OSPF vs ISIS - Which do you prefer & why?

Baldur Norddahl baldur.norddahl at gmail.com
Fri Nov 11 10:07:38 UTC 2016


On 11 Nov 2016 06:41, "Mark Tinka" <mark.tinka at seacom.mu> wrote:
>
>
>
> On 10/Nov/16 21:43, Baldur Norddahl wrote:
>
>>
>> And at the day work I also prefer OSPFv2 simply because I do not need
>> more protocols in the stack. We are running an MPLS network with the
>> internet service in a L3VPN. IPv6 is also in the L3VPN. This means the
>> underlying network is pure IPv4 and totally isolated from the internet. Why
>> make it more complicated by introducing something that is not IP based?
>
>
> I'd counter that "Why not make it less complicating by removing an
> easily-reachable attack vector?"
>
> Sure, you can easily protect your OSPF domain from external attack, but
> that's something your router CPU and/or data plane would have to deal with
> if it had to, and we've all seen situations where filters break in certain
> code for various reasons. Or vendors change the way filtering works in
> newer code without properly notifying customers about such changes.
>
> Mark.

No filters. There are just no routes that will take a network packet that
arrives on an interface in VRF internet and move it to an interface in VRF
default without adding an MPLS header to mark the VRF. With the MPLS header
the packet type is no longer IPv4 but MPLS.

Therefore there is no way that you, from the internet or from a customer link,
can even attempt to inject packets that would be received by the OSPF process.
Since we use 10.0.0.0/8 and our vrf internet has no such route, you would
just get no route to host if you tried.

Regards

Baldur
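
The isolation described in this message depends on VRF internet holding no route that overlaps 10.0.0.0/8. The following is an added example, not part of the original post, that audits an exported route table for that property; the route-dump format, prefixes and next-hop names are constructed assumptions.

```python
import ipaddress

# Infrastructure range named in the post; everything else here is constructed.
INFRA = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample dumps of "prefix next-hop" lines for the Internet VRF.
CLEAN = """
192.0.2.0/24     peer-a
198.51.100.0/24  peer-b
2001:db8::/32    peer-a
"""
LEAKY = CLEAN + """
0.0.0.0/0        upstream    # a default route also covers 10.0.0.0/8
10.20.0.0/16     core-link   # more-specific leak from the underlay
"""

def parse_routes(text):
    """Parse 'prefix next-hop' lines, ignoring blanks and '#' comments."""
    routes = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            prefix, nexthop = line.split()[:2]
            routes.append((ipaddress.ip_network(prefix), nexthop))
    return routes

def isolation_findings(routes, infra=INFRA):
    """List routes in the VRF that would forward traffic toward infra."""
    findings = []
    for net, _ in routes:
        if net.version != infra.version:
            continue
        if infra.subnet_of(net):        # equal to or wider than infra
            findings.append((str(net), "covering"))
        elif net.subnet_of(infra):      # a piece of infra leaked in
            findings.append((str(net), "more-specific"))
    return findings

def lookup(routes, dst):
    """Longest-prefix match; None models 'no route to host'."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if r[0].version == addr.version and addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)

if __name__ == "__main__":
    for name, dump in (("clean", CLEAN), ("leaky", LEAKY)):
        table = parse_routes(dump)
        print(name, isolation_findings(table), lookup(table, "10.0.0.1"))
```
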


