Using crypto auth for detecting corrupted IGP packets?

Jared Mauch jared at puck.nether.net
Thu Sep 30 23:25:34 CDT 2010


Sent from my iThing

On Oct 1, 2010, at 12:16 AM, Danny McPherson <danny at tcb.net> wrote:

> 
> On Sep 30, 2010, at 11:34 PM, Manav Bhatia wrote:
>> 
>> I would be interested in knowing if operators use the cryptographic
>> authentication for detecting the errors that i just described above.
> 
> Additionally, one might venture to understand the effects of such mechanisms and
> why knob's such as IS-IS's "ignore-lsp-errors" were added ~15 years ago.  LSP
> corruption storms driven by receivers that purge corrupted LSPs and originators that 
> re-originate and flood on receipt of said purged LSPs are very problematic and 
> otherwise difficult to identify in practice.  
> 
> Coincidentally, it's also why logging LSPs that trigger such errors is important, whether 
> you ignore them or propagate them.

I really wish there was a good way to (generically) keep a 4-6 hour buffer of all control-plane traffic on devices. While you can do that with some, the forensic value is immense when you have a problem.

- Jared
> 




More information about the NANOG mailing list