IS-IS routing is configured by default.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, 800-53|IA-5(1), CSCv7|16.4

Plugin: Juniper

Control ID: 4ff718a2c194c0e75ad9f6f8575dd3db904194b04c6e7d1257f548e4c7fd198b