nanog mailing list archives
Re: IGP protocol
From: Mark Tinka <mark.tinka () seacom mu>
Date: Sun, 18 Nov 2018 11:11:47 +0200
On 13/Nov/18 17:30, Saku Ytti wrote:
Do you know connected host can't talk ISIS to you? ISIS is false security. In modern platforms OSPF almost always can be protected (iACL), ISIS in many times cannot. I'd run MD5 in either case.
Yes, IS-IS is designed to speak to connected hosts, but will only do so if you enable IS-IS on the interface facing that host. The scope of the exposure, while present, is limited to the radius between your device and the connected host, vs. OSPF which can be attacked from much farther away. Running MD5 on your IGP (and iBGP) should be sold at birth. Mark.
Current thread:
- Re: IGP protocol, (continued)
- Re: IGP protocol Tashi Phuntsho (Nov 14)
- Re: IGP protocol Mark Tinka (Nov 13)
- Re: IGP protocol Mark Tinka (Nov 13)
- Re: IGP protocol Saku Ytti (Nov 13)
- Re: IGP protocol James Bensley (Nov 14)
- Re: IGP protocol Baldur Norddahl (Nov 14)
- SV: IGP protocol Gustav Ulander (Nov 14)
- Re: IGP protocol James Bensley (Nov 15)
- Re: IGP protocol Saku Ytti (Nov 13)
- Re: IGP protocol Alain Hebert (Nov 13)
- Re: IGP protocol Saku Ytti (Nov 13)
- Re: IGP protocol Mark Tinka (Nov 18)
- Re: IGP protocol Saku Ytti (Nov 18)
- Re: IGP protocol Alfie Pates (Nov 18)
- Re: IGP protocol Saku Ytti (Nov 18)
- Re: IGP protocol Nick Hilliard (Nov 18)
- Re: IGP protocol Mark Tinka (Nov 18)
- Re: IGP protocol Grant Taylor via NANOG (Nov 18)
- Re: IGP protocol Saku Ytti (Nov 18)
- Re: IGP protocol Mark Tinka (Nov 18)
- Re: IGP protocol Saku Ytti (Nov 18)
- Re: IGP protocol Mark Tinka (Nov 19)