nanog mailing list archives

Re: IGP protocol

From: Mark Tinka <mark.tinka () seacom mu>
Date: Sun, 18 Nov 2018 11:11:47 +0200



On 13/Nov/18 17:30, Saku Ytti wrote:

Do you know connected host can't talk ISIS to you?

ISIS is false security. In modern platforms OSPF almost always can be
protected (iACL), ISIS in many times cannot. I'd run MD5 in either
case.


Yes, IS-IS is designed to speak to connected hosts, but will only do so
if you enable IS-IS on the interface facing that host.

The scope of the exposure, while present, is limited to the radius
between your device and the connected host, vs. OSPF which can be
attacked from much farther away.

Running MD5 on your IGP (and iBGP) should be sold at birth.

Mark.

Current thread:

Re: IGP protocol, (continued)
- - - Re: IGP protocol Tashi Phuntsho (Nov 14)
    - Re: IGP protocol Mark Tinka (Nov 13)
- Re: IGP protocol Mark Tinka (Nov 13)
  - Re: IGP protocol Saku Ytti (Nov 13)
    - Re: IGP protocol James Bensley (Nov 14)
    - Re: IGP protocol Baldur Norddahl (Nov 14)
    - SV: IGP protocol Gustav Ulander (Nov 14)
    - Re: IGP protocol James Bensley (Nov 15)
  - Re: IGP protocol Alain Hebert (Nov 13)
    - Re: IGP protocol Saku Ytti (Nov 13)
    - Re: IGP protocol Mark Tinka (Nov 18)
    - Re: IGP protocol Saku Ytti (Nov 18)
    - Re: IGP protocol Alfie Pates (Nov 18)
    - Re: IGP protocol Saku Ytti (Nov 18)
    - Re: IGP protocol Nick Hilliard (Nov 18)
    - Re: IGP protocol Mark Tinka (Nov 18)
    - Re: IGP protocol Grant Taylor via NANOG (Nov 18)
    - Re: IGP protocol Saku Ytti (Nov 18)
    - Re: IGP protocol Mark Tinka (Nov 18)
    - Re: IGP protocol Saku Ytti (Nov 18)
    - Re: IGP protocol Mark Tinka (Nov 19)

(Thread continues...)