Before we start this topic I assume that everyone went through Integrated IS-IS to gain the basic knowledge and know what we are talking about. For fast recap IS-IS is a link state routing protocol that is mostly and widely used in Service Providers networks. like OSPF, IS-IS exchanges Hello PDUs(1) to discover neighbors and form adjacencies. Hello PDUs are transmitted over the link every 10 seconds by default and can be changed by the command isis hello-interval per interface.
Hello PDUs are used by IS-IS to identify itself and its capabilities and to describe the parameters of the interface on which the Hellos are sent. If two neighbors are in agreement about their respective capabilities and interface parameters, they become adjacent.
Once an adjacency is established, the Hellos act as keepalives. Each router sends a hold time in its Hellos informing its neighbors how long they should wait to hear the next Hello before declaring the router dead and this hold time can be changed by using the command isis hello-multiplier per the interface.
Unlike OSPF, IS-IS neighbors can have different Hello interval and multiplier “holdtime” as everyone inform its neighbor how long should he wait for the Hello and how many missed Hellos before assuming this adjacency dead.
For security issues, authentication methods in IS-IS are different and a lot to meet the needs for all types of networks. In IS-IS we have the ability to encrypt the Hello PDUs which will affect directly the adjacency if keys on both sides are not matched, also we have the ability to encrypt the LSPs which will not affect the adjacency but will affect the databases entries if keys are not matched, also there is the old way of authentication per area or domain and which level should be authenticated or both. we also should know that for every method we can use plain text or MD5 passwords.
Example 1 – Adjacency authentication “by authenticating Hello PDUs”
Example 2 – Authentication for LSPs flooded to Area/Domain
From the first and the second examples we face that the difference between the two methods is where to apply the configuration per interface level for authenticating Hello PDUs and per ISIS instance for authenticating Link State Packets.
(1) A data unit passed from an OSI layer of one node to the peer OSI layer of another node is called a Protocol Data Unit (PDU). So a frame is a Data Link PDU (DLPDU), and a packet is a Network PDU (NPDU). The data unit that performs the equivalent function of the OSPF LSA is the Link State PDU (LSP). Unlike LSAs, which are encapsulated behind an OSPF header and then an IP packet, an LSP is itself a packet.