Using crypto auth for detecting corrupted IGP packets?
jared at puck.nether.net
Thu Sep 30 23:25:34 CDT 2010
Sent from my iThing
On Oct 1, 2010, at 12:16 AM, Danny McPherson <danny at tcb.net> wrote:
> On Sep 30, 2010, at 11:34 PM, Manav Bhatia wrote:
>> I would be interested in knowing if operators use the cryptographic
>> authentication for detecting the errors that I just described above.
> Additionally, one might venture to understand the effects of such mechanisms and
> why knobs such as IS-IS's "ignore-lsp-errors" were added ~15 years ago. LSP
> corruption storms driven by receivers that purge corrupted LSPs and originators that
> re-originate and flood on receipt of said purged LSPs are very problematic and
> otherwise difficult to identify in practice.
> Coincidentally, it's also why logging LSPs that trigger such errors is important, whether
> you ignore them or propagate them.
I really wish there was a good way to (generically) keep a 4-6 hour buffer of all control-plane traffic on devices. While you can do that with some, the forensic value is immense when you have a problem.