nanog mailing list archives

Re: Security inside AS


From: Glen Kent <glen.kent () gmail com>
Date: Mon, 23 Jan 2006 09:53:13 +0530


Yes - we do for IBGP, IS-IS, OSPF (where relevant), also LDP,
HSRP, and anything else that offers the feature (even cleartext).
It proves a useful guard against misconfiguration, as well as
preventing certain security issues.
--
Just one more question. What kind of misconfiguration issues does using
passwords/authentication solve/prevent?

IS-IS has no anti-replay support. Have you heard of
anyone facing replay attacks in IS-IS, or any other protocol for that
matter?

It stops you bringing up adjacencies where the link/circuit has been
mis-patched/mis-provisioned - at turn up time and once in service.
We once had a supplier screw up an in-service core OC-3 such that it came
up connected inside another ISP's core (!) - PPP auth would have helped
here too, though it was HDLC at the time.

I'm not too worried about IS-IS replay - it's much harder to get the
nasty traffic into the core, than with IP.

--
We do IGP routing protocol authentication on every LAN/MAN/WAN in the
105 offices I am responsible for.  But we are a customer, not an
external public ISP.

--
But do we really have service providers who enable authentication
(MD5, etc) inside their ASes for their IGPs (OSPF/IS-IS)?

Yes, esp. for OSPF, as it can be attacked from off-link.
--
Glen,

You mean: are there ISPs who don't?

I would like to protect my infra from easy mistakes like forgetting to
make an interface passive and accidentally connecting my IGP to a
customer's.

So: md5 it is. :)
--

But do we really have service providers who enable authentication
(MD5, etc) inside their ASes for their IGPs (OSPF/IS-IS)?

Yes, we do.  Approx 500 IGP-speaking devices and OSPF.
--

But do we really have service providers who enable authentication
(MD5, etc) inside their ASes for their IGPs (OSPF/IS-IS)?

Yes, I know of several providers who do this.

--

But do we really have service providers who enable authentication
(MD5, etc) inside their ASes for their IGPs (OSPF/IS-IS)?


Yes, I've always used MD5 with OSPF and I've even been paranoid
enough to filter routing protocols at my network edges.

Cheers,
Glen

--

Glen,

Good question! I'm also trying to figure out how much this is used internally. Could you send a summary to the list
(or privately)?
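The two practical points the thread keeps returning to are (a) make interfaces passive by default so a mis-patched circuit or a forgotten customer port cannot form an adjacency, and (b) put MD5 authentication on the links that are supposed to peer. The fragment below is an added illustration in Cisco IOS-style syntax, not configuration posted by anyone in the thread; the process IDs, router-id, NET, interface names, key-chain name and the REPLACE-WITH-SECRET placeholders are assumptions, and the "weak" stanza is shown only to contrast the failure mode.

```cisco
! Added illustrative configuration (IOS-style syntax); not from the thread.
! Process IDs, router-id, NET, interface names, key-chain name and the
! REPLACE-WITH-SECRET placeholders are assumptions.
!
! --- Weak: OSPF active on every interface, no authentication ---
! Any interface that comes up, including a mis-patched circuit or a
! customer port, can form an adjacency and inject routes into the core.
!
! router ospf 100
!  network 0.0.0.0 255.255.255.255 area 0
!
! --- Hardened OSPF: passive by default, MD5 only where peering is expected ---
router ospf 100
 router-id 192.0.2.1
 passive-interface default
 no passive-interface GigabitEthernet0/0
 area 0 authentication message-digest
 network 192.0.2.0 0.0.0.255 area 0
!
interface GigabitEthernet0/0
 description Core link: the only interface allowed to form an adjacency
 ip ospf message-digest-key 1 md5 REPLACE-WITH-SECRET
!
interface GigabitEthernet0/1
 description Customer-facing: stays passive; also drop inbound OSPF outright
 ip access-group CUSTOMER-IN in
!
ip access-list extended CUSTOMER-IN
 deny ospf any any
 permit ip any any
!
! --- IS-IS alternative: MD5 via a key chain on the level-2 backbone ---
! Router-level "authentication mode" covers LSPs/CSNPs/PSNPs; the
! interface-level "isis authentication" lines cover the hellos.
key chain ISIS-KEYS
 key 1
  key-string REPLACE-WITH-SECRET
!
router isis CORE
 net 49.0001.1920.0200.0001.00
 is-type level-2-only
 authentication mode md5 level-2
 authentication key-chain ISIS-KEYS level-2
!
interface GigabitEthernet0/2
 description Core link for the IS-IS variant
 ip router isis CORE
 isis authentication mode md5
 isis authentication key-chain ISIS-KEYS
```

With `passive-interface default`, forgetting a customer port now fails safe (no adjacency at all) instead of failing open; authentication then catches the case where the right link is patched to the wrong device, which is the OC-3 incident described above. On the replay question, OSPF's MD5 scheme carries a non-decreasing cryptographic sequence number in the packet header (RFC 2328, Appendix D), so a replayed packet with an old sequence number is discarded; the IS-IS HMAC-MD5 scheme (RFC 5304) has no such field, which is the gap the thread points at.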
