OSPF vs IS-IS vs PrivateAS eBGP

Ivan Pepelnjak ip at ioshints.info
Thu Aug 20 12:13:31 UTC 2009


Do not EVER run an SPF routing protocol with your customer. They can insert
anything they want into it (due to a configuration mistake, malicious intent
or third-party hijacking) and your whole network (or at least the other
customers) will be affected.

Just to give you a few examples:

* They could hijack the host route to your DNS server and spoof every other
customer of yours that uses your DNS
* They could hijack the host route to your POP3 server and collect the
usernames and passwords of your residential users
* Company A could hijack the host route to the web server of company B. 
* They could insert a better default route than you do and at least some of
your routers will listen to them.
* If they ever make a total mess and start flapping their LSAs, your whole
network will be affected and all your routers will burn CPU running the SPF
algorithm.

If you absolutely insist on not using BGP (but then BGP is the only
currently available routing protocol designed to handle routing in scenarios
where the two parties don't necessarily trust each other), use RIP. It's
safer than OSPF, at least you can filter the incoming updates.

Ivan
 
http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: Clue Store [mailto:cluestore at gmail.com] 
> Sent: Wednesday, August 19, 2009 5:13 PM
> To: nanog at nanog.org
> Subject: OSPF vs IS-IS vs PrivateAS eBGP
> 
> Hi All,
> 
> I know this has been discussed probably many times on this 
> list, but I was looking for some specifics about what others 
> are doing in the following situations.
> 
> I would like to run an IGP (currently OSPF) to our customers 
> that are multi-homed in a non-mpls environment. They are 
> multi-homed with small prefixes that are swipped from my ARIN 
> allocations. OSPF has been flaky at best under certain 
> conditions and I am thinking of making the move to IS-IS.
> I have also seen others going to private AS and running eBGP. 
> This seems a bit much, but if it works, I'd make the move to 
> it as I like BGP the most (all of the BGP knobs give me the 
> warm and fuzzies :).
> 
> I'd also like to see what folks are using in a MPLS network?? 
> OSPFv3 or IS-IS or right to MP-BGP and redist static from the 
> CE to PE???
> 
> On and off list are welcome. I'll make a summary after I 
> gather the info.
> 
> Thanks,
> Clue
> 
> 
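Added example, not part of the original thread: a sketch of the per-update inbound filtering that the reply says is possible with BGP (or RIP) at the customer edge, run against the hijack cases it lists. All prefixes are constructed documentation addresses, and the function names and the maximum prefix length are assumptions made for illustration.

```python
import ipaddress

# Constructed policy data (documentation prefixes, not from the original post).
ASSIGNED = [ipaddress.ip_network("198.51.100.0/24")]  # space assigned to this customer
MAX_LEN = 29  # assumed policy: longest IPv4 prefix accepted from the customer


def check_prefix(prefix, assigned=ASSIGNED, max_len=MAX_LEN):
    """Return (accepted, reason) for one prefix received from the customer."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "malformed"
    if net.prefixlen == 0:
        return False, "default route"
    if not any(net.version == a.version and net.subnet_of(a) for a in assigned):
        return False, "outside assigned space"
    if net.prefixlen > max_len:
        return False, "too specific"
    return True, "ok"


def filter_updates(prefixes):
    """Split a batch of received prefixes into accepted and rejected-with-reason."""
    accepted, rejected = [], {}
    for p in prefixes:
        ok, reason = check_prefix(p)
        if ok:
            accepted.append(p)
        else:
            rejected[p] = reason
    return accepted, rejected


# Constructed updates, modelled on the failure cases listed in the reply.
SAMPLE = [
    "198.51.100.0/24",   # the customer's own block
    "192.0.2.53/32",     # host route to the provider's DNS server (constructed address)
    "203.0.113.80/32",   # host route to another customer's web server (constructed)
    "0.0.0.0/0",         # competing default route
    "198.51.100.7/32",   # inside the block but longer than policy allows
]

if __name__ == "__main__":
    accepted, rejected = filter_updates(SAMPLE)
    print("accepted:", accepted)
    for prefix, reason in rejected.items():
        print("rejected:", prefix, "-", reason)
```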




