nanog mailing list archives
Re: IGP protocol
From: Saku Ytti <saku () ytti fi>
Date: Sun, 18 Nov 2018 11:58:22 +0200
On Sun, 18 Nov 2018 at 11:15, Mark Tinka <mark.tinka () seacom mu> wrote:
> Yes, IS-IS is designed to speak to connected hosts, but will only do so if you enable IS-IS on the interface facing that host. The scope of the exposure, while present, is limited to the radius between your device and the connected host, vs. OSPF which can be attacked from much farther away.
Should. OSPF you can protect in edge with ACL. In ISIS you hope it's protected.

7600 punts it in every interface, if one interface speaks ISIS, because it doesn't have per-interface punt masks.

MX:
2012-10-18 0002096778/2012-1018-0446 (test13nqe3) (11.4R5) ++ytti
  * ISIS gets to control-plane, even when only family inet is configured
This was fixed on later releases.

Those are the only two devices I've specifically tested for this. I don't think people know what happens to ISIS in their platform, if the vendor doesn't know. I wonder what these nice BRCM kit do?

I know that one of the more popular entrants can't be protected against ANY protocol until 2019Q1, and two of the networks I know running it in the edge were entirely unaware of it.

My point is, perhaps in theory ISIS is more secure, but in practice OSPF is, because OSPF can be protected perfectly in iACL, a feature which is available in HW in the cheapest L3 switches. The only reason people think differently is because they don't test it.
> Running MD5 on your IGP (and iBGP) should be sold at birth.
Yes, or MacSec.

--
  ++ytti
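The OSPF versus IS-IS contrast discussed above, as an added example that is not part of the original message: OSPF is carried in IPv4 as protocol 89, so an IP infrastructure ACL can match and drop it at the edge, while IS-IS rides in 802.3/LLC frames that an IP ACL never evaluates. The frames, addresses, function names and the toy ACL policy are constructed for illustration.

```python
import struct

ETH_IPV4 = 0x0800
IPPROTO_OSPF = 89            # OSPF is carried directly in IP, protocol 89
ISIS_LLC = b"\xfe\xfe\x03"   # IS-IS: 802.3 frame, LLC DSAP/SSAP 0xFE, control 0x03
ISIS_NLPID = 0x83            # first byte of every IS-IS PDU

def classify(frame: bytes) -> str:
    """Classify an untagged Ethernet frame as ospf, isis, ipv4-other or other."""
    if len(frame) < 14:
        return "other"
    (type_len,) = struct.unpack("!H", frame[12:14])
    payload = frame[14:]
    if type_len == ETH_IPV4 and len(payload) >= 20:
        return "ospf" if payload[9] == IPPROTO_OSPF else "ipv4-other"
    # Values <= 1500 are an 802.3 length field, not an EtherType.
    if type_len <= 1500 and payload[:3] == ISIS_LLC and payload[3:4] == bytes([ISIS_NLPID]):
        return "isis"
    return "other"

def edge_iacl(frame: bytes) -> str:
    """Toy edge iACL (assumed policy): deny OSPF, permit other IPv4.
    Non-IP frames are never seen by an IP ACL, so the result is 'not-evaluated'
    and protection depends on how the platform punts them."""
    kind = classify(frame)
    if kind in ("isis", "other"):
        return "not-evaluated"
    return "deny" if kind == "ospf" else "permit"

def eth(dst: str, src: str, type_len: int, payload: bytes) -> bytes:
    return bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", type_len) + payload

def ipv4(proto: int, dst: bytes) -> bytes:
    # Minimal constructed IPv4 header; checksum left as zero.
    return bytes.fromhex("45c0004000000000") + bytes([1, proto, 0, 0]) + bytes([192, 0, 2, 1]) + dst

# Constructed sample frames (not captured traffic).
OSPF_HELLO = eth("01005e000005", "020000000001", ETH_IPV4, ipv4(89, bytes([224, 0, 0, 5])))
TCP_PACKET = eth("020000000003", "020000000001", ETH_IPV4, ipv4(6, bytes([198, 51, 100, 7])))
ISIS_PDU = ISIS_LLC + bytes.fromhex("831b0100")
ISIS_HELLO = eth("0180c2000015", "020000000002", len(ISIS_PDU), ISIS_PDU)

if __name__ == "__main__":
    for name, f in [("OSPF", OSPF_HELLO), ("TCP", TCP_PACKET), ("IS-IS", ISIS_HELLO)]:
        print(f"{name:6} {classify(f):11} iACL: {edge_iacl(f)}")
```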